Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Standards, Regulations & Compliance

Philippines' Cybersecurity Initiatives Running Out of Time

Funding Problems and Simmering Workforce Crisis Could Delay Cyber Readiness Plans
Philippines' Cybersecurity Initiatives Running Out of Time
Makati, the Philippines' financial district in the Metro Manila region (Image: Shutterstock)

The Philippines' efforts to respond to growing cyberespionage threats and disruptive cyberattacks may get bogged down by systemic issues, including long-pending cybersecurity legislation, lack of resources and glaring gaps in forensic capabilities. But time is not on the country's side.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

Among the most-targeted victims in the Asia-Pacific region in 2023, the Philippines experienced coordinated cyberattacks against law enforcement agencies in April that compromised the personal information of millions, a cyberattack on the state-owned insurance company PhilHealth in October affecting 13 million people, and major breaches at the Department of Science and Technology and the Philippine Statistics Authority.

President Ferdinand R. Marcos Jr. recently promised to advance a proposed Cybersecurity Act in Congress, calling the measure "priority legislation" aimed at boosting critical infrastructure security. The bill is awaiting Senate approval.

A national cybersecurity plan drafted by the Department of Information and Communications Technology, the government's lead agency to coordinate cybersecurity efforts, is also gathering dust awaiting presidential approval.

Cyberattacks on Filipino government agencies and the military escalated after a pro-U.S. administration took charge of the government last year, Sherwin Ona, associate professor at Manila-based De La Salle University, told Information Security Media Group. Some of the attacks were timed to coordinate with major U.S.-Filipino military exercises in the West Philippine Sea near the contested Scarborough Shoal.

The country has yet to adopt an offensive stance against cyberattacks and is stuck in a perpetual defensive mode, Ona said. Making matters worse, the country has limited forensic ability to identify attackers.

Government investigations into major cyberattacks on the Philippine National Police, the National Bureau of Investigation and the Bureau of Internal Revenue have failed to identify the attackers, and a series of power surges affecting the international airport in Manila was passed off as a network outage, though some observers suspected an attack on the electrical grid.

Making Cybersecurity a Priority?

Cybersecurity has become a national security concern that the government says it will address, but recent geopolitical events, internal security concerns, climate events and artificial intelligence-related concerns may divide the government's spending priorities.

The Philippines published a five-year national security policy in November, placing cyber, information and cognitive security among seven core national security interests that include political stability, territorial integrity, national harmony and climate change resiliency.

Manila's ability to optimize cyber defense capabilities requires a "whole of government" and a "whole of nation" approach, the policy says, but it also relies on the government fixing systemic issues that slow down incident response capabilities.

The government has several agencies - including the national police, the Anti-Cybercrime Group and the Cybercrime Investigation and Coordinating Center - that focus on cybersecurity, but a coordinated approach between these agencies is necessary to boost the country's response capabilities, Christine Lisette Castillo, defense research officer at the National Defense College of the Philippines, told ISMG.

The Department of Information and Communications Technology is small and has limited people with the technical skills to lead cybercrime investigations, Castillo said. The department's primary goal is to lead digital transformation efforts.

According to Ona, cybersecurity is handled by a small bureau within the group and the focus is on increasing awareness and capacity building. As a result, the agency does not have adequate organizational structure to deal with a wide range of concerns. It is also competing for funds with other government offices such as the e-government and digital connectivity offices.

"DICT has its hands tied behind its back. It does not have positions to hire technical people, and any decision to hire certified cybersecurity professionals will have difficulty being approved," Ona said. "This is why the government is facing difficulty in upgrading cyber readiness because it cannot hire people with the right skills and competence."

The Military Steps In

The Armed Forces of the Philippines formed a cyber battalion in 2013 and is now upgrading the group to a command-sized unit, with additional resources and manpower. Ona, who also serves as an auxiliary commander in the Philippine Coast Guard, said the cyber command will exclusively secure and defend military systems from cyberattacks.

But branches of the military are also competing for budget money. With the Chinese Navy threatening the country's sovereignty over its island territories, the military is rapidly shifting its focus to external defense, which requires huge investments in modernization.

"Units are competing for resources, and the priority is to confront the physical threat," Ona said. "As a result, the cyber domain isn't receiving as much attention as it deserves. Upgrading a battalion-sized unit to a command-sized unit will take some time."

The government has another big challenge on its hands: a simmering workforce crisis. Government and private sector organizations require at least 180,000 cybersecurity and data privacy professionals to meet resource demands, but only 200 certified professionals are in the country.

The Armed Forces plan to ease fitness requirements for new recruits of cyber professionals and hopes to collaborate with the private sector to upskill its information technology personnel, but such actions could take years to implement, Castillo said.

Can the Education Sector Help?

Castillo said colleges and universities on the mainland but also in the provinces are offering cybersecurity courses, but enrolment is low. The government plans to introduce a dedicated cybersecurity course as part of STEM training to generate interest among younger students.

According to Ona, the government has already prescribed the design of cyber courses, but there is no guarantee students will take up these programs. "This program is new and competes with traditional degrees, such as maritime and nursing, that have guaranteed economic benefits. It even competes with allied programs like data analytics and artificial intelligence. So, I think this route is a long shot," he said.

The government and universities could introduce short-term certificate programs that could rapidly develop resources. Organizations could take advantage of these programs to quickly upskill internal IT staff but according to Ona, these programs are expensive, and most government agencies are unwilling to shoulder the cost.

"The alternative here is for academic institutions and the private sector to offer customized programs for the public sector in lieu of formal certification. It will also be desirable if competencies are defined not only for cyber but for the digital transformation thrust of the government," he said.


About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.