The need for unified cybersecurity standards

By Allan S Cabanlong, PECE, ASEAN Eng.
Author of the Philippine National CyberSecurity Plan 2022

The entry of new technologies to the Philippine market, such as Artificial Intelligence (AI), Machine Learning, and 5th Generation(5G) mobile, has created concerns about implementing cybersecurity and data protection for the Filipino people.

On the other hand, Critical Information Infrastructure (CII) sectors have been the target of many cyber threats. In recent years, several breaches were reported, including that of a Filipino pawnshop leaking 900 thousand sensitive clients' personal information. One of the country's major media outlets was forced to close two sites due to a card data breach. Advanced Persistent Threat (APT) 32 campaign was found to have been targeting businesses around Southeast Asia, ransomware incidents attacking an insurance company, and a data breach concerning a Filipino credit app, to name a few. When not prevented or left undetected, these threats could be devastating and could cripple the political, economic, social, and technological stability of our country.

In the 5th Generation (5G) technology era, the GSMA and 3GPP have initiated specific testing and validation standards for mobile network equipment, the Network Equipment Security Assurance Scheme (NESAS).

In 2016, the DICT launched the National Cybersecurity Plan (NCSP) of 2022, the first National Cybersecurity Strategy of the Philippines, which defines the four key imperatives of the plan, namely: Protection of Critical Information Infrastructure, Protection of Government and Military Networks, Protection of Businesses and Supply Chain and finally, Protection of Individuals. The NCSP 2022 has explicitly expressed the need to adopt cybersecurity standards in Information Technology (IT) and Operational Technology (OT) and in the protection of the supply chain to protect the Filipino people. This is also meant to set structured methodologies and provide reliable data that save time in the innovation process.

But where are we now in the adoption of cybersecurity standards? A cybersecurity standard is a technical reference document, created and consented by a group of experts in an internationally recognized organization, such as but not limited to, International Telecommunications Union (ITU), Institute of Electrical and Electronics Engineers (IEEE), Groupe Spécial Mobile Association (GSMA) and 3rd Generation Partnership Project (3GPP). The said standard is designed to be used as guidelines, rules, or references by regulators, manufacturers to ensure uniformity to certain practices within the cybersecurity industry.

While the National Telecommunications Commission (NTC) imposes strict measures and ensures compliance of telcos for better services and connectivity, it does not directly tackle the security component. Thus there is a need to strengthen policies on cybersecurity, especially in the adoption of related equipment security standards for testing and validation. One good example is the reference standard set by ITU, the ITU IMT-2020 5G technical standard, which 3GPP 5G became the officially adopted technical standard on July 10, 2020.

One could ask, are local telcos following or adopting specific cybersecurity standards? Major telecommunications players in the country use network equipment that follows globally accepted security equipment testing and validation standards. However, ensuring compliance with standards requires consistent and robust enforcement from the government. This is the gap that needs to be addressed. The National Telecommunications Commission and the Department of Information and Communications Technology should adopt cybersecurity standards. The positive effect of standardization is that it can help weed out incompatible and unsecure technologies in the market that slow down the growth of technology. From the government's perspective, having standards in place also means streamlining both internal and external processes.

In the 5th Generation (5G) technology era, the GSMA and 3GPP have initiated specific testing and validation standards for mobile network equipment, the Network Equipment Security Assurance Scheme (NESAS). NESAS provides security baselines for network equipment that have been developed according to standard guidelines for the mobile communications industry. In this scheme, GSMA defines NESAS methodology while 3GPP defines the SeCurity Assurance Specifications (SCAS), which provides test cases for the security evaluation of network equipment.

Adopting such a standard like NESAS would assure the public that any operators who use network equipment following this scheme are safe to use, taking out other cyber threats methods, thus protecting the cybersecurity and data privacy of the Filipino People.