Cybersecurity in the Philippines remains in its infancy stage. Several initiatives to address cybersecurity concerns have been undertaken in the previous administrations, all of which were inadequate in deterring a good number of cyber threats that transpired in recent years.
In March 2013, after the Lahad Datu incident in Sabah, Malaysians defaced Philippine Web sites apparently to send a message to Filipinos to keep away from Sabah. In retaliation, Filipinos likewise defaced Malaysian Web sites. In May of the same year, Taiwanese hackers defaced Philippine Web sites to compel the Philippine government to apologize for the death of a Taiwanese fisherman due to a shooting incident involving Philippine Coast Guard personnel.
There are numerous other examples. On Nov. 2014, government Web sites were hacked by Anonymous-affiliated hackers to show discontent over the alleged incompetencies of government officials in addressing the aftermath of Yolanda. On April 2015, in response to the (illegal) reclamation done by China in the West Philippine Sea, Filipino hackers defaced Chinese government, educational and commercial Web sites.
Two of the biggest blows came next. In Feb. 2016, hackers breached the computer system of Bangladesh Bank and attempted to withdraw $1 billion from the Federal Reserve Bank of New York. Out of the $1 billion, $81 million was successfully transferred to the Philippines. Then in March, Anonymous Philippines hacked the Web site of the Commission on Elections, stole sensitive personal information of registered voters, and compelled the Commission to implement the security feature of the precinct count optical scanners. In July of the same year, after the Permanent Court of Arbitration ruled in favor of the Philippine in the West Philippine Sea, some Philippine government Web sites were hacked.
These incidents show that data networks of the Philippine government are not as secure as they should be. As technology advances, so does the knowledge of hackers. As such, the government should not remain complacent in maintaining cybersecurity. Continuous improvements of security measures in cyberspace should be vigorously pushed.
Hopefully, this will change with the implementation of the National Cybersecurity Plan (NCSP) 2017-2022, which was launched by the Department of Information and Communications Technology (DICT) in May. The launch is seen as a crucial first step in building the country’s security posture in cyberspace. The formulation of the NCSP not only provides strategic directions for the government in addressing cybersecurity concerns, but more importantly, it shows the government’s commitment to include cybersecurity in its priority agenda.
Under the NCSP, among the key government agencies tasked in maintaining security in the cyberspace include the DICT, the Department of National Defense (DND), the Armed Forces, and the Philippine National Police (PNP). While these agencies appear to have interlocking jurisdictions, the roles and functions of these agencies are clearly defined in the law.
The DICT has four main thrusts: make critical infrastructure trusted and secure; make government information environment secure; raise cybersecurity awareness of individuals; and make business and supply chains secure. Taking into account these trusts, DICT is the primarily responsible in the formulation, recommendation and implementation of national policies, plans, programs and activities related to cybersecurity activities. It shall likewise provide technical expertise to government agencies governing cybersecurity.
On the other hand, the PNP shall be the lead agency in the investigation, enforcement, and prosecution of cybercrimes; and likewise lead in domestic national security operations. DND, together with the Armed Forces, shall be the lead agency for National Cyber Defense, which would include the defense of military network from cyber attacks; gathering of foreign cyber threat intelligence and determination of attribution; and investigation of cybercrimes under military jurisdiction, among others.
Interestingly, the Philippine Cybersecurity Conference of the DICT held Feb. 26-28 shed light on the programs and initiatives undertaken by these government agencies to fulfill these roles and functions. Applaudingly, these agencies have carried out measures focused on legal, technical, organizational, capacity-building and international cooperation that would improve its cyber-readiness.
It is reassuring to know that these government agencies are working hand in hand to faithfully carry out the objectives of the NCSP. However, maintaining a secure cyberspace requires the collective effort of not only key government agencies but private individuals and businesses. Indeed, the roles and functions of government are just but a piece of the cybersecurity puzzle. As the capacity of our government to address cybersecurity is still being improved, the private sector can play a critical role by forging partnerships with the government with the aim of sharing best practices and collaboratively addressing cybersecurity challenges.
Katrina Clemente-Lua is Executive Director of Stratbase ADR Institute.