Myanmar’s Cybersecurity : Structure, Strengths, Vulnerabilities, and the Road Ahead in the era of 2025

Myanmar’s digital landscape has expanded rapidly over the past decade, bringing both opportunities and risks. As more citizens, businesses, and government services come online, cybersecurity has become a critical concern. This blog post provides a comprehensive overview of Myanmar’s cybersecurity system, examining its structure, key institutions, strengths and weaknesses, and how it fits into the global cyber context. We will also discuss recent cyber incidents impacting Myanmar, the intersection of cybersecurity with national security and the economy, and recommendations for building a more robust cyber ecosystem. The goal is to make these insights accessible to general readers, technical professionals, and policymakers alike. 

Structure of Myanmar’s Cybersecurity Infrastructure 

Government Institutions: Myanmar’s cybersecurity infrastructure is anchored by government bodies. The Ministry of Transport and Communications (MoTC) plays a central role through its Information Technology and Cyber Security Department, which oversees the National Cyber Security Center (NCSC). The NCSC is tasked with safeguarding national information and communication networks against cyber threats such as hacking and distributed denial-of-service (DDoS) attacks. It also leads efforts to secure government systems and critical digital infrastructure. Within the NCSC, the Myanmar Computer Emergency Response Team (mmCERT) operates as the national CERT division, responsible for handling cybersecurity incidents and responses. The NCSC/mmCERT maintain a Security Operations Center (SOC) to monitor threats, an effort bolstered in 2020 by international collaboration (more on that below). 

Law enforcement is another key component. The Cyber Crime Unit of the Myanmar Police Force, located in the Criminal Investigation Department’s Transnational Crime Department, handles cybercrime investigations. This specialized police unit works to investigate offenses like hacking, online fraud, and digital theft. However, their capacity has historically been limited, prompting external training initiatives (for example, EU-sponsored courses for Myanmar police officers on cyber threats and dark web investigations in 2018). 

At the highest level, Myanmar’s new Cybersecurity Law (No. 1/2025) mandates creation of a Cybersecurity Central Committee (CCC) to oversee implementation of cybersecurity policy. The CCC will establish a Steering Committee, which in turn assigns responsibilities to relevant ministries. This suggests a multi-agency approach: for instance, the Ministry of Defense may handle military cyber defense, the Ministry of Home Affairs (which controls the police) addresses cybercrime, and MoTC/NCSC focuses on civilian infrastructure security. The law also requires each critical sector ministry to set up incident response teams and appoint officials responsible for critical information infrastructure protection. In summary, Myanmar’s government cyber apparatus includes strategic committees (CCC and its Steering Committee), an operational nerve center (NCSC with mmCERT), and enforcement arms (police cybercrime unit and potentially military cyber units). 

Critical Information Infrastructure (CII): The Cybersecurity Law defines critical information infrastructure to encompass vital sectors – national defense and security, e-government systems, finance, transportation, telecommunications, health, electricity and energy, and any other infrastructure designated by the CCC. Operators of CII (e.g. power utilities, banks, telecom companies) are expected to follow cybersecurity plans and report incidents. This structure indicates an attempt to systematically secure essential services, though practical implementation will depend on cross-sector coordination. 

Private Sector and Civil Society Involvement: The private sector in Myanmar’s cybersecurity ecosystem plays a growing role, albeit still nascent. Major telecommunications providers – historically including MPT (state-backed, with Japanese partnership), Ooredoo, Telenor (which exited Myanmar in 2022), Mytel (military-owned joint venture), and now ATOM – manage the bulk of internet infrastructure and thus are on the front lines of network security. Under the new law, large digital platform providers (with over 100,000 users in Myanmar) must register a local company and adhere to cybersecurity regulations. This requirement aims to bring big tech platforms (social media, messaging services, etc.) under local jurisdiction for security and content control purposes. Additionally, cybersecurity service providers (companies offering security consulting, audits, etc.) now must be licensed in Myanmar, which could spur growth of a domestic cybersecurity industry. 

Myanmar’s tech community is represented by organizations like the Myanmar Computer Federation (MCF), which bridges government and private ICT sectors. The MCF and its affiliated computer societies have been involved in advising on digital policies and building awareness. For example, when the draft Cybersecurity Law was circulated in early 2022, it was sent to MCF, telecom operators, banks, and other stakeholders for feedback. Private IT firms and banks increasingly recognize cybersecurity as a business priority, especially as digital banking and e-commerce grow. Some banks have reportedly faced cyber incidents (there was a recent claim of a data breach at a local bank, Innwa Bank, with customer data put at risk, highlighting the need for better protection). 

Civil society also has a voice, primarily around digital rights. Local NGOs and digital rights groups (like Free Expression Myanmar) have scrutinized cybersecurity policies to ensure they respect privacy and freedom of expression. While civil society involvement in official cybersecurity initiatives is limited under the current military administration, these groups provide important oversight and advocacy for a more open and rights-respecting cyber environment. 

Strengths and National Cybersecurity Efforts 

Despite being a developing country with late internet adoption, Myanmar has made some notable strides in cybersecurity in recent years. Key strengths and positive efforts include: 

1. Comprehensive Cybersecurity Legislation and Strategy: After years of piecemeal laws, Myanmar introduced a broad Cybersecurity Law in January 2025, which for the first time provides a unified legal framework for digital security. The law’s objectives are ambitious: it seeks to ensure safe use of cyber resources and critical infrastructure, protect state sovereignty from cyber threats, foster development of cybersecurity services, enable effective investigation of cybercrimes, and support a digital economy on secure foundations. In tandem, the Department of IT and Cyber Security (under MoTC) published the Myanmar Cyber Security Policy 2023, a five-year strategic plan through 2028. This strategy lays out a vision for a “stable and robust cyber environment” and explicitly prioritizes new legislation as a cornerstone. Indeed, a key component is enacting cyber and digital security laws to establish clear authority and protect personal information. The policy also calls for creating the Cyber Security Central Committee and Steering Committee (which the 2025 law then formalized), and emphasizes safeguarding critical infrastructure and regulating digital platforms via licensing and standards. 

By articulating a national strategy and passing a comprehensive law, Myanmar has addressed the previously identified gap of having no national cybersecurity strategy or up-to-date legal framework – a weakness highlighted in a 2018 World Bank/Oxford assessment. The new law also introduces stricter measures (such as mandatory data retention and local incorporation for large online platforms, and licensing of VPN services) aimed at strengthening oversight of the cyber realm. While some provisions are controversial (e.g. potential for censorship or surveillance), from a purely cybersecurity standpoint this legal framework establishes clearer rules of the road for both government and industry. 

2. Institutional Setup and Coordination: The formation of high-level bodies like the Cybersecurity Central Committee (CCC) is a positive step toward centralized coordination. Cyber threats often span ministries and sectors, so having a top-tier committee to direct strategy can improve coherence. The CCC’s mandate to assign responsibilities to relevant ministries and require annual cybersecurity reports from critical infrastructure agencies should instill greater accountability. In theory, this means sectors like finance or energy must actively assess risks and implement protections, under CCC guidance. The requirement for each critical sector to establish incident response teams is also a strength, as it pushes preparedness down to the operational level. If effectively implemented, Myanmar could develop a network of sectoral CERTs coordinated by the national CERT (mmCERT) – a best practice in national cyber defense. 

Moreover, Myanmar had earlier set up an e-Government Steering Committee (in 2018) that recognized the need for cyber laws and sub-committees on cyber law and security. This continuity of recognizing cybersecurity at the policy level is encouraging. The NCSC under MoTC acts as a focal point for cybersecurity operations. Notably, in mid-2020 the NCSC partnered with SK Telecom (a major South Korean telecom company) to bolster its capabilities. SK Telecom’s experts helped design and establish a Security Operations Center for Myanmar’s NCSC, deploying threat monitoring solutions and a Security Information and Event Management (SIEM) system tailored to NCSC’s environment. This partnership equipped Myanmar with improved tools to detect and respond to cyber intrusions, and SK Telecom described working closely with NCSC to build a “sophisticated Security Operation System” to protect against ever-increasing threats. International capacity-building projects like this demonstrate Myanmar’s willingness to learn from and leverage global expertise, which is a strength. 

