With much of the country—and the world—preoccupied with issues of security and terrorism, a critical aspect typically escapes attention: cybersecurity. In the Philippines, one of the recent events that brought this obliviousness to the fore was the $81-million heist that unidentified hackers pulled off over the Bangladesh central bank’s account in February 2016. The entire Philippine financial system was alarmed by the catastrophic repercussion of what happened.
This is not the first high-profile cybercrime incident in the country and will certainly not be the last. Clearly then the Stratbase-Albert del Rosario Institute-organized roundtable discussion “Developing a Cybersecure Culture” last week in Makati couldn’t have come at a better time. Officials and experts from government, the academe, and the private sector exchanged thoughts on where the country stands in terms of cybersecurity and, most importantly, what can be done before it was too late.
There was a palpable urgency to the discussion. And for good reason. In opening the forum, Stratbase ADRi president, professor Dindo Manhit, stressed modern life’s increasing dependence on technology and the consequently high cost of any disruption.
“Cybersecurity has become a critical concern and the widespread collection, use, and sharing of data] between companies of personal data can negatively affect one’s financial wellbeing and career prospects,” he said.
As such, the role of government and regulation cannot be overstated, he added, in particular the institutionalization of laws and policies to safeguard digital-age rights, such as privacy of information.
A key milestone, he said, is the Department of Information and Communications Technology’s Cybersecurity Plan 2022. It is holistic and multi-sectoral in nature, as it includes “making critical information infrastructure trusted and secure to ensure its continuous operations, making government information environment and businesses secure; effective coordination with law enforcement agencies, and helping shape a society with an ingrained culture of cybersecurity.”
The government recognizes the importance of dealing with cyber threats, said DICT Assistant Secretary Allan Cabanlong. In fact, he said, aside from the National Cybersecurity Plan, the agency is also looking at ICTs as they are used in illicit trade involving drugs and guns, which are paid through virtual currencies, as well as terrorism, in which websites are used to promote and recruit potential members.
The President himself, Cabanlong said, has prioritized dealing with the “threat of cybercrime,” enjoining the Philippine National Police and other law enforcement authorities to coordinate in dealing with the matter. The Cybersecurity Plan was put in place precisely because the country stands to lose so much in terms of investment if its digital infrastructure is not as robust as necessary.
In particular, the cybersecurity roadmap identified four key strategic imperatives: the protection of critical Infostructure, the protection of government networks both public and military, the protection of businesses and supply chains, and the protection of individuals.
“Users are typically the weakest link, and so there is a need to educate them no matter how sophisticated their systems are,” he added.
Commissioner Raymund Liboro of the National Privacy Commission emphasized that in addition to this new roadmap there is a “symbiotic relationship between data privacy and cybersecurity, and it is supported by a “trinity of laws.” These include the Cybercrime Prevention Act of 2012, the Data Privacy Act of 2012, and the law that created the DICT.
Liboro said the commission received complaints in relation to unauthorized processing and security of personal information. Half of such reported breaches, he added, were from malicious criminal attacks, while the rest were a result of system glitches and human error.
According to Union Bank Chief Information and Security Officer Aldrin Escurel, the private sector can contribute to cultivating a cybersecure culture by integrating controls in its products and services and shifting from “passive to active defense” in this light.
“For the private sector, what’s at risk are customer privacy and security, and this security is integral to the supply chain, and so the sector should work with regulators and relevant authorities,” he said.
For instance, the cybersecurity team of Unionbank monitors the security operations center 24/7, where there is harmony between people and the process, the better to catch cyber-attacks and threats such as pharming, phishing, and social media impersonators.
Technology has implications on strategic affairs, said Stratbase ADRI fellow and University of Nottingham professor Francis Domingo. Among them, there is a general misperception of cyber threats due to exaggerated framing in the media, there is a militarization of cyberspace, especially in Asia, and while there are guidelines such as the Tallinn manual, not all states comply to these. Agencies like the UN, Nato, and the EU failed to make cyber rules, to cite.
As complex as the issues are, a good way to move forward, Domingo said, is to manage what’s happening on three levels: Global, state, and individual. For its part, for all its regulatory strength, the Philippines is in a strong position to do just that.