As a concrete testament to its ongoing efforts in building a trusted and resilient infostructure for the Philippines, the Department of Information and Communications Technology (DICT) in January launched the country’s Cyber Management System Project (CMSP). The CMSP will be used primarily for information-sharing, monitoring threats, and defending cyberinfrastructure. With a hefty price tag of Php508 million, the Philippines’ latest investment will allow the government to predict, respond and recover from cyber attacks.
In the past three years, the Philippines continued to demonstrate progress in the area of cybersecurity exemplified by the launch of the National Cybersecurity Strategy Plan 2016-2022, the establishment of the national computer emergency response team (CERT), as well as participation in regional initiatives such as the ASEAN Cybersecurity Capacity Program. The setting up of the CMSP is a significant step to further achieving a cyber-resilient Philippines.
However, it must be emphasized that building a trusted and resilient cybersecurity should not be the mandate of the government alone but falls upon every individual and institution in the country.
It is crucial to break down the silos that confine cybersecurity solely within the purview of the technocratic lens and to shift the debate to crosscutting perspectives, to devise practical insights and approaches. Established tech companies like IBM have started to embrace non-IT professionals noting that innovative and agile solutions are informed by creative thinking and technical skills. For its part, DICT has been advocating for a whole of nation approach towards cybersecurity, despite its limited resources and capacity. Central to achieving resiliency in cybersecurity is partnership building. It is the defining hallmark in developing a collaborative framework that brings together the private sector, academia, and not-for-profit organizations as well as intergovernmental and bilateral partners. Through partnership building, a more inclusive approach to building a cyber resilient Philippines becomes feasible.
Increasing collaboration through information sharing
The acquisition of the CMSP will bolster the government’s efforts in information sharing, starting with an initial list of 10 government agencies. Nevertheless, it remains unclear to what extent the CMSP will be deployed to engage other parties outside the government because such a move would surely entail critical questions relating to data protection and privacy. Given the nature of threats and risks in cyberspace as borderless, every individual or organization is put at risk of being a potential target, hence information sharing is highly imperative.
One of the prominent approaches to information sharing is the so-called Cyber Threat Intelligence or the sharing of real-time actionable information which will guide organizations to draw the appropriate response. But determining a two-way flow of sharing quality information will require a strong commitment especially among private organizations. Building trust and transparency take time as companies are often sensitive about sharing information that might expose their core processes among their competitors. However, the benefits of leveraging on collaborative networks outweigh the perceived skepticism toward information sharing, especially given the increasing damage from cyber-related incidents in the Philippines, estimated at US$3.5 billion.
To overcome such barriers, a working group comprised of representatives from the government, private sector, academia, think tanks, and not-for-profit organizations could jumpstart preliminary discussions in identifying a standardized approach, to lay the groundwork for a solid policy framework, including effective industry-led and cross-sectoral responses and trend analysis. The current efforts of the Bangko Sentral ng Pilipinas or Central Bank of the Philippines in expanding compliance to cooperative mechanisms via information-sharing within the financial industry could be a model that can be expanded or replicated into other sectors such as energy, transportation, and healthcare.
Developing the next breed of Cybersecurity Workforce
It is projected that the current shortage of cybersecurity professionals will spark an industry crisis with a staggering 3.5 million unfilled positions by 2021. In 2018, the Philippines trailed behind its ASEAN peers with only 84 certified information security systems professionals while Indonesia has 107, Thailand has 189, Malaysia has 275 and Singapore has 1,000. According to a study conducted by IBM and the Ponemon Institute in 2018, talent deficit in cybersecurity caries immense risks as the number of sophisticated data-breaches increases with the absence of competent cybersecurity professionals to deploy countermeasures in detecting and preventing attacks.
Although Artificial Intelligence, Machine learning, Data analytics and the use of cloud computing could mitigate the shortage of cybersecurity professionals, experts argue that technology alone cannot solve the problem because detection still requires verification process from the individual to determine the legitimacy of threats. This puts the human resources dimension to building a cyber-resilient nation front and center.
As one for the fastest growing sectors in the Information Communications and Technology Industry, Cybersecurity presents a myriad of opportunities for the Philippines with its young and vibrant workforce. To realize such an opportunity, there is a need to bridge the gap by equipping the number of talents available with the required cybersecurity-skills. The DICT, the Commission on Higher Education (CHED), and the Department of Education (DepEd) have joined forces to tackle this impending labor shortage of cybersecurity talents. Their proposed solution is to integrate cybersecurity in the academic curriculum of Senior High School students. While a bachelor’s degree in Cybersecurity shall be offered, inspired by the George Marshall European Center for Security Studies.
These developments offer improved prospects for a highly-networked and internet savvy youth in the Philippines, but it requires preparing such pipeline of anticipated graduates of cybersecurity programs to be highly competitive in order to seize available opportunities in the job market. DICT, DepEd, and CHED must work in partnership with the private sector to offer immediate upskilling through actual internships and hands-on learning opportunities. In the interim, companies can either initiate retraining programs to maximize the existing pool of talents or outsource cybersecurity and compliance services to outside vendors.
Leveraging on existing regional and bilateral partnerships
In the cybersecurity realm, cooperation is not a choice, it’s a given. The Philippines must leverage all possible partnerships available to meet the country’s demand to bolster its defenses against cyber threats. With the porous nature of the cyber domain, risks and threats are difficult to contain, and given its limited capacity at the moment, the Philippines must strengthen its cyber intelligence-sharing capacity with like-minded partners such as the United States, Australia, and Japan. These three countries have expressed their strong desire to build on international partnerships in the realm of cybersecurity as indicated in their respective cybersecurity strategies.
For example, Japan held cybersecurity exercises in the Philippines in 2017 along with other ASEAN ministries involved in Cybersecurity. Such efforts are being sustained through the ASEAN-Japan Cyber Capacity Building Center engagements in Thailand. Meanwhile, the U.S. and the Philippines held a Joint Cyber Security Working Group Briefing in 2018 to strengthen law-enforcement operations through training and technical assistance between the two governments and their respective counterparts from private companies. Through its Cyber Affairs division, Australia has been widely engaged in sharing best practices and capacity building initiatives among ASEAN member states, most notably Thailand and Indonesia. There is an opportunity for Australia to extend such collaboration with the Philippines by showcasing its thriving cybersecurity industry under its current Australia Now ASEAN program.
Just as the Philippines continues to engage its partners in the region on traditional security concerns, it must also include non-traditional strategic domains such as cybersecurity. A concrete initiative that can be explored in this area includes a joint CERT to CERT cooperation framework for cyber intel and risk assessments, as well as operational agreements on law enforcement on cyber-related crimes. A track 1.5 mechanism can provide the foundation for exploring at the bilateral level an information-sharing and analysis hub involving governments, private sector, think tanks, academia, and not-for-profit organizations.