3. Growing Awareness and Training: In the past, cybersecurity awareness in Myanmar was very low, but it has been improving gradually. Government officials and the IT community have started to discuss cybersecurity more actively, thanks in part to conferences and workshops often supported by international organizations. For example, the United Nations’ Asia-Pacific Center for ICT (UN-APCICT) co-organized a Data Privacy and Protection webinar in early 2021 with the NCSC, training Myanmar policymakers on the importance of data protection laws and international best practices. Similarly, prior to 2021, the European Union funded the MYPOL program which, among other things, trained Myanmar police officers in basic cyber investigation techniques and network security fundamentals. These initiatives, coupled with the inclusion of cybersecurity in development agendas, have begun to seed a culture of cyber awareness in both the public sector and law enforcement. 

In the private sector, banks and telecommunication firms are increasingly aware of cyber risks. Some banks have initiated staff training on cyber hygiene and hired IT security professionals. The Myanmar Banking Association has discussed cybersecurity as digital banking services (like mobile wallets and online payments) grow. The Myanmar Computer Federation and affiliated tech associations have periodically run awareness seminars for businesses about threats like malware and ransomware. While such efforts are not yet widespread, they mark a positive trend toward recognizing cybersecurity as an essential component of Myanmar’s digital transformation. 

4. International Cooperation: Despite political challenges, Myanmar has engaged in some international cybersecurity cooperation which can be considered a strength. Regionally, Myanmar is part of ASEAN, which has initiatives on cybersecurity capacity building and information sharing. Myanmar’s delegates have participated in ASEAN Regional CERT exercises and ASEAN cyber policy meetings (though its involvement may be limited in recent years due to diplomatic issues). Beyond the SK Telecom project mentioned earlier, Myanmar also signed agreements with friendly countries: for instance, in September 2019, Myanmar and Russia agreed to enhance cooperation in cybersecurity and information technology. This culminated in an agreement signed by Russia’s Security Council and Myanmar officials in December 2022, focusing on joint measures to counter cyber threats and an understanding that each country has sovereign rights over its own cyberspace. The Russia-Myanmar agreement emphasizes mutual respect for digital sovereignty – essentially, Russia supports Myanmar’s efforts to control and secure its internet, and vice versa. Such cooperation could mean access to Russian expertise or tools for cyber defense (or, potentially, surveillance). 

Myanmar has also received support from multilateral organizations. The World Bank and the Global Cyber Security Capacity Centre (University of Oxford) conducted a Cybersecurity Capacity Maturity assessment for Myanmar in 2017-2018. Although the findings exposed many gaps, this assessment was a constructive first step that helped Myanmar authorities understand their weaknesses and prioritize improvements. It was funded by international partners (UK, Korea) and set the stage for crafting the cybersecurity policy and law that followed. Collaboration with countries like South Korea, Japan, and ASEAN neighbors has also been notable. For instance, Japan (through JICA) supported some of Myanmar’s e-government infrastructure where cybersecurity components were included, and Singapore and Thailand have at times shared best practices through ASEAN forums. 

In summary, Myanmar’s strengths lie in its new policy and legal framework, the beginnings of a coordinated institutional approach, increased international support, and a gradual rise in cyber awareness. These create a foundation on which Myanmar can build a more secure digital environment. The Global Cybersecurity Index (GCI) has reflected some of this progress – Myanmar’s score, while still low, has improved in recent editions more than any other ASEAN country, indicating commitment from the government to catching up. Of course, passing laws and plans is only half the battle; effective implementation is needed to truly capitalize on these strengths. 

Weaknesses and Vulnerabilities in Myanmar’s Cyber Ecosystem 

For all the steps forward, Myanmar’s cybersecurity capacity remains fragile. Multiple weaknesses and vulnerabilities undermine the country’s cyber defenses and digital resilience: 

1. Gaps in Legal and Regulatory Frameworks: Until recently Myanmar lacked modern cyber laws, and even with the new Cybersecurity Law 2025, gaps remain. As of this writing, Myanmar has no dedicated personal data protection law or independent data protection authority. User privacy safeguards are minimal; a 2017 Privacy Law exists to protect citizens’ privacy rights, but in practice it is not effectively enforced in the digital realm. The absence of a comprehensive data protection regime means both government and businesses have little obligation or guidance to secure personal data – a significant vulnerability in an era of frequent data breaches. The Electronic Transactions Law (ETL) of 2004 (amended in 2013 and again in 2021) contains some cybercrime provisions, but by international standards it was outdated and incomplete. It only partially covered offenses like unauthorized access or data interference, and it was often wielded more against online speech than to prosecute genuine cybercriminals. Procedural laws for cybercrime investigation (e.g. powers to preserve data, conduct digital forensics with proper checks) are also underdeveloped. Myanmar is not a signatory to the Budapest Convention on Cybercrime, and it has yet to adopt a formal cybercrime strategy or comprehensive legislation aligned with international norms. 

While the 2025 Cybersecurity Law aims to fill some gaps, it has introduced other concerns. Its heavy focus on content control (e.g. penalties for “false news” and broad cyber “misuse”) and strict provisions like criminalizing unregistered VPN use indicate an approach centered on regime security more than on genuine cybersecurity best practices. The law’s implementation rules are still to be seen, but one vulnerability is that overly draconian regulations could drive skilled companies and talent away or underground (for instance, tech firms or researchers may be reluctant to operate in Myanmar if licensing is onerous or if sharing threat information might implicate them legally). Additionally, certain technical standards and guidelines are missing – there is no national cybersecurity standard for government systems (previous reviews found no uniform security standards across public sector agencies). Until such standards and compliance enforcement are in place, many government systems remain insecure by design. The NCSI (National Cyber Security Index) currently scores Myanmar very low on points like having a competent cyber supervisory authority or mandatory security measures in the public sector, reflecting these regulatory voids. 

2. Limited Digital Infrastructure and Connectivity: Myanmar’s internet infrastructure is still developing and has inherent vulnerabilities. Internet penetration was around 44% as of early 2024, meaning a large portion of the population remains offline. Those online rely predominantly on mobile networks (over 64 million mobile subscriptions). Fixed broadband is below 7% penetration and largely confined to cities. This heavy dependence on mobile networks creates a few issues: mobile networks are easier for authorities to shut down or throttle (a tactic the military has used in conflict areas), and many users access the internet on low-end smartphones which may not have strong security. The quality and stability of connections are also challenges – average speeds are not high (mobile ~24 Mbps) and frequent power outages disrupt network availability. In conflict zones, telecom towers have been damaged or destroyed, further weakening infrastructure. A damaged or patchy infrastructure means cybersecurity tools (like intrusion detection systems or incident response communications) may not function reliably when needed. 

Additionally, many critical services rely on very basic IT setups. For example, some government offices might still use older software (perhaps even pirated copies of Windows without security updates), and smaller banks or companies may not have any network segmentation or disaster recovery sites. Infrastructure resiliency is low – backup power for data centers, redundant network links, and robust disaster recovery sites are not commonplace. This makes critical systems vulnerable not only to cyberattack but also to physical threats and accidents (any data center outage could wipe out services for days due to lack of redundancy). 

