Putrajaya’s in-house digital development directive has drawn concern from industry players who argue that data sovereignty can be achieved without sidelining the private sector that Malaysia has spent decades building.
The directive, as conveyed by Prime Minister Anwar Ibrahim to his cabinet on June 5, requires all government digital services to be developed internally to safeguard data security and sovereignty.
Government spokesperson Fahmi Fadzil told a post-cabinet meeting press conference that the internal development of digital services, including direct access to source code and talent development among civil servants, would be coordinated by the Digital Ministry through the National Digital Department.
However, certain quarters Malaysiakini approached said details available on the policy thus far hint at a potential conflation between two distinct goals: controlling national data and cutting out private developers.
Pursuing both aims together, they cautioned, might risk doing more harm than good.
Vicks Kanagasingam, who previously led the protem data governance committee under the Digital Ministry, said that while he supports the policy direction, it is vital to consider how the directive shifts the economics of the local tech ecosystem.
He pointed out that for decades, the public sector has been one of the largest and most reliable spenders on IT services, software licences, and system integration.
As such, he said that while the policy aims to boost capabilities within the public sector, its impact on private tech vendors and startups will be a mix of disruptive displacement and new, specialised opportunities.
“The most immediate and severe impact will be felt by traditional IT system integrators and vendors who rely heavily on government procurement contracts for their revenue.
“Simple, repetitive projects like building ministry websites, basic administrative portals, database entry forms, or standalone applications, will be cut off from the private sector entirely,” Vicks said.
Noting that many legacy vendors survive on “lucrative” and recurring annual maintenance contracts, the era of locking government agencies into proprietary vendor code to secure indefinite maintenance fees is likely to come to an end.
This, he said, is because the prime minister’s directive explicitly demands government ownership of the source code.
Investing in expertise
However, Vicks opined that the directive does not mean the government stops spending on the private sector entirely. Instead, it changes what is being bought - rather than purchasing finished software, the government could instead invest in expertise and guidance.
Considering how the government will still need private-sector expertise to avoid project failures, he recommended that start-ups and tech companies with deep domain knowledge in artificial intelligence, cloud orchestration, or cybersecurity pivot toward a “consultative, staff-augmentation model.”
“Instead of selling a ‘turnkey’ system, private companies (can) embed their top senior engineers inside the Digital Ministry to co-architect systems and mentor civil servants, (thus shifting) the private sector’s role from builders to enablers,” he said.
If such companies can adapt their offerings as plug-and-play application programming interfaces (APIs) or software development kits (SDKs) which internal government developers can integrate directly into public platforms, their businesses could thrive under the new policy, Vicks added.
Small talent pool
The most disruptive consequence of the directive could be the intensified competition it would trigger for an already scarce pool of technology talent within the nation.
Vicks noted that to successfully build internally at scale, the Digital Ministry would need to “aggressively recruit” local software engineers, data scientists, and product managers.
As such, should the government introduce competitive, specialised tech salaries to do so, it could potentially drive up the cost of talent nationally, thus pricing out early-stage local startups that are already struggling to compete with multinational firms.
The Malaysian Association of Bumiputera ICT Industry and Entrepreneurs (NEF Malaysia) highlighted that the country has only 13,000 cybersecurity professionals against an identified need of 25,000.
The association further cited the World Bank's Malaysia Economic Monitor from October 2025, which found that the Digital Ministry itself reported a 64 percent difficulty rate in hiring digitally competent staff, with barriers described as structural rather than salary-related.
NEF Malaysia president Lilyana Abdul Latiff explained that when government contracts disappear, local ICT companies can no longer sustain the specialists they have developed.
“Malaysia bears the full cost of training these professionals through public universities and government scholarships, yet Singapore, Australia, the United Kingdom, and the United States are ready to absorb this talent the moment local opportunities dry up.
“This is an extraordinarily expensive paradox for national development, and one that directly contradicts the very digital sovereignty objectives the directive seeks to achieve,” she said in a June 9 statement.
Consider hybrid co-creation model
While commending the directive as a “strategic push” to mature Malaysia’s internal tech capabilities via smart, collaborative architecture, Vicks proposed that the solution lies not in abandoning the policy’s ambitions, but in reframing how they are pursued.
Arguing that it would be “practically impossible” and “highly inefficient” for the government to cut ties with the private sector entirely, he stressed that there is a need to focus on a hybrid co-creation model to cement the policy’s realistic survival.
