Cyberwar: Is Phl defenseless?

In the 5th century BC, historian Thucydides introduced the concept of the two domains of warfare – land and sea. World War I resulted in air becoming the third domain. Subsequently, satellites made outer space the fourth domain. Now, the ubiquity of the internet which has brought unprecedented prosperity and enhanced quality of life has also left societies vulnerable to its weaponization. In 2011, the US Defense Department added cyberspace as the fifth domain into their planning, doctrine, resourcing and operations.

Richard Clarke and Robert Knake, former US counter-terrorism officials, recently come out with a book “The Fifth Domain” where they discuss various hacking menaces to the computer networks that are part and parcel of modern life. For the most part, business and especially the financial sector have been coping with cyber-attacks such as financial fraud and ransomware attacks that can put hospitals, drug factories, and shipping firms out of commission. They say, however, that the capacity to deal with threats to national security seems to be lagging. These include Russian, Iranian, and North Korean cyber-incursions; the subversion of voting systems; and the commandeering operation systems of utilities that could destroy electric grids and gas pipelines. The book mentions real and potential cyber-attacks on military targets like missiles, drones, helicopters, aircraft and ship propulsion and navigation.

Whereas the four traditional domains require massive physical assets to dominate, cyberwarfare/cyber-terrorism can be waged from a room in some nondescript building and without declaration. Unfortunately, while the US continues to dominate the four domains — for now — it has failed to keep up with cyber threats from abroad. China and Russia have re-routed internet traffic to their own servers. Iran has in the past disrupted the websites of the largest eight US banks and it is expected that the current US-Iran conflict will be fought in cyberspace. US intelligence agencies acknowledge that Russia has the ability to disrupt America’s power grid and that China can take control of the natural-gas pipeline. The failure of the US to achieve dominance in cyber’s fifth domain has created instability, and, as the authors warn, “instability can lead to war.” They predict that the next major US war “will be provoked by a cyberattack”.

The Internet of Things

Our vulnerability to cyber-attacks will increase exponentially with the rapid adoption of IoT. The IoT is comprised of the billions of online objects embedded in our homes, workplaces and cities, that are constantly collecting, analyzing and transmitting data and triggering an action in response to pre-set parameters. That ranges from alerting a refrigerator malfunction to the automatic braking of a car or train, the triggering of heart pacemakers, traffic light operation, navigating vehicles, safety monitoring of refineries and chemical plants, operating surveillance cameras, subway cars and airport trams, drones, switches on electric power substations, office building HVAC sensors and controls, elevators and so on.  There are now 20 billion IoT devices and this  is expected to reach 75 billion by 2030 according to Gartner. According to a 2015 Frost & Sullivan report, Philippine spending on IoT is forecasted to grow to $766.8 million in 2020. With the roll-out of 5G technology in the country, that number is expected to take a quantum leap. Each device provides a potential entry point to hack a network.

Most IoT devices are vulnerable by choice for cost considerations or because of a lack of security awareness by both users and manufacturers. From 2016 to 2017, there was a 600 percent increase in IoT attacks. Imagine the damage and chaos from our power grid being put out of commission, traffic lights being out of sync, or even seismic sensors on Taal shutdown or fed false information.

How prepared are we for cyberwar/cyberterrorism?

Within hours of the Permanent Court of Arbitration’s unanimous rebuke of China’s territorial claims in the South China Sea on July 12, 2016, at least 68 national and local government websites in the Philippines were knocked offline in a massive distributed denial of service (DDoS) attack. The attacks that ensued over several days targeted key government agencies, including the DFA, DND, BSP, and PMS, along with smaller local government units thus limiting their ability to conduct normal functions. While China denied it was behind the attack, the context and timing are certainly damning. That claimants to the South China Sea - Philippines and Vietnam - have been targeted in the past belies the obvious. 

DDoS are just the warning shot. Most times, DDoS attacks end up with a restoration of web service and an increase in network security to help thwart such attacks. But there are other more destructive tools designed to shut down critical national infrastructures (such as energy, transportation, government operations) and to steal or wipe out massive amounts of data that will cripple the economy.  The proliferation of IoT will only increase the points of attack.

Are we prepared to deal with these attacks? We have a National Cybersecurity Plan 2022 which was promulgated in 2017. DICT is tasked with its implementation along with the DND. I am not really sure at what stage of implementation it is. But it does recognize that we are still at the infancy stage in our cybersecurity and so, hopefully, our leaders and lawmakers are aware of the magnitude of the challenge. Like any plan, it needs to be reviewed and updated regularly. I would suggest that it would be worthwhile to consider best practices from other countries like Singapore.

Indeed Singapore began its cyber security planning by conducting a cyber-threat readiness survey to pinpoint the issues, needs and solutions. The private sector was engaged in formulating the Cybersecurity Plan and given ownership of certain security responsibilities. A comprehensive review of the legal environment was undertaken and relevant laws and more effective enforcement were formulated. And above all, adequate budget was allocated.

For the Philippines, cybersecurity must be a top-level concern to muster the necessary funding and to make it a whole-of-society effort. I call on our leadership to give this its utmost attention.