3. Shortage of Skilled Cybersecurity Professionals: Like many developing nations, Myanmar suffers from a severe lack of cyber talent. There are relatively few certified cybersecurity experts, ethical hackers, or digital forensics specialists in the country. Universities and technical institutes have only recently begun to include cybersecurity in their curriculum. The top tech universities in Yangon and Mandalay produce general IT graduates, but specialized training in cybersecurity or information assurance is rare. This talent gap permeates both the public and private sectors. A government audit or SOC team may be staffed by only a handful of people with limited experience in advanced threat analysis. In the private sector, banks often have to bring in foreign consultants for security audits because local expertise is insufficient. 

The 2018 cybersecurity maturity assessment explicitly noted *“lack of cybersecurity awareness and awareness-raising within the public and private sector as well as amongst users”*. This implies not only a skills gap but also a low baseline of understanding about cyber hygiene throughout society. Many end-users in Myanmar are first-generation internet users with little knowledge of risks like phishing, which makes them easy targets for scams and malware. Within companies, cybersecurity is often seen as just an IT issue rather than a governance or risk management issue. The brain drain following the 2021 coup has exacerbated the talent shortage – numerous IT professionals fled the country or moved to other industries, leaving even fewer skilled personnel to manage cyber defenses. 

4. Inadequate Incident Response and Crisis Management: Although Myanmar has a national CERT (mmCERT), its capacity is limited by both manpower and resources. Incident reporting from organizations is not yet systematic – many breaches likely go unreported due to fear or lack of awareness. The channels for coordinated response (like a national cyber crisis plan) are not well-established. For instance, if a major cyber incident struck a Myanmar bank or a power utility, it’s unclear how quickly the national authorities would coordinate a response or communication. There is no known national cyber emergency exercise conducted to test readiness (contrasting with some neighbors that run drills). The new law’s requirement for annual cybersecurity reports from CII sectors could improve this over time by forcing sectors to simulate and plan for incidents, but as of now, incident response remains a weakness. 

One example highlighting this vulnerability was the massive data leak of the Myanmar Investment Commission files in 2020 by hacktivists. When 156 GB of data were stolen and dumped online (exposing sensitive economic data and personal information of officials), there was little indication of an effective incident response from authorities. The leak was discovered only when activists publicized it, and the government’s ability to investigate or contain the damage seemed minimal. Such episodes suggest that threat monitoring and digital forensics capabilities are in need of significant development. 

5. Critical Infrastructure Risks: Several of Myanmar’s critical sectors have glaring vulnerabilities. The banking sector, for example, is growing more digitized with mobile money and online banking, but not all banks have robust cybersecurity. Some banks likely lack real-time monitoring for fraud or intrusions. In mid-2023, a threat actor claimed to have breached a private bank (Innwa Bank), potentially leaking customer data. While details are scarce, it underscores that banks are targets and may not be fully prepared. The power and energy sector also faces threats; any successful attack on the grid or distribution could have outsized impact given Myanmar’s limited capacity to quickly restore systems. Similarly, the nascent e-government systems (for citizen ID, passports, etc.) could be attractive targets for both sabotage and data theft, yet their protection might be rudimentary. 

6. Overemphasis on Content Control vs. Security: The current cybersecurity approach of Myanmar’s military-led government is heavily intertwined with information control. The Freedom on the Net 2024 report rated Myanmar’s internet freedom among the worst in the world, noting pervasive censorship, surveillance, and even arrests for online activity. The government’s top cyber priority often appears to be silencing dissent (through site blocks, social media bans, and prosecuting online critics) rather than securing systems against criminals or foreign attackers. Resources are spent on building firewalls and monitoring social media, for example launching a state-controlled video platform “MTube” as a propaganda outlet when YouTube is restricted. While this might achieve the regime’s short-term political goals, it diverts attention from genuine cybersecurity measures like hardening critical networks or educating users. Moreover, trust in the government’s cyber initiatives is low among many IT professionals and citizens because they perceive them as tools of repression. This mistrust can be a vulnerability: it means companies or researchers might be unwilling to cooperate fully with authorities on cybersecurity issues, depriving the country of a unified defense front. 

7. Lack of International Engagement in Cyber Norms: Myanmar has remained somewhat isolated in international cyber cooperation frameworks, especially after 2021. It is not party to cyber norm discussions or formal agreements beyond the ASEAN level. This isolation is a weakness because cybersecurity often benefits from global collaboration (for example, intelligence sharing about threats, or joint law enforcement against cybercriminals). The junta’s strained relations with many Western countries mean Myanmar may not have access to capacity-building programs or intel-sharing that those countries offer to partners. (By contrast, countries in the region like Indonesia, Singapore, even Cambodia have participated in programs with Interpol or US cyber agencies; Myanmar has largely missed out due to political sanctions and its internal conflict.) 

In summary, Myanmar’s cyber ecosystem remains fragile and under-resourced. The situation in 2018 was described by experts as having *“no national strategy, no cybersecurity units in departments, no understanding of critical infrastructure, inadequate legislation on digital rights, and lack of standards”*. While some of these have started to be addressed on paper, many practical deficiencies persist. Limited infrastructure and talent make it difficult to cover all vulnerabilities. Without significant improvement in these areas, Myanmar will continue to be at high risk from cyber threats ranging from criminal scams to state-sponsored espionage. 

Myanmar’s Cybersecurity in the Global Context 

Myanmar’s cybersecurity challenges do not exist in a vacuum – they are influenced by and have implications for international cyber threats, geopolitics, and issues of digital sovereignty. Here’s how Myanmar’s cyber landscape functions in the broader global context: 

1. Exposure to International Cyber Threats: As a nation with relatively weaker cyber defenses, Myanmar can be considered a soft target for various malicious actors. Advanced Persistent Threat (APT) groups, especially those linked to nation-states, have targeted Myanmar government entities for espionage. China-linked cyber-espionage is a known issue – for example, the APT group known as Mustang Panda (a.k.a. “Red Delta” or “LuminousMoth”) has repeatedly conducted campaigns in Myanmar. In 2021, researchers discovered a sweeping espionage campaign dubbed LuminousMoth that initially hit dozens of Myanmar government computers with malware (via fake email attachments and even a spoofed Zoom application). The campaign showed an “affinity” with known Chinese tactics and later expanded to other ASEAN countries. Early stages of this operation saw most infections in Myanmar – suggesting Burmese government agencies were among the prime targets. Similarly, in 2024 Palo Alto Networks’ Unit 42 reported that Chinese APT groups (such as one code-named Stately Taurus, associated with Mustang Panda) timed attacks to regional diplomatic events and specifically created malware that targeted entities in Myanmar among other countries. These incidents underscore that Myanmar is very much in the crosshairs of bigger geopolitical cyber actors, likely due to its strategic location and China’s interest in Myanmar’s political trajectory. 

Myanmar has also been targeted by other regional actors. There are reports of Indian-linked APTs (like SideWinder) targeting Myanmar’s government and military networks, possibly in connection with Myanmar’s relations with other neighbors or its internal conflicts. Additionally, North Korean cybercriminal groups have a history of attacking banks in Southeast Asia; while not confirmed publicly, Myanmar’s banks could be on the list for groups like Lazarus seeking to steal funds. The implication is that Myanmar must defend itself not just from generic cybercrime, but from highly sophisticated campaigns by state-sponsored groups – a daunting task for a country with limited capacity. 

2. Myanmar as a Base for Transnational Cybercrime (Scam Centers): Ironically, even as Myanmar struggles to defend against external threats, it has become a hub for cybercriminal operations that affect victims worldwide. Since the political turmoil of the 2021 coup, parts of Myanmar (especially border regions with weak rule of law) have been taken over by organized crime syndicates running massive cyber scam centers. These syndicates, often with Chinese leadership, operate out of casinos or special economic zones in areas like Shan and Kayin states. They traffic human labor (including foreigners lured from across Asia and beyond) and force them to conduct online fraud schemes – notably the so-called “pig butchering” cryptocurrency investment scams. Estimates indicate a huge global impact: between 2020 and 2024, victims around the world lost on the order of $75 billion to Southeast Asian scam operations, many of which were run from Myanmar, Cambodia, and Laos. In the United States alone, an estimated $2.6 billion was lost in 2022 to pig-butchering crypto scams and related frauds, according to the FBI. 

