Securing the Digital Future with DICT | Thoughts on Tech Series 2 Episode 2
You're watching Thoughts on Tech powered by Eastern Communications. Now in this podcast series, we are discussing cyber security, especially now with a booming digital economy. A lot of businesses are actually forced to put their business online. Question is, how do they protect their businesses from any form of cyber threats? AI is a tool.
So whether it's a friend or a foe depends on who uses it. So I suggest for everyone who's afraid of AI, use AI. We are not saying that you will not be attacked. You will be. But the magic word there is that you should be resilient.
If one of your services goes down, you should be quick enough to get it back to service. The truth is, no matter how small your business is, you need security. Whether physical security or cyber security. Security is still very important. There will be threat actors always, but we need to adapt this because at the end of the day, we just want to use technology to better our lives.
I'm Jes de los Santos and you're watching Thoughts on Tech powered by Eastern Communications. Good afternoon, everyone. I'm Jes de los Santos. And thank you for joining us here on Thoughts on Tech powered by Eastern Communications.
Now, for this four-part podcast series, we are zeroing in on cyber security. With the booming digital landscape, it is but imperative that we Filipinos actually get to cyberproof our lives online. Now that weight is going to fall on government. Question now is, is government keeping up with the changes in the cyber security world? Now, to answer that, we have with us DICT Undersecretary Jeffrey Dy.
Usec. Good day. Thank you for joining us. Good day to everyone listening. One thing that we have to look back on, by the way, is what you did back in 2017-2018.
Around that time, you were still in private practice. You spoke during a convention and you actually had a bit of a gimmick during your talk. Tell us more about that. Yeah. Well, that was a gimmick. I wanted to show the public how easy it is to create a fake access point or a fake Wi-Fi.
So, I wanted to show the public how easy it is to do a fake Wi-Fi. In fact, I did it on my own in just about 30 minutes. And then I put it in the venue and then I asked for their Facebook usernames and passwords.
But don't worry, I already deleted the usernames and passwords. You haven't gotten any special information from that? No, no, no. But it's quite interesting because a lot of the attendees are actually cyber security professors and cyber security practitioners.
They didn't even have a clue? Or some of them had? They didn't. Oh, really now. So, what insight did you get from that? I mean, looking at what you were telling us earlier, sometimes I would feel like, is it necessary for me to become a cyber security expert? I need to at least know how to be an effective hacker as well. Well, not necessarily, but it works to your advantage if you know both the offensive and the defensive cyber security domains. A lot of the defensive domains, if they focus on defense, they become vendor-specific if they don't know how to offense. So, I think you need a little bit of both to be an effective cyber security professional.
Usec., all that narrative drives the point that that was 2017, 2018. If it were that easy for you to do that back then, I'm sure hacking is easier to do now in 2024. Oh, you said it very, very clearly, Jes. Hacking is a lot easier now. In fact, that's the problem exactly. The cost of offensive cyber security capabilities is less than the cost of defending.
Imagine the disparity also from rural areas, but they can do it. Even if you're far away from an area where there is robust telecommunications infrastructure. Defenders would invest in a firewall, would invest in an XDR, would invest in whatever the top-of-the-line encryption. And these usually cost millions of pesos, right? A hacker will just create a fake access point, like what I did in 2017. And all it takes is one person out of the 10,000 employees in that particular organization to be fooled by the fake access point.
And once they got in, the rest is as easy as jumping from that particular person's computer to the entire organization. So, it's that easy. Or I'll just send an email. I'll just send like 500 emails. It just takes one person to click on that link and the rest is as easy as connecting the dots. One thing that I would like to say is they're working as a team.
Let's not talk about the cyber activists. Let's talk about the more organized one. Let's talk about ransomwares. Let's talk about state-sponsored attacks.
Carefully crafted phishing emails. Do you know that they work as an industry? How do you do your job exactly if that's such a wide net? Yes. So, DICT is in charge of the policy framework.
