Update our cyber laws

As the world shifts more and more into digital mode, we are woefully unprepared to deal with the bad elements that go with it. Our overpaid members of Congress have failed to update our cyber laws.

As digital adoption in the Philippines increases, so does the risk. The Kaspersky 2019 report places the Philippines as the fourth country with the highest number of online threats.

The Philippine threat landscape and risk to corporations has increased during COVID 19. This is likely driven by digital transformation, growth in applications, and the remote work ecosystem.

It is estimated by industry leaders that over 100 million Philippine user records have been exposed on the dark web.

A banking industry presentation I saw reveals that the Philippines is the number one country attacked in South East Asia. There are over 25,000 phishing sites targeting the Philippines and the threat actor groups in the country have expanded by 500 percent in five years.

We have to be many steps ahead of cybercriminals, but unfortunately our cybercrime law has not kept pace with how criminals exploit technology. For example, phishing as a crime is not yet defined in our law.

The US has an anti-phishing act, but the nearest thing we have in our current law is the Access Devices Regulation Act. But that is really more about credit card fraud and ATM skimming (and the artifacts needed here to prove a crime has been committed is illegal possession of credit cards and/or ATM cards). In phishing and social engineering attacks, account takeovers are done online (no contextual artifact equivalent to a card), so how to prove the crime?

In the US, they have the Computer Fraud and Abuse Act (CFAA) of 1986 (amended in 2008) that stated  phishing constitutes wire fraud, which carries a potential imprisonment of up to 20 years. Phishing is also covered under various state laws.

The good news is... there is a pending bill in our Congress proposing amendments to RA 10175,  otherwise known as “The Cybercrime Prevention Act of 2012.” The pending bill is HB 07712, sponsored by Rep. Junie Cua, the chairman for the House Committee on Banks and Financial Intermediaries.

There is a similar bill in the Senate (SB 1894) sponsored by Sen. Grace Poe, who chairs the Senate Committee on Banks, Financial Intermediaries and Currencies.

In addition, Rep. Cua is also sponsoring HB 9615 – the Bank Account and E-Wallet Regulation Act, which would criminalize the use of “mule” accounts.

Unfortunately, our legislators are distracted by pork funds and the coming election. These vital bills have not been given the priority required to protect our people and our economy.

The Bankers Association pointed out in a presentation to some legislators the challenges in enforcing our outdated cyber law.

Offenses are bailable except for violation of the Access Devices Regulation Act that constitutes economic sabotage.

Cybercriminals are no longer just attacking IT and security systems, but exploiting customers through social engineering schemes (phishing, vishing, smishing); fault passed on to the victim.

Strict bank secrecy laws make it difficult for victims and banks to return alleged “stolen” funds. There is a proliferation of money mules/ mule accounts to avoid arrest.

There is also a lack of trained law enforcers to deal with highly technical criminal acts. There is a need to train lawyers/ prosecutors and law enforcement agencies on the various forms of cybercrime. We can perhaps arrange to have NBI, PNP, and DOJ officials train with the FBI to enable them to deal with cyber criminals.

Some banks are continuously improving security systems, but cybercriminals are also continuously improvising fraudulent schemes. Our government plays catch-up to newly reported cybercrimes.

Dealing with cybercrimes must be a top priority of our government. We cannot transform into a digital economy if online fraud is rampant.

As we have seen in the recently publicized case of identity theft that caused a housewife to lose over P1.7 million through the SIM swap fraud, the crime was done digitally.

In that case, the victim bank’s fraud management system had an inadequate velocity check (multiple transactions) that eventually locked out the credit card, but still allowed so much money to be transferred in transactions that were out of the victim’s pattern of use.

The phone company also had inadequate safeguards to prevent the use of a fraudulent identification card when an impostor requested to suspend the victim’s account. Perhaps a SIM can be made specific to a phone to thwart a digital takeover.

Unless we all get some amount of protection, our digital transformation will not happen smoothly as distrust of anything digital sets in. There must be some way to keep customers whole provided they are innocent victims.

But in the end, our cybercrime law needs to be updated. Law Enforcement Agencies need proper tooling and training. Our judiciary and prosecution officials, likewise, need to be conversant with the law and the nature of the crime.

Malampaya

Much has been written about the Malampaya deal to a Duterte crony. My big fear, other than the implied sweetheart deal, is that we may end up losing what remains of the gas reserves.

This looks like a replay of the political interference in the development of the Malampaya oil rim by then PGMA. Because PGMA insisted on awarding the deal to an unqualified crony, we lost potential oil production altogether.

For Malampaya, work should have started in 2020 to prove there are additional gas reserves. Five wells are supposed to be drilled at $100 million a well. It has not been done or even started.

I heard from a reliable source that a large number of operations engineers have left. In the recent 21 day maintenance shutdown, only 26 percent of the originally planned work was done due to manpower/material delivery problems. Thus, we need another shutdown next year.

I understand Shell has not been paid pending formal government approval. Does this mean Malampaya is in an ownership limbo?

Unless Malampaya is handled professionally in the meantime, reduced pressure on the existing wells poses a risk that more of the remaining reserves will become unrecoverable.

Boo Chanco’s email address is [email protected] .Follow him on Twitter @boochanco