Myanmar’s instability and patchy governance have made it attractive for these criminal networks. Complicit or cash-strapped local power brokers (including some ethnic militias and even elements of the Myanmar military) profit by hosting or protecting the scam compounds, undermining efforts to shut them down. Essentially, cybercrime has intertwined with Myanmar’s internal conflict economy. This poses a transnational security threat – Myanmar’s territory is being used to defraud hundreds of thousands of victims worldwide, prompting a diplomatic and law enforcement outcry from many countries. 

The global ramifications are significant. China has been particularly alarmed because many victims of these scam centers are Chinese citizens and many lower-level perpetrators are also Chinese nationals who were trafficked. In mid-2023, China took the extraordinary step of supporting an armed offensive by an ethnic militia (the Karenni Army) to attack scam compounds near the China-Myanmar border, after accusing the junta of tolerating these operations. Chinese authorities subsequently repatriated over 40,000 of their citizens who were involved (either as victims or low-level scammers). Thailand has similarly had to rescue Thai citizens and has grown concerned that these criminal enterprises on Myanmar soil pose a threat to its national security and reputation. The United States, for its part, imposed sanctions in December 2023 on individuals and entities in Myanmar linked to the scam industry. The U.S. Treasury specifically targeted a Myanmar militia leader and companies for facilitating cyber scams and associated human trafficking. 

This unusual situation – where Myanmar is a generator of global cybercrime rather than a victim – complicates its international standing. It demonstrates how geopolitics and cybercrime intersect: Myanmar’s weak governance in cyberspace (and the physical space where internet infrastructure sits) not only harms its own people but also creates headaches for other nations trying to combat online fraud. It also means any improvement in Myanmar’s cybersecurity and rule of law would have positive ripple effects internationally by shrinking a major safe haven for scammers. 

3. Digital Sovereignty and Alignment with Authoritarian Powers: On the geopolitical stage, Myanmar’s current rulers have embraced a concept of “digital sovereignty” that aligns with Russia and China’s worldview. The cybersecurity agreement with Russia in 2022 explicitly affirmed that states have the sovereign right to control their national segment of the internet and ICT infrastructure. This echoes Russia and China’s push at the United Nations for norms allowing stricter state control over information space under the banner of preventing instability. In practice, Myanmar has been implementing a kind of “sovereign internet” approach internally – mandating data localization, requiring social media companies to have a local presence, and blocking foreign platforms that refuse to comply. The junta has sought technical assistance possibly from China to install surveillance and filtering equipment similar to China’s Great Firewall (there were reports of Chinese telecom firms advising on a national internet gateway). 

Myanmar’s pivot toward Russia and China for cyber cooperation is also a result of being cut off from Western support. After the coup, most Western governments halted any cybersecurity capacity programs with Myanmar’s government. Instead, the junta deepened ties with Moscow – aside from the 2019/2022 agreements, it has engaged Russian tech firms and reportedly looked into Russian internet monitoring systems. China, while officially cautious, has continued to supply telecom gear (like Huawei and ZTE infrastructure) which potentially includes surveillance capabilities. Geopolitically, Myanmar’s cyber domain is now influenced by the authoritarian model of cybersecurity – one that prioritizes state control, censorship, and surveillance, even at the expense of individual liberties and perhaps at the expense of international cooperation on cybercrime. This positions Myanmar on one side of a global split: it will work with Russia/China on information control norms, while being isolated from initiatives led by democracies (like norms against hacking critical infrastructure or election interference, which Myanmar is absent from). 

This alignment has some benefits for the regime: Russia and China can provide technology and know-how to build Myanmar’s cyber capabilities (for example, advanced offensive tools, or training in cyber warfare tactics). On the flip side, it raises concerns that Myanmar could become a testing ground for those powers’ cyber tools or a proxy in great power cyber conflicts. Already, Myanmar’s crisis has drawn in cross-border hacktivism: international hacker collectives like Anonymous have launched operations (“#OpMyanmar”) targeting the military’s websites in solidarity with Myanmar’s protestors. The military’s sensitive data and emails were also exposed by foreign activists (as mentioned earlier with activists like donk_enby helping leak surveillance details). This means Myanmar is a theater for not only local but global ideological cyber battles, with hackers worldwide either supporting the pro-democracy movement or, conversely, possibly state-sponsored retaliation against those hackers. 

4. Implications of International Cyber Norms and Sanctions: Internationally, Myanmar’s stance on cyber issues could incur further repercussions. The UN and ASEAN have been discussing normative behavior in cyberspace (for instance, ASEAN has an agreement with Russia on cooperation in ICT security). If Myanmar is seen as harboring cybercrime (like scam camps) or engaging in malicious cyber activities, it could face more sanctions or collective countermeasures. Already, as noted, the U.S. and others have sanctioned Myanmar entities for cyber-scams. Myanmar was also downgraded in the U.S. State Department’s Trafficking in Persons report in part due to cyber-scam trafficking, resulting in cuts to aid and cooperation. These global pressures might eventually push Myanmar to crack down on such abuses for the sake of its international relationships, if not for the victims. 

Additionally, Myanmar’s low ranking in global indices (like Freedom House’s Freedom on the Net or ITU’s Global Cybersecurity Index) affects how international investors and tech companies view the country. A “Not Free” internet status coupled with concerns of state surveillance could deter foreign tech investment or partnerships that could otherwise help cybersecurity (tech firms might be unwilling to set up data centers in Myanmar if they fear government interference or instability). 

In summary, Myanmar’s cybersecurity situation is both impacted by global trends and impacts others: 

• It is targeted by state-level hackers seeking intelligence. 

• It has unintentionally become an exporter of cybercrime due to lawlessness exploited by international gangs. 

• It has chosen to align with a geopolitical bloc favoring tight control over the internet, which influences its laws and partnership choices. 

• Its internal cyber policies have drawn international criticism and sanctions, tying cybersecurity to human rights and foreign relations. 

The current global context – one of rising cyber threats and a split in digital governance philosophies – places Myanmar in a precarious position. The country risks becoming isolated as a digital pariah state used as a playground for criminals and spies, unless it can reform and cooperate on at least some common cybersecurity goals with the international community (such as fighting financial cybercrime and protecting critical infrastructure). Digital sovereignty should not mean digital isolation, and navigating that balance is a key challenge for Myanmar moving forward. 

Case Studies of Cyber Incidents Impacting Myanmar 

Several cyberattacks, breaches, and security incidents in recent years illustrate the realities of Myanmar’s cyber landscape and its vulnerabilities. Here we explore a few notable examples: 

1. Post-Coup Hacktivism and Data Breaches (2021–2022): Following the military coup in February 2021, a wave of hacktivism swept through Myanmar’s cyberspace. Pro-democracy hacker collectives – including some claiming affiliation with the Anonymous movement – targeted military government websites, databases, and online services as a form of digital protest. In the spring of 2021, for instance, hacktivists temporarily took down websites of the Central Bank, state-run broadcaster, and other government agencies as part of “Operation Myanmar”. More consequentially, hacktivists leaked large troves of data to expose the regime’s inner workings. 

One major breach occurred in March 2021 when activists obtained and disclosed documents revealing the Myanmar junta’s high-tech surveillance apparatus. These leaked files (shared with outlets like Reuters) detailed deals the military had with foreign surveillance technology companies and the extent of electronic monitoring deployed against citizens. The exposure was significant enough that Google, cited in the report, shut down some services (blogging platforms, email accounts) used by the coup leaders after evidence emerged from the leak. In another instance, a hacker group leaked a database of over 120,000 Myanmar company registrations (from the Directorate of Investment and Company Administration’s online registry). This leak, which hit the internet in 2021, revealed financial records and ownership structures of companies – some of which implicated military-linked businesses and cronies. It demonstrated both the hackers’ capabilities to penetrate government systems and the government’s inability to protect even relatively sensitive economic data. 