We know that DICT alone can't do it. So, we have to have a whole of government approach. And that's what we did with the National Cybersecurity Plan 2028, which was approved by the president and issued as Executive Order 58, Series of 2024. What we did is we defined the organizational structure that will form convergence of all activities related to cybersecurity and cybercrime. For example, we have the National Cybersecurity Interagency Committee, chaired by the Executive Secretary.
And the members of the committee are different undersecretaries and secretaries of the departments with a mandate to either police, apprehend, or technology like DOST, or cybersecurity and telecommunications infrastructures like NTC and DICT. This shows you that the entire government needs to act together. If the criminals, if our enemies are organized, we should too. And on top of that, we do international cooperation.
We're now a member of the Counter Ransomware Initiative. We're now at par with other cybersecurity agencies in the world. We're sharing information with them such that if an attack emanates from them, we can also tell them, can you please help us apprehend? Yes, it's difficult, but maybe consolably, it's because we're not alone.
While it's comforting that you're not alone, I would like to think also that this is a very gargantuan task for you guys. I mean, you're dealing with wide networks here, but at least here in a local setting, how big of a problem are cybercrime incidents? I mean, how often do they happen and in what forms? So, cybercrime is a huge gamut of things. Scamming, you lost 500 pesos. That's the normal idea of a cyberthreat for the Filipino. That's also cybercrime. And if you look at the PNP statistics, cybercrime did increase by approximately 200%, that's times 3.
Wait, what's the timeline? From January to July, compared to last year, same period. But crime decreased. The total crime statistics went down. What does that tell us? That tells us that street criminals are now transforming into cybercriminals. For example, if there are fewer snatchers, there are more people who steal from e-wallet platforms. Someone suddenly called you and said, can you send me a load? Because your friend's voice changed, so the crime changed.
But we don't touch that. That's CICC. There's a separate government agency there. Cybercrime Investigation Coordinating Center. And then PNP and NBI there.
We deal with the larger stuff. State-sponsored attacks on government facilities, attacks on critical information infrastructures. When we say critical information infrastructures, these are infrastructures that are critical to the lives of the Filipino people.
Like attack on airports, attack on power, attack on water, healthcare, etc. So that's what we in DICT are more focused on. That's a big deal. But there's some good news there.
We're improving. What do you mean by improving? I don't know if you've heard. The Global Cybersecurity Index of the United Nations had placed us in Tier 2.
Tier 2? There are five tiers. Tier 1 is like Singapore, US, China. We're in Tier 2. In 2020, we were in Tier 3. So from a score of 77, we are now at 93.49. That's a big improvement.
That's a big improvement. And we're 1.51 points lower there. That's because now we defined an organization. So at least it's clearer.
How do you respond in operational terms, in real practical terms when an attack happens? Because that's what's important. It should be operational. Government must be able to respond. You don't have to think about who this is. NBI? Who do you tap? Yeah.
So now it's clear. It's the Computer Emergency Response Team who also reports under me in my office. And then we coordinate with the rest of the government agencies if necessary. Okay. Now, you said you want to pick up on what you mentioned earlier about how the cyber criminals in a way are more after big business.
Or let's say they're getting more and more sophisticated in a way. That's the correct way to put it. They're becoming ICT-enabled, I guess.
ICT-enabled. Okay. That's a good way of putting it. That also presupposes that the forms of attacks have also changed. Correct. How so? Before, they used landlines, right? And then actually, think of the past.
SMS phishing. You receive text. Yes. Now, they're using something else. Now, they have broadcasts.
There are links. There are links. Do you know that they're not using SIM cards anymore? So, what are they using now? They're using fake BTS stations or what we call IMSI catchers to broadcast without using SIM cards. Really? Yes. It has a range of about 2 kilometers or 1 kilometer depending on how big the building is like in Makati.
They just do drive-bys. And then they can sense how many mobile phones are in this area. Then they do a broadcast. Oh.
