The Philippines’ journey to cyber resiliency

Published October 14, 2018, 12:20 AM

by Roel Tibay

By Asec Allan Cabanlong

The digital economy in the Philippines has the potential to add US $8 billion to the country’s GDP over the next three years. However, cyber risks could impede trust and resilience in the digital economy and prevent the nation from realizing its full digital potential.

The 21st century saw our beloved country being plagued with cyber-attacks both from state and non-state actors. Government website defacements, notorious hacking of critical infrastructure and the largest government data breach back in 2016. And how did we respond? Put out fires. Try to get back up. And hope and pray nothing like that ever happens again.

But it happens again, and again, and again.

Until in May 2017, barely a year after its creation, the Department of Information and Communications Technology (DICT), via its CyberSecurity Bureau, launched the National Cybersecurity Plan (NCSP) 2022. With a handful of people and on a shoestring budget, I stepped on an unchartered road in Philippine history. And there, right there, the road to cyber resiliency for the Philippines has begun.

Cybersecurity governance has been laid out in the NCSP. Three months after the publication of the plan, policies for its implementation were published — DICT MC 005-007, s2017. The Philippines’ National Computer Emergency Response Team – CERT PH, under DICT’s CyberSecurity Bureau was launched in February 2018.

Protection and security assessments of critical infostructure (CIIs) are underway with the DICT CyberSecurity Bureau doing a recognition scheme for assessment providers. Focus Group Discussions have commenced to engage the 12 CIIs identified in the NCSP to initiate the Sectoral CERT strategy. The Energy Sectoral CERT, led by the Department of Energy, is set to be launched by the last quarter of this year.

On the legal front, even with both the Cybercrime Prevention and Data Privacy Acts in place, we recognize the need for a cybersecurity law and we are in the process of drafting one. Hence, Philippines cybersecurity spending is expected to show double-digit growth up to 2025.

Currently though, when benchmarking national cybersecurity spending as a percentage of GDP, the Philippines is at 0.04 percent versus the global average of 0.13 percent and a best-in-class average of 0.35 percent such as that of Israel. This creates a potential risk of insufficient spend relative to a rapidly escalating threat landscape. It is then our hope to rectify this via the enactment of a cybersecurity law.

From a capability perspective, certain specific skill sets such as systems architecture design, behavioral analytics, and digital forensics are acutely in short supply, and there is a large and growing demand for industry-specific cybersecurity talent. Executives cite subtle nuances related to a compliance mindset needed in the financial services industry as opposed to the recognition of real risk of physical damage to life and assets applicable in the manufacturing or oil and gas industry. There is also inadequate expertise in cybersecurity support sectors, such as cyber insurance, where both effective frameworks and sufficient knowledge are needed to accurately assess the value-at-risk.

To address this, the DICT CyberSecurity Bureau is undertaking capacity building initiatives with a strategic view.

On top of our cybersecurity awareness and training programs such as CERT trainings covering all the regions of the Philippines, we came out with a sustainable plan to address the shortage of cybersecurity-skilled professionals.

Adopting a curriculum developed by the George Marshall European Center for Security Studies, we initiated a Bachelor of Science in Cybersecurity program.

AMA University is set to offer it within the year. Other colleges and universities are being engaged for the program.

While the country is no longer a sitting duck to cyber-attacks as was the case before the National CyberSecurity Plan was launched, it remains to be a prime target. Cyberattacks in the Philippines increased over the last three months, landing the country among the top 10 most attacked for the second quarter of 2018.

In a recent interview, I was asked about the Philippines’ cybersecurity infrastructure. We are set to award the contract for the government’s National Cyber Intelligence Platform (NCIP) this year. The platform will provide for the monitoring of threats so that we can prevent any threat that enters our infrastructure.

Though better than it was, the Philippines still has bigger mountains to face, massive roadblocks to conquer as it traverses the long and winding road to resiliency. To say that the job of securing the Philippine cyberspace is difficult is an understatement but with a clear vision and uncompromising integrity, the journey on the road to resiliency looks bright.