Perhaps the most dramatic was the hack and leak of the Myanmar Investment Commission (MIC) files (referred to earlier). Distributed Denial of Secrets (DDoSecrets, a whistleblower site) published 156 GB of data hacked from the MIC in 2020. The files contained confidential documents, foreign investment proposals, and approvals. Among the revelations was evidence of how profits from telecom operator Mytel were funneled to military generals. The breach not only embarrassed the authorities by exposing corruption and financial flows, but also suggested that hackers had deep access to government networks (potentially via MIC or Ministry of Investment systems). The junta reportedly launched investigations into domestic IT firms, suspecting insider assistance in these breaches, but the fundamental issue was a lack of robust cybersecurity in those agencies. 

These hacktivist-driven incidents highlight Myanmar’s insider threat and basic security lapses – admin passwords could have been compromised, systems lacked encryption, and there were no effective responses. They also show the two-edged nature of cybersecurity in Myanmar’s political context: one side using hacks to fight for transparency and democracy, and the other side (the state) seeing these as serious cyber threats to its authority. 

2. Cyber Scam Compounds and Human Trafficking (2021–2023): The phenomenon of cyber scam centers has already been described from a global perspective, but it also deeply impacts Myanmar’s own people and security. Thousands of Myanmar citizens have been caught up in these operations – some as low-level workers for quick cash, others as victims duped by fake job ads and then forced to perpetrate scams. Within Myanmar, these criminal enclaves have spurred violence (there have been shootouts and raids), and they complicate the civil war landscape. For example, in areas like Laukkai (in Shan State’s Kokang region) and Myawaddy (on the Thai border), the presence of heavily guarded scam compounds has drawn incursions by armed groups. In late 2023, local resistance forces attacked a scam compound in Laukkai, rescuing some trafficked workers. Meanwhile, the Myanmar military, despite public statements, was accused of turning a blind eye or even colluding with some scam operations in exchange for revenue or intelligence. This undermines the rule of law and demonstrates a weak cybersecurity enforcement environment – parts of the country are effectively “lawless zones” from which major cybercrimes emanate. 

From a case-study angle, consider the Shwe Kokko New City project in Kayin State, initially a Chinese-backed development, which morphed into a haven for online casinos and scam centers. Investigations by groups like the Asian Crime Observatory and media uncovered that within these SEZ-style compounds, large buildings full of rows of computers and teams of multilingual scammers were conducting romance scams and crypto fraud calls 24/7. People who escaped told harrowing tales of torture and captivity for those who failed to meet scam targets. This is a unique cybersecurity issue: it’s not about malware or hacking in the traditional sense, but about the use of Myanmar’s cyberspace for organized crime at scale. The case has led to unprecedented collaboration – Myanmar’s neighbors and even China have had to coordinate cross-border operations. One result was that in March 2024, Thai police, with tacit approval from the junta and assistance from Chinese officials, helped repatriate nearly 1,000 people from one Myanmar border scam zone back to China. 

The persistence of these scam hubs indicates failures in Myanmar’s internal security and cybersecurity governance. It shows that malicious actors can set up entire criminal IT infrastructures (call centers, servers, VPNs, etc.) on Myanmar soil with impunity. Until these are dismantled, Myanmar’s name will be associated with global cyber fraud, which in turn discourages legitimate digital businesses from operating there due to reputational risk. 

3. Ransomware and Malware Threats to Businesses: While less publicized, Myanmar’s businesses and government agencies have also faced common cyber threats like ransomware, viruses, and banking trojans. A local IT security firm (Noventiq Myanmar) warned in 2022 that cyberattacks in Myanmar were on a worrisome rise, citing detection of banking malware and cryptomining malware on many computers. In one instance, a government ministry’s server was reportedly hit by ransomware, encrypting important data – the incident was quietly handled without public disclosure, but it caused downtime in services. The health sector too saw at least one hospital in Yangon suffer a ransomware attack that disrupted its patient database for days. These cases often go unreported to avoid reputational damage, but anecdotal evidence suggests that phishing emails and infected pirated software are common entry points for attackers in Myanmar. Many organizations don’t regularly patch software or run modern anti-virus, making them susceptible to even relatively old strains of malware. 

One concrete breach example: In 2021, activists claimed they hacked Mytel (the military-owned telco) and leaked subscriber data as part of a boycott campaign. The leaked data, if authentic, contained personal information of thousands of users and internal documents about Mytel’s operations. This was both a politically motivated attack and a straightforward data breach. It indicated weak points in telecom security (perhaps an insider or a cloud storage left exposed). 

Another example is the breach of a local financial institution’s database in 2023 (the earlier-mentioned Innwa Bank case). A hacker on social media boasted obtaining hundreds of thousands of customer records from the bank. If true, this breach could lead to identity theft and undermines trust in digital banking among the population. The bank denied a major incident, but also quickly rolled out an urgent “system maintenance,” leading observers to suspect they were patching whatever hole was exploited. 

These examples show that cyber risks are not abstract in Myanmar – they have resulted in real theft of data and disruptions of service. Given the country’s nascent digital economy, even a moderate cyber incident can have outsized effects (for instance, if the top mobile payment service was hacked and shut for a week, it would impact millions of people who rely on it for daily transactions). 

4. Cyber and National Security Intersection: Lastly, consider a case linking cybersecurity and national security: In late 2022, Myanmar’s military revealed it had foiled an attempted cyber-espionage against its defense networks. Though details were scant, a military spokesperson claimed that foreign actors tried to hack into military email servers and systems, but were detected by “cyber war” units. This hints that the Tatmadaw (Myanmar military) has been building a cyber warfare unit to protect its own secrets and possibly conduct offensive operations. The veracity of the claim is unverified, but it reflects the military’s increasing focus on cyberspace as a domain of conflict. Given Myanmar’s volatile political situation, it’s likely that opposition groups also use secure communications and cyber means to coordinate, which the military in turn tries to penetrate. There have been reports of the military deploying spyware (possibly tools like Pegasus, purchased before 2021) to hack activists’ phones. Each such incident – even if not fully public – constitutes a case study in the cat-and-mouse between attackers and defenders within Myanmar. 

In summary, the case studies from Myanmar range from politically motivated hacks and leaks that exposed state secrets, to organized criminal enterprises running global scams, to common cybercrime like ransomware hitting local targets. They collectively paint a picture of a country that has become a frontline for many types of cyber incidents: 

• Hacktivist breaches demonstrated the weakness of government network security and had international impact by prompting responses from tech companies and foreign governments. 

• Scam center operations show how cybersecurity failure in one country can enable crime worldwide and invite foreign intervention. 

• Traditional cyberattacks like malware and data theft are beginning to hit Myanmar’s emerging digital services, risking economic damage. 

• Cyber-operations in conflict indicate that cyber tactics are now part of Myanmar’s internal warfare (each side trying to out-hack the other’s communications). 

Learning from these cases is crucial. They highlight the need for better defensive measures (to prevent breaches and protect data), international cooperation (to tackle cross-border cybercrime), and balanced policies (so that securing systems isn’t overshadowed by the politics of controlling information). Each incident has been a wake-up call that Myanmar’s cybersecurity system must be improved to prevent similar or worse events in the future. 