Also, they're now using Viber. They're using messengers, right? Right. But have the objectives changed? No. I mean, it's still money. It's still money. It's still fooling you.
It's still trying to fool you into a sense of trust that you're talking to a real person, that you're talking to a friend. So, now, they're now using AI to mimic your voice. That's been happening recently as of late. Yes. We call them robocalls.
Robocalls. Robocalls. Also, what I want to find out, Usec., are some industries more vulnerable to cyber incidents compared to others?
Yes. An industry that includes money usually is more… Which is basically another industry. So, that's usually banks and wallets and e-commerce. They are the most susceptible to attacks.
The second is government. If I remember that right. The third is academia. So, government followed by telecommunications companies and then academia. So, that's the most targeted.
The other industries, you can't say anything about it. Right. To be honest, they say there are only two types of organizations.
Which is? The first one is you know you are being attacked or you've been attacked. And the other one is you don't know. So, to say that you're not being attacked, I think you should think twice. Because you might not know. But how exactly do you cyberproof your organization? Because I mean the primary fear or the primary concern would always be cost. Cost, correct.
So, how do you handle that? That's a good question, Jes. A lot of us are fooled into a false sense of security by thinking that technological controls are sufficient. But no.
Controls, in order to strengthen an organization's cybersecurity, three things must happen. Technological controls are there, yes. But there should also be policies that will reinforce or enforce those technological controls. Including ingress and egress of people who have access to your data, etc. And third but not the least, there should be people. The right people who will implement these controls.
And also, you have to train your people not to be the weakest link. Because in most cases, the weakest link are your people as well. Like what I'm saying, fake access points. I didn't hack them. I just hacked their social thinking.
Thinking, yes. That there was a free Wi-Fi here. So, you need to train people. In that whole ecosystem that you mentioned earlier, the three things, where are we the weakest? People.
It's not about, I'm not saying people really are, because people are simultaneously the strongest and the weakest. But right now, we have to understand, and that's what DICT is trying to work on, is that we really have a critical shortage of cybersecurity professionals. Not only in the government, but also in the private sector.
And that's what we need to work on. Did you know when we first sat in DICT back in 2022, there were like only three universities offering bachelor's or master's degrees in cybersecurity.
Cybersecurity. Now, there are more than 10. So, we're happy. In just the span of two and a half years, there are more than 10 universities offering that. I myself have to get my course. Further trainings.
Further training abroad. Because during that time, back in 2017, 2018, there was none in the Philippines. And we need to improve that situation. But is that enough? 10 institutions? No, it's not.
We need to produce approximately 300,000 by 2028. By 2028? So, that's more or less four years away. How do you handle that? So, we need to improve the training. We need to improve the quality of the courses.
And I think we're succeeding in that particular front. That's why we increased the global cybersecurity index score. And we have to promote work for cybersecurity professionals as well.
Right. And we're happy to say that there's a lot of outsourced security operations centers now building their offices here in the country. So, we're transitioning the outsource of BPO, business process outsourcing, into an industry where you can also outsource security operations. Not only for the Filipinos, but also that's where we're experts in. We're an outsourcing provider for the entire world. Exactly.
Okay. Would you consider that a long-term goal? Yes. It is a long-term goal. Okay. Earlier, we were talking about costs.
But one other thing, when these incidents happen, it's not only just the financials that are affected. But let's talk about that. How much do you lose in cases of cyber attacks? We're talking about financials. We're talking about timeline and projects. There was this research that in the banking industry, I have to check my figures out. But globally, the banking sector is approximately a trillion US dollars of direct costs over the past 10 years.
Not counting indirect costs, which is some banks or corporations or financial institutions that have to close down because of reputational damage. Irrecoverable reputational damage. So, it is huge.
And another thing, a lot of people are not reporting. Yeah. Right? I mean, you have to be honest, Jes. If you lost 500 pesos, would you go to the police? I would go to the police.
