Cyberattacks pose clear and present danger to PHL
By Arjay L. Balinbin, Senior Reporter
AS CYBERATTACKS surge around the world, the Philippines is still at the 鈥渋nfancy鈥 stage in terms of cybersecurity, raising worries over the government and private sector鈥檚 ability to handle present and future cyberthreats.
Six years after the country鈥檚 cybersecurity framework was launched, Department of Information and Communications and Technology (DICT) Acting Secretary Emmanuel Rey R. Caintic said that based on observations, there is still much work to be done to strengthen the country鈥檚 defenses against cyberthreats and attacks.聽
鈥淲ell, Rome wasn鈥檛 built in a day,鈥 he said in a virtual interview.
Of the five levels of maturity in terms of cybersecurity, Mr. Caintic noted the Philippines is still at level 1 (initial or ad hoc) in terms of awareness and communication; and cybersecurity skills and expertise. According to the Cobit (control objectives for information and related technology) maturity model, level 1 means 鈥渘o standardized processes are in place.鈥
The Philippines fared better in terms of policies, plans, tools and responsibility, but procedures are not sophisticated enough.
Mr. Caintic said the DICT is aiming to reach the maturity level 5, or the 鈥渞esilient enterprise鈥 level in around five years.
The Philippines ranked fourth in Kaspersky鈥檚 2021 global ranking of countries most targeted by web threats.
鈥淭his means Filipinos who have been mostly stuck at home surfing, working, banking, or studying via the web during the entire second year of the pandemic have had a heightened exposure to further dangers of the internet,鈥 the Russian cybersecurity firm said in its report released in February.
This year, the DICT has a budget of up to P600 million intended for cybersecurity, significantly bigger than the previous budget of P300 million, according to Mr. Caintic.
He said the government is looking to upgrade the Security Operations Center (SOC), which was acquired in 2019. At least 10 government agencies are connected to the SOC, which is involved in cyber defense and closely monitors the agencies鈥 networks for unusual activities or cyberattack.
The DICT also plans to conduct this year a 鈥渃yber range,鈥 or simulation training, with the Armed Forces of the Philippines, the Department of National Defense, and the National Intelligence Coordinating Agency. Mr. Caintic said the cyber range platform is being set up for drills in April.
The country鈥檚 Cybersecurity Plan 2022 was updated in 2021 to strengthen the cybersecurity capabilities of both government and private organizations.
鈥淭he DICT is mandated to ensure the security of critical ICT infrastructures including information assets of the government, individuals, and businesses,鈥 Mr. Caintic said.
The DICT is also pushing for the creation of a cybersecurity agency, which is aimed at boosting the Philippines鈥 cybersecurity capabilities.
Mr. Caintic said a bill is being prepared for the next Congress. The bill would also require organizations to hold cyberattack drills and comply with minimum security standards.
GLOBAL CYBERATTACKS
Russian cyberattacks against Ukraine, including its critical national infrastructure, have worried governments around the world.
The governments of the United States, United Kingdom and Australia publicly attributed the cyberattacks against the Ukrainian banking and government websites in February to the Russian Main Intelligence Directorate. Russia has rejected these allegations.
The Philippines, given the status of its cybersecurity capabilities, may not be able to survive a similar attack, ethical hacker Allan Jay 鈥淎J鈥 Dumanhug said in a virtual interview.
鈥淯nfortunately, we can鈥檛 even prevent cyberattacks from local cybercriminal groups, so why are we even talking about international cyberattacks or state-sponsored attacks if we can鈥檛 prevent our local cybercriminal groups?鈥 said Mr. Dumanhug, the chief executive officer of cybersecurity testing platform Secuna.
鈥淪o, imagine China attacking the Philippines. We can鈥檛 even keep up with them. We don鈥檛 have the right capability in terms of resources, in terms of leadership, especially in our government,鈥 he added.
The government and the private sector should also ramp up efforts to increase the number of cybersecurity professionals in the country, said Angel T. Redoble, chairman and founding president of the Philippine Institute of Cyber Security Professionals.
鈥淲e need more skilled professionals鈥 Cyberattackers are innovating and evolving on a daily basis, so we, on the defender side, should do the same,鈥 he said in a virtual interview.
Secuna鈥檚 Mr. Dumanhug said the National Government should require all agencies to perform a 鈥渢horough security assessments of all their applications that store, process, and transmit sensitive and critical information of our government and fellow citizens.鈥
鈥淎s we all know, we have around 100 million Filipinos in the country right now, and we hold a lot of pieces of data, and cybercriminals will target any kind of organization. As long as you hold thousands of data, you will be targeted, because per data it can be sold for $5 to $10, I guess, in the black market,鈥 he noted.
The implementing rules of the Data Privacy Act of 2022 already require the National Privacy Commission to manage the registration of personal data processing systems in the country. Mr. Dumanhug said most startups appear to be unaware of the law, which is why the government should slap fines on those that violate it or else these lapses will continue.聽
CYBERSECURITY AWARENESS
As the pandemic drove a shift to digital services, there was also an increase in cybercrimes against consumers.
Losses from bank fraud, such as unauthorized withdrawals or illegal transfers, during the pandemic reached P1 billion, the Bankers Association of the Philippines (BAP) said.
鈥淗owever, as more Filipinos are shifting towards online banking, cybercriminals have found an opportunity to exploit victims on a wider scale,鈥 the group told 大象传媒 in a statement.
The rise in cybercrimes highlighted the need for banks to continually upgrade their systems to deter cryberattacks, as well as for the government to hold cybercriminals accountable, the BAP said, adding the industry launched a CyberSafe campaign to raise cybersecurity awareness among the public.
Yeo Siang Tiong, Kaspersky鈥檚 general manager for Southeast Asia, said the government and the private sector should start working on cybersecurity awareness.
鈥淩egulations, policies, and private-public partnership must be there鈥 There must be general awareness that they need to beef up their defenses,鈥 he said during a virtual interview. 鈥淭he reality today is that it is all pretty random.鈥
Mr. Yeo said people should be aware that cyberattacks can occur via social media and messaging apps, and should know how to respond.
For Mr. Redoble, there are already a lot of intelligent devices that can protect one from cyberthreats and attacks, but are very expensive especially for these micro, small and medium enterprises (MSMEs).
鈥淥nly the large enterprises can afford new technologies and hire the right people,鈥 he said. 鈥淭he MSMEs are unable to put up a team and unable to buy new technologies. That is a big problem for us, because we have 99% of the business sector vulnerable to cyberattacks.鈥
Mr. Redoble said a culture of cybersecurity starts by changing the mindset of people, from the top management to the users.
Kaspersky鈥檚 Mr. Yeo pointed out that a study done by his company last year showed that only 48% of Filipinos who use digital payment methods believe they need an antivirus software to protect their money and data online, even if they鈥檙e aware of phishing scams and bank and credit card fraud.
Mr. Dumanhug warned cyberattacks are expected to become 鈥渕ore complex鈥 in a few years.
鈥淲e have to keep up with them by implementing whatever they are doing or they will perform. Probably, cyberattackers will also use new technologies like artificial intelligence, so the organizations and the National Government should also use this stuff to keep up with the attackers,鈥 he noted.
