A GROWING number of the Philippine population has taken to using the internet with the proliferation of smartphones. The country boasts about 48 million social media users (http://isupportworldwide.com/blog/archive/socialmediaphilippines/). With the horrendous traffic in Metro Manila, motorists seek guidance from Waze to get to their destination via the quickest route. It is not uncommon to see commuters on trains or buses during rush hour busy with their smartphones, playing an online game, browsing social media, reading the news online, or simply responding to messages. Netizens have also adopted e-commerce or mobile commerce, using their electronic devices to shop, make travel registrations, book accommodations, and pay for their purchases.
But with the good that technology brings comes the bad.
Global cybersecurity incidents have been increasing steadily in volume, velocity, and sophistication, and the country is no stranger to them. Government websites have repeatedly been defaced. Reports of cybercrimes have been increasing through the years. The latest such incidents that hogged the headlines are the Bangladesh Central Bank cyber heist, with $81 million reaching the Philippine banking system, and the ComeLeak incident involving the defacement of the Commission of Elections website and the exfiltration of its voter registration database of about 55 million voters.
Citizens need to be protected against the menace of cybercrimes.
After a long wait, the country now has a National Cyber Security Plan (NCSP). Launched last May 2, 2017, by the Department of Information and Communication Technology (DICT), the NCSP lays out an expansive blueprint that seeks “to address the urgency to protect the nation’s critical infrastructures, government networks both public and military, small and medium enterprises to large businesses and corporations and its supply chains, and every Filipino using the internet.” (NCSP 2022, http://www.dict.gov.ph/national-cybersecurity-plan-2022/)
The plan is a work in progress, and the DICT will have to prepare guidelines on how the stakeholders can respond to meet the objectives of the NCSP.
The plan addresses the need to develop qualified cybersecurity professionals yet misses out on the development of awareness, knowledge, and capacity-building among ordinary netizen-users. For the protection of the individual, a culture of security in cyberspace needs to be developed. The non-techie user needs to be cybersecurity aware. The seeds of cybersecurity culture can be nurtured from as early as when a child reaches school age, since a growing number of schools have adopted technology as a tool for education and students now download their homework from their school’s system and upload their completed homework. They are encouraged to do their research using the internet. Awareness building can also be pursued in collaboration with and through organizations, public and private.
Technology companies, banks and financial institutions, telecommunications companies, hotels, retail shops and department stores, airline companies, and online businesses are among the businesses that have been using information and communications technology (ICT) in their day-to-day operations for a number of decades. Government agencies, too, have adopted ICT in the delivery of their services and in meeting their mandates. Many of them have information security professionals who have put in the necessary technology protection measures to protect their infrastructure from unwanted intrusions. But information security has largely been seen as a technology matter left to the chief information security officer or chief technology officer to address. Information security must be elevated to corporate board or senior management level, as an information technology governance and risk management matter requiring compliance with available laws, regulations, and standards.
The country’s critical infrastructure, such as energy generation and transmission, water utilities, and transportation, among others, relies on ICT for management and operations. Some of it relies on private sector-operated infrastructure. Private sector operators and government agencies running critical infrastructure must collaborate for the protection of the overall infrastructure from cybersecurity threats.
The NCSP envisions an incident reporting and response system through the establishment of layers of computer emergency response teams – organizational, sectoral, and national. While government agencies can be mandated to report cybersecurity incidents and breaches, reporting by private sector entities requires coordination, cooperation, and collaboration between the DICT, the regulatory body, and the private-sector organizations. Many cybersecurity incidents have gone unreported, with the affected organizations opting for non-disclosure lest they face legal challenges and risk damage to their reputation. While there is a legal obligation to disclose information on cybersecurity incidents, it is limited to breaches involving personally identifiable information and sensitive personal information as provided in the Data Protection Act (RA10173). The DICT needs to promote voluntary cooperation to encourage information sharing and exchange. It might be necessary to provide incentives for organizations to provide data on cybersecurity incidents that they experience.
When the victim of a cybersecurity incident decides to pursue legal action against the perpetrator, it crosses the line from being a cybersecurity incident to a cybercrime matter that needs to be addressed by law enforcement agencies. The anti-cybercrime group of the Philippine National Police and the cybercrime division of the National Bureau of Investigation have been progressively developing the capability to conduct cybercrime investigation and digital forensics. The technologies used by both organizations need constant updating in order to catch up with the latest technological developments.
The NCSP has a long way to go. The frameworks and programs described in the plan need to be dissected, and operating and implementation plans need to be developed. The DICT needs all the help it can get from stakeholders.