Cybersecurity, National Security, Economy, and Politics in Myanmar 

Cybersecurity in Myanmar is deeply intertwined with the country’s national security priorities, economic development, the delivery of digital services, and the broader political environment. The relationships are complex: 

Cybersecurity and National Security: For Myanmar’s government – particularly the military junta – control of cyberspace is seen as a matter of national security and regime survival. The Cybersecurity Law explicitly lists protecting the “sovereignty and stability of the State from cybersecurity threats” as a primary objective. In practice, this has meant that actions like shutting down the internet during unrest, surveilling online communications, and censoring content are justified under the banner of security. The military regards the free flow of information on the internet as a potential threat that could undermine stability or facilitate opposition. As a result, cybersecurity policy often blurs into information security and counter-intelligence. The military has reportedly established a “Cyber Warfare Department” within its signals corps to both defend its networks and conduct offensive cyber operations (though details are secret). This unit likely collaborates with or is advised by allies (Russia, perhaps China) and focuses on tasks such as monitoring dissidents on social media, breaking into opposition communication channels, and guarding military infrastructure from foreign spyware. 

However, the focus on regime security can leave other national security aspects under-addressed. For instance, critical infrastructure like power grids or air traffic systems might not receive as much protection and investment as, say, the capacity to filter Facebook. A stark example of this national security interplay is the ongoing civil conflict: Ethnic armed organizations and the anti-junta National Unity Government (NUG) use encrypted messaging apps and open-source intelligence on social media to organize attacks and spread their message. The junta’s cybersecurity efforts are heavily aimed at countering these – e.g., intercepting messages, blocking mobile internet in rebel areas, and arresting people for Facebook posts supporting resistance. This dynamic shows cybersecurity as a battlefield: both sides consider secure communication and hacking as tools of war. But in this struggle, the broader notion of securing the nation’s digital frontier (against criminals or foreign adversaries) can be sidelined. 

It’s also worth noting that national security is impacted by international cyber actions – the scam centers, for example, became a national security issue when China allegedly allowed a militia attack inside Myanmar’s territory to root them out. That is a very direct case where failure to police cybercrime domestically led to a breach of sovereignty, something any government would view gravely. Thus, Myanmar’s authorities have a national security incentive to clamp down on those criminal enclaves (not just to please China, but to reassert sovereignty). Similarly, if foreign spies infiltrate Myanmar’s government networks and exfiltrate sensitive data (like diplomatic communications or military plans), that is a straightforward national security threat. There have been reports (though not publicly confirmed in detail) that Myanmar’s defense sector was targeted by malware with potential links to foreign intelligence. As Myanmar navigates relationships with big powers (China, India, neighbors), keeping state secrets safe from hacking is crucial for its strategic autonomy. 

Cybersecurity and the Economy: Myanmar’s economy is increasingly digital, and cybersecurity is a linchpin for trust and growth in that digital economy. Pre-coup, Myanmar was on a path to expanding e-commerce, mobile banking, and digital financial services as part of its development strategy. A Digital Economy Roadmap (2018–2025) was even announced, aiming to foster tech startups and online services. However, without robust cybersecurity, these economic initiatives face risks. For example, if consumers do not trust that their mobile payment apps or online banking are secure, they will be hesitant to use them, stunting the growth of fintech. We have seen some early warning signs: in 2020–21, as mobile money usage grew, there were incidents of fraud (social engineering scams where users were duped into sending money). While not highly technical hacks, these undermined confidence in the digital payment system. 

The presence of reliable cybersecurity measures can be an economic enabler. The government has discussed implementing a National Digital ID system for citizens to conduct online transactions securely. If done right, a secure eID could boost e-commerce and digital public services. But implementing such systems requires careful cybersecurity planning to prevent identity theft or misuse. Currently, Myanmar does not have a fully rolled-out digital ID, partly due to political upheaval, but also because the legal and technical safeguards (data protection, encryption standards) are not fully in place. A positive economic-security link is that some international investors and development partners are willing to assist Myanmar in cybersecurity if it means more stable conditions for commerce. For instance, the Asia Development Bank (ADB) and World Bank have at times tied digital economy support with advice on cybersecurity best practices. 

On the other hand, cybersecurity incidents can carry heavy economic costs. A successful large-scale cyberattack on a major bank could cause a loss of public funds or necessitate expensive recovery and compensation efforts. A breach of a popular e-commerce platform leaking customer details would make people withdraw from online marketplaces. In the worst case, a cyberattack disrupting power or telecommunications could grind economic activity to a halt (imagine an outage of mobile networks – businesses would be unable to process payments or communicate). Thus, investing in cybersecurity is investing in economic resilience. The government’s new law includes the goal of “supporting a digital economy based on cyber resources”, implicitly recognizing that without secure cyber infrastructure, the promise of digital economic growth will falter. 

It’s also worth noting the negative economic impact of being a cybercrime hub. The scam operations in Myanmar bring in illicit money for some, but they also scare away legitimate business. For example, the city of Yangon, which aspires to be a tech hub, now has a tarnished reputation as part of a country known for cyber scams and instability. Tech investors weigh country risk when setting up operations – issues like frequent internet shutdowns (Myanmar has had multi-day nationwide blackouts of the internet during the coup aftermath) and lack of security can deter foreign companies. The departure of Telenor, the Norwegian telecom operator, in 2022 was partly due to the untenable regulatory environment (being asked by authorities to hand over user data and assist surveillance, which posed legal and ethical problems internationally). Its exit likely set back Myanmar’s telecom sector progress and served as a cautionary tale for other international firms. All of this shows how intimately cybersecurity (and the broader digital governance) ties into economic fortunes. 

Cybersecurity and Digital Services: Myanmar’s government has been slowly digitizing public services – issuing e-visas online, electronic payment of utility bills, online business registration, etc. The success of these digital services depends on security. A single well-publicized hack can diminish user trust in e-government. For instance, if the passport application portal were hacked and citizen data stolen, people would revert to paper processes and the whole point of e-government (efficiency, accessibility) would be undermined. 

Moreover, internet reliability is part of delivering digital services. Frequent local internet shutdowns (for security crackdowns) not only disrupt access to information but also disrupt e-services and businesses. Many digital services can’t function during outages or throttling. Over the past two years, the junta has imposed local internet blackouts in various townships as a counter-insurgency measure. While they consider it a necessary security step, it has collateral damage: students can’t do online classes, hospitals can’t consult specialists via telemedicine, farmers and traders lose access to market information. The UN has documented that these shutdowns have cost Myanmar’s economy hundreds of millions of dollars. So in a way, the lack of a secure stable environment (where the state can distinguish threats without resorting to blanket shutdowns) directly hits digital service delivery. 

On the flip side, with improved cybersecurity, Myanmar could greatly expand digital services. For instance, during the COVID-19 pandemic, countries with robust digital systems moved many public functions online securely. Myanmar had limited ability to do so (and then the coup interrupted everything). But envision a future scenario where, say, land records are digitized and secured so that citizens can check or transfer property online – that would reduce corruption and improve efficiency. Achieving that requires robust backend security (to prevent tampering with records) and identity verification mechanisms. Right now, these are aspirational because the groundwork of cybersecurity isn’t fully there. 

Cybersecurity and the Political Landscape: The intersection of cybersecurity and politics in Myanmar is perhaps the most pronounced of all. The internet has become a key domain for political expression, activism, and unfortunately, repression. The military authorities view many online activities through a political lens – for example, using a VPN to access banned social media is criminalized not purely for cybersecurity reasons but because it enables people to see and share anti-regime content. The Cybersecurity Law criminalizes vaguely defined acts like “cyber mischief” or posting “fake news”, which in practice can be applied to political speech. Thus, the law has a chilling effect on online discourse. Scores of internet users, including journalists and ordinary Facebook users, have been imprisoned for their online posts since 2021, illustrating how cyber regulations are used as political tools. This environment significantly affects how people behave online – self-censorship is common, many activists have gone entirely dark or moved to anonymous platforms. It hampers the organic development of a vibrant digital society that can contribute to innovation and problem-solving. 

