The Philip­pines’ jour­ney to cy­ber re­siliency

Manila Bulletin - - Front Page - By ASEC AL­LAN CABANLONG

The dig­i­tal econ­omy in the Philip­pines has the po­ten­tial to add US $8 bil­lion to the coun­try’s GDP over the next three years. How­ever, cy­ber risks could im­pede trust and re­silience in the dig­i­tal econ­omy and pre­vent the na­tion from re­al­iz­ing its full dig­i­tal po­ten­tial.

The 21st cen­tury saw our beloved coun­try be­ing plagued with cy­ber-at­tacks both from state and non-state ac­tors. Govern­ment web­site de­face­ments, no­to­ri­ous hack­ing of crit­i­cal in­fra­struc­ture and the largest govern­ment data breach back in 2016. And how did we re­spond? Put out fires. Try to get back up. And hope and pray noth­ing like that ever hap­pens again.

But it hap­pens again, and again, and again.

Un­til in May 2017, barely a year af­ter its cre­ation, the Depart­ment of In­for­ma­tion and Com­mu­ni­ca­tions Tech­nol­ogy (DICT), via its Cy­ber­Se­cu­rity Bu­reau, launched the Na­tional Cy­ber­se­cu­rity Plan (NCSP) 2022. With a hand­ful of peo­ple and on a shoe­string bud­get, I stepped on an un­char­tered road in Philip­pine his­tory. And there, right there, the road to cy­ber re­siliency for the Philip­pines has be­gun.

Cy­ber­se­cu­rity gov­er­nance has been laid out in the NCSP. Three months af­ter the pub­li­ca­tion of the plan, poli­cies for its im­ple­men­ta­tion were pub­lished — DICT MC 005-007, s2017. The Philip­pines’ Na­tional Com­puter Emer­gency Re­sponse Team – CERT PH, un­der DICT’s Cy­ber­Se­cu­rity Bu­reau was launched in Fe­bru­ary 2018.

Pro­tec­tion and se­cu­rity as­sess­ments of crit­i­cal in­fos­truc­ture (CIIs) are un­der­way with the DICT Cy­ber­Se­cu­rity Bu­reau do­ing a recog­ni­tion scheme for assess­ment providers. Fo­cus Group Disor cus­sions have com­menced to en­gage the 12 CIIs iden­ti­fied in the NCSP to ini­ti­ate the Sec­toral CERT strat­egy. The En­ergy Sec­toral CERT, led by the Depart­ment of En­ergy, is set to be launched by the last quar­ter of this year.

On the le­gal front, even with both the Cy­ber­crime Pre­ven­tion and Data Pri­vacy Acts in place, we rec­og­nize the need for a cy­ber­se­cu­rity law and we are in the process of draft­ing one. Hence, Philip­pines cy­ber­se­cu­rity spend­ing is ex­pected to show dou­ble-digit growth up to 2025.

Cur­rently though, when bench­mark­ing na­tional cy­ber­se­cu­rity spend­ing as a per­cent­age of GDP, the Philip­pines is at 0.04 per­cent ver­sus the global av­er­age of 0.13 per­cent and a best-in-class av­er­age of 0.35 per­cent such as that of Is­rael. This cre­ates a po­ten­tial risk of in­suf­fi­cient spend rel­a­tive to a rapidly es­ca­lat­ing threat land­scape. It is then our hope to rec­tify this via the en­act­ment of a cy­ber­se­cu­rity law.

From a ca­pa­bil­ity per­spec­tive, cer­tain spe­cific skill sets such as sys­tems ar­chi­tec­ture de­sign, be­hav­ioral an­a­lyt­ics, and dig­i­tal foren­sics are acutely in short sup­ply, and there is a large and grow­ing de­mand for in­dus­try-spe­cific cy­ber­se­cu­rity tal­ent. Ex­ec­u­tives cite sub­tle nu­ances re­lated to a com­pli­ance mind­set needed in the fi­nan­cial ser­vices in­dus­try as op­posed to the recog­ni­tion of real risk of phys­i­cal dam­age to life and as­sets ap­pli­ca­ble in the man­u­fac­tur­ing oil and gas in­dus­try. There is also in­ad­e­quate ex­per­tise in cy­ber­se­cu­rity sup­port sec­tors, such as cy­ber in­sur­ance, where both ef­fec­tive frame­works and suf­fi­cient knowl­edge are needed to ac­cu­rately as­sess the value-at-risk.

To ad­dress this, the DICT Cy­ber­Se­cu­rity Bu­reau is un­der­tak­ing ca­pac­ity build­ing ini­tia­tives with a strate­gic view.

On top of our cy­ber­se­cu­rity aware­ness and train­ing pro­grams such as CERT train­ings cov­er­ing all the re­gions of the Philip­pines, we came out with a sus­tain­able plan to ad­dress the short­age of cy­ber­se­cu­rity-skilled pro­fes­sion­als. Adopt­ing a cur­ricu­lum devel­oped by the George Mar­shall Eu­ro­pean Cen­ter for Se­cu­rity Stud­ies, we ini­ti­ated a Bach­e­lor of Sci­ence in Cy­ber­se­cu­rity pro­gram.

AMA Univer­sity is set to of­fer it within the year. Other col­leges and uni­ver­si­ties are be­ing en­gaged for the pro­gram.

While the coun­try is no longer a sit­ting duck to cy­ber-at­tacks as was the case be­fore the Na­tional Cy­ber­Se­cu­rity Plan was launched, it re­mains to be a prime tar­get. Cy­ber­at­tacks in the Philip­pines in­creased over the last three months, land­ing the coun­try among the top 10 most at­tacked for the sec­ond quar­ter of 2018.

In a re­cent in­ter­view, I was asked about the Philip­pines’ cy­ber­se­cu­rity in­fra­struc­ture. We are set to award the con­tract for the govern­ment’s Na­tional Cy­ber In­tel­li­gence Plat­form (NCIP) this year. The plat­form will pro­vide for the mon­i­tor­ing of threats so that we can pre­vent any threat that en­ters our in­fra­struc­ture.

Though bet­ter than it was, the Philip­pines still has big­ger moun­tains to face, mas­sive road­blocks to con­quer as it tra­verses the long and wind­ing road to re­siliency. To say that the job of se­cur­ing the Philip­pine cy­berspace is dif­fi­cult is an un­der­state­ment but with a clear vi­sion and un­com­pro­mis­ing in­tegrity, the jour­ney on the road to re­siliency looks bright.

While the coun­try is no longer a sit­ting duck to cy­ber­at­tacks as is the case be­fore the Na­tional Cy­ber­Se­cu­rity Plan was launched, it re­mains to be a prime tar­get.

The 21st cen­tury saw our beloved coun­try be­ing plagued with cy­ber-at­tacks both from state and non-state ac­tors. Govern­ment web­site de­face­ments, no­to­ri­ous hack­ing of crit­i­cal in­fra­struc­ture and the largest govern­ment data breach back in 2016.

Newspapers in English

Newspapers from Philippines

© PressReader. All rights reserved.