The persistence of digital vulnerabilities and the need for cyber resilience

National Bureau of Investigation director Jaime Santiago and NBI Cybercrime Division chief Jeremy Lotoc present the three alleged hackers during a press conference at the NBI headquarters in Quezon City yesterday. The three suspects were tagged for hacking into private and government websites as well as banks and Facebook accounts.
Miguel De Guzman

The recent cyberattacks on government agencies reveal a disturbing pattern and a malicious intent. Ransomware and hacking incidents, including those involving the Department of Science and Technology, the Philippine National Police, and others, demonstrate a deliberate effort to steal data, disrupt services and cause anxiety among the public.

Since 2022, there has been a significant increase in these types of attacks, which are complemented by the spread of disinformation. The timing of these incidents is suspect since many of these events seem to coincide with developments in the West Philippine Sea and the Balikatan military exercises.

For its part, the government's response to these incidents has been consistent but reactive. At the policy level, the recent approval of the National Cyber Security Plan (2024-2028) signaled a strong commitment to address the country’s digital vulnerabilities.

In general, the NCSP provides a framework for public agencies on how to organize, respond, and sustain cybersecurity efforts. To further emphasize its urgency, President Ferdinand Marcos Jr. signed Executive Order 58 mandating its adoption. The order established the National Cybersecurity Inter-Agency Committee to monitor and coordinate the implementation of the NCSP. 

These actions are commendable and are important steps in the right direction. However, the Philippines is confronted with challenges that have compounded over the years and have created opportunities for criminals and state-sponsored malign actors.

For instance, the country’s fragmented and siloed approach to digitalization means that there is little collaboration and adoption of cyber standards, especially in the public sector.

Due to the need for transactional efficiency as mandated by previous laws and programs, security has become an afterthought and a victim of cost-cutting efforts.

Furthermore, government IT initiatives are often funded through agency-specific annual budgets. This means that agencies often lack the time to develop business cases and functional requirements that are crucial for collaboration and for determining vulnerabilities.

This brings us to the penchant for fast solutions and stop-gap measures. The focus of this reactive practice is usually on emergency response and cyber forensics capabilities. There is also a misplaced emphasis on cost efficiency and techno-centric solutions. The standards of continuity, privacy, and security are the first ones to be thrown out of the window in this situation.

An alternative to this is the adoption of resilience strategies that can address digital vulnerabilities through proactive practices. To do this, one must be able to connect the dots, recognize the evolving nature of cyber threats, and implement holistic interventions.

Connecting the dots

The importance of connecting the dots in cybersecurity cannot be overstated. This effort requires collaboration between government agencies and the private sector to achieve common goals.

An example of this is the sharing of information on threat vectors and the exchange of expertise through internship programs. Furthermore, adherence to frameworks like the NIST 2.0 and ISO 27001/27002 will allow for the institutionalization of these practices and enhance organizational preparedness. These standards will also help government agencies define the digital competencies that are needed to strengthen cyber resilience.  

Evolving nature of cyber threats

It would be a tragedy if we are not able to recognize the convergence of offensive cyber incidents with disinformation operations. Usually perpetrated by state-sponsored actors, this phenomenon is often used as part of gray zone tactics.

It uses illegally obtained data for espionage and social engineering using artificial intelligence to create profiles intended to enhance audience targeting. This is done to ensure the efficacy of disinformation campaigns. It will not be difficult to imagine the use of stolen personal data from government agencies to establish patterns that can be used for malign influence operations.  

A way forward 

Searching for a magic bullet to solve our cyber vulnerabilities is a futile and costly move. Quick solutions are tempting, but these temporary fixes will only result in the recurrence of these problems. 

For this purpose, I believe that the country’s whole-of-society approach to cybersecurity is the best option. However, the question is, “How do we now operationalize this concept?” 

To answer this question, I argue that a good starting point is to adopt a cyber resilience paradigm, which underscores the importance of collaboration, adherence to standards and the mitigation of emerging threats.

In addition, cyber resilience also views vulnerabilities and solutions at the level of the individual (citizens), the organization, and society.

Often described as cybersecurity’s weakest link, citizens are crucial in a cyber resilience strategy. The basic components of this level include the empowerment of individuals through awareness and cyber hygiene practices. In addition, the rampant spread of disinformation necessitates the development of critical thinking and digital literacy skills. 

At the organizational level, giving equal priority to preparedness and continuity together with emergency response is paramount. Cyber preparedness is a proactive approach that requires organizations to determine their vulnerabilities. This can be done through risk assessments and audits.

For instance, the conduct of the data privacy impact assessment as mandated by the Data Privacy Act is a useful tool to establish security baselines. The Civil Service Commission’s business continuity program combined with IT disaster recovery techniques is another valuable tool.

In addition, the creation of sector-specific collaborative spaces for the sharing of threat intelligence and best practices is another important facet of resilience. This can be accomplished by creating professional associations and venues that allow for the inclusion of other stakeholders. 

Lastly, a societal level view of cyber resilience underscores the importance of adopting a holistic and broader view of cybersecurity. By using a national security lens, it views the current information environment as a contested space that malign actors will continuously exploit.

Therefore, it is crucial for the country to identify its critical sectors and strengthen its resilience posture. Furthermore, the Philippines needs to leverage its international alliances to enhance its capabilities, learn from best practices, and ensure the timely exchange of threat information.

Cyber resilience is a holistic approach that underscores the importance of protecting the individual, the organization, and society. It is a proactive technique that emphasizes the importance of preparedness, continuity, and collaboration, among others. Unfortunately, there is no magic bullet. Moving forward requires hard work, dedication and commitment.

 

Sherwin E. Ona, Ph.D. is a non-resident fellow of the Stratbase-ADR Institute. Dr. Ona is also an associate professor of political science and development studies at De La Salle University.