As such, he vouched for a public-private partnership where private experts co-develop alongside government teams and allow the state to retain the intellectual property (IP), source code, and data pipelines, rather than being locked into proprietary vendor software.
The Digital Ministry, he added, should act as an enterprise architect by setting mandatory APIs, data standards, and security frameworks that all agencies build upon, rather than each ministry developing in isolation and repeating the “historic issue” of silos.
Strategic control
The distinction between co-creation and exclusion sits at the heart of a broader argument raised by Endry Lim, a member of the protem data governance committee who advises the Digital Ministry specifically on AI matters.
Implying that the directive’s underlying premise needs to be interrogated before its implementation is debated at all, Lim emphasised that “sovereignty” is not all about isolationist control over everything.
Rather, he said, it is strategic control over the layers that matter: data, architecture, governance, auditability, resilience, and accountability.
He told Malaysiakini that for government and critical national information infrastructure (NCII) systems handling sensitive data such as those on finances, health, identity, or tax records, the control threshold must be high and data must not leave the country's jurisdiction.
But, the more pertinent question, he said, should be the issue of data residency, model governance and accountability - not of who writes the code.
“The argument on sovereignty is not the same as insourcing. A system can be built internally and still be insecure, poorly governed or fragmented.
“A system can involve private partners and still be sovereign if the architecture, contracts, audit rights, source code access, exit rights, and accountability structures are properly designed,” he added.
Another more pertinent query, he said, is not whether development happens in-house or is outsourced, but what the government must own, what it must control, and where the broader ecosystem can safely contribute.
However, not everyone shares those reservations about the directive's fundamental premise, and among its supporters, the case for the policy spans both the domestic and the geopolitical.
Besides flagging implementation risks, Vicks also said the directive's ambition aligns squarely with Malaysia's AI Nation 2030 goal, noting that to become an AI nation, a country must become a builder and not just merely consume foreign technology.
By requiring government agencies to develop services internally, Putrajaya creates what he labelled as a “massive, continuous sandbox” for technology deployment within the civil service, who will be expected to up their tech literacy instead of just being project administrators managing vendor contracts.
Right move
Cybersecurity practitioner Murugason R Thangaratnam said the directive represents far more than a procurement decision, describing it instead as a “strategic shift” in how Malaysia safeguards, governs, and derives value from one of its most critical national assets: data.
Situating the policy within a broader geopolitical context, he cited an increasingly fragmented digital landscape where foreign technology giants dominate global infrastructure and geopolitical rivalries influence technology access, opining that Malaysia is right to chart a different path.
The rationale for the move, he said, is compelling on four fronts, including retaining full control over where national data resides and who can access it, as well as gaining direct visibility into system vulnerabilities without depending on external vendors to respond.
Besides that, he also mooted the policy’s ability to cultivate a generation of engineers and cybersecurity professionals within the public sector who understand local realities, and reduce exposure to political and economic pressures from beyond the country’s borders.
While he acknowledged challenges such as ageing legacy systems, budget constraints, talent shortages, and the broadening cyber threat landscape that comes with expanding digital services, the University Malaysia of Computer Science & Engineering adjunct professor of practice held firm to the direction.
“The cost of building sovereign digital capabilities may be significant, but the cost of surrendering control over critical national systems is far greater.
“The question is no longer whether Malaysia should build its own digital future - instead, it is whether Malaysia can build it well enough to become a regional model for digital sovereignty in the years ahead,” Murugason said when contacted.
‘Fit for purpose’ solutions
For NEF Malaysia, that question cannot be answered without greater transparency from Putrajaya on what prompted the directive in the first place, which will then allow the industry to respond constructively and propose solutions that are “genuinely fit for purpose”.
As such, the association called on the government to provide a fuller public explanation of the policy rationale, including any specific security incidents, risk assessments, or governance gaps that informed the directive.
In calling for the immediate establishment of a government-industry joint working group to design an implementation framework before the directive is fully operationalised, NEF Malaysia stressed that a policy of this magnitude with far-reaching implications warrants transparent public deliberation.
“NEF Malaysia does not oppose public sector digital transformation. We do not question the intent of this directive - we question its breadth and the unintended consequences that are otherwise unavoidable,” Liyana said.
“What is needed is the willingness to design smarter policies. NEF Malaysia, and our partner network of similar industry associations, offer our full cooperation to achieve that goal.”
She added that NEF Malaysia will be submitting formal letters to the Prime Minister's Office and the Digital Ministry, requesting the scheduling of an official dialogue within 60 days. - Mkini
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.