ON Thursday we reported on a disturbing new assessment from noted cyber-security firm FireEye, which found the Philippines twice more vulnerable to cyber attacks than other countries. This is a development that must be regarded as a critical threat to national security, and approached with the same resolve that we would like to believe our country would respond to an armed invasion.
FireEye – the firm engaged by Bangladesh to investigate the hacking of that country’s central bank that resulted in $81 million in stolen funds finding their way to the Philippines – didn’t mince words when it came to describing the threat this country faces.
“The Philippines’ cyber security gap is an urgent economic and national security concern,” Eric Hoh, FireEye’s president for Asia Pacific, said. “Organizations here are frequently targeted by advanced attackers. As geopolitical tensions drive rapid militarization in the West Philippine Sea, it is important we acknowledge the first shots in any conflict will be fired in cyberspace.”
In the past few years we have seen many examples of the “cyber security gap,” particularly among government agencies, whose websites have been hacked with a frequency that should alarm our officials responsible for protecting sensitive systems. It is fortunate, perhaps, that almost all of these attacks have been carried out as a form of political protest; one that we certainly do not condone, but which has proven so far to be more annoying than harmful.
The reality is, however, that nothing except the “benign” and merely “naughty” intentions of the hackers have prevented any of these attacks from causing real damage. But now alarming indications suggest that the attackers are becoming bolder and perhaps beginning to pursue more dangerous objectives. At the beginning of the month, someone managed to break into Comelec’s systems and steal virtually the entire voter information database – sensitive personal information for nearly 55 million registered voters. The hackers themselves may not intend any further misuse of that information, but now that it is publicly accessible, the potential for others to use it for various kinds of fraud that could cause people real personal and financial harm is almost limitless. And very frightening.
Even more disturbing is that our experience with cyber security failures doesn’t even begin to take into account the potential for an organized, powerful state-managed cyber warfare, which was FireEye’s greatest concern in its report. It is no secret that China, with whom we have a serious dispute over the West Philippine Sea – despite, thank God, our basically happy, social, cultural and diplomatic and people-to-people relations that the President Aquino almost destroyed – has well-equipped and efficient cyber warfare operations. These, FireEye said, have already targeted the Philippines.
The US and at least some of its allies also have well-developed capabilities, and have already employed them, which raises the nightmarish prospect for us that we could conceivably find ourselves caught in the middle of a digital war at some point in the not-so-distant future.
Businesses are vulnerable as well, and while they are usually much better equipped and proactive than the government in addressing their cyber security needs, doubts about the soundness of institutional systems as well as the strength of the telecommunications infrastructure – both things being generally regarded as still leaving a lot to be desired – add complications to Philippine-based businesses’ abilities to accomplish their objectives.
These weaknesses are a bigger risk factor than they ought to be in potential investors’ assessments of our business environment.
The next government of the Philippines, whoever will lead it, must have a clear plan to address the nation’s “cyber security gap,” and the political will to apply the required resources to carry it out. The warning that damaging cyber attacks will happen, and that they are more likely to happen here than anywhere else, should be sufficient to spur the government into action.
We cannot afford to wait for another object lesson before our leaders take the threat seriously. By that time it will already be too late.