Political instability also hampers the institutionalization of cybersecurity. Frequent changes in government or priorities can stall long-term projects. The current junta may prioritize surveillance tech; a future government might have to rebuild trust and reorient towards citizen-centric cybersecurity (like data privacy). There is also the matter of the NUG (National Unity Government), the shadow government formed by ousted lawmakers. The NUG operates largely online and in exile, and it has its own “cyber ministry” and digital initiatives for the areas it claims. It even talked about issuing “D-pay” digital currency for fundraising. While these efforts are in early stages, they indicate that the political divide in Myanmar extends into the cyber realm: two authorities vying to govern digital space. This competition could theoretically lead to cyber skirmishes – e.g., pro-NUG hackers defacing junta sites, or the junta trying to hack NUG’s communications. Indeed, as mentioned in case studies, NUG-supporting hacktivists leaked data to help sanction the military, and the junta has probably attempted to infiltrate NUG networks. 

In essence, cybersecurity in Myanmar cannot be separated from its political context. The tools of cybersecurity (encryption, hacking, firewalls) are being wielded by different actors with different aims: the state to maintain power, activists to resist, criminals to exploit chaos, foreign states to gain influence. This makes the formulation of a neutral, professional cybersecurity posture for the nation extremely challenging. Any measures taken are viewed through a highly politicized lens, which can hinder consensus on things that should be non-controversial (like protecting hospitals from ransomware). 

Ultimately, improving cybersecurity in Myanmar could have positive ripple effects on all these fronts – national security would be bolstered by better protection of infrastructure and reduction of cybercrime, the economy would benefit from a stable and trusted digital environment, digital government services could expand underpinned by secure systems, and the political climate could slowly stabilize if cyberspace is less a wild west of misinformation and repression and more a governed space with rule of law. However, achieving that balance requires careful policy choices and, likely, a more peaceful political environment to implement them. 

Recommendations for a More Robust Cybersecurity Ecosystem in Myanmar 

Building a stronger cybersecurity ecosystem in Myanmar will require concerted effort across legal, technical, educational, and cooperative domains. Below are actionable recommendations to address current weaknesses and enhance resilience, aimed at policymakers, government institutions, and supporting partners: 

1. Develop Inclusive and Up-to-Date Cyber Strategies: Myanmar should update its national cybersecurity strategy regularly and ensure it is inclusive of multi-stakeholder input. The Cyber Security Policy 2023 is a good start, but given rapid changes, a revised strategy (for 2025–2030 perhaps) should be formulated with consultation from not just government, but also private sector experts, academia, and civil society. This strategy should set clear priorities (e.g. protecting critical infrastructure, combating cybercrime, safeguarding citizens’ data) and align resources accordingly. It should also include performance metrics and a timeline so progress can be measured annually. 

Additionally, a dedicated Cybercrime Strategy is needed. Since cybercrime (scams, fraud, hacking) is such a big issue, Myanmar should outline a plan specifically for law enforcement: training more cyber investigators, improving digital forensics labs, establishing channels with foreign police (Interpol, ASEANAPOL) to cooperate on transnational cases, and public reporting mechanisms for cyber incidents. 

2. Strengthen Legal Frameworks with Rights Protections: Address legislative gaps by enacting a Personal Data Protection Law consistent with international standards. This law should require public and private entities to protect personal data with appropriate security measures and notify users in case of breaches. It should establish an independent data protection authority to oversee compliance. Even in a challenging political climate, having data protection rules will help secure personal information (for example, preventing misuse of citizens’ data by any party). 

Revisit and refine existing cyber laws to ensure they target genuine cybersecurity concerns rather than broadly criminalizing online activity. For instance, clarify definitions in the Cybersecurity Law so that terms like “cyber mischief” are precisely defined, reducing the chance of arbitrary enforcement. Introduce safeguards and oversight for any surveillance measures – for example, require judicial warrants for law enforcement to access user data or to seize “cyber resources” from individuals. This not only protects rights but builds trust in the system, encouraging cooperation from the IT community. 

Myanmar should also consider acceding to international frameworks like the Budapest Convention on Cybercrime (or at least adopting its principles domestically). This would modernize procedural powers – enabling lawful network monitoring, evidence preservation, etc., while also reassuring other countries that Myanmar is committed to tackling cybercrime, not sheltering it. If full accession is politically unpalatable, Myanmar could engage in the UN’s ongoing cybercrime treaty discussions to benefit from global best practices. 

3. Invest in Capacity Building and Talent Development: A top priority is addressing the human capital shortage in cybersecurity. The government, possibly with donor support, should launch a Cybersecurity Capacity Building Program offering scholarships, training, and certifications for Myanmar’s students and IT professionals. This could include: 

• University Programs: Encourage universities to create cybersecurity degree or diploma programs. Partner with foreign universities (e.g., in Singapore, India, or Australia) to develop curriculum and exchange programs. 

• Certifications and Workshops: Sponsor young professionals to attain internationally recognized certifications (like CISSP, CISM, CEH). Host workshops and bootcamps led by experts (even virtually) on topics like network defense, secure coding, and incident response. 

• Cyber Ranges and Labs: Establish a national cyber range or simulation lab (perhaps at NCSC or a major university) where trainees can practice defensive and offensive cyber techniques in a controlled environment. This would greatly improve practical skills for the CERT team, police, and system admins in critical sectors. 

• Train-the-Trainer: Given resource constraints, implement train-the-trainer programs where a batch of people are extensively trained and then tasked to train others in their organizations or regions, multiplying the effect. 

Additionally, embed cybersecurity in general education and public awareness. For general internet users, launch awareness campaigns about common threats (phishing, scams, weak passwords). This can be done through social media, SMS blasts by telecom operators, and integration into digital literacy programs. The more the public knows about scams (like pig-butchering methods) and basic hygiene, the less vulnerable they become, thereby strengthening the overall ecosystem. 

4. Enhance Critical Infrastructure Protection: Myanmar should identify and prioritize defenses for its most critical systems – power grids, banking systems, telecommunications networks, healthcare, and government services. Each critical sector should create a Cybersecurity Action Plan with the following: 

• Risk Assessment: Conduct thorough audits of current systems to identify vulnerabilities. International experts or firms might assist in this initially. For instance, scan the banking sector for outdated software and enforce upgrades. 

• Minimum Security Standards: Establish baseline security standards that each critical information infrastructure operator must meet (e.g., requiring up-to-date antivirus, firewalls, data backups, and access controls). As indicated by the NCSI guidelines, include government agencies under these requirements. 

• Incident Response Drills: Mandate annual cybersecurity drills in each sector. Simulate attacks (like a ransomware outbreak in a bank or a DDoS on telecom networks) and test how the organization and national CERT respond. This will expose gaps in preparedness and improve coordination when a real incident occurs. 

• Information Sharing Mechanism: Create a platform for critical sector organizations to share threat intelligence with one another and with mmCERT in real time. For example, if one bank detects a new phishing campaign targeting customers, it should alert other banks and CERT promptly. This could be facilitated through a secure portal or email list managed by NCSC. 

• Protection of Government Websites and Domains: Many Myanmar government websites have been poorly secured (.mm domains were easily defaced). Implement cloud-based security (through services like Cloudflare or others) for DDoS protection and use modern web frameworks to reduce vulnerabilities. All official websites should switch to HTTPS and use security certificates to prevent spoofing. 

5. Tackle Cyber Scam Operations with Law Enforcement and International Help: The cyber scam hubs are a unique challenge that requires a bold response. Myanmar’s authorities should treat dismantling these scam compounds as a top law enforcement priority for both domestic and diplomatic reasons. Recommended steps: 

• Form a joint task force comprising police, military (if necessary due to armed resistance in areas), and cyber investigators specifically to map out, infiltrate, and take down these scam operations. This may involve classic policing (raids, arrests) supported by cyber intelligence (tracking crypto transactions, identifying server infrastructure). 

