Using Data to Protect Data: Addressing Gaps in Cyberthreat Reporting in the Philippines

Despite having the fastest growing digital economy, the Philippines' cybersecurity capacity is still maturing. Photo credit: iStock/Zephyr18

This article is published in collaboration with the Tech for Good Institute.

The Philippines is the fastest growing digital economy in Southeast Asia, valued at $17 billion in 2021. This growth is spurred by various factors, including a young population with a median age of 25.7 years old, an internet penetration rate of 67%, and a mobile phone penetration of 138%. Filipino internet users spend the most time online globally. COVID-19 accelerated this trend even further, as Filipinos relied on technology to continue availing of goods and services in the face of strict lockdown measures and limited movement of people. 

While the rapid adoption of digital services is a welcome development, cyberattacks and data breaches have risen in step. Private firms saw a 30% increase in ransomware attacks and a 49% increase in web threats. The Philippine National Police (PNP) also reported a 37% increase in online scam cases, while the National Bureau of Investigation (NBI) recorded a 200% increase in phishing cases. This trend has led the government to ramp up awareness campaigns on attack vectors frequently used by cybercriminals. However, there remain areas of improvement for the Philippines to handle the ever-changing cyberthreat landscape.

Philippine cybersecurity capacity

Despite having the fastest growing digital economy, the Philippines' cybersecurity capacity is still maturing. Based on ITU’s Global Cybersecurity Index, the Philippines scores high on legal and cooperative measures, while coordination of institutions, policies, and strategies can be improved. An upcoming Tech for Good Institute study also sees an opportunity for the Philippines to improve its capacity to adapt in order to improve resilience.

Brain drain and a lack of competitive rates have also resulted in a lack of cybersecurity professionals in the country. Based on data from the International Information System Security Certification Consortium (ISC2), a global cybersecurity professional organization which grants the Certified Information Systems Security Professional (CISSP), one of the most coveted certifications for cybersecurity experts, the Philippines ranked 4th in Southeast Asia with 183 CISSPs in the country as of July 2021. This translates to a ratio of 2 cybersecurity experts to every 1 million internet users in the Philippines. To put this into perspective, Singapore leads the region with 2,683 CISSPs, with a much smaller population.

In addition, the Philippines also suffers from the lack of reliable data on cybersecurity incidents due to the government not having a centralized and localized view of the kind of cyberthreats that Filipinos are facing. 

Improving cybersecurity manpower and data collection frameworks is therefore vital to the Philippines' ability to maximize the benefits of the digital economy.

A web of issues: Policy landscape and unstructured reporting data

Over the last decade, the Philippines has been laying down the foundations to protect the data of its citizens. Two landmark laws govern Philippine cybersecurity policy. First is the Data Privacy Act of 2012, which created the National Privacy Commission (NPC), which serves as the national watchdog and main policymaking body in all matters related to privacy. Second is the Cybercrime Prevention Act of 2012, which provides the legal framework against crimes committed through digital means. The latter law created several offices, including the Office of Cybercrime in the Department of Justice (DOJ) and the anti-cybercrime divisions within the NBI and the PNP. In addition, the Department of Information and Communications Technology (DICT) is also a key player in cybersecurity policymaking.

The policy landscape has created several agencies in government that respond to cyberthreats, but there are overlapping duties and responsibilities that can be streamlined moving forward. For example, on the law enforcement side, the PNP and the NBI have their own cybercrime divisions, but the delineation of what cases each group covers is not clear, especially among end users.

On the other hand, data on cyber incidents is crucial to develop corresponding policy and incident response mechanisms. The Philippine government gathers cyber incident data through three streams: 

  • the National Cyber Threat Intelligence Platform, a national platform where intelligence is shared across limited government agencies;
  • the Threat Intelligence Feed, through which the DICT subscribes to private vendors that give it intelligence information on major threat activities in the world; and
  • Actual Incidents Reported, where the government tracks actual incidents reported by end users.

The main issue for cyberthreat reporting is that there is no integrated database across government agencies, especially for the Actual Incidents Reported. End users can choose which agency to report to, and each agency has its own reporting and response mechanisms. This results in databases that are siloed and not connected to each other. There is also no uniform format for reporting cyber incidents. Since agencies keep their own records, the categories and data entry strategies are vastly different.

The way forward: An integrated cyberthreat database

A coordinated response is key toward combating cyberthreats and protecting data of governments, businesses, and individuals. A step forward is to have an integrated reporting system that would capture, aggregate, and analyze local challenges end users are facing. This integrated local threat database would complement data gathered from international partners and organizations, and would serve as the basis for a more holistic and responsive cybersecurity strategy. For the Philippines, there are several recommendations towards this goal. 

  1. Streamline and consolidate the data gathered across several agencies. There are several policy options to enable this. One is to empower the Cybercrime Investigation and Coordinating Center (CICC) as the main repository and data governance body when it comes to cyber vulnerabilities and incidents. A consideration here, however, is that the CICC needs sufficient manpower to carry out this mandate. Another is to create a National Cybersecurity Agency (NCA) that will serve as the main policymaking body for cybersecurity, maintain an integrated database of cyberthreats, and designate policy responses to the appropriate government agencies. This is akin to Singapore, where the Cyber Security Agency is the focal body for cyber policymaking. To have a strong mandate, this new agency can be attached to the Office of the President. This option will necessitate a reorganization of several existing bodies and their bureaucratic relationships with a new agency. Regardless, there is a need to streamline the current process of collecting data for cyberthreat reporting.
  2. Make reporting easy for end users with standardized reporting and escalation procedures. It would be ideal to have a unified portal where government agencies, businesses, and individuals can submit their complaints. The data format should be uniform with clear categories for reporting. With a repository of data available, data analytics can be employed to have a holistic view of cyberthreats. 
  3. Build trust and inspire confidence in the country’s cyber incident and response mechanisms. The main challenge remains encouraging the private sector and individuals to report whenever they are breached or hacked. There should be a continuous campaign highlighting the fact that not sharing information could create blind spots. And given that cyberthreats can rapidly spread across domains, sectors, and industries, it is important to advocate for a whole-of-society approach throughout the entire ecosystem. The government should continue to encourage information sharing to improve its capacity to handle cybercrime and data breaches.

Overall, an integrated cyberthreat database would serve as a foundation for evidence-based cyber policymaking. The data gathered from the integrated data system can be used to address other weaknesses in Philippine cybersecurity. Only when the stakeholders know what they are up against can responsive capacity building measures be designed, budgets to retain talent be justified, and timely advisories against emerging cyberthreats be issued.

This article was first published by the Tech for Good Institute on 21 August 2022.

Keith Detros
Program Manager, Tech for Good Institute

Keith Detros is a program manager at the Tech for Good Institute. He leverages almost a decade of experience in government affairs, evidence-based policy research, and stakeholder engagement to work on areas at the nexus of technology and public policy. His main research interests include cyber resilience and the digital economy. He holds a master's in international affairs (valedictorian) from the National University of Singapore’s Lee Kuan Yew School of Public Policy and a BA in political science from University of the Philippines Manila. 