The series of hacking incidents and cyberattacks on several government portals has stirred up fears about the security of the personal data we’ve handed over to state agencies in their bid to digitize all aspects of governance.
The hacking by the clandestine group Medusa of the computers of the Philippine Health Insurance Corp. late last month affected the accounts of 13 to 20 million PhilHealth members, making it the largest breach of government data since the Commission on Elections’ “Comeleak” incident in 2016.
Earlier, in April, the Philippine National Police, National Bureau of Investigation, Bureau of Internal Revenue, and Special Action Force also experienced a data breach. This was followed by a cyberattack on the Department of Science and Technology’s OneExpert portal on Aug. 31.
Last week, the Philippine Statistics Authority said it was investigating a reported data breach of its systems for the national ID project and civil registration. On Tuesday, the website of the House of Representatives became inaccessible after it was defaced by hackers last Sunday. That of the Senate also received a “spike of attacks” on the same day, a Senate official said.
Individuals whose data had been exposed could be potential victims of identity theft, phishing attacks, and other malicious acts that could compromise government and private business transactions.
While hacking and cyberattacks for ransom have been happening even in the most advanced countries, the Philippines is seen as a most vulnerable target.
For one, its foremost information technology (IT) agency, the Department of Information and Communications Technology (DICT), said it lacks the resources to trace hackers and monitor their moves and modus operandi. Citing a slimmed-down allocation of P300 million for next year from P1 billion in 2022, Information Secretary Ivan John Uy said the shrinking cybersecurity budget makes it difficult for the agency to properly assess the integrity of all national government agencies.
The COVID-19 lockdown led as well to “a tidal wave of data breaches, because companies [had to] open up access to their remote employees, and not [realizing] that they had accidentally opened the entire database for everyone,” noted an IT expert.
It doesn’t help that despite the alarming rise in cyberattacks—5,000 cyber threats in the first six months of 2023 alone, according to the DICT—there remains an urgent need for 180,000 cybersecurity experts in the Philippines, the National Association of Data Protection Officers said. And yet “we are not lacking in potential and talent when it comes to cybersecurity,” noted Armed Forces of the Philippines chief of staff Gen. Romeo Brawner Jr., recalling that the “I Love You” virus, which infected millions of computers worldwide in 2000, was created by a Filipino. As it is, the government does not seem to appreciate Filipino cybersecurity experts enough to pay them their worth and match the lucrative offers by private companies.
Aside from the potential use of an individual’s exposed data for illicit activities, such weaknesses in the country’s cyber landscape also threaten its business process outsourcing industry and other financial hubs, as well as our national security. A 2021 report by the United States cybersecurity company, Insikt Group, noted that the country’s military agencies were being persistently targeted by Chinese state-sponsored hackers. Such hacking operations are related to the West Philippine Sea, according to Mark Manantan of the Hawaii-based think tank Pacific Forum.
Given such critical risks, one has to ask: whatever happened to the five-year National Cybersecurity Plan (2023-2028) which, according to Uy, “actually identifies areas where critical infrastructures that need to be secured and [which civilian and military] agencies will be addressing that’’? Shouldn’t the President prioritize it amid the escalating data breaches?
Enhancing collaboration in cyberattack investigations is necessary as well, and the inclusion of cyber defense in this year’s “Balikatan” exercises with the US is a good start. And so is information sharing on perceived threats and risks that can lead to community efforts to thwart potential attacks. Private companies can meanwhile invest in intensified training through cybergames, internships, and boot camps to strengthen their IT capabilities. A Senate probe into the current cybersecurity infrastructure of government agencies and their capacity to fend off hackers should be pursued as well.
The President, too, must issue an executive order compelling heads of agencies to comply with minimum data security standards, as prescribed by the DICT. Such a directive must also require these agencies to create a computer emergency response team to manage cybersecurity incidents. For its part, the National Privacy Commission must make it easier for complainants to report a possible data breach, instead of discouraging them as it did when it stated that the burden of proof on hacking lies with the victim.
Until government takes its mandate to protect data privacy seriously, “do not collect if you can’t protect” remains a timely reminder it must heed to gain back public trust.