• Increase cooperation with neighboring countries and China. If direct action by Myanmar’s government is difficult in certain areas, covert or joint operations might be arranged. At the very least, intelligence sharing is crucial – exchange information on key syndicate leaders, financial flows, and technological footprints of these groups. 

• Leverage international justice mechanisms: Collaborate with Interpol to issue notices on scam ring leaders and traffickers. Present evidence to United Nations Office on Drugs and Crime (UNODC) to potentially get assistance or attention on the trafficking aspect. 

• At the policy level, strengthen anti-money laundering measures to make it harder for scam revenues to flow. Work with banks to flag unusual transactions possibly tied to scam payments. 

The objective should be to eradicate the safe havens these groups enjoy. Not only will this directly protect countless victims globally, it will also improve Myanmar’s standing and remove a negative element from its territory. The US sanctions and Chinese pressure have created some momentum – Myanmar can capitalize on that by showing it is serious about shutting the scams down, which might open the door for more international support and less punitive action. 

6. Improve Regional and International Cooperation: Despite political issues, Myanmar can still engage in practical cooperation for cybersecurity. For instance: 

• Continue participating in ASEAN cybersecurity initiatives. If politics restrict ministerial involvement, encourage technical experts (CERT staff, etc.) to join ASEAN CERT discussions and joint exercises. These exercises can provide valuable learning and networking. 

• Use Track 2 or academic forums to keep channels open. Myanmar’s cybersecurity academics or professionals can join regional conferences (like Cybersecurity Week in Singapore or FIRST forums) to learn and share, even if official representation is complicated. 

• Bilateral cooperation on specific issues: Myanmar might quietly coordinate with countries like Singapore or Vietnam that have advanced cybersecurity – perhaps learning from Singapore’s Cyber Security Agency or Vietnam’s experience in building a cyber command. Also, cooperating with India and Bangladesh on cyber threats could be mutually beneficial given they share similar challenges (India, for example, has expertise in digital ID security which could inform Myanmar’s eventual digital ID). 

• Pursue capacity-building offers from neutral organizations. The ITU and UNDP often have programs for cybersecurity in developing countries that Myanmar could join. Also, organizations like the Global Forum on Cyber Expertise (GFCE) might include Myanmar in their projects, especially if Myanmar articulates areas of need. 

7. Establish an Independent Advisory Group or CERT Advisory Council: To build trust and expertise, Myanmar could set up an independent Cybersecurity Advisory Council composed of respected local IT experts, industry reps, and maybe international advisors (from ASEAN or UN). This council can advise the government (or CCC) on implementation of cybersecurity measures and act as a bridge with the tech community. It should have a mandate to review major policies for their security efficacy and impact on the digital economy. An independent voice can help ensure that security measures are balanced and evidence-based. 

For instance, before enforcing a ban on a certain software, the council could weigh in on the consequences. Or it can recommend best practices like adoption of encryption standards, secure procurement guidelines (so that when Myanmar buys technology, it considers cybersecurity criteria to avoid supply chain risks). 

8. Enhance Public-Private Partnerships: Engage the private sector not just as a regulated entity but as a partner. Telcos, banks, and tech companies have some of the most skilled IT personnel in Myanmar. The government should create platforms for these professionals to contribute to national cybersecurity dialogues. For example, form sector-specific working groups (Banking Cybersecurity Working Group, Telecom Security Working Group) that meet with NCSC officials quarterly to share insights and coordinate on emerging threats. 

Moreover, encourage private cybersecurity startups or services. If licensing is required for cybersecurity service providers (as per the new law), ensure the process is transparent and not overly burdensome, so that more companies can enter the field and offer services like penetration testing, security audits, and managed security services to those who cannot do it in-house. Possibly provide incentives or grants for startups focusing on cybersecurity solutions tailored to Myanmar (such as a local language anti-phishing tool or a mobile security app for citizens). 

9. Focus on Resilience and Continuity: Given Myanmar’s political instability and conflict, it’s important to plan for resilience. Ensure critical data has offline backups in safe locations. For example, national databases (citizen ID, land registry, etc.) should be periodically backed up to an immutable storage or even printed to microfiche for worst-case scenarios. Train staff in continuity plans so that if systems are attacked or if the internet is cut off, there are manual or alternative procedures to keep essential services running (this is more disaster-recovery than pure cyber, but the two overlap). 

10. Promote Cyber Ethics and Responsible Use: This is a longer-term soft measure: cultivate a culture of cyber ethics, especially among youth and government personnel. The aim is to reduce insider threats and discourage the allure of cybercrime. Educational curricula can include ethics in computing. Government employees with access to sensitive systems should be regularly briefed on rules and the importance of not abusing their access (for example, not snooping on data they aren’t supposed to). Encouraging whistleblower protections for those who report security weaknesses or corruption in ICT procurement can also help reveal issues before they become breaches. 

Implementing these recommendations will not be easy, especially in Myanmar’s current context. However, even incremental progress on each front can cumulatively make a significant difference. A more robust cybersecurity ecosystem would mean: 

• Government agencies and businesses are better defended against attacks. 

• The public feels safer online, which encourages digital innovation and participation. 

• International confidence in Myanmar’s cyber reliability improves, attracting investment and cooperation. 

• The country can gradually shed the image of a cybercrime haven and become a responsible member of the global digital community. 

Crucially, Myanmar must balance security measures with respect for human rights and the needs of a digital economy. Over-securitizing the internet by excessive censorship or draconian rules can be counterproductive, as it stifles the very benefits of digital technology. Thus, Myanmar’s policymakers should strive for a measured approach: protect networks and users from real threats, crack down on cybercriminals and malicious actors, but also protect citizens’ rights and access to information. Doing so will lay the groundwork for a secure, prosperous, and open digital future for Myanmar. 

Conclusion 

Myanmar’s cybersecurity system is at a crossroads. The past decade has seen the country step gingerly into the digital age – expanding internet access and digital services – only to be confronted by significant challenges: minimal preparedness, aggressive cyber threats, internal conflict spilling into cyberspace, and a policy environment dominated by security concerns. We have examined how Myanmar’s cybersecurity infrastructure is structured, noting the roles of key government bodies like the NCSC and the nascent Cybersecurity Central Committee, as well as the growing involvement of private sector players. We highlighted achievements such as the new Cybersecurity Law and strategy, and collaboration with international partners, which represent positive momentum towards a more secure cyber realm. At the same time, we analyzed deep-seated weaknesses: outdated laws, lack of skills, vulnerable infrastructure, and a focus on information control over comprehensive security. 

In the global context, Myanmar’s experience is a cautionary tale of how quickly a country can become both a target and a source of cyber threats if governance falters. The case studies – from hacktivist leaks to billion-dollar scam operations – demonstrate the tangible impacts of cybersecurity (or the lack thereof) on national security, reputation, and citizens’ well-being. The intertwining of cybersecurity with Myanmar’s national security strategy, its economic prospects, and its turbulent politics cannot be overstated. 

Moving forward, implementing the recommended steps – from legal reforms and capacity building to critical infrastructure protection and international cooperation – will be crucial. These steps are ambitious and will take time, resources, and political will. Yet, they offer a roadmap for Myanmar to transition from a position of cyber fragility to one of cyber resilience. By training its people, hardening its systems, engaging constructively with global norms, and fostering trust in cyberspace, Myanmar can build a cybersecurity ecosystem that supports both its security and the prosperity of its citizens. 

For general readers, the key takeaway is that cybersecurity is not just a tech issue; it’s about safeguarding everyday life in the digital era. For technical professionals, Myanmar presents unique challenges and opportunities to apply solutions in a resource-constrained environment – innovation and cooperation will be key. For policymakers, the situation underscores that effective cybersecurity governance must balance vigilance with openness. As Myanmar navigates the continuing evolution of cyberspace, a collective effort from all stakeholders will be needed to ensure that its digital future is secure, inclusive, and aligned with the broader global move towards a safer internet for all. 

Learnmore……