WHILE cybersecurity in the country is still in its infancy, the Philippines has already faced a number of online threats—four of which are considered advanced and persistent—over the last few years.
And because the government is hell-bent on addressing issues relating to online threats and attacks, it is moving to beef up the talent pool of Filipino cybersecurity experts who are currently only few in numbers.
Department of Information and Communications Technology (DICT) Assistant Secretary for Cybersecurity and Enabling Technologies Allan S. Cabanlong said his group will be outsourcing cybersecurity services from private firms in line with the agency’s five-year National Cybersecurity Plan (NCSP).
He added the department is looking at tapping local and foreign managed service providers (MSPs) who can provide the needed technology and technical know-how necessary to achieve its goal of fortifying the country’s cybersecurity defenses.
MSPs manage an institution’s information-technology (IT) operations, including the software, physical infrastructure and data security.
“Cybersecurity is a new field for our government. We have many experts on IT, but they’re from the private sector. Our strategy is for them to train our people inside so that these corporations will be able transfer their knowledge,” Cabanlong told the BusinessMirror.
Cabanlong said the government recognizes that protecting the Philippine cyberspace is an urgent task, which will be addressed through the NCSP.
It is set to mainly safeguard critical information structures, and government networks, such as public and military, small and medium enterprises, large corporations, and every Filipino on the Internet.
The flurry of cyber attacks in the country became prominent in 2012, when hacker group Anonymous Philippines defaced 20 government web sites.
Last March the same group also defaced the Commission on Elections’s (Comelec) web site, demanding the government to strengthen the security of the vote counting machines.
After the hack, another hacker group made the Comelec’s database available online, posting mirror links, which put 55 million Filipino voters at risk. Information leaked included passport numbers and addresses, which can be used for crimes like identity theft.
More pressing, however, are four “advanced persistent threats” that Russian multinational cybersecurity and anti-virus provider Kaspersky found in the Philippines from September 2016 to July 2017.
The same company ranked the Philippines eighth on its list of countries with the most mobile malware attacks with a score of 34.97 percent.
“The Philippines, as a developing economy, quickly gets access to connectivity,” Kaspersky Director Vitaly Kamluk said. “I see that in the near future the number of mobile attacks in the Philippines might increase.”
Information and Communications Technology Undersecretary Eliseo M. Rio noted that these are some of the issues that the NCSP will address, as it calls for the institutionalization of the adoption and implementation of information-security governance and risk-management approaches. It will also establish the National Computer Emergency Response Team (NCERT), which aims to build capability for quick response and recovery for cyber attacks.
“To hit the ground running, we’re going to outsource at first. We’ll hire a name that is internationally recognized as a cybersecurity firm,” Rio told the BusinessMirror.
The outsourcing move was approved by President Duterte last month.
“We were able to get the support of the President to have this rolling, so the program will start as early as possible,” he said.
Open to proposals
The alarming number of cyber attacks, such as WannaCry and Petya ransomware, also contributed to the DICT’s decision to look for trusted service providers for the NCSP.
According to Rio, the department is open for proposals from MSPs that can cater to their needs. It is also looking at tapping the public-private partnership (PPP) scheme for this program.
As of now, the department is coming up with feasibility studies for the project, assuring that the program will be set in motion within the year.
“For MSPs, they’ll be giving us their services. These include training of people, putting up tools, monitoring cybersecurity breaches,” Rio explained.
The move is geared toward both public and private sectors, in which the DICT aims to build confidence in the government’s cybersecurity capacity.
According to experts, the country lacks largely in human resources, or experts in the field of information technology.
“The Philippines lacks the ICT talent, the main emphasis of the cybersecurity plan by the DICT. It’s really hard to implement such program that can help the whole nation without the right expertise,” International Data Corp. (IDC) analyst Aljon Rejano told the BusinessMirror.
The outsourcing program will also involve technology transfer, which emphasizes on training and employment of homegrown IT experts since the DICT is lacking in manpower.
“At the moment, we lack people, experts in the field. This move will help us manage the services, as well as transfer knowledge, so that by 2019, the government’s personnel will outnumber the MSPs,” Cabanlong explained.
According to the department, the government’s participation will eventually increase as the NCSP is implemented.
Changing cyber culture
Another major component of strengthening cyber defense is the general public.
For experts, changing the general public’s mind-set on cybersecurity must be the first step in combatting it.
“There are many areas where the government can improve its efforts, but the most long-term efforts must be in educating the public about cybersecurity. We are only as strong as our weakest link, and if poor cybersecurity hygiene, such as clicking on unknown links, use of USB pen drives with unknown provenance, or use of pirated and malware infected software, remains to be a norm, the Philippines will remain vulnerable,” tech expert Pierre Tito M. Galla told the BusinessMirror.
The government also plans to open up cybersecurity courses in 2019.
Holy Angel University and AMA University are poised to open a bachelor’s and master’s degree on cybersecurity in two years’ time to help companies and the government counter cyber threats and attacks.
“The curriculum was contributed by the department. It was from the George C. Marshall Center for Security Studies, where I graduated,” Cabanlong said.
The curriculum is now with the Commission on Higher Education.
“Eventually we will be integrating cybersecurity in the curriculum. Universities will be offering the bachelor of science and master’s with reference to the curriculum we shared to them,” Cabanlong said.
Galla said he is looking forward to the culmination of NCSP, especially with the outsourcing plan in motion.
“There is nothing wrong with outsourcing, provided it is done correctly. The proof of the pudding will be on the degree of security demonstrated, on whether or not attacks are defeated, and the DICT will be responsible for their decision,” Galla said.
However, Rejano doubts the feasibility of the move, especially since there might be financial constraints.
“We lack the budget. For the IDC, we think that the NCSP needs to be implemented under PPP,” Rejano said.