Points to consider in securing Philippine cyberspace
Cyber-attacks on websites managed by the Philippine government have been persistent and increasingly sophisticated.
During the past year, Anonymous Philippines—a movement that believes the social system can change through the aggressive use of information technology—has attacked numerous government websites, including those of the Office of the President, the Department of Budget and Management, the Philippine National Police, and most recently, the Office of the Ombudsman.
While scholars, government officials and technical experts agree that the Philippines should have a national strategy to address cyber-attacks, the scope and content of this strategy remains elusive.
Cyber-attacks will not stop
More people may decide to engage in cyber-attacks because of the low barriers to entry, anonymity and presence of others involved in similar activities.
Performing various operations in cyberspace is not difficult because the resources and knowledge required to exploit and disrupt infrastructure are modest compared to the requirements of exploiting other domains of conflict such as land, sea, air and even space.
Any individual with sufficient technical knowledge and has access to information communication technologies can execute cyber-attacks.
Anonymity is another reason why cyber-attacks will not stop. Since there is no absolute way of identifying the perpetrators, individuals will use cyberspace to carry out their illegal activities. Also, the accessibility of cyberspace allows all types of actors—individuals, nongovernment organizations, corporations, nation-states—to operate and provide support, which makes it very complicated for authorities to detect.
The military must not take the lead in cyber defense
The broad mandate of the Armed Forces of the Philippines (AFP) is to protect the state and the people from external threats. Since it is not possible for authorities to accurately confirm that external aggressors or nation-states are behind the cyber-attacks, the military should just play a supporting role and work with other government agencies such as the Philippine National Police and the National Bureau of Investigation in addressing cyber-attacks.
An example of the military’s necessary involvement in cyber defense was during the distributed denial of service attacks against Estonia in 2007. Another is the employment of a “Stuxnet” (a sophisticated computer program designed to penetrate and establish control over remote systems) against an Iranian nuclear facility in 2010.
Expecting the military to take the lead in cyber defense may mean expanding their mandate and providing them with more resources. This may detract the AFP from their main focus of developing modest territorial defense capabilities for land, sea and air domains.
Even with an effective cyber security strategy, authorities cannot expect to prevent every cyber-attack from happening. An effective strategy can, however, reduce the projected disastrous impact of an attack and possibly decrease the scope and duration of any exploitation or disruption caused by an initial attack.
Security strategies are not definitive
Mitigation measures involve technical expertise, developing a culture of cyber security, and implementing initiatives to ensure resilience.
There are several abundant sources of technical expertise in the Philippines in addition to experts in government. There are scholars in leading universities whose research focuses on fields like security engineering and cryptography. There are also professionals engaged in nongovernment organizations, such as the Information Systems Security Society of the Philippines, Information Systems Audit and Control Association, and Philippines Emergency Computer Response Team.
Experts in information technology companies like Symantec, McAfee and IBM, who constantly develop solutions to secure data and infrastructures globally, may be tapped.
Developing a culture of cyber security includes promoting awareness and standards in private and public institutions through education and national information campaigns.
It is critical for the public to understand how to spot potential cyber threats as well as the damage caused by actual cyber-attacks. More importantly, people must be made aware of the rationale and scope of Republic Act No. 10175 and other laws that protect Philippine cyberspace.
Ensuring resilience requires institutions to have the agility to prevent, detect and respond rapidly and effectively, not just to cyber-attacks, but also to the consequences.
This means developing multidisciplinary teams from different sectors of the country to develop and test procedures and plans that will eventually contribute to a more comprehensive cyber security strategy.
This team should be able to respond quickly to an incident by briefing stakeholders regarding the situation, and communicating with individuals and organizations that might have been compromised.
Cyber-attacks have limited impact
Although there have been numerous types of cyber-attacks executed in cyberspace, none of these attacks have caused the same damage as attacks against land, sea and air targets. Therefore, cyber-attacks have a limited impact on nation-states because the attacks rely on an electromagnetic spectrum, require man-made technology to function, and do not involve lethal action and physical violence.
Cyberspace is dependent on preexisting electromagnetic spectrum. Therefore cyber-attacks will not be successful if the spectrum is controlled or access to critical networks is blocked by accountable government units.
Another related point is that cyber-attacks require man-made technology to be deployed. The hardware and software required by people who carry out cyber-attacks are not top secret and are readily available in computer stores. Therefore, developing measures and strategies to counter the attacks will not be impossible.
A third point is that cyber-attacks have limited impact because they do not involve lethal action or physical violence.
There have been several books, articles, and reports from think tanks that explain how the escalation of cyber-attacks may eventually lead to a “cyber war.” However, these claims seem to be exaggerated.
Cyber security expert Thomas Rid of King’s College London makes a more sensible claim when he argues that “all politically motivated cyber-attacks are merely sophisticated versions of three activities that are as old as warfare itself—sabotage, espionage and subversion.”
War by definition always involves lethal action and physical violence; therefore the cyber-attacks against Estonia in 2007 and Georgia in 2008 may not be considered examples of cyber-war. Cyber-attacks can exploit databases, disrupt networks and, to a certain extent, damage infrastructure. But these are still limited compared to the impact and destruction caused by attacks from land, sea and air.
(The author is a postgraduate research student pursuing an MRes and PhD in International Relations at the Department of Politics and International Relations of University of Reading, United Kingdom. He obtained his MA in Intelligence and Security Studies from Brunel University in London in 2009 and is an assistant professor (on leave) at the International Studies Department of De La Salle University Manila.)
