ICT Development & Cyber Security Reader
A special edition of the National Security Review
Papers and Proceedings from the Fora on
Cyber Security Awareness and Collaboration
NATIONAL DEFENSE COLLEGE OF THE PHILIPPINES
Editorial Board
Dr. Fermin R. De Leon Jr, MNSA
President, NDCP
Dir. Ernesto R. Aradanas, MNSA
Executive Vice President, NDCP
Ananda Devi Domingo-Almase, DPA
Professor
Dr. Antonio G. Matias, MNSA
Professor
Prof Charithie B. Joaquin
Professor
Prof. Christine June P Cariño, MNSA
Chief, Academic Affairs Division
Cdr Rostum J Bautista, MNSA PN (Res)
Chief, Research and Special Affairs Division
________________________________________________________
Secretariat/Publication Committee
Grace Q. Banlaoi, Manmar C. Francisco, Segfrey D. Gonzales, Gee Lyn M. Magante, Eugene
Galang, Jaime Saulo, Francis Mangadlao
Copyright 2012 by NDCP
This volume is a special edition of the National Security Review and is published
by the National Defense College of the Philippines. The papers compiled herein are
solely those of the authors and do not necessarily represent the views and policies of
their affiliated governments and institutions. Comments and suggestions are welcome
and may be sent to NSR Publication Office, NDCP Camp Aguinaldo, Quezon City,
with telephone number +63-2-912-9125.
Cover photo credits: web.securityinnovation.com, topsecretwriters.com, topsecretwriters.com, craxel.com,
choosemontgomerymd.com
Foreword
The Philippines, although considered an emerging country in computer and cyber
technology, is not isolated or shielded from acts of cyberterrorism and cyberwar.
The more advanced a country is in terms of technology, the greater the impact of a
cyber attack or network denial of service. There is a need for an increased awareness in
the national and global environment on what cyber crimes are and how to deal with their
effects. Undoubtedly, the internet is very much a part of our lives now and we cannot
simply disconnect from it.
Cyberspace is the interdependent network of information infrastructure that
includes the internet, computer networks, systems and the embedded processors and
controllers in critical industries such as telecommunications, banking, transportation,
business. It is virtual and has become the “fifth domain” after land, sea, air and space. Since
cyber crimes are virtually committed and transnational in nature, it is imperative to build
trust among nations in sharing information on how to combat cyber threats.
	 Perhaps the most prevalent crime of the 21st century in an age of information
and communication technology (ICT) is cybercrime, also known as computer crime.
Cybercrime has grown and worsened in alarming proportions as it affects information
and data management systems important to government, business, education, and even
entertainment. Worse, this crime, especially those that can be done at home, has invaded
the privacy of personal life. These modern crimes, which employ computers or mobile
phones as tools for illegal activities, include but are not limited to the following: identity
theft and invasion of privacy; internet fraud; ATM fraud; wire fraud; file sharing and
stealing intellectual property through piracy; counterfeiting and forgery; child pornography;
hacking and espionage; programming of computer viruses; denial of service attacks; spam;
and sabotage.
Due to the widespread adoption and use of computers and the internet in almost
all aspects of our daily living, and exacerbated by the vulnerability to aforementioned
cybercrimes using the ICT and the cyberspace, the NDCP, in collaboration with the Office
of the Vice President and the NDCP Alumni Association Inc. has embarked on a series
of public fora and seminar-workshops to increase public awareness on the protection of
information, communication technology and cyberspace to improve the security, efficiency,
cost effectiveness, and transparency of all government and private online and electronic
services through policy formulation and conduct of education, training and research on
cybersecurity.
The College also hopes and aspires to be the center for policy formulation on security
and resiliency in cyberspace, as well as the venue where education, training and research on
the protection of information, communication technology and computer network operations,
including cybercrimes, defensive activities, and security of the cyberspace infrastructure
will be conducted.
We hope that this present volume, ICT Development & Cyber Security Reader— a
collection of papers, theses, speeches, laws as well as highlights of the proceedings from a
series of fora and workshops on cybersecurity awareness and collaboration, will somehow
quench the thirst for more ICT literacy and cybersecurity understanding among our policy-
makers and the general public. We also hope that this reader will contribute to better prepare
public and private cyber infrastructure for any eventuality involving the misuse of cyber
technology and for our cyber community to become more proactive in mitigating the risks
of such cyber threats to the peaceful conduct of local and international affairs.
Fermin R de Leon, PhD, MNSA
President, NDCP
CONTENTS
Foreword
1. Welcome Remarks
   Fermin R De Leon Jr, PhD
2. Keynote Address during the Securing a Whole Wired World: A Forum on Cyber Security Awareness and Collaboration
   Honorable Jejomar C. Binay
3. Highlights of the First Forum on Cybersecurity Awareness and Collaboration: Securing A Whole Wired World
4. Keynote Address during the Forum on How Safe Is Your Money?: Rethinking Cybersecurity
   Honorable Jejomar C Binay
5. Highlights of the Second Forum on Cybersecurity Awareness and Collaboration: How Safe Is Your Money?: Rethinking Cybersecurity
6. Opening Remarks: ICT Development and Cybersecurity Enhancement
   USec Benjamin E Martinez Jr
7. Highlights of the Seminar-Workshop on Cybersecurity: Towards Information, Communication and Technology Development (ICTD) and Cybersecurity Enhancement
8. Highlights of the Third Forum on Cybersecurity Awareness and Collaboration: Cybercrime Law and Its Implications to National Security
Papers on ICT Development and Cybersecurity
9. Paper Output during the Seminar-Workshop Prioritizing ICT Development and Cybersecurity Seminar
10. Understanding Cyber Security from Global and Regional Perspective
   Stephen P. Cutler
11. Cyber War and Cyber Terrorism
   Stephen P. Cutler
12. Philippine Cyber Security: General Situation
   Angel S. Averia, Jr.
13. Historical Notes on Technology and Cyber Security Initiatives
   Lorenzo A. Clavejo
14. Cyber-security: Perspectives on Attacks
   John Peter Abraham Q. Ruero
15. Cyberwar and Rules of Engagement
   Drexx D. Laggui
16. The Evolving Landscape on Information Security
   Wilfred G. Tan, Carlos T. Tengkiat & Simoun S. Ung
17. The Need to Secure Our Cyber Space
   Angel T. Redoble
18. National Security Implications of R.A. 10175: Defense Perspective
   Nebuchadnezzar S. Alejandrino I
19. Fighting the Crime of the Future: Responding to the Challenges of Cybercrimes
   Geronimo L. Sy
20. Key Structuring Principles in the Cybercrime Law Discourse
   Shirley Pelaez-Plaza
21. New Frontiers in Cybersecurity: Its Adverse Impacts in the Philippines and ASEAN Region
   Chester Cabalza
References
22. Republic Act No. 10175 An Act Defining Cybercrime, Providing For The Prevention, Investigation, Suppression and the Imposition of Penalties Therefor And For Other Purposes
24. Types of Cybercrime
   cybercrimes09.blogspot.com
23. Cybercrime
   Interpol
Thesis Abstracts
25. Cybersecurity Capability of the Armed Forces of the Philippines in the Midst of Computer Threats
   Arturo A Larin
26. The Effects of the Internet Age on National Identity and National Security
   Nathaniel Ordasa Marquez
27. Electronics Security System of Universal Banks in the Philippines: An Assessment
   Rodrigo I. Espina, Jr.
Directory of Participants
First Forum on Cybersecurity Awareness and Collaboration
26 October 2011
NDCP Honor Hall, Camp Emilio Aguinaldo, Quezon City
“Securing A Whole Wired World”
Welcome Remarks
Fermin R De Leon Jr PhD, MNSA
President, NDCP
Speech delivered during the Securing a Whole Wired World: A Forum on Cyber Security Awareness
and Collaboration, on 26 October 2011, NDCP Honor Hall, Camp Emilio Aguinaldo, QC
_______________________________________________________________________________
The Honorable Jejomar C Binay, MNSA, Vice President of the Republic of the Philippines;
Honorable Voltaire T Gazmin, Secretary of National Defense; distinguished members
of the diplomatic corps; sons and daughters of the NDCP; my fellow civil servants;
ladies and gentlemen, a very pleasant morning.
The College has always been at the forefront of discourses of present issues and
concerns that matter to you, to me, and the rest of society. It has always been providing a
venue for enlightenment and understanding as it welcomes to its confines, with very much
eagerness and enthusiasm, open and truthful discussion all in the name of academic freedom.
Today, the College, once again, proudly finds itself as the point of convergence of a wide
spectrum of stakeholders to tackle perhaps the most crucial issue of this age.
For this, I wish to personally extend my gratitude to the Honorable Vice President
and the NDCP Alumni for once again, partnering with the College in such a worthy endeavor.
As its theme conveys, the event elevates cyber security awareness among its audience, a
diverse mixture of cyber security key players coming from the government, private sector,
the civil society and the academe. It also highlights the importance of partnership in building
the nation’s cyber resiliency.
Indeed, our event is a sterling contribution of the academe in seizing the opportunities
and facing the challenges the Information Age presents. Despite being an emerging nation in cyber
technology, our country is never shielded from cybercrimes. There is a need to enhance
our cyber security if we want to take advantage of the opportunities of this heightened
interconnectivity.
Thus, I encourage everyone to actively participate in discussions as everyone’s
contribution is important in addressing the evolving threats we face in the cyberspace. Cyber
security is something that affects us all. As more and more daily functions rely on digital
systems, we have more and more reasons to ensure the privacy, safety and security of our
cyber space. It’s an important task not exclusive to the government nor the private sector.
Enhancing our cyber security is rather a shared responsibility because at the end
of the day, cyber security is about security of the people. In the first place, technology is
there to make our lives better. However, if we fail to be conscientious and proactive users,
any sophisticated technology will be rendered useless or, even worse, prove to be harmful.
Ultimately, it is in our hands to secure a whole wired world.
Magandang araw at mabuhay tayong lahat!
# # #
Keynote Address
Honorable Jejomar C. Binay, MNSA
Vice President, Republic of the Philippines
Speech delivered during the Securing a Whole Wired World: A Forum on Cyber Security Awareness
and Collaboration, on 26 October 2011, at NDCP Honor Hall, Camp Emilio Aguinaldo, QC
_______________________________________________________________________________
When we first discovered the Internet around two decades ago, we heard about its
power as a communications tool. As dial-up networking struggled to cope with
our thirst for email, we were content to use the World Wide Web for keeping in
touch with friends and family. Yet the birth of cyberspace did not fully reveal the impact
it would have on the world.
Not long after its propagation, the Web developed a maturity that dissolved borders.
Not since the invention of the locomotive has a technological wonder spurred progress the
way the Internet did. Education, business, finance and personal exchanges found a new
home on cyberspace. Entrepreneurs could do business nationwide without having branches
in every city, and almost anything can now be bought online. No longer was it necessary
to be in a classroom at a particular time to hear a lecture or complete a course. And in case
you needed to access your money after business hours, online banking made it possible to
manage your accounts without the help of a teller or ATM.
Further technological advances bolstered the World Wide Web, making it possible
to transmit data and voice at the speed of light. Geographical barriers to outsourced and
offshore services came down and within the past ten years, the Philippines, and several
other countries have reaped the benefits of this wave. Governments and firms quickly saw
the power and benefit behind storing information in electronic formats. Apart from the
positive impact on the environment, this permitted a central and consistent base of records
to be maintained and made accessible to the agencies and offices that citizens transact with
to obtain basic services.
However, where an abundance of opportunity and an openness of exchange exist,
criminal genius cannot be far behind. The advancement of the Internet has prompted ill-
doers to exploit the Web for their own nefarious purposes.
Some months ago, I had a brief encounter with two IT managers. I forget their names,
but they were young, very driven and visibly competent Filipinos. Being less fluent than I
should be in the language of Information Technology, I picked their brains to learn more of
the threats we face, and the weaknesses that they believe are present in our country.
The first manager contributed his own notes to the conversation saying that from
three years ago, attempted intrusions into his network (or attempted hacks) tripled. From
400 attempts daily in 2008, he is now blocking over 1200 attempts per day. Based on his
reviews, only 3% of the attacks emanated from the Philippines. The vast majority came
from China with the balance originating from the rest of the world. He lamented that these
attacks will probably increase geometrically in the future and that he works feverishly to
keep up with the threats by upgrading access control procedures, security software and
where budgets permit, his hardware as well.
When I asked for examples of intrusions and their risks, the second narrated his
personal experience from his own BPO center in Makati. He was monitoring his VOIP servers,
when he saw unauthorized calls being directed to places like Brazil, Zimbabwe and Haiti.
He immediately secured his line but the one hour’s worth of hijacked calls cost him over
$2000 in charges. The attack originated not from within his workforce but from overseas,
and it took months for him to resolve the billing with his service provider. Luckily, his loss
was temporary but he added that he personally knew of a center in Ortigas that closed shop
after hijacked VOIP servers inflicted monthly losses in the millions of pesos.
These trends, in the words of these professionals, represent but a fraction of the
threats an IT-enabled business can face. At that point, it became painfully clear that cyber
security threats were not just epic events that affected foreign nations or large conglomerates
alone. Like other citizens of cyberspace, we too are at risk, and those risks escalate as quickly
as fiber optics transmits signals.
The breadth and depth of valuable information on the Web has reached critical mass
and sends new breeds of criminals into a feeding frenzy. What is valuable to us can now
be stolen online, just as easily as a pickpocket can make off with our cell phones. What is
critical to us can be shut down or made unusable and no longer are these cases taken from
a plot crafted by fiction and cinema.
In 2008, a band of three hackers stole more than 170 million credit card numbers
before they were arrested. In 2010, South Korea sustained a cyber attack where 166,000
computers from 74 countries jammed the web sites of banks and government offices.
Also in that year, IT security experts unearthed a worm named Stuxnet. Unlike
previous worms, Stuxnet did not prey on computers and networks. Instead, it compromised
software that controls industrial machines and could wreak havoc on facilities like power
and water plants. The damaging potential of Stuxnet was exceeded only by the effort that
had gone into its creation. The experts who dissected the worm concluded that around 10,000
man hours had gone into its creation. This was aside from the sheer sophistication of the
malware’s design. There was little doubt that cybercriminals had a resolve that matched if
not surpassed that of suicide bombers in Iraq or Afghanistan. Their weapon of choice may
far exceed the damage that any WMD can inflict.
In 2010, the cost of electronic theft exceeded that of physical theft according to
the 2011 Global Fraud Report of Kroll Associates, a leading American security and risk
management firm. Perhaps the starkest example was the Wikileaks incident, where classified
cables from the US State Department suddenly emerged in the open domain. Not even the
US government was immune to the threat, despite the wealth of resources at their disposal.
Clearly then, cyber security is a national security issue.
The practically borderless nature of the cyber world presents a daunting challenge to
us as we work to exist safely in that realm. One of our blind sides is the lack of information
exchange between all stakeholders. The IT community is most aware of these evolving
threats but the public sector may be less so. Currently, no single agency has the capability
or mandate to match the scope of this threat and collaboration between public and private
parties should remain one of our strongest mooring points.
The private sector should be a firm partner in this effort. IT is the focus of their
business and apart from employing the best people that they can, it is they who have
encountered these threats first-hand. Their defenses and solutions are forged in reality and
their findings are invaluable as we map out a strategy to secure the new national assets that
the Web has created. Let us see how the skills gained by the private sector can be cascaded
to their counterparts in government.
Apart from holding hands to gain familiarity with the terrain of the Internet, let
us revisit our laws. Many potential foreign investors in the IT field still have the genuine
fear of suffering electronic threat offshore, without having legal recourse. Our country’s
e-Commerce law is now over a decade old. Perhaps it is time to lend your talents towards
enhancing our laws to insure that they remain capable of addressing the challenges we
currently face and those that we shall meet in the future.
Other nations have made this a top priority. The UK and the United States have
their data privacy laws which are strictly interpreted and enforced. Nonetheless, in the past
year alone, 18 bills have been filed in the US Congress to further enhance their laws against
cybercrime and similar activities.
Let us work with our legislators. I have no doubt that they are all eager to help us
close this gap in our virtual borders, but they need to understand not just the jargon, but
the threats we face and the consequences we can suffer. Guide them through the language
and landmarks of cyberspace and I am confident that relevant and lasting legislation shall
result.
Operationally, it is my hope that this forum shall give birth to both a cyber security
roadmap, as well as a defined framework of collaboration between government agencies
and the private sector so that a cyberspace coast watcher system can be established and
implemented.
In countries like Japan, inbound viruses and malware are treated like outbreaks. The
path is monitored in real time, and through pre-established communications procedures,
the propagation of the virus is arrested. Alerts are sent out not just to networks nationwide,
but to competent government authorities from the source country and other nations in the
region. Specialists are tasked to dissect the virus and formulate defenses which are rolled
out to all networks in the country. We should be able to achieve such a system if we work
hard enough.
This may sound like a tall order, for we have yet to acquire the infrastructure
sophistication of some of our neighbors. However, within this forum, provide clarity to
the question of technical skills that we need to develop and foster in the long term, and
how to best organize these skills. Let us explore avenues for government-to-government
cooperation in terms of technology transfer with our friends in North America, Europe and
Asia. While technologies change, the collaborative approach shall remain the cornerstone
of a sound national security response.
This battle in cyberspace comes to us swiftly and unceasingly. This forum is a
positive step towards rallying our forces but it will take several steps for us to complete our
task. Together, let us raise our virtual army and come to our nation’s defense.
Thank you and good morning.
# # #
Highlights of the 1st Forum on
Cyber Security Awareness and Collaboration
Securing a Whole Wired World
_______________________________________________________________________________
I. Executive Summary
In celebration of the Cyber Security Month, the National Defense College of the
Philippines (NDCP), in collaboration with the Office of the Vice President (OVP) and
the NDCP Alumni Association, Inc (NDCPAAI) launched a series of fora on Cyber
Security Awareness and Collaboration with the theme “Securing a Whole Wired World.”
The event was held on 26 October 2011 at the NDCP Auditorium.
The Philippines is never shielded from acts of cyber terrorism and cyber crimes. Thus,
the objectives of the forum were: 1) to gather cyber security key players and stakeholders
in the country; 2) elevate awareness on what cyber crimes are to eventually control and
conquer them; and 3) explore prospects for cooperation among the government, private
sector, academe, and the civil society. The forum was intended to provide a platform for
discourse and collaboration among government agencies, private sector, academe, and the
civil society.
The activity commenced with the keynote address from Vice President Jejomar C
Binay, followed by three lecture sessions in which six experts tackled
cyber security from theory to practice, and a summary from Mr Abraham Purugganan,
MNSA. The Vice President’s keynote address, read by DND Secretary Voltaire T. Gazmin,
elaborated on the seeming paradox of cyber technology. It has made lives easier and, at the
same time, harder. Cyber security was deemed an opportunity for interagency,
inter-sectoral, and intergovernmental collaborations.
Session One provided the current situation, challenges, and opportunities in the
cyber space. It revealed the urgent need to boost cyber security awareness and capability in
the Philippines. Session Two emphasized the importance of public-private partnership in
enhancing the cyber resiliency of the Philippines. It also explored the nature of cyber war and
provided foundations in crafting the rules of engagement in cyber warfare. Session Three
gave a practical demonstration of how a computer virus can infiltrate industrial control
systems and eventually impact the critical infrastructures of a country. The audience was
also provided with practical tips in dealing with cyber attacks.
Overall, the discussions centered on the ever-changing nature of national security
as demonstrated by the dynamics in the cyber space. Through cyber technology, we saw
how countries flourished to become powerful nations, but we also witnessed how they
became victims of cyber crimes, cyber terrorism and cyber warfare. In the end, a collaborative
approach remains one of the most effective ways of dealing with the evolving threats
in the cyber world.
II.	Opening Ceremony
Welcome Remarks by Fermin R de Leon Jr PhD, MNSA, President, NDCP
Dr. de Leon declared that discourses on issues significant to society, such as cyber
security, are always welcome in the NDCP. The College has always provided a venue
for enlightenment and understanding in the furtherance of academic freedom. Cognizant
of the importance of cyber security awareness in national security, he thanked the OVP
and NDCPAAI for partnering with the NDCP in organizing the forum. He considered the
forum a sterling contribution of the academe in seizing the opportunities and facing the
challenges the Information Age presents. He reiterated that developing cyber resiliency is
not a responsibility exclusive to the government or the private sector. Rather, it is a shared
responsibility; everyone’s contribution matters.
Keynote Address by Honorable Jejomar C Binay, MNSA
Vice President of the Republic of the Philippines and President & Chairman, NDCPAAI
(Speech delivered by the DND Sec Voltaire T. Gazmin)
Vice President Binay noted how the web has become an integral part of human
life and an indispensable tool of governments, industries, and various sectors around the
world. However, he also emphasized how the internet dissolved borders and how the
breadth and depth of valuable information on the Web has reached critical mass, sending
new breeds of criminals into a feeding frenzy.
In 2010, South Korea sustained a cyber attack where 166,000 computers from 74
countries jammed the web sites of banks and government offices. In the same year, IT
security experts unearthed a worm named Stuxnet. Unlike previous worms, Stuxnet did not
prey on computers and networks. Instead, it compromised software that controls industrial
machines and could wreak havoc on facilities like power and water plants. He also cited
the 2011 Global Fraud Report of Kroll Associates, wherein, in 2010, electronic theft exceeded
that of physical theft.
The Vice President affirmed that while the world reaped unfathomed benefits from the
heightened interconnectivity among nations and industries, the borderless nature of the
cyber world also presents a daunting challenge to everybody as all work to exist safely in
that realm. Currently, no single agency has the capability or mandate to match the scope of
this threat and collaboration between public and private parties should remain one of the
strongest mooring points. He highlighted the importance of the private sector as a partner
in ensuring the cyber resiliency of the country. Many potential foreign investors in the
IT field still have the genuine fear of suffering electronic threat offshore, without having
legal recourse; the country’s e-Commerce law, being more than a decade old, is already
outdated.
He encouraged pertinent agencies to explore avenues for government-to-government
cooperation in terms of technology transfer with friends from North America, Europe and
Asia. While technologies change, the Vice President is positive that collaboration shall
remain the cornerstone of a sound national security response.
III. Plenary Sessions
Session One: The Regional Cyber Security Landscape, Challenges, and Strategies
Cyber Security and Governance by Atty Ivan John Enrile Uy, Former Chairman, Commission
on Information and Communications Technology (CICT)
Atty Uy presented the current cyber security landscape. He shared that presently, there
are 5 billion mobile phone users around the world, two billion of whom are internet users.
Out of the 2 billion, approximately 1.2 billion come from developing countries around the
world.
He reported that online transactions have reached 10 trillion dollars worldwide.
The amount of data processed or handled in the virtual realm reached 5 exabytes in 2001-
2003. Today, the cyber world produces the same amount of data in a matter of days. Radio
reached 50 million people in 38 years; television took 13 years. Meanwhile, the internet reached
the same number of people in 4 years’ time; Facebook did it in 3 months. This is how rapidly
the internet spreads its footprint across the world.
As people increasingly become aware of what technology can do, technology becomes
a source of challenge and a matter of security concern for governments. Governments are now
being obliged to match how the private sector, through information technology, efficiently
delivers services to the people. It is very apparent as many governments worldwide have
begun to deliver e-governance and e-services to their citizens. However, as information
technology becomes handier and more ubiquitous, more and more criminal minds would
want to exploit it.
Cyber security concerns have significantly increased over the past years. Recently,
Sony’s PlayStation Network was hacked; 70 million accounts were put at risk. The very first
cyber warfare may have happened in 2007 when Estonia’s information infrastructure was
allegedly attacked by the Russian Government after Estonia decided to move the grave
marker of a Soviet-Russian hero. These recent events have moved the United States to
establish a cyber security command headed by a 4-star general in 2009; South Korea, Great
Britain and China followed a year later.
When one speaks of cyber security, one usually refers to common cyber crimes (e.g.
fraud, gambling, child pornography). However, there are other arenas that require
adequate attention, e.g., cyber terrorism, denial-of-service attacks, online espionage, and
online warfare. Such attacks may come from outside or from within.
Information technology has changed how people live and how they act. It has
ousted governments who have underestimated its ability to influence the mindset of the
people (e.g. EDSA II and the Arab Spring).
Cybercrimes, Cyberterrorism, and Cyber Security Landscape by
Atty Magtanggol B Gatdula, PhD, Director, National Bureau of Investigation (NBI)
	 Atty Gatdula reported that the Philippines is now a haven of transnational organized
crime syndicates due to the lack of capabilities and technical know-how of law enforcers
in the country. Quoting Director Sammy Pagdilao of the Philippine National Police–Crime
Investigation and Detection Group (PNP-CIDG) he shared that cyber crime mafias, mostly
foreigners, have established bases of operations in the country. Cyber crime syndicates
have taken advantage of the organizational and technical incapability of law enforcers to
fight cyber crimes.
	 Because of great feats in information and telecommunications technology, the
public is lured into trading security for the convenience these tools offer. Being useful
and user-friendly, smartphones have become a typical person’s confidante in his daily
living. However, due to the mass of personal data stored on these gadgets, most of which
are sensitive, these seemingly useful tools may become a source of vulnerability to their
users. Today, the world experiences a dramatic increase in malicious software. Smartphones
serve as a window of opportunity for cyber criminals to access potential victims’ personal
and bank details.
	 With regard to cyber terrorism, Atty Gatdula believes that terrorism continues to
survive because it takes different forms to match the changing times; this includes cyber
terrorism. The information age has built a battle zone not only for good intentions but also
for evil schemes. In the absence of clear national policy for information security and internet
structure stability, the Philippines is vulnerable to cyber attacks. The country currently lacks
a well-defined strategy and clear national security policy to combat cyber terrorism. The
Human Security Act of 2007 and the E-commerce Act of 2001 could no longer address the
emerging and evolving challenges in information security.
The vulnerabilities of developing countries continue to encourage terrorists to
enhance their hacking skills. No matter how sophisticated the reporting systems of industries
are, they would all be rendered useless if the country does not have the technical capability
to promptly and effectively respond. Nevertheless, vulnerabilities come with counteractions
e.g., prevention, detection, and reaction. The task is mainly reaction; one can never always
be proactive when it comes to cyber terrorism. One is blind to the next mode of attack.
Amidst different modes of cyber attacks such as Stuxnet¹, there is a need to assess
and address the vulnerabilities of the country’s existing infrastructure control systems (e.g.,
MRT, LRT, traffic systems, dams, and wind mills) not only by the Philippine Government
but also by businesses operating these industry control systems.
Session One Open Forum
A participant asked the speakers to personally identify the most probable and
plausible cyber terrorism attack on the Philippines. Atty Uy opined that the country
currently has a lot of vulnerabilities in many areas which may all be potential targets of
attack. He particularly identified government websites which have recently become targets
of hacking and defacement. He agreed with Atty. Gatdula on the possibility of local critical
infrastructures being points of attack.
Another participant shared his experiences on receiving e-mails from unidentified
persons offering to launder money to the Philippines. He asked if the NBI has ever pursued
these scam authors. A former Chief of the NBI’s Computer Crimes Division said that the agency
launched several information drives against such scams. He also shared that the origin of
these emails can be mostly traced to Africa. Because of jurisdictional considerations, the
NBI cannot launch full pursuit operations against these scammers. Atty Uy shared that the
Philippines already has local versions of such scams.
_____________________
¹ Stuxnet is a computer worm widely suspected to have been designed to target uranium enrichment
infrastructure in Iran. IT experts concluded that the sophisticated attack could only have been launched
with nation-state support.
Session Two: Government and Private Sector Solutions
Cyber War and Rules of Engagement
Drexx Laggui, Principal Consultant, Laggui and Associates, Inc.
The recent penetration tests initiated by the Land Bank showed how vulnerable
the network systems of Megalink and BancNet members are. Hired computer experts
were able to fully infiltrate their systems, allowing them to do fund transfers and hijack
remittances.
Recently, the information system of the International Monetary Fund was
penetrated, compromising very sensitive data that could endanger the financial market.
The hackers allegedly accessed the network system by targeting the Facebook account of an
IMF employee. It is widely suspected that it was a government-sponsored assault. Cyber
terrorists would break into online banking systems and steal credit card information in order
to buy equipment that would carry out their terrorism plans. Through BSP Circular 542,
which requires banks to undergo penetration testing yearly, the public is assured that local
online banking systems will survive in the event of cyber war. However, other industries
are still vulnerable. The energy, utilities, and transport industries all use SCADA² in
their infrastructure control system. SCADA is the same system used by the Iran nuclear
enrichment plants allegedly targeted by Stuxnet.
Cyber war is a state-sponsored sabotage or espionage done before soldiers set foot
on the battleground. It is the “use of force” in the cyberspace that has repercussions in the
physical world. It is not directed against the military but the national economy which may
also have serious implications in national security. In cyber war the rules of engagement
(ROE) must be carefully crafted to minimize ambiguities that would delay responses when
use of force is already required. When a country is engaged in cyber war the criteria for
success (or failure) must be defined. The scope and timeframe of the attack must be set.
Targets that are far removed from military objectives (e.g. hospitals) must never be engaged.
The impact of cyber weapons is unproven and unknown which makes their employment, in
the event of cyber war, a critical decision given to the Head of State. The health, welfare, and
privacy of the public must not be compromised. The reports, records, and data generated
from cyber operations must never be used for commercial gains.
In crafting the ROE for cyber war, three challenges must be addressed: credibility,
invocation scenarios, and attribution. The key to deterrence is to show that the nation has
the capability to defend itself against attacks and, if necessary, to fight back (i.e., credibility).
The Philippines should have a potential escalation framework, where some instances could
invoke cyber war, as part of a planning activity (i.e., invocation scenarios). There is also
a need to beef up capabilities that would aid law enforcers to identify the face (or nation)
behind the keyboard (i.e., attribution).
__________
² SCADA (supervisory control and data acquisition) refers to industrial control systems (ICS), computer
systems that monitor and control industrial, infrastructure, or facility-based processes.
The Philippines has a maturity level of 1³ when it comes to cyber war capabilities.
The country has arcane laws, regulations, and ROE that hobble its capability to ensure its
national security. Nevertheless, it has the potential capability to engage, sustain, and achieve
objectives in cyberspace.
Public-Private Partnership in Cyber Security
Stephen Cutler, President and CEO, Official Global Control Corporation
	
	 The world is facing the same transgressions as it did hundreds of years ago (e.g.,
fraud and theft); the only difference is the speed at which they are committed. The state
and military security structures do not move quickly as policies change.
	 As with any crime committed in the real world, there is a need to differentiate the
criminal acts committed by a pathological criminal (which are felonious) from those committed
by a pathological criminal who is in charge of the state (e.g., Hitler and Stalin). It is critical to
differentiate acts of war from crimes. Educational institutions such as the NDCP may shed
light on this important issue.
	 Some people in the military believe that the private sector should protect themselves;
the armed forces should protect the shores of the nation. However, with the advent of the
information age, one may rarely see physical assaults as extensive as they were during the
Spanish colonial era. At present, the private sector holds most of a country’s
national assets. It is, therefore, a responsibility of the military to protect them. One should
take a holistic view of national security.
	 There is a need for public-private partnership and dialogue. There is a need to gather
stakeholders from the country and representatives from the international community as well.
National assets (both public and private) must always be protected. Whether the country is
faced with invasion in the physical or the cyber world it does not matter; national assets will
be lost. Both the private and the public sector must contribute their utmost responsibility
and utmost capability in protecting their nation.
Major General Jonathan Shaw of the British Cyber Command said that cyber attacks
represent the greatest threat to national security. Cyber attacks affect everyone. Everyone
therefore must contribute to the protection against the danger cyber attacks pose. 80% of
the threats are the result of poor cyber hygiene (e.g., the lack of relevant laws). Every nation
must utilize all multilateral and bilateral relations to ensure its cyber resiliency.
Session Two Open Forum
One of the participants asked Mr Laggui if the Monroe Doctrine⁴ is a sufficient
framework to defend a nation’s security, especially in cyberspace. He also asked if there
is a need for further definition of cyber war to set it apart from cyber attacks. He wanted to
know from Mr Cutler how flexible cyber security policies should be, considering that
the Treaty of Westphalia⁵ no longer holds and the dynamics in the cyber world are
ever-changing. In response, Mr Laggui shared that the cyber version of the Monroe Doctrine
allowed the US to identify its critical infrastructures and build up cyber resources to defend
these assets. Meanwhile, Mr Cutler said that the Treaty of Westphalia is one of the many
agreements that set up diplomatic relations among countries, which led to the nature of
the international community the world has today.
_________
³ According to Mr Laggui, countries with Level 1 Maturity (i.e., Ad Hoc Level) have key stakeholders
as leaders championing a management system of IT security.
⁴ The Monroe Doctrine is a policy of the United States introduced on December 2, 1823. It stated that
further efforts by European nations to colonize land or interfere with states in North or South America
would be viewed as acts of aggression requiring U.S. intervention.
	 Another participant wanted to find out from Mr Cutler the level of international
cooperation in cyber security the Philippines has today. Mr Cutler opined that the
country’s progress is far from the state of cyber resiliency it needs to have. There is a lot
of support from other countries (e.g., South Korea, Japan and the US). Other neighboring
countries (e.g. Thailand, Malaysia, and Indonesia) are doing well in enhancing their cyber
security. Meanwhile, Mr Laggui shared that the local financial industry has very mature IT
governance. Most of the banks in the Philippines have Level 3 Maturity.⁶
Session Three: Cyber Security in Practice
The Real Deal of Cyber Attack to National Critical Infrastructure
Chaiyakorn Apiwathanokul, CEO, S-Generation, LTD, Thailand
	 It is a general belief that linking the industrial control systems to networks and
internet makes them more secure as it allows authorities to manage and control them
anytime and anywhere on the planet. On the contrary, doing so only makes them harder
to protect as anyone may access them using the right tools. In 2002, a nuclear power plant
was forced to temporarily shut down due to a computer virus. When an operator’s infected
laptop was connected to the plant’s control system, the virus spread throughout the network
incapacitating the safety monitoring system of the plant. Operations had to be temporarily
terminated; there were massive blackouts for days.
	 Industrial control systems are one of the most common targets of cyber attacks as
they manage and control critical infrastructures in a country (e.g., plants, transport system,
traffic system, and dams). Control systems will always have weak points that hackers can
exploit. They develop computer viruses to exploit such vulnerabilities, one of the most
recent and notorious of which is Stuxnet. The government tries to protect these critical
infrastructures through rules, guidelines and regulations. Operators must comply with
these laws.
Cyber Security: What to do in the event of Cyber Attack?
Nebuchadnezzar S Alejandrino, Chief, DND Information Management Office
	 There are three types of network system: 1) those that have already been attacked
(e.g. the Vice President’s website); 2) those that are to be attacked (e.g. DND website); and
3) those that are currently under attack. The manifestations of cyber attack are very difficult
to discern.
_________
⁵ The Peace of Westphalia was a series of peace treaties signed between May and October of 1648 in
Osnabrück and Münster. These treaties ended the Thirty Years’ War (1618–1648) in the Holy Roman
Empire, and the Eighty Years’ War (1568–1648) between Spain and the Dutch Republic, with Spain
formally recognizing the independence of the Dutch Republic.
⁶ According to Mr Laggui, Level 3 Maturity (i.e., Managed Level) implies a systematic process of
handling IT security and governance.
	 Hacking a network is very easy given the right kind of tools. Some resources are
available online; anyone can be a suspect. There are even alleged state-sponsored cyber
crimes. Dir Alejandrino divided cyber attackers into two: non-state attackers and state
actors. The former are individuals or organizations, including Anonymous.⁷
	 When an information system is under cyber attack, it typically hangs, unfamiliar
images appear on the computer screens and the system slows down. A network can be
penetrated whether it is online or offline. When connected to the internet, a system may get
compromised from media or documents downloaded from the web. When offline, a system
can still be infected through manual transfers e.g., using thumb drives. In the Department,
classified documents are kept isolated and offline to ensure their safety.
	 In case of cyber attack, the most important thing to remember is to not panic. Go
offline immediately and report the incident to the local IT office and to the top management.
Fortifying your defenses by establishing a cyber security team proves to be useful. It is
imperative to create a backup system for your network to ensure that operations will not
be seriously disrupted.
Session Three Open Forum
	 A participant asked Dir Alejandrino’s opinion on the security of cloud computing.
Dir Alejandrino opined that cloud computing is not absolutely secure since one does not
know where the data is stored or who may have access to it. Meanwhile, Mr Laggui
clarified the use of the term “security.” He said that in the business industry, being secure
means that the level of risks is acceptable vis-à-vis the operational requirements. A lot of
military officials in the armed forces are exchanging data online via Yahoo Mail or Gmail.
Mr Laggui does not recommend this as these data go to foreign computers. Security means
trustworthiness. Trustworthiness means that one has the power to audit the system, verify
the controls, and see a demonstration of its safety and capability.
	 Another participant emphasized the incidents reported in the presentations
wherein states allegedly sponsored the conduct of certain cyber crimes. He then asked for Mr
Apiwathanokul’s and Dir Alejandrino’s views on whether these states can be considered
terrorists and, if so, what crimes can be charged against them. Dir Alejandrino said that it
is very difficult to associate acts of cyber crime sponsored by the state with acts of terrorism,
especially if a state had done so in the name of national security. Meanwhile, Mr Laggui
clarified that alleged state-sponsored cyber crimes are not typically called state-sponsored
terrorism but exercise of political will with cooperation from other countries.
	 One of the participants asked the speakers’ opinion on the government using
open source⁸ software in their systems. Open source software can be audited to ensure
that the software is free from tampering. With regard to software auditing, which allows users
to examine the source code of software to ensure that it has not been tampered with, Mr Alejandrino
informed the audience that the Philippines does not have an existing relevant law. Mr Laggui
added that software auditing is imperative as it ensures the safety and trustworthiness of
software outsourced to handle the country’s critical infrastructure.
_______________________
⁷ Anonymous (used as a mass noun) is a group, spread through the Internet, initiating active
civil disobedience, while attempting to maintain anonymity.
Summary and Way Ahead	
Abraham A Purugganan, MNSA
Former Head, Task Force for the Security of Critical Infrastructures
Mr Purugganan considers cyberspace the fifth battle space (in addition to land,
air, sea, and space). It entails new rules, doctrines, and regulations. We are becoming
increasingly dependent on information systems. Since its beginning in the 1990s, the internet
has come to reach 2 billion people worldwide.
Online information and resources (both public and private) have become so
lucrative that they have become so inviting to criminal organizations as well as government
and corporate organizations. The Information Age has empowered every citizen in the
world; however, it has also enabled criminal elements to do evil things to an individual,
organization, even a nation. In response, countries are establishing both defensive and
offensive cyber capabilities.
The Philippines has become a haven for cyber crime not only due to a lack of technical
know-how and laws but also the lack of an organized national effort. The country has existing
cyber capabilities. The easiest way to wage a war is to launch a cyber war. Traditional
forms of war entail a lot of resources. Cyber war, on the other hand, only needs a computer,
an internet connection, and a little programming knowledge. The Philippines has some of the
brightest programmers but the country does not take advantage of this. The E-commerce
law cannot bring hackers to justice. Local advocates have been lobbying for a cyber crime
law for nearly a decade.
Critical infrastructure must always be protected. Once cyber terrorists get control
of them, government operations and the national economy may get compromised. In cyber
warfare, it is very hard to identify the enemy. Consequently, it may take a long time to
craft an international Cyber ROE. Organized cyber crimes, both terrorist-led and
state-sponsored, are targeting defense industries because of useful information on weaponry and
crucial military secrets.
Private-public partnership in the country has its challenges. For one, private
industries are reluctant to report hacking incidents to law enforcers for fear of
losing clients and investments. Nevertheless, the private sector holds most of the critical
infrastructures in the country; partnership is imperative.
It is also imperative for any information system to have standard countermeasures
(e.g., procedures, protocols, and programs). In the National Cyber Security Plan, both
the private and public sectors are encouraged to build their protective systems robustly.
Industries must invest in security and backup systems to minimize disruptions in operation
in the event of cyber attack.
In the coming years, all manual ways of doing things may get digitized. As the levels
of interconnectivity and interoperability increase, vulnerability also increases. In enhancing
the country’s cyber resiliency, there is no need to reinvent the wheel in cyber security. There
are a lot of existing models and programs; all that is needed is implementation.
IV.	 Closing Ceremony
Concluding Remarks by Fermin R de Leon Jr PhD, MNSA, President, NDCP
Dr. de Leon expressed his gratitude to Vice President Jejomar C Binay and the DND
Secretary Voltaire T Gazmin for being ardent supporters of the College’s endeavor to engage
various stakeholders in academic discourses on many issues and concerns that matter to
the country, including cyber security. He also thanked the speakers for guiding the audience
in traversing cyber security from theory to practice. He shared that while listening to the
presentations, his belief about the contemporary way of living was reinforced. Indeed, as
information technology moves forward, people’s lives become easier but, at the same time,
harder.
Since access to cyber technology has become universal, it has empowered not
only the citizens of the world but criminal minds as well; evolution of technology brought
evolution of threats alongside it. He confirmed that cyber technology has its predicaments
but he also affirmed that it presents opportunities, including inter-agency, inter-sectoral,
and inter-state collaborations.
He is optimistic that the activity was able to impart the knowledge, insights, and
even skills and values which will equip the participants in confronting the enormous and
overwhelming challenges of the 21st Century.
# # #
Second Forum on Cybersecurity Awareness and Collaboration
27 February 2012
NDCP Honor Hall, Camp Emilio Aguinaldo, Quezon City
“How Safe Is Your Money?:
Rethinking Cybersecurity”
Keynote Address
Rethinking Cybersecurity
Honorable Jejomar C Binay, MNSA
Vice President of the Republic of the Philippines
Speech read by DND Secretary Voltaire Gazmin during the Forum on “How Safe Is Your Money?:
Rethinking Cybersecurity” held on 27 February 2012, 9 am, at the NDCP Honor Hall, Camp Emilio
Aguinaldo, Quezon City.
_______________________________________________________________________________
Our topic this morning does not require all of us to be cyber experts. It merely requires
us to be especially attentive to the new and ever-expanding security environment
in cyberspace so as not to be left behind by fast-moving developments. 
We do not enter an arcane and unknowable world when we attempt to grapple
with the issues of cyberspace. But we need as much as possible to move at a pace equal
to the speed at which scientific and technical innovation is taking place and the various
cyberspace actors are creating new situations for us to deal with.
Security planners, as has been amply demonstrated elsewhere, have the burden of
showing that cybersecurity does not have a military application alone.  It has an equally
extensive non-military application as well. 
Much of what we read about cyber warfare has little to do with cyber crime. There is
a tendency on the part of the experts to distinguish sharply between the military threat and
the threat to law and order.  The distinction is often so sharply made that different agencies
are placed in charge of the one and the other, and they hardly relate to each other.   
This approach is not always helpful.  It tends to ignore the possibility, or the fact,
that many of those involved in cyber wars are also first involved in cyber crime; they could
in fact use cyber crime as their training ground for their eventual engagement in cyber wars. 
Some authors have established this link among many non-state hackers who were involved
in the Georgian and Gaza cyber wars.
In cyber warfare, information weapons are used to attack state and military control
systems, navigation and communication systems, and other crucial information facilities to
create serious military and civil dysfunctions within a state. 
In cyber crime, they are used to attack critically important financial services—
banking and credit card transactions, insurance, trading, funds management, and other
business and consumer activities that are delivered online to various parts of the economy. 
It generates untold profits for the cyber criminals with little or no risk at all. 
Deterrence is always hard in both cyber war and cyber crime. It is easier to detect
attacks in cyber war than it is in cyber crime, but correct attribution, after detection, may
be a lot harder in cyber war than it is in cyber crime. 
In cyber war, the target knows immediately when it has been attacked; in cyber
crime, it sometimes takes a long time before a financial institution realizes that it has been
attacked. 
For instance, in 2009, the victim of one of the biggest data breaches in US history,
involving 130 million accounts, did not know that hackers had an uninterrupted access to
its secure network until five months later.  This was but one of the many cases reported or
unreported that year. 
In the past six years, according to one online report, US companies have reported 288
other data breaches, which compromised at least 83 million records of private individuals. 
The cost to each individual usually runs high. 
Such cost is compounded when the sensitive nature of the victim’s business, like
that of a bank, prevents it from reporting the breach to the appropriate authorities as soon
as it is discovered, or if and when the attacked institution or the appropriate authorities do
not have the legal means to swiftly and adequately respond to it. 
In one famous case last year, a US senator demanded to know why Citibank took
about a month to report a breach affecting his credit card account and that of some 360,000
others in North America. 
The damage to the credit card holders was never disclosed, but the senator pointed
out that the institution had a fiduciary and business responsibility to notify its customers
about the breach, so they could protect themselves.
This particular incident prompted calls for stronger legislation requiring breached
businesses to notify their affected customers.  Thus far only 45 U.S. States have such breach
notification laws. Nothing similar exists in the Philippines.
Of all transnational crimes, cyber attacks on financial institutions are said to be
yielding the highest financial returns—higher than those from drugs and arms smuggling,
kidnapping for ransom, human trafficking, and others.   And no one has been prosecuted
for any of them.
These high, risk-free returns are bound to encourage local criminals to exert a much
larger influence on the cyberspace underground, just as they have done so in Russia, Japan,
Hong Kong, the United States, among others.  
This is where the real challenge lies.
It is primarily a task for the law enforcers. There is an urgent need to intensify efforts
at cyber crime prevention, detection and prosecution.  We need to have the correct and
adequate laws to protect our financial systems and institutions and private individuals, but
these have to be supported with the appropriate and adequate facilities and manpower.
Precisely because modern technology has made the financial services so sensitive
and vulnerable to every slight disturbance, we need the best laws and practices to ensure
the most reliable means to guarantee public confidence in our monetary system.  
The Cybercrime Prevention Act of 2012, which has passed the Senate, is a good
start, but it barely scratches the surface and is just really a beginning. We need the most
comprehensive cyber security laws to put us ahead of the most determined elements who
specialize in cyber crime.
We also need to put good money into cybersecurity research, intelligence and
analysis, and to collaborate with the private sector whenever government resources are
lacking in order to undertake such research and put it into practice for better cybersecurity
of the financial services sector. 
This is vital to the interest of both the public and private sectors.
For this reason, it could be a most suitable project for the public-private sector
partnership program of the administration. 
Working together, the public and private sectors have an easier way of advancing
the state of the art in information technology and cybersecurity through innovations in
mathematics, statistics and computer science, the development of measurements and
standards for emerging information technologies, and the deployment of I.T. systems that
are reliable, interoperable and secure.
Together they also stand a better chance of protecting the physical and electronic
infrastructure of the financial services sector.
These are just some of my thoughts on the subject.  I hope to learn more from the
experts at this meeting.   
Thank you and good morning.
# # #
Highlights of the Second Forum on Cyber Security
Awareness and Collaboration
How Safe Is Your Money?:
Rethinking Cyber Security
I. Background
The Forum on “How Safe is Your Money?: Rethinking Cyber Security” was held at the
National Defense College of the Philippines (NDCP) Honor Hall on 27 February 2012
in collaboration with the Office of the Vice President (OVP) and the NDCP Alumni
Association, Inc (NDCPAAI). The forum provided a platform for information dissemination
and awareness to participants from government agencies, private sector, and the academe.
Key persons were invited as speakers to expand security awareness and education as well
as ways to improve cybersecurity as a means to protect national security.
The objectives of the forum were: 1) to promote awareness and advocacy campaign;
2) to mainstream cybersecurity concerns among various sectors; and 3) to discuss and
share best practices in enhancing cybersecurity of various financial institutions. The forum
is intended to serve as a platform to discuss and provide awareness and facilitate exchange
of knowledge and ideas on current status of cybersecurity in the Philippines and what can
be done to address current exigencies that are emerging because of the advancement of
technology.
In his opening remarks, Vice President Jejomar C Binay said that “there are new
situations to deal with” because of the threat to cybersecurity where there is “cyber warfare
that poses military risk and threat to law and order.” He emphasized that people who are
involved in cyberwarfare must have first committed cybercrimes. He defined cyberwarfare
as activities in the cyberworld that have the potential to cause civil and military dysfunction.
Cybercrime, on the other hand, may include attacks (e.g., data breach, disclosure of trade
secrets) against financial institutions to generate unlawful profits. Moreover, he highlighted
the need for an “accurate attribution to cyberwar and cybercrimes” because more often than
not it “takes a long time to ascertain when an institution is attacked.” The lack of related
legal foundation in the country has to be addressed because currently there is no legal means
to punish perpetrators, unlike in the USA where there is strong legislation for disclosure
due to the fiduciary nature of business, especially in the financial sector. It is an issue of
paramount importance because no one has been prosecuted yet though cybercrimes are
committed every day. More importantly, cybersecurity encompasses a much larger influence
because it is transnational. Consequently, there is an urgent need to intensify reports on cyber
violations and provide enabling laws and practices so that the public’s confidence in the monetary
system may be regained. The issue of cybersecurity is of vital interest to both private and
public sectors; partnership is then necessary to eradicate the cybersecurity threats.
28 ICT Development and Cyber Security Reader
Six experts discussed the current practices in the Philippines regarding cybersecurity,
its current status, development of products, and technological advancements today. Session
One of the programme focused on the private and public sector perspectives of cybersecurity
and how they have coped with the dynamics in the cyberspace. Meanwhile, Session Two
focused more on security measures taken by the companies which provide information and
communication technology. The summary of the proceedings was done by Attorney Ivan
John Enrile Uy, Former Chairman of the Commission on Information and Communications
Technology.
The forum generally focused on public, private, and public-private initiatives to
strengthen cybersecurity with a particular focus on the financial sector. In addition, measures
which can be taken by the public to protect themselves amidst the growing technological
advances today were also discussed.
II. Opening Ceremony
Welcome Remarks by Honorable Voltaire T Gazmin
Secretary of National Defense
(Speech read by Undersecretary Honorio Escueta)
Sec. Gazmin focused on the expansion of cybersecurity awareness and education.
He appealed to those present to contribute and do their part so that cybersecurity will be
strengthened. He emphasized the need for initiatives to improve cybersecurity for protection
of national interests and security.
Keynote Address by Honorable Jejomar C Binay, MNSA
Vice President, Republic of the Philippines and President & Chairman, NDCPAAI
Currently, there are no laws in the Philippines which deal with cyberwarfare and
cybercrimes. The lack of pertinent laws poses a threat to peace and order. He emphasized that
valuable information, which is disseminated with the use of technology, can possibly cripple
civil, military, as well as private institutions involved in the business of banking, financing,
and insurance. Considering the dynamics of crimes committed in cyberspace, Vice
President Binay urged the audience to work together to enhance security in cyberspace.
Vice President Binay affirmed that the issue of cybersecurity is of great importance due to
its transnational nature, and more so because perpetrators are not easy to pursue.
III. Plenary Sessions
Session One: Public and Private Sector Relationship and Cybersecurity
How Do Banks Secure Information Assets? by Manuel Joey A Regala
VP, Information Security Dept, Universal Bank President and Member, ISACA Manila Chapter
Mr Regala reported how financial institutions set up security measures to protect
their clients’ money. He stated that banks secure data, in digital form, which are valuable
to the organization. He emphasized that assets are confidential. Banks have developed a
formidable security module that recognizes that hackers now use improvised cameras that
enable them to see a potential victim’s personal identification number (PIN) to cash out the
money from their clients. They have also improved their transaction receipts, which now
have marked account numbers to protect their clients. Banks, he said, have improved
their security by providing an in-depth defense mechanism in layers. This protects data
and provides technical assurance that the risk that comes with acquiring technological
advancements to make banking easier will be managed. The mechanism includes physical, host and
data security. He underlined that data security goes through the process of encryption,
authentication and use of passwords in every bank transaction.
Mr Regala also stated that checks and balances are carried out by the banks in order to meet
certain standards and audit requirements set by the internal and external auditors of the
Central Bank of the Philippines. Banks have also established security measures that consist
of a perimeter network, operating system, application layer and final core. He said that the
inner core is the “holy ground” of the security system of banks and that the host hardens the
operating system so that hackers won’t be able to penetrate the system, and thus effectively
prevents intrusion. The system also protects itself from viruses and has audit locks. This allows
banks to ensure the safety of their clients’ money. Moreover, Mr. Regala emphasized that
authentication is vital and that they have encrypted one-time passwords, automatic timeout,
digital certificates, and tokens to ensure that cyber banking is secure. His recommendation
is to promote awareness for cybersecurity to enable human factors, interlinkages, culture,
governance and support to come to fruition and strengthen cybersecurity.
Cybercrime and How It Affects National Security
Rear Admiral Vicente Agdamag, AFP (Ret)
Deputy Director General, National Security Council (NSC)
Admiral Agdamag’s presentation was about the role of the public sector with
regard to cybercrime and the importance of cybersecurity as a national security issue. The
first known incident that gave rise to the threat to national security in the Philippines is
the “love bug” that damaged over 12 billion dollars worth of computers. There are also
insurgences of cyberterrorism activities that attack computer networks and ultimately
destroy infrastructures. He noticed that there is such a lack of training with regard to cybersecurity
that national security is threatened. There is no information system on how such attacks
can be dealt with.
Moreover, there is no legal regime upon which cybersecurity measures can easily be
distinguished and established. There are still questions on how to acquire jurisdiction and
evidence. There is an urgent need to provide for laws that are apt to the current situation
and threats to cybersecurity. There is even a development of HB 1246 Anti-cybercrime Act
of 2011. It is wise to remember that the policy of the state is to undertake steps towards the
enhancement of the Filipino people. Their welfare, protection of sovereignty, and protection
of national territory must be taken into consideration.
The state must continue to pursue regional cooperation in cybersecurity. In fact, the
state has mandated that there should be five (5) groupings, divided into the political
group, diplomatic group, economic group, information group and military group. The
political group will be led by the Department of Interior and Local Government; the diplomatic
group, by the Department of Foreign Affairs; the economic group, by the National Economic
Development Authority; the information group, by the Communications department of
the Office of the President; and the military group, by the Department of National Defense. He
stated that the way forward is through information exchange, emergency response, research
activities, and continuing efforts to combat threats to cybersecurity.
Open Forum (facilitated by Atty. Ivan John Enrile Uy)
Mr. John Ruero, a member of ISACA, ISA, and the Philippine Society of IT Educators,
commented that the academic sector was not represented in the presentation of the public
sector. Admiral Agdamag said that there is an assessment card where they are pushing
for manpower development and human resources. The factors that were taken into
consideration were legislation, budget, infrastructure, and equipment.
Nathaniel Marquez of RC 46 asked if the government has come up with a national
policy regarding information and the types of information that need protecting. Admiral
Agdamag affirmed the need for this kind of policy, not only for data management but also
to increase awareness, because information is now used as a weapon to destabilize national
security. However, he said that as of now such policies are just being developed.
DOJ Response to the Challenge of Cybercrime
ASec Geronimo L. Sy, Planning and Management Service, Department of Justice
ASec Sy talked about the DOJ Response to the Challenge of Cybercrime. He talked
about how cybersecurity is an encompassing concept where cybercrime is only a part of it.
He thought that Senate and House Bills should include criminal reforms on crimes committed
in the virtual world and should not be left to the information and technology committee. He
also talked about the legal and technical competency of members of the proposed committee
to ensure that laws meet global requirements. Moreover, he tackled the issue as to how
laws should enumerate and distinguish each of the cybercrimes punishable under our law
so that the DOJ can validly respond and propose a change in the Rules of Court to admit a
procedure for cybersecurity violations.
Open Forum
Drexx Laggui, a computer forensic expert, posed the question as to when one should
stop electronic discovery and what the existing guidelines and limitations are. ASec Sy
answered that in Brussels, Belgium it takes 3-6 months for forensic investigation and at
present, it is still a global problem that needs to be addressed. There have to be changes to
the Rules of Court regarding procedure and at the moment, the DOJ is training prosecutors
to be ready to try cyber cases.
Ms. Cristina Exmundo, MNSA RC 47 student, said there are international laws that
regulate war. She asked if it was also the case for cyberwarfare. ASec Sy shared that in the
United States there is a scale that could amount to cyberwarfare. In the Philippines, the
law is still in the development phase. General Ozeta posed the question as to what the
government policy on information is and who the manager of such information is. ASec Sy
answered that the DICT bill intends to give focus on the information anchor. He also said
that the government is generating information for knowledge and guidelines. Although
the DBM has the power of the purse, there should still be checks and balances with regard to
the budget allocated for cybersecurity measures. LtCol. Roxas of Naval Plans Office asked
whether the information warfare capability as a hacker and as a deception device can be
used in the military. ASec Sy answered that there is a multiple track approach and that
there is no such policy yet because focus is more on physical equipment for the military. He
also said that information policy should be relative to the national security policy so that it
could be used as input into national defense.
Dr. Lemuel Braña, UP Professor and advocate of information security, identified
specific problems, which are coordination and management and the lack of a standard to protect
gateways or websites. ASec Sy agreed and said that the problem is human agency and
there are vulnerabilities in the concept of cybersecurity which pose the question as to who
is going to do it.
Dir. Nebuchadnezzar S. Alejandrino, Chief, DIMO, asked Mr Regala to rate the
status of cybersecurity in the Philippines. Mr Regala said that he agreed with ASec Sy that
we are at the low level. However, we are using “stealth technology”, which is in a defensive
mode, and he considers this a great start for cybersecurity. Dir. Alejandrino asked ASec. Sy
for his legal standpoint on the need for a homeland security agency. ASec. Sy answered
both yes and no. He said yes because there is a need for coordination, but he also said
no because we do not need another super agency. He said that what we need is a “web
approach” which is resilient for technological problems. He was asked if there are plans
for homeland security; he said there is no DICT yet.
Dir Alejandrino asked Vice President Binay for policies to address the issue of
foreign countries training students to hack. The Vice President said there is no need to put up a
special body to do a task like that; what needs to be addressed first is coordination to facilitate
a collaborative, multi-agency effort. The coordinating officials must have moral ascendancy.
Lieutenant Feliciano shared that after the police are trained to become highly technical experts, they
are tempted with more lucrative jobs in the private sector. In connection with this, he asked what
the government’s current retention plans are. ASec Sy answered that the qualification
standards of the Civil Service Law should be abolished since they were promulgated in the
1960s and no longer cover jobs which involve technology. He said that there should be
results-based governance.
Mr Dan Crisologo, a former head of Cybersecurity of the NBI who is currently a member
of the ICTO, shared that the government has allotted one (1) billion pesos for cybersecurity
to implement Executive Order 47.
Session Two: Technical Specifications in Ensuring Cybersecurity in Gadgets and
Operating Systems
iOS Security, John Andrew Lizardo, Training Supervisor and Professional Business Unit
Apple (PowerMac Center)
Session Two focused more on the technicalities of how security measures have been
undertaken by various companies to adapt to the concept of cybersecurity. The first presenter
was Mr. Lizardo, who focused on the security features of the iPhone Operating System or
iOS. The layered security of iOS covers device security, data security, networking security
and application security. In device security, the operating system has passcode, policies,
and device restrictions. Passcode policies cover requiring a passcode on the device, allowing a simple value,
requiring an alphanumeric value, minimum passcode length, minimum number of complex
characters and minimum passcode age.
Furthermore, a 256-bit AES hardware protection is always on for all data. In data
protection, there is a five-level encryption and mail and third-party application. With regard
to network security, there are encrypted network traffic, strong authentication, and end-to-end
encryption in Message and FaceTime. Application security includes mandatory application
signing, sandboxed applications, an encrypted keychain, a security framework for development
and managed applications via Mobile Device Management (MDM). The MDM capabilities
are to install and remove configuration policies, query devices, manage applications, remote
wipe and lock, and clear passcode. However, in order to utilize the MDM, the user should
be enrolled in it. If the user has already enrolled in MDM, he can perform authentication,
certificate enrollment and device configuration.
IT Security Best Practices for Windows Platform
Freddy Tan, Cyber Security Strategist, Microsoft Asia
Mr. Tan’s presentation started with addressing the question on who holds the
responsibility and accountability in cybersecurity which is very important. He said that
Filipinos are adapting Information Technology (IT) and that is a good sign. However, the
country ranked 85 in 2010 and 86 in 2011 in Network Readiness. The ranking implies that the
Philippines is not equipped in terms of networking. He mentioned that cyberwar, sabotage
and political change are the threats in cyberspace. He also stated that a malware program
like Stuxnet, a computer worm, is commonly used as a weapon to destroy the system.
With respect to Microsoft security, he admitted that there are wide operating
system (OS), browser and application vulnerabilities and that Windows XP is the most
infected OS. Therefore, if the user wants security, he should discontinue using XP and
update the machine or the OS. He recommended that users buy the 64-bit Windows 7
if they want security. He opined that a well-managed secure infrastructure is the key
and there should be a standard operating environment such as the US Air Force standard
desktop. Microsoft has rights management services, which include BitLocker, Network
Access Protection, etc.
Android Security
Charo Nuguid, Java and Android Training and Development Consultant
Co-Founder, MobileMonday Manila
The presentation focused on the Android security model, user behavior vs. permissions
and best practices. The security features of Android are as follows: 1) security at OS level
through the Linux kernel; 2) mandatory application sandbox for all applications; 3) secure
interprocess communication; 4) application signing; and 5) application-defined and
user-granted permissions. It was discussed that an Application Program Interface (API) may only
be accessed by explicitly declaring permission. Based on a survey they conducted, 17%
looked at permissions before installing and 56.7% do not install because of permissions. The
survey wanted to show that an application’s security is still dependent on the user.
The best practices to secure the files are: 1) Use Android SDK instead of native
code; 2) users should only ask for needed permission; 3) do not load code from outside the
application; and 4) use authorization tokens instead of storing usernames and passwords.
Data storage was also discussed. Data storage is divided into internal storage and
external storage. In internal storage, files created are only accessible by the application that
created them, and local files may be encrypted as additional security for sensitive data. On the
other hand, files created on the external storage are globally accessible and readable. In
addition, data storage by content providers provides a structured storage mechanism that
can be limited to the application or exported to allow access by other applications, and it
is exported for use by other applications by default.
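The manifest-level points from the Android talk (ask only for needed permissions, external storage is globally readable, content providers are exported by default) can be checked mechanically before an application ships. The Python audit below is an added example, not material from the forum or its speakers; the sample manifest, the package name `com.example.notes` and the function name `audit_manifest` are constructed for illustration, and the implicit-export default is taken from the description above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
WRITE_EXTERNAL = "android.permission.WRITE_EXTERNAL_STORAGE"

# Constructed sample manifest (hypothetical application, for illustration only).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application>
        <provider android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"/>
        <provider android:name=".SharedProvider"
            android:authorities="com.example.notes.shared"
            android:exported="true"
            android:readPermission="com.example.notes.READ"/>
        <provider android:name=".PrivateProvider"
            android:authorities="com.example.notes.private"
            android:exported="false"/>
    </application>
</manifest>
"""


def _attr(element, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text, needed_permissions, default_exported=True):
    """Return a list of (finding, subject) tuples for an AndroidManifest.xml.

    needed_permissions: the permissions the application's features really use.
    default_exported:   what a provider without android:exported is assumed to
                        be; True mirrors the default described in the talk.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # Practice 2: request only the permissions that are needed.
    requested = {_attr(el, "name") for el in root.iter("uses-permission")}
    for perm in sorted(requested - set(needed_permissions)):
        findings.append(("unneeded-permission", perm))

    # Files written to external storage are readable by every application.
    if WRITE_EXTERNAL in requested:
        findings.append(("external-storage-write", WRITE_EXTERNAL))

    # Content providers: flag implicit exports and exports with no guard.
    for provider in root.iter("provider"):
        name = _attr(provider, "name")
        exported_attr = _attr(provider, "exported")
        if exported_attr is None:
            exported = default_exported
            if exported:
                findings.append(("provider-implicit-export", name))
        else:
            exported = exported_attr.strip().lower() == "true"
        if not exported:
            continue
        blanket = _attr(provider, "permission")  # guards both read and write
        if not (blanket or _attr(provider, "readPermission")):
            findings.append(("provider-no-read-permission", name))
        if not (blanket or _attr(provider, "writePermission")):
            findings.append(("provider-no-write-permission", name))
    return findings


if __name__ == "__main__":
    needed = {"android.permission.INTERNET", WRITE_EXTERNAL}
    for finding, subject in audit_manifest(SAMPLE_MANIFEST, needed):
        print(f"{finding:32} {subject}")
```

Setting `android:exported="false"` on a provider that no other application needs clears all three provider findings for it.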
Open Forum
When asked if there are any efforts on the part of the providers to make settings
understandable for users, Mr Tan answered that there are two sides of the coin: if a
person is not technical and experiences technical errors, they should look for people
who have experienced the same error and let them fix it. If a person is technical, on the
other hand, they do it themselves because they understand it and can configure it on their
own. Mr Lizardo answered the question by saying that there is online support, i.e.,
www.apple.com, which is a knowledge base forum for all Apple users to find the best practices
in configuring Apple devices. Ms Nuguid on the other hand said that everyone can access
wifi and the network – these facts are known to the developer. However, there are still
definitions or descriptions that are not for everyone to understand. What one can do is to
tell their contacts at Google that everyone has a problem with this configuration and that
there is an error. This error is due to the fault of the developer and it is the obligation of
users to let the developers know so that they can be conscientious enough to know what
could happen and what the user could do.
Dir Alejandrino asked Ms Nuguid if she would recommend Android for military
usage. Ms Nuguid answered that it is good enough for military usage and that security
depends on the user because the user should be conscientious enough to notice that there are
applications which access data that they shouldn’t be accessing. Security, ultimately, depends
on the person holding the device. Dir. Alejandrino further asked if it could do telepresence
(video conferencing). Ms Nuguid answered that it depends on whether the device you are using
supports such applications. Usually the devices that support telepresence are ones that
come with two cameras.
Dr. Diaz of MNSA Class 47 asked the speakers to expound on standardizing the
operating system. Mr Tan answered that it is due to the Standardization of Global Policies
or GPO. There is already a password, which is a form of configuration of the machine. It
is also up to the user to install applications or to change firewall settings. The concept of
standardization, which the US government is planning to publish, is being able to manage
all types of desktop regardless of its type.
Eugene Galang, ICTO, NDCP, asked if the companies they are representing ask for help
from ethical hackers to test newly developed systems before launching them. Ms Nuguid
said that ethical hackers are those who get into the system and tell the company what it
should have done, but they do not get paid. Usually ethical hackers remain anonymous.
Unlike in the company of Oracle, they employ really good hackers to test their system. Mr
Lizardo said that in Mac they have a developer system, which functions as a community
where they sample codes for an operating system and then they give feedback. They test
out compatibility issues and try new applications. This minimizes attacks, in that no such
hacking would be done so long as one registers as a developer with them. Mr Tan said that
there was a time when Bill Gates sent his employees back to school so that there would be
a security development project team. This enabled Microsoft to stay on top of its game.
One participant asked if the rival companies know the strengths and weaknesses of
each other and if they help each other to improve themselves. Ms Nuguid confirmed this
but clarified that it is in an indirect manner because they get tips from the others through
the latest platforms each one launches. Mr Lizardo said that Apple has provided others with tips.
For example, in 2006, there were a lot of improvements such as permissions and there were
heads-up from competitor companies. It has been Apple’s vision to have a peaceful
co-relation with them. Mr Tan provided that programs provide information to other technical
communities and that there is an MSDR, which is a research to disclose third party software
to other companies. A participant further commented that they all share the same information
and the same vulnerability, and so everyone could address it.
Summary
Atty Ivan John Enrile Uy, Former Chairman, Commission on Information and Communications
Technology (CICT)
Atty Uy said that there should be collaboration from both public and private
sectors to ensure that national security through cyberspace would be protected. As his last
parting words before he gave the floor to Dr De Leon for his closing remarks, he said that
it is everybody’s duty to uphold and spread awareness for cybersecurity because we all
share cyberspace as an information highway and therefore, we all have a stake at keeping
it safe.
IV. Closing Ceremony
Concluding Remarks
Fermin R de Leon Jr PhD, MNSA, President, NDCP
Dr De Leon thanked Vice President Jejomar C Binay for the unrelenting support to
the growing concern regarding cybersecurity. It is indeed important to know how to keep our
money safe because we have worked hard for it. It is our endeavor to disseminate information
to ensure cybersecurity so that there would be no cyberwarfare and cybercrimes. Everybody
is involved in this because it is an issue that involves national security. Therefore, there
should be cooperation and collaboration among public and private sectors to ensure that
the threats would be addressed and ultimately, perpetrators would be held accountable.
Moreover, he said that cyberspace is common to everyone and affects everyone
because there is already a holistic view on national security and therefore, these information
and assets vital to the national interests must be protected. Dr De Leon hoped that the
forum enabled the participants to have new insight and knowledge that will allow them to
disseminate information and awareness to confront the challenges posed by cybersecurity
issues.
# # #
Seminar-Workshop on Cybersecurity
6-8, 11 June 2012
Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City
“Towards Information, Communication
and Technology Development (ICTD) and
Cybersecurity Enhancement”
Opening Remarks
ICT Development and Cybersecurity
Enhancement
USec Benjamin E Martinez Jr.
Chief of Staff, Office of the Vice President
Remarks delivered during the Opening Ceremony of the Seminar-Workshop Towards Information
and Communications Technology Development and Cybersecurity Enhancement held on 6-8, 11
June 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________
Dr. Fermin R De Leon, Jr, President of NDCP, RAdmiral Roberto Estioko, Executive
Vice President of the NDCP Alumni Association, Inc., distinguished speakers,
participants to this seminar-workshop, guests, participants, ladies and gentlemen,
a pleasant good morning.
It is both an honor and a privilege to be with you today, as we open our, “ICT
development and Cyber security enhancement” workshop.
For the next three days, Subject Matter Experts shall provide us a wide spectrum
of the cyber infrastructure enhancement and threats, from global crimes, terrorism,
forensics, to its implications to our office and country. I advise you, to open your minds,
solicit questions, proactively participate, and I assure you, you will gain enough, if not
exceedingly.
This venue, I believe, is most apt for us, as stakeholders, to come together and
address the enduring problem we face. As our country continues to rely on technology, we
have become no stranger to cyber crimes and cyber activism. We must recognize that our
infrastructures and processes are now heavily dependent on Information, Communication
Technology (ICT) specifically the internet; hence, we are vulnerable to threats as well.
In our region, just April this year, during the height of the Scarborough Shoal
standoff between the Philippines and China, the University of the Philippines’ portal was
defaced, which left a map of China on the main page. In retaliation, some suspected Filipino
hackers struck back by also defacing Chinese websites. In the end, the incident left little
room for prompt, amicable, and diplomatic agreement and eventually, only intensified the
tension between the two states.
The borderless arena of innovation has become a key player in developing
multilateral ties and diplomatic relations among nations.
In the business sector, with the high growth of the business process outsourcing
(BPO) industry and its gross economic contribution to the country, securing the ICT
infrastructure is most crucial. Potential cyber attacks are rendered detrimental to the
business continuity of BPO operations. Our BPO establishments’ resilience to cyber attacks
or lack thereof, shall project what image our customers and competitors in the global
market will see.
Also, let us not forget our ethical and moral standards against cyber prostitution.
Though millions or billions of dollars may be lost through cyber attacks, and denial-of-
service attacks, the emotional and psychological damage cyber prostitution can have on
people far exceeds such monetary damages.
The internet and the cyberspace must always be treated with utmost care and
diligence; we must protect it to protect our people. It is with this, that collaboration
and cooperation between private and government stakeholders in reinforcing our cyber
security threshold becomes our prime goal.
There may still be much work cut out for us, to become a technological powerhouse.
Yes, we may be constrained by financial adequacies. But more than that, we need to answer
questions like: what should be our National Vision on ICT and Cybersecurity? Where are
we now on ICT development and Cybersecurity? What can be done now or what are the
necessary first steps to be done? I don’t have all the answers to these few questions.
But the fact remains that for as long as we are here today and for the next few
days, our adaptability and love for technology compel us to contribute to this national
and global effort in fighting cybercrimes, strengthening cybersecurity, and enhancing our
information and communication technology.
We can only effectively push forward and strengthen our cyber environment
through coordination and collaboration among all stakeholders. Rest-assured, our efforts
will bring us far.
Maraming salamat at mabuhay!
# # #
Highlights of the Seminar-Workshop on Cyber Security
Towards Information, Communication
and Technology (ICT) Development and
Cybersecurity Enhancement
____________________________________________________________________________________________________________________________________
I. Background
The National Defense College of the Philippines (NDCP), in partnership with the Office of
the Vice President (OVP) and the NDCP Alumni Association Inc (NDCPAAI) conducted
a seminar-workshop entitled “Seminar Towards Information and Communications
Technology (ICT) Development and Cybersecurity Enhancement” held on 6-8 and 11 June
2012, 8:00AM- 5:00PM, at the NDCP Honor Hall, Camp Gen Emilio Aguinaldo, Quezon
City.
The four-day seminar, designed for executives and senior managers in the
government and private sector, and senior military and police officers, aims to provide
participants with a comprehensive understanding of cybersecurity from