Big problem in cybersecurity

There is no escaping a fully digital world, but our government is struggling to understand the basics of cybersecurity… so, it can’t properly regulate the private sector and it can’t adequately protect its own databases.

Last week, PhilHealth was hacked and our personal data files have been compromised. Then, it was most embarrassing that our national security agency or NICA was also hacked and some of our military secrets are now being sold on the dark web.

It has been reported that 500 megabytes of sensitive information are up for sale for 500 XMR (a cryptocurrency) online, containing details about the visits of foreign ambassadors and military attaches in Manila, as well as information about the level of training of the Philippine Air Force. Our security allies will now be more careful sharing information with our military because we have no capability of safeguarding such sensitive data.

The pathetic thing is… the Department of Information and Communications Technology (DICT) appears to have given up because they lack manpower and other resources to do a decent job of safeguarding government computer systems. DICT called on national government agencies to have their own cybersecurity response teams as the threat of cyberattacks increases.

In a story posted by ABS-CBN News last Sunday, DICT Undersecretary Jeffrey Ian Dy was quoted as saying that the National Computer Emergency Response Team (NCERT) under DICT “could not handle” all government agencies in need. NCERT receives, reviews, and responds to computer security incidents.

Dy told Teleradyo Serbisyo: “We responded to more than 3,000 events or cybersecurity issues nationwide, mula January hanggang August. Pero ang mga tao namin puro mga job order.” Job order staff do not have security of tenure, are paid less, and do not have mandatory benefits. They are probably also not the best qualified or why would they agree to a job order arrangement.

Dy said they could have responded to the ransomware attack on the Philippine Health Insurance (PhilHealth) Corp.’s system sooner “if we have the correct tools.” The PhilHealth system was down for more than a week.

ABS-CBN reported that it took PhilHealth a while to restore its systems because of the lack of capacity and tools to analyze its cybersecurity “environment.” Because the PhilHealth system is linked to the eGovPH app, Dy said individual computer units had to be checked to make sure they were free of the Medusa malware. “Kung kumalat ‘yun, ko-konnect ‘yun sa amin. Yung DICT, connected din sa other agencies,” he said.

DICT is preoccupied in promoting the eGov superapp that integrates the services of various agencies in one. But they did not give more attention to the security of government IT systems.

It is simple negligence that PhilHealth didn’t have cyber protection software when hackers attacked its computers, giving criminals access to the data of millions of us.  Medusa demanded a $300,000 ransom for stolen data.

But it was nothing new with government agencies. Some years ago, Comelec computers were also hacked and our voter data files were compromised.

Now that we have a National ID, it is probably just a matter of time before all that valuable information about every Filipino, including our biometrics, will end up on the dark web. The danger is obvious, but all that our government could do was appeal to what they call “patriotic hackers” to help protect the system.

Back in 2018, Privacy commissioner Raymund Liboro urged “patriotic” hackers to help secure Philippine cyberspace, beginning with the national identification card.

“We can do a lot more to help protect the data that will come out of PhilSys processing. You can do your part in it as well as ‘hackers ng bayan’… Your country needs you more than ever,” Liboro told local hackers.

Politicians jumped on the PhilHealth fiasco by urging better cybersecurity.

For example, Sen. Sherwin Gatchalian filed Senate Bill 2066 or the Critical Information Infrastructure Protection Act, which mandates the Department of Information and Communications Technology (DICT) to determine and update information security standards and require institutions to comply with such standards.

“With the increased use of digital technologies in our daily lives, malicious actors from casual scammers to highly sophisticated state-based groups hunt for vulnerabilities in ICT systems and networks to steal information, disrupt essential services, and profit from attacks,” Gatchalian said.

A press release is cheap, but will Congress give government agencies – led by DICT, the proper funding to make their systems safer from cybercriminals?

DICT is asking for confidential and intelligence funds but what they need are funds to hire more staff with the necessary skills and properly compensated. DICT had a total of P1.2 billion in confidential funds in 2019 and 2020 and still failed to deal with cyberattacks on government systems and networks.

Or maybe we can admit that at this point, given how chaotic our government is being managed, it will be better to outsource the storage of critical government data to reputable providers of cloud storage services.

One comment in one of my Viber groups: “The irony is this data (PhilHealth and NICA, too) would have been more secure if they hosted it on Amazon Web Services or Microsoft Azure because it would have been protected by smart measures implemented by competent engineers. The idea that data hosted locally is secure because it’s under Philippine sovereignty is a joke.”

That’s only on the government side. Our private sector is just as problematic in handling our personal data.

Said one cybersecurity expert I asked: “Achieving effective cybersecurity, establishing proper governance, and implementing robust processes demand substantial investments. Regrettably, only a limited number of Philippine companies can bear this financial burden independently. They have to seriously consider shared or hosted services models.”

Back to government handling of data… last December, the US Defense Department awarded contracts to four technology companies to provide services in support of its Joint Warfighting Cloud Capability. The four companies include Amazon Web Services Inc., Google Support Services LLC, Microsoft Corp., and Oracle.

If these companies are good enough for the Pentagon, our government should consider outsourcing at least PhilSys and our national intelligence to them too. The ragtag system we have now is ready to explode in a real big crisis.

Boo Chanco’s email address is [email protected]. Follow him on X or Twitter @boochanco