Written by cyberarnis

DND’S EFFORT IN SECURING THE PHILIPPINE CYBERSPACE

By J. Irving

As invited lecturer at the Philippine Army Cybersecurity Summit that was attended lately by various Information Systems Officers (ISOs) of the different major units of the Army,  I apprised them by saying . . .

The topic given for me to speak today would have stunned me if I were asked last year. For all intent and purpose, I have reflected on this issue so many times. I know the role of DND, which is guarding the country from threats coming from the land, sea and air; and now it includes the new dimension of war – the cyberspace. DND is well prepared for land, sea and air warfare; but what really can DND do to defend the Philippine Cyberspace if attacked?

Today, I’m happy to share DND’s preparation with you, as I have written all my ideas down in my blog – CYBERARNIS. I am now more focused this time and have already the mind-set on how to realize slowly not only DND’s but also the Philippines Cyber Defense posture. However, I still need the wholehearted help of the different government agencies, business vendors and the whole citizenry. In my quest, I cannot do it alone! Honestly, I tried looking predefined answers anywhere, even in the archives of my office, Office of the Defense Reform, Office of the Assistant Secretary for Plans and Programs (OASPP) or all around DND; and I realized that I, as the present Chief of the Management Information Systems Service (MISS) of DND, am left alone to answer this question: What can DND do in Securing the Philippine Cyberspace?

I know most of you, if not everybody, have seen already the National Cybersecurity Plan 2022 crafted by the Department of Information and Communication Technology (DICT). I, for one, have read the manual so many times and lost track already of how many times I had been flipping to the pages where the DND role is mentioned. In the diagrams in pages 19 and 24 of said manual, both pages say: “DND to defend the country from cyber attack!” Really? The first time I saw this diagram, I was plastered! It was presented at NDCP last year in one of the school’s colloquia, discussions amongst scholars and expert. I was still awaiting for my appointment to be signed by the President to let me work at DND at that time. When I saw the slide flashed on the screen, I left surreptitiously from the lecture room because I was afraid somebody might ask me about DND’s cyber capabilities and preparations. I do not have the answers yet at that moment. If asked, the only answer I would have said is that I am new in my job! The answer, of course, is not palatable and even pleasing to be heard from a person aspiring for the MIS job.

The proper discussion here should be about what the nation can do quickly to defend its cyberspace regardless of who is in charge of the effort. I remember the time when the existing Executive Order # 189 series 2015 was very much alive and being practiced. I am referring to the National Cybersecurity Inter-Agency Committee of the pre-DICT days, the precursor of the Cybercrime Investigation Coordinating Center (CICC) of DICT now. The group used to meet regularly under the leadership of General Nick Ojeda (Ret), still an ICT Office. DND is one of the members of the committee along with other departments and to include: the offices of National Privacy Commission (NPC), National Bureau of Investigation (NBI) and the Anti-Terrorism Council. I remember during one of its meetings, I was teasing NBI to share with us their apprehended hackers, who stole the database of voters from the Commission of Elections. I said I can handle and motivate them well by letting them wear white hats, instead of black.

DND, with its mandate, needs only to play an expanding role in addressing the national cybersecurity challenges. DND proactively leverages its direction in establishing military structures, formations, resources, procedures, and industry partnerships along with all other government entities to dramatically ameliorate the nation’s cybersecurity posture. However, the best agency within the government that is well postured to address cybersecurity is DICT. The Department is now making its round nationwide going to the provinces to promote the National Cybersecurity Plan 2022. On DICT’s Plan, DND was never consulted. There was even the mention of AFP Cyber Command in the manual. Meron na ba?

Yes, AFP has plan to create and organize one but it is still on the drawing board. There is already a unit named Cybersecurity Group under the Communication, Electronics and Information Systems Service (CEISS), Armed Forces of the Philippines (AFP). The mandate of the unit is limited in protecting the the Camp Aguinaldo Networks (CAGNET) and the AFP Long Lines.

According to the US Department of Defense, [To quote] “The country’s cybersecurity policies and stratagems must be complimentary across the government and local levels of implementation, and facilitate better cybersecurity in the private sector in order to safeguard our economic national interests. Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges a country face as a nation. The very technologies that empower a government to lead and create, also produce vulnerabilities while simultaneously empowering people who would disrupt and destroy. The government enables its military superiority, but notice intruders to continuously probe also their unclassified military networks. Additionally, the U.S. National Security Adviser (NSA) declares the nations digital infrastructure a strategic national asset, and protecting it is a national security priority. It also addresses methods to achieve cybersecurity. It charges the country to deter, prevent, detect, defend against, and quickly recover from cyber intrusions and attacks by advancing two goals — investing in people and technology, and strengthening partnerships”. [Unquote] This is true to the Philippines and any nation.

On Investing In People And Technology, DND is recruiting and spotting talents. Just like in any sports major leagues, for instance the NBA, talent agents go around hunting people with potentials and signing them up to join a particular team. In similar manner, the Army Management Information Center (AMIC) was allowed to advertise and recruit fresh graduates from computer schools to join the Army through a special enlistment. The successful applicants serves AMIC for at least one tour (3 years) as programmers, IT specialists and network administrators. AMIC, renamed as Network Enterprise Technology Center (NETC), is accredited as a CISCO Academy. Technical people at AMIC are CISCO certified. DND also supports the certification of personnel on different specializations. It, likewise, sends people to different local and international seminars. It yearly sends representative/participant at DEFCON, an international hackers’ convention, learning the recent developments and trends on cyber; the Seoul Defense Dialogue in Korea, the Global Cyberspace Cooperation Summit at University of California Berkeley.

On Strengthening Partnerships, it is necessary to expand the ways for the government, the private sector, and individual citizens to work together to meet the cyber challenges. It also mandates strengthening our international partnerships on a range of issues, including the development of norms for acceptable conduct in cyberspace; laws concerning cybercrime; information assurance (including data preservation, protection, and privacy); and approaches for network defense and response to cyber attacks. Last July this year, the Philippines hosted and co-chaired with New Zealand the ASEAN Defense Ministers Meeting (ADMM)-Plus Experts Working Group for Cybersecurity, which was held at Crowne Plaza Manila. It was attended by the ten ASEAN nations to include: Australia, China, India, Japan, New Zealand, Russia and USA. Republic of Korea was absent (but was updated at the Seoul Defense Dialogue that was held a couple of weeks ago). Representatives from the AFP six-family were present. I also wish to thank G6 for helping me in the ASEAN endeavor. I involved the Signal Corps as direct participants and observers because I know they could learn a lot from the Cybersecurity meeting. They can improve their respective plans by copying from other nations and their military. I read somewhere that it is only in the field of cybersecurity where plagiarism is authorized. Some nations admitted copying their cyber defense plans from other nations and improving them according to their needs. At the meeting, as its co-chairman, I was successful in establishing Point-of-Contacts, Cybersecurity Centres for those who have already, linking them together for coordination and sharing of information between or among countries on matters of cyber.

For us, our Cyber Center is the Defense Situation Monitoring Center (DSMC) which used to monitor events-of-interest such as radical activities and disaster operations and alike. DND redefined its functions. It now includes cyber issues because it is critically important for us to have this a place in unifying, managing, and leading the efforts of the country’s cyber community. The center is now placed directly under the office of MISS, which is under my supervision. By next month, the DND will be launching a mobile apps for reporting cybersecurity incidents. Watch out for it!

DND has responsibility for defending the military’s information infrastructure and systems; and it is forward leaning in establishing policy and making organizational changes in the AFP for cyber matters.

Establishing a unity of effort across the government and private sector is a daunting task, but the first step needed to achieve the synergy necessary to address securing cyberspace involves identifying forces to lead the effort.

In any warfare, the first thing to write down in an OPLAN or OPORD is to identify forces. Without the forces you necessarily need, you cannot fight! So, DND will develop its Cyber Capabilities through the Signal Corps. If land warfare is for the Army; sea warfare for the Navy; air warfare is for the Air Force, then, cyber warfare is for the Signal Corps; but do not get me wrong, cyber components are also present in any dimensions of warfare, it may be on land, sea or air – through a so-called Network Centric setting.

The next ADMM-Plus EWG for Cybersecurity meeting will be in New Zealand. It will be on the legal framework. The meeting will be talking about the Tallinn Manual 1.0 and 2.0. I thought I was in control of the situations that I can fully engage participants when the time comes by having staff personnel trained on cyber laws. The 2 slots, however, which I requested through New Zealand and granted by the Australian Government, were given outside my office. Pity me! Anyway, I enjoin you and everybody to read these manuals. The manuals will be the references to give us cyber order in the world. The things written there are mere suggestions only because countries are the ones making laws. In the manual 2.0, cyber warfare is now referred as cyber operations, instead of the former.

To motivate you, in the United Nation’s International Telecommunications Union latest survey – the Global Cybersecurity Index (GSI) for the year 2017: the Philippines stands number10 in the Asia Pacific out of 49 countries and number 37 globally out of 165 countries, considered as a Maturing country, which is in between the leading and initiating countries. The 5 pillars of the survey were bases on legal, technical, organization, capacity-building and cooperation. The top 3 nations are Singapore, US and Malaysia, in that order.

To summarize, the DND’s efforts in securing Philippine Cyberspace in line with GSI:

FIRST, for Legal aspect:

  • Cybercriminal Legislations

we have the Republic Acts (RA) #4200 – Anti-Wiretapping Law of 1965; RA #8484 – Access Device Regulation Act of 1998; RA #8792 – E-Commerce Act of 2000; RA #9208 – Anti-Trafficking in Persons Act of 2003; RA #9995 – Anti-Photo and Voyeurism Act of 2009; RA #9725 – Anti-Child Pornography Act of 2009; RA #10173 – Data Privacy Act of 2012; and RA #10175 – Cybercrime Prevention Act of 2012.

  • Cybersecurity Regulationsthe National Privacy Commission (NPC) has implemented the designations of Data Protection Officers (DPO) at all government and private entities.
  • Cyber Security Training2 personnel from DND is leaving for Australia anytime on October to study Cyber Law.

SECOND, on Technology:

  • National Computer Incident Response Team (CIRT)
  • Government CIRT
  • Sectoral CIRT
  • Standards for Organizations
  • Standards and Certification for Professionals
  • Child online Protection

THIRD, on Organization: the

  • Strategy
  • Responsible Agency
  • Cybersecurity Metric

FORTH, on Capability-Development

  • Standardization Bodies
  • Good Practices
  • R & D Programmes
  • Public Awareness Campaigns
  • Professional Training Courses
  • National Education Programmes and Academic Curricula
  • Incentive Mechanisms
  • Homegrown Cybersecurity Industry

FIFTH, on Cooperation.

  • Intra-State Cooperation
  • Multilateral Agreements
  • International For a Participation
  • Public-Private Partnership
  • Inter-Agency Partnership

In closing, let me quote KEVIN MITNICK, the author of the book “The Art of Invinsibility”, a compiled teachings of the world’s most famous hackers on how to be safe, he said: [to quote] “The methods that will most effectively minimize the ability of intruders to compromise cyber security are: comprehensive user training and education.” [unquote]

Disclaimer:

This article was written in my personal capacity. The opinions expressed here are my own and do not reflect the view of the Department of National Defense (DND).

Leave a comment