Right? Because you will lose more if you report. Maybe if you lose 50,000 pesos, then that's when you will report. And that's where they play. That's where these cybercriminals play around. The 500 pesos, 1,000 pesos.
When you add those together. It's huge. Yeah. But more than that, Usec., we're talking about the cost here.
It's all about big business. I mean, a lot of these cybercrimes, a lot of these cyber incidents. So, for a small business owner, some of them would think that I'm too insignificant for cybercriminals to even consider tapping into my network. Well, let's put it this way. These cybercriminals are big criminals. I'll give you a very practical example of what happened.
There was this shop. I won't name a name. I won't name that shop.
Who informed us saying that they received a ransomware demand. You know how much it was? How much? Something like 36,000 to 45,000 pesos. Okay.
Because the amount of data was small. Yeah. Right? But that data was actually their sales from their POS. Ooh. So, let me ask you.
For the big industry of ransomware, which are usually international syndicates, you'd say, oh, 45,000 pesos, that's small. For you, as a small business owner, you would say, I really need that data. I need to report to BIR. I need to report to my boss about my sales. I need to know how much inventory I have.
I'll just pay it. What's 45,000 pesos? It's like what? Two days of your income, of your gross sales, right? So, you'll pay for it. That's how they work. That's how the mindset is.
So, for you, would you invest 45,000 pesos in cyber? But this is what our countrymen don't know. Actually, you can use that portion of your 45,000 to secure. You don't need to secure everything. What's critical to you? For example, you're a shop owner. What's critical to you is your POS. How much is your POS in a 30-table restaurant or 20-table restaurant? Right? Two or three terminals? Secure that.
How much is that? So, that's what we don't realize. Security is not about securing everything. It's focusing your money to where it matters most.
And that way, you can significantly lessen your cost of security. But what I like about what you mentioned is that there are tools available that are cost-effective. Yes. Can you give us more concrete examples on that? So, I gave an example on POS.
Number one, if you're just small, what you need to do is your Wi-Fi access point, which usually you're providing either free Wi-Fi or Wi-Fi for your employees, secure that. A firewall enabled for your Wi-Fi could cost you, what, like, I don't know, 25,000 or 35,000 for a very small shop. And then, of course, buy XDRs, Extended Defense and Response, for your POS and other computers that handle your financials. That's it. And of course, you have to train your people. Because whatever defense you have, if your people keep putting in a password that's called password123, you're dead.
But let's dwell now on what government is doing exactly to really cyber-proof the whole nation, especially with a booming digital economy. What's the strategy? So, number one is we focus on critical information infrastructures. Same concept. So, you're running a country, you have to focus your resources on what really matters.
If power is affected, then the lives, the quality of life of Filipinos is significantly affected, including the economy. So, we have to focus on protecting the critical information infrastructures. That's where we're focusing on.
Number two, we have to get our acts together. There are still a lot of technologies out there that are made commercially available, but have been deprecated elsewhere. For example, we're talking to telecommunications providers on a timeline to deprecate or to start moving out of the technology that is below 3G. I know, again, I know the telcos will say it's a huge investment for us. We have to replace our equipment.
But we have to start that discussion now. And how are they responding? Well, they're responding positively. Let's just not ask for tomorrow. We understand that.
That's how we partner with the private sector. We want to understand where you're having problems, and we'll help you improve and evolve into a better service. I want to pick up on what you mentioned earlier. You're working on the national cybersecurity law.
I remember this coming out, especially during some of the attacks that happened in some government agencies. One glaring point there is the fact that private entities, in fact, are not mandated to report to government. Correct. There is no mandatory disclosure. Why is that the case? That's a problem.
When a radar system goes down, we're not informed if it's a cybersecurity incident. When transmission lines get a computer glitch, we get informed, oh, by the way, we have a glitch. And then we start asking questions. They say, don't worry, we're investigating. And I think that has to change. This is what I'm saying.
