By Keith Detros, Programme Manager, Tech for Good Institute
The Philippines is the fastest-growing digital economy in Southeast Asia (SEA), valued at US$17 billion in 2021. This growth is spurred by various factors, including a young population with a median age of 25.7 years old, an internet penetration rate of 67%, and a mobile phone penetration of 138%. Filipino internet users spend the most time online globally. COVID-19 accelerated this trend even further, as Filipinos relied on technology to continue availing of goods and services in the face of strict lockdown measures and limited movement of people.
While the rapid adoption of digital services is a welcome development, cyber-attacks and data breaches have risen in step. Private firms saw a 30% increase in ransomware attacks and a 49% increase in web threats. The Philippine National Police (PNP) also reported a 37% increase in online scam cases, while the National Bureau of Investigation (NBI) recorded a 200% increase in phishing cases. This trend has led the government to ramp up awareness campaigns on attack vectors frequently used by cyber criminals. However, there remain areas for improvement in how the Philippines handles the ever-changing cyber threat landscape.
Philippine Cybersecurity Capacity
Despite having the fastest-growing digital economy, the Philippines’ cybersecurity capacity is still maturing. Based on ITU’s Global Cybersecurity Index, it scores high on legal and cooperative measures, while coordination of institutions, policies, and strategies can be improved. An upcoming Tech for Good Institute study also sees an opportunity for the Philippines to improve its capacity to adapt in order to improve resilience.
Brain drain and a lack of competitive rates have also resulted in a lack of cybersecurity professionals in the country. Based on data from the International Information System Security Certification Consortium (ISC2), a global cybersecurity professional organisation which grants the Certified Information Systems Security Professional (CISSP) – one of the most coveted certifications of cybersecurity experts – the Philippines ranked 4th in SEA with 183 CISSPs in the country as of July 2021. This translates to a ratio of 2 cybersecurity experts to every 1 million internet users in the Philippines. To put this into perspective, Singapore leads the region with 2,683 CISSPs, with a much smaller population.
In addition, the Philippines also suffers from a lack of reliable data on cybersecurity incidents, because the government does not have a centralised and localised view of the kinds of cyber threats that Filipinos are facing.
Improving cybersecurity manpower and data collection frameworks is therefore vital to the Philippines’ ability to maximise the benefits of the digital economy.
A Web of Issues: Policy Landscape and Unstructured Reporting Data
Over the last decade, the Philippines has been laying down the foundations to protect the data of its citizens. Two landmark laws govern Philippine cybersecurity policy. The first is the Data Privacy Act of 2012, which created the National Privacy Commission (NPC), the national watchdog and main policymaking body in all matters related to privacy. The second is the Cybercrime Prevention Act of 2012, which provides the legal framework against crimes committed through digital means. The latter law created several offices, including the Office of Cybercrime in the Department of Justice (DOJ) and the anti-cybercrime divisions within the NBI and the PNP. In addition, the Department of Information and Communications Technology (DICT) is also a key player in cybersecurity policymaking.
The policy landscape has created several agencies in government that respond to cyberthreats, but there are overlapping duties and responsibilities that can be streamlined moving forward. For example, on the law enforcement side, the PNP and the NBI have their own cybercrime divisions, but the delineation of which cases each group covers is not clear, especially among end-users.
On the other hand, data on cyber incidents is crucial to develop corresponding policy and incident response mechanisms. The Philippine government gathers cyber incident data through three streams:
- the National Cyber Threat Intelligence Platform, a national platform where intelligence is shared across a limited number of government agencies;
- the Threat Intelligence Feed, where the DICT subscribes to private vendors that give it intelligence information on major threat activities in the world; and
- Actual Incidents Reported where the government tracks actual incidents reported by end users.
The main issue for cyber threat reporting is that there is no integrated database across government agencies, especially for the Actual Incidents Reported. End-users can choose which agency to report to, and each agency has its own reporting and response mechanisms. This results in databases that are siloed and not connected to each other. There is also no uniform format for reporting cyber incidents. Since agencies keep their own records, the categories and data entry strategies are vastly different.
The Way Forward: An Integrated Cyber Threat Database
A coordinated response is key to combating cyber threats and protecting the data of governments, businesses, and individuals. A step forward is to have an integrated reporting system that would capture, aggregate and analyse the local challenges end-users are facing. This integrated local threat database would complement data gathered from international partners and organisations, and would serve as the basis for a more holistic and responsive cybersecurity strategy. For the Philippines, there are several recommendations towards this goal.
- Streamline and consolidate the data gathered across several agencies. There are several policy options to enable this. One is to empower the Cybercrime Investigation and Coordinating Centre (CICC) as the main repository and data governance body when it comes to cyber vulnerabilities and incidents. A consideration here, however, is that the CICC needs sufficient manpower to fulfil this mandate. Another is to create a National Cybersecurity Agency (NCA) that will serve as the main policymaking body for cybersecurity, maintain an integrated database of cyber threats, and designate policy responses to the appropriate government agencies. This is akin to Singapore, where the Cyber Security Agency is the focal body for cyber policymaking. To have a strong mandate, this new agency can be attached to the Office of the President. This option will necessitate a reorganisation of several existing bodies and their bureaucratic relationships with a new agency. Regardless, there is a need to streamline the current process of collecting data for cyber threat reporting.
- Make reporting easy for end-users with standardised reporting and escalation procedures. It would be ideal to have a unified portal where government agencies, businesses and individuals can submit their complaints. The data format should be uniform with clear categories for reporting. With a repository of data available, data analytics can be employed to have a holistic view of cyber threats.
- Build trust and inspire confidence in the country’s cyber incident and response mechanisms. The main challenge remains encouraging the private sector and individuals to report whenever they are breached or hacked. There should be a continuous campaign highlighting the fact that not sharing information could create blind spots. And given the fact that cyber threats can rapidly spread across domains, sectors, and industries, it is important to advocate for a whole-of-society approach throughout the entire ecosystem. The government should continue to encourage information sharing to improve its capacity to handle cybercrime and data breaches.
Overall, an integrated cyber threat database would serve as a foundation for evidence-based cyber policymaking. The data gathered from the integrated data system can be used to address other weaknesses in Philippine cybersecurity. Only when stakeholders know what they are up against can responsive capacity-building measures be designed, budgets to retain talent be justified, and timely advisories against emerging cyber threats be issued.