By Jeffrey Ian Dy
(Following the steps of the Israeli government to secure its country against cyber attacks, the Technical Skills, and Education Authority (TESDA) of the Philippines is planning to offer a national certification (NC) for cybersecurity. TESDA Executive Director for Information and Communications Technology Jeffry Ian Dy was recently invited to the 12th Cyberweek to learn how the Israeli government successfully integrated cybersecurity into the schools' curricula. TESDA, through Dy's recommendation, seeks the assistance of Israel to develop the Philippines' national certification for cybersecurity. Below are his learnings and reflections on the recently concluded Cyberweek -- Art Samaniego, editor)
The Deputy Commander of Unit 8200 of the Israel Defense Force (IDF) gave his keynote address at the 12th annual Cyberweek here in Tel Aviv, Israel. Unit 8200 is an Israeli Signals Intelligence Corps created to defend Israel's information assets from online attacks. The unit is also responsible for collecting signal intelligence (SIGINT) and code decryption.
Introduced only as "Colonel Yuri," he repeatedly reminded the audience that it is not his real name. He talked about his experience with an ongoing silent war on the internet. He gave more pragmatic and practical information on the same picture presented by the incumbent and former Directors of National Cyber Directorates and National Security Advisors of major NATO powers who spoke before him. His presentation was full of examples of national government sites and critical infrastructures being attacked, not only by nation-states but by cybercriminals who were encouraged by the relatively profitable and easy-to-enter field of cybercrime. His message was that in the last two years, cybercriminals not only target individuals or corporations, but they now target national databases. These cybercriminals use triple extortion schemes, first, where they ask for ransom money to reveal the system's weaknesses. Second, get ransom money for not disclosing that the system was compromised to the public, and third, get a ransom not to leak citizens' personal information to other cybercriminals. Also, cybercriminals can endanger lives as ransomware attacks can cause massive power failures, hospital information systems to go down, and national citizens' databases to be compromised.
Col. Yuri's keynote lasted only 15 minutes. Still, it was enough to terrify me so much that I started reflecting on whether or not my country, the Philippines, is prepared to defend our information assets in cyberspace.
Note that 80% of the war against cybercriminals is waged silently. This war is made by professionals on both sides behind computers and keyboards. In most cases, the public is only informed by cybercriminals themselves as part of their triple extortion modus to frighten the public and pressure governments to concede to their demands. Take the example of Costa Rica when in 2021, President Rodrigo Chavez declared a National Emergency as cyber crooks from a hacking hive named "Conti" held hostage through ransomware, the country's public hospital system. The same modus operandi also happened recently in the Philippines. During the last election, a group called "XSOX" (who are amateurs compared to Conti as the latter now has a US $10M bounty from the US State Department) tried to extort money from Philippine Election provider Smartmatic. When the company refused, XSOX leaked Smartmatic employee information, which in some included full names and mobile numbers, to the public. This led to a Senate investigation. While XSOX revealed some relevant election information, the senate investigation made it clear that the election was not compromised as a result of the hack. While the security breach could not change the outcome of the polls, Comelec and Smartmatic officials who denied that no breach ever took place were publicly humiliated.
Then there is the problem of attribution. As a cyberwar rage on the internet, it is always difficult to pinpoint who is responsible for the crime. Is the country equipped with the proper tools and personnel to identify the perpetrators accurately? Going back to our example on XSOX, they are now out on bail because the evidence is weak. I am confident the PNPs Cybercrime group will reveal more evidence, but it is what it is right now. In most cases, the perpetrators can only be determined by counter-hacking. This is a practice where law enforcement agencies also hack the other group in an effort to plant a "tracker" in the cybercriminals' computers which helps law enforcement find the criminals and also makes digital forensics easier.
But the most critical aspect of cybersecurity is human capital. Does the Philippines have enough human resources trained in cybersecurity to defend our information assets? Manila Bulletin published an interesting article in December 2021. The article's central thesis is that in a survey of industries, it was clear we lack cybersecurity professionals in the country. Consider that higher learning courses in Information Security was only introduced in the country within the last five years. These schools, including my alma mater, the University of the Philippines, lack suitable cyber ranges and laboratories to give students hands-on experience in blue and red team cyber operations. Most of our country's cybersecurity professionals were certified by private vendors. But the outlook is improving. The Technical Skills and Education Authority (TESDA) is trying to build a vendor-neutral national certification for cybersecurity. As per TESDA's competency-based qualifications framework, the qualification will be designed with the assistance of the private sector, companies engaged in cybersecurity, the academe, and government offices primarily engaged in cybersecurity (e.g., the Department of Information and Communications Technology). This is the reason why TESDA officials were invited by the Israel Ambassador to the Philippines, HE Ilan Fluss to attend Cyberweek. TESDA reached out to the Israel government, arguably the cybersecurity capital of the world, to assist in developing the country's national certification for cybersecurity.
While in Israel, I personally discussed this advocacy to Gen. Rami Efrati (Ret), one of the founders of Israel's National Cyber Directorate. He liked the idea so much that he said he would suggest the same to the Prime Minister of Israel. I want to think that with this, we also contributed to the discussion.
This brings us to my last point: Cybersecurity needs a multidisciplinary approach that ties up not only technical personnel but also psychologists, sociologists, political scientists, and lawyers, among others. This is not a job for the government only. Our defenses are only as good as the weakest link. So perhaps the approach to cybersecurity should be changed from assigning the task to a central government agency but by creating a council where the academe and the private sectors in each industry can contribute. The council can share ideas and even share tools. The national cyber range purchased by the DICT can be shared with council members to enhance the country's disaster preparedness in case of cyber-attacks. The information must be shared across all units.
This is the only way to fight this war. By giving cybercriminals a message: "If you mess with one of us, you mess with all of us."
###
About the author: Jeffrey Ian Dy is the Executive Director for Information and Communications Technology of the Technical Education and Skills Development Authority. He received his MSc in Information Security, with Distinction, from the Royal Holloway, University of London. The University awarded his thesis on the Information Security of the Philippine Automated Election as the best academic thesis in 2021.