What is the state of cybersecurity in the country?

Last week, I wrote about our state of preparedness (or lack of) to deal with cybercrime  and the threat of cyberwar/cyberterrorism or what is now termed as the Fifth Domain. Since then, I had the opportunity to consult with people in the know and I came away with this impression: we have made progress in enhancing our capability to combat cybercrime but woefully unprepared to deal with cyberterrorism and cyberwar.

Our capacity to deal with cybercrime is more advanced because they affect our online interaction which today practically encompasses all aspects of our daily existence – work, education, health, banking, communication, public services, and storing personal data, among others. So it is in the interest of the general public, business and government to ensure the integrity of the system. They are in constant dialogue and have engaged with experts here and abroad. There are legislations in place to protect both users and providers and to arm regulators with effective enforcement mechanisms. There is the Electronic Commerce Act of 2000, the Data Protection Act of 2012 and the Cybercrime Prevention Act of 2012, which criminalizes offences that violate the integrity of computer data and systems, that uses computers to commit crime such as fraud and content-related acts like pornography and libel. The Philippines also acceded to the Budapest Convention on Cybercrime in 2018 which is the first international treaty on crimes committed via the internet and other computer networks aimed at pursuing a common criminal policy against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.

Singaporean approach

There is no similar legislation that covers threats to the country’s national security – particularly against cyberterrorism and cyberwar. Singapore’s Cybersecurity Act establishes a legal framework for the oversight and maintenance of national cybersecurity. The Act strengthens the protection of critical information infrastructure against cyberattacks, empowers the Commissioner of Cybersecurity to deal with threats or incidents, and establish a regulatory framework that is conducive to the growth of a vibrant cybersecurity ecosystem. Singapore began its cyber security planning by conducting a cyber-threat readiness survey to identify issues, needs and solutions. The private sector was engaged in jointly formulating the Cybersecurity Plan and given ownership of certain security responsibilities. A comprehensive review of the legal environment was undertaken and relevant laws and more effective enforcement were formulated. If we had undertaken a similar exercise perhaps the issue of co-location and erection of transmission towers could have been avoided.

DICT

The closest equivalent we have is the law creating the DICT which vests it with wide-ranging powers to develop a cybersecurity ecosystem for the country. It has done so by developing the National Cybersecurity Plan 2022 with the objective of serving as a roadmap of actions to safeguard the cyberspace against threats and attacks. Its goals are to assure the continuous operation of our nation’s critical infostructures, public and military networks; to implement cyber resiliency measures to enhance our ability to respond to threats before, during and after attacks; effective coordination of enforcement and promoting a cybersecurity educated society.

NCSP vs NEDA clout

The Plan practically mirrors that of Singapore well enough. The difference is in implementation. I have several concerns. The first has to do with DICT’s clout and how it can ensure compliance with the NCSP. NEDA draws up the Philippine Development Plan (PDP) and is approved by the NEDA Board which is chaired by the President and with key Cabinet Secretaries as members. This serves as the blueprint for each Department’s budget particularly the public investments program. With the NCSP there is coordination but not at the level of Cabinet Secretaries and certainly the President is not on top of it. Cybersecurity readiness is a whole-of-society effort and who better to lead it than the President. In fact, DICT should be a member of the NEDA Board.

Budget

This gives rise to my second concern – the adequacy of budget support. The PDP serves as the basis for each Department’s budget. In contrast, funding for the implementation of the NCSP will come from the line budget of DICT which is in itself limiting. 

Manpower

My third concern is about adequate competent manpower. From what I gather, the DICT has competent staff but is unable to hold on to them. The particular skills involved are coveted by the private sector and other government agencies and so I am not surprised that the turnover is high. The dearth of cybersecurity personnel in the Philippines has led to the engagement of foreign consultants and to outsourcing.  This is not sustainable and quite expensive. There is some training available based on European Council standards. Only two schools though currently offer degree programs on cybersecurity.

Ethical hacking has come into its own because of rampant cyber threats such as data security breaches, ransomware, and using AI as weapons. They are employed to fight against security breaches of both government and private website; take proactive measures against hackers; and to build a system that helps prevent penetration by hackers. They should be recognized and allowed to flourish. Their services would be indispensable if the government is to swiftly respond and recover from cyberattacks.

Black Hole: DND/AFP

The black hole here is the capability of the DND and the AFP who prefer to keep things close to their chest. The Philippines has been targeted in the past such as when a massive distributed denial of service (DDoS) attack on July 12, 2016, knocked offline 68 national and local government websites within hours of the PCA’s unanimous ruling against China’s South China Sea territorial claims.

There are other more insidious tools than DDoS designed to shut down critical national infrastructures (such as energy, transportation, government operations) and to steal or wipe out massive amounts of data. The proliferation of IoT devices will only increase our vulnerability.

The AFP has announced a strategic plan to increase its cybersecurity manpower capability. They need not look further. There is a ready-made pool of cybersecurity resource in the military academies if this can be incorporated into their curriculum.

This is the 21st century which demands the technical competence of youth, not retirees like this columnist.