Cyberattacks pose clear and present danger to PHL

A broken ethernet cable is seen in front of binary code and words “cyber security” in this illustration taken on March 8. — REUTERS

By Arjay L. Balinbin, Senior Reporter

AS CYBERATTACKS surge around the world, the Philippines is still at the “infancy” stage in terms of cybersecurity, raising worries over the government and private sector’s ability to handle present and future cyberthreats.

Six years after the country’s cybersecurity framework was launched, Department of Information and Communications and Technology (DICT) Acting Secretary Emmanuel Rey R. Caintic said that based on observations, there is still much work to be done to strengthen the country’s defenses against cyberthreats and attacks. 

“Well, Rome wasn’t built in a day,” he said in a virtual interview.

Of the five levels of maturity in terms of cybersecurity, Mr. Caintic noted the Philippines is still at level 1 (initial or ad hoc) in terms of awareness and communication; and cybersecurity skills and expertise. According to the Cobit (control objectives for information and related technology) maturity model, level 1 means “no standardized processes are in place.”

The Philippines fared better in terms of policies, plans, tools and responsibility, but procedures are not sophisticated enough.

Mr. Caintic said the DICT is aiming to reach the maturity level 5, or the “resilient enterprise” level in around five years.

The Philippines ranked fourth in Kaspersky’s 2021 global ranking of countries most targeted by web threats.

“This means Filipinos who have been mostly stuck at home surfing, working, banking, or studying via the web during the entire second year of the pandemic have had a heightened exposure to further dangers of the internet,” the Russian cybersecurity firm said in its report released in February.

This year, the DICT has a budget of up to P600 million intended for cybersecurity, significantly bigger than the previous budget of P300 million, according to Mr. Caintic.

He said the government is looking to upgrade the Security Operations Center (SOC), which was acquired in 2019. At least 10 government agencies are connected to the SOC, which is involved in cyber defense and closely monitors the agencies’ networks for unusual activities or cyberattack.

The DICT also plans to conduct this year a “cyber range,” or simulation training, with the Armed Forces of the Philippines, the Department of National Defense, and the National Intelligence Coordinating Agency. Mr. Caintic said the cyber range platform is being set up for drills in April.

The country’s Cybersecurity Plan 2022 was updated in 2021 to strengthen the cybersecurity capabilities of both government and private organizations.

“The DICT is mandated to ensure the security of critical ICT infrastructures including information assets of the government, individuals, and businesses,” Mr. Caintic said.

The DICT is also pushing for the creation of a cybersecurity agency, which is aimed at boosting the Philippines’ cybersecurity capabilities.

Mr. Caintic said a bill is being prepared for the next Congress. The bill would also require organizations to hold cyberattack drills and comply with minimum security standards.

GLOBAL CYBERATTACKSRussian cyberattacks against Ukraine, including its critical national infrastructure, have worried governments around the world.

The governments of the United States, United Kingdom and Australia publicly attributed the cyberattacks against the Ukrainian banking and government websites in February to the Russian Main Intelligence Directorate. Russia has rejected these allegations.

The Philippines, given the status of its cybersecurity capabilities, may not be able to survive a similar attack, ethical hacker Allan Jay “AJ” Dumanhug said in a virtual interview.

“Unfortunately, we can’t even prevent cyberattacks from local cybercriminal groups, so why are we even talking about international cyberattacks or state-sponsored attacks if we can’t prevent our local cybercriminal groups?” said Mr. Dumanhug, the chief executive officer of cybersecurity testing platform Secuna.

“So, imagine China attacking the Philippines. We can’t even keep up with them. We don’t have the right capability in terms of resources, in terms of leadership, especially in our government,” he added.

The government and the private sector should also ramp up efforts to increase the number of cybersecurity professionals in the country, said Angel T. Redoble, chairman and founding president of the Philippine Institute of Cyber Security Professionals.

“We need more skilled professionals… Cyberattackers are innovating and evolving on a daily basis, so we, on the defender side, should do the same,” he said in a virtual interview.

Secuna’s Mr. Dumanhug said the National Government should require all agencies to perform a “thorough security assessments of all their applications that store, process, and transmit sensitive and critical information of our government and fellow citizens.”

“As we all know, we have around 100 million Filipinos in the country right now, and we hold a lot of pieces of data, and cybercriminals will target any kind of organization. As long as you hold thousands of data, you will be targeted, because per data it can be sold for $5 to $10, I guess, in the black market,” he noted.

The implementing rules of the Data Privacy Act of 2022 already require the National Privacy Commission to manage the registration of personal data processing systems in the country. Mr. Dumanhug said most startups appear to be unaware of the law, which is why the government should slap fines on those that violate it or else these lapses will continue. 

CYBERSECURITY AWARENESSAs the pandemic drove a shift to digital services, there was also an increase in cybercrimes against consumers.

Losses from bank fraud, such as unauthorized withdrawals or illegal transfers, during the pandemic reached P1 billion, the Bankers Association of the Philippines (BAP) said.

“However, as more Filipinos are shifting towards online banking, cybercriminals have found an opportunity to exploit victims on a wider scale,” the group told BusinessWorld in a statement.

The rise in cybercrimes highlighted the need for banks to continually upgrade their systems to deter cryberattacks, as well as for the government to hold cybercriminals accountable, the BAP said, adding the industry launched a CyberSafe campaign to raise cybersecurity awareness among the public.

Yeo Siang Tiong, Kaspersky’s general manager for Southeast Asia, said the government and the private sector should start working on cybersecurity awareness.

“Regulations, policies, and private-public partnership must be there… There must be general awareness that they need to beef up their defenses,” he said during a virtual interview. “The reality today is that it is all pretty random.”

Mr. Tiong said people should be aware that cyberattacks can occur via social media and messaging apps, and should know how to respond.

For Mr. Redoble, there are already a lot of intelligent devices that can protect one from cyberthreats and attacks, but are very expensive especially for these micro, small and medium enterprises (MSMEs).

“Only the large enterprises can afford new technologies and hire the right people,” he said. “The MSMEs are unable to put up a team and unable to buy new technologies. That is a big problem for us, because we have 99% of the business sector vulnerable to cyberattacks.”

Mr. Redoble said a culture of cybersecurity starts by changing the mindset of people, from the top management to the users.

Kaspersky’s Mr. Tiong pointed out that a study done by his company last year showed that only 48% of Filipinos who use digital payment methods believe they need an antivirus software to protect their money and data online, even if they’re aware of phishing scams and bank and credit card fraud.

Mr. Dumanhug warned cyberattacks are expected to become “more complex” in a few years.

“We have to keep up with them by implementing whatever they are doing or they will perform. Probably, cyberattackers will also use new technologies like artificial intelligence, so the organizations and the National Government should also use this stuff to keep up with the attackers,” he noted.