That has to change. You know, the new BSP is really good. Their financial sector cyber resiliency plan, which is a subset of the national cybersecurity plan. You know why? They're talking about real-time information sharing among banks.
Such that when a bank gets attacked, and BSP knows how that attack progressed, inform the other banks so that the issue won't happen again. It means that because of competition, they don't want to share. You say, I was hit. If they were hit, then we're on our own. But that's not how the world works.
The only way we can reduce the cost of defense and be at par with the cost of offense is to work together. And we're working on mechanisms like mandatory disclosure as a proposed law. And we're working on a security operations center where government agencies will be connected in real time.
Right now, we have that. We have 30 government agencies connected to DICT's security operations center. And I'm proud to say that of the many government agencies that were hacked, the probability that the attack will progress is lower if you're connected to our SOC.
Because we detect it faster. Right. As should be the case. As should be the case. Okay. Now, one other thing is that we're also celebrating or at least observing cybersecurity month.
How does a program like this one help? Oh, huge. Number one, let's face it. For the past two years, cyber security has been in the consciousness of Filipinos. Especially in a post-pandemic scenario. Yeah. Thank you for asking that.
So, I can also invite others to our activities. We have Hack4Gov. This is what I'm talking about.
You have a combination of offensive capabilities. So, these are college students. And we're inviting college students to participate in Hack4Gov.
You know, it's a team of four. And the winner gets sent to Thailand to compete in an international capture-the-flag competition. That's one. We also have a… I think the Binibining Pilipinas will visit us in DICT for our opening. Opening of the Cybersecurity Month.
Do you know that the current Binibining Pilipinas is a gamer? And is an advocate for cybersecurity. So, in this particular case, beauty, brains, and gaming. That's an added boost. That's an added boost. I'm her fan now.
And then we also have a culminating activity sometime October 27. It will be in PICC. It will show you the entire government. There will be an exhibit.
Private sector will be there. And we'll showcase to the entire public what we're doing in cybersecurity. Of course, in between, there are a series of trainings. Government officials and government sector, including the private sector, expect trainings.
We'll be inviting you in DICT. My staff told me that I'll be teaching two subjects. Why not? Okay. Now, given all that, what's the vision here when it comes to bolstering cybersecurity in the Philippines? What's going to be the main goal? The main goal is to be operationally capable of responding to cyberattacks and to build resilience. Notice the shift from defense to resilience.
We are not saying that you will not be attacked. You will be. But the magic word there is that you should be resilient. If one of your services goes down, you should be quick enough to get it back to service. You should have a redundancy such that when one was attacked, the other can take over.
And again, the sharing of information in real operational matters, even among competitors, is imperative. And that's why we need that cybersecurity law. And I think the national cybersecurity plan is already in place for that. I'm happy to note that our current score in GCI, which is a huge leap from 77 to 93.49, we're 1.51 points of being in the top tier. So I think the international community has recognized that we are making strides in cybersecurity. But you're right.
We have to admit that this has to be operational. Because I'm a fan of very, very operational, very practical plans. It's easy to write that this is what you're doing.
But we need to have what can be done on the ground. For example, vulnerability disclosure. Number two, we need to inform the public of what are the secure Internet of Things devices that they can buy. I'm not saying don't buy them. I mean, for the poor.
It's just like Christmas lights. Sometimes you buy the one without a sticker, right? That's okay. But remember, you have a high risk of burning your Christmas tree there. At least we should inform the public, or is this a secure Internet of Things? Or is this a secure router? Etc.
So that the buying awareness of the public about cybersecurity products will also improve. Do you see that shift happening anytime soon? Yes. Our plan was to make that particular concept operational by 2026. And the plan, we're progressing through it until 2028. Okay. We're with you on that one.
Thank you very much for your time today. Again, such insightful conversation here with you. Again, Usec. Jeffrey Dy.
Thank you very much, Usec. Thanks, Jes. Thanks.
2024-10-18 21:58