THE Philippines has been ranked 37th among 193 member states, with an index score of 0.594 in the Global Cybersecurity Index (GCI) 2017 published by the International Telecommunication Union. Thirty-nine other member states ranked higher than the Philippines, with Singapore leading the pack with an index score of 0.925.
The GCI measures the commitment of member states in addressing cybersecurity through the existence of frameworks, strategies, policies, programs, human capacity, and institutions in the following pillars: legal, technical, organizational, capacity-building, and cooperation.
The GCI reveals the indicators where the Philippines is strong and where the country can improve. The scores attained have been classed into high (above the 65th percentile), medium (33rd to 65th percentile), and low (below the 33rd percentile).
The Philippines scored high in the legal pillar.
An indicator in this pillar is the existence of cybercrime legislation. The definition of hacking or cracking as a crime was tucked into the Electronic Commerce Act (RA8792) which basically provides for the legal recognition of electronic documents and electronic signatures. Prior to the passage of RA8792, there were the technology-related laws: the Anti-Wiretapping Law (RA4200) and Access Device Act (RA8484). The Cybercrime Prevention Act (RA10175) which defines various crimes that may be committed using information and communication technologies was passed in 2012.
Another indicator measured in the legal pillar is cybersecurity legislation. The Data Privacy Act (RA10173), passed in 2017, mandates the protection of personal information collected, processed, and stored by government agencies and private sector organizations. There appears to be no other law that specifically addresses cybersecurity. But the matter of cybersecurity is tucked into RA10175. The law created the Cybercrime Investigation Coordinating Center which is mandated to formulate and enforce the national cybersecurity plan and establish the national Computer Emergency Response Team (CERT).
The country needs improvement in cybersecurity training indicator. Various surveys say that more than half of the Philippine population has access to the Internet. There is a need to develop a culture of security among users. This could start with school-age children who are already accessing the Internet not only for academic purposes but to get connected to friends and classmates as well as seek entertainment. Technical training programs must be developed as well.
The Philippines needs to improve in the technical pillar which attained a medium score.
The country scored high in the national CERT and government CERT indicators, which is surprising. The GCI survey was conducted from January to September 2016. Plans were afoot to establish the national CERT even before the current administration took over the reins of government in July 2016. With the creation of the Department of Information and Communications Technology (DICT), plans were again set into motion to create the national CERT. In practice, incident response teams in various private organizations and in some government agencies exist but there is lack of data that could fully support this.
The Philippines scored low in cybersecurity standards for organizations and professionals. But through the years, organizations and professionals looked to and have adopted international cybersecurity standards and best practices. Formally, however, identification and adoption of global standards has been slow. This is an area where the country needs to improve.
The country scored high in the child protection indicator. The Philippine National Police’s Anti-Cybercrime Group (ACG) established Angel Net. The ACG coordinates with various organizations, especially schools, and conducts an annual Angel Net gathering aimed at generating cybersecurity awareness among the youth. It also works with various agencies, including the Department of Social Welfare and Development, in curbing incidents of child exploitation and human trafficking in the Internet.
The score card shows the Philippines’ organizational pillar with a medium score.
The indicators of strategy and responsible agencies attained high scores while the cybersecurity metrics indicator scored low. Indeed, responsible agencies have been designated by law and these agencies are working on developing frameworks and formulating strategies on how to address cybersecurity. Cybersecurity metrics still have to be developed.
The country’s score in the capacity-building pillar was at medium.
The Philippines scored high in cybersecurity good practice and professional training courses indicators. The indicators of standardization bodies, R&D programs, public awareness campaigns, education programs, and homegrown industry attained medium scores. Where the country needs to drastically improve is in the incentive mechanism indicator which got a low score. Improvements in public awareness campaigns and education programs which are among the focus areas in the country’s National Cybersecurity Plan may be revealed in the next GCI round. In education, cybersecurity degree programs have already been introduced by some schools.
Improvement is much to be desired in the cooperation pillar which attained a medium score.
A high score is indicated in the international participation, public/private partnerships, and interagency partnerships; however, low scores were obtained in the bilateral agreements and multilateral agreements indicators. While Philippine law enforcement authorities are able to use mechanisms in addressing cybercrime through mutual legal assistance treaties, government needs to address international cooperation in the area of cybersecurity.
ITU’s GCI shows that the state of Philippine cybersecurity is at medium or maturing state. The government, through the DICT, should dig deeper into the GCI survey and, together with cybersecurity experts and stakeholders, develop programs and mechanisms that will lead to performance improvement in all pillars and work towards joining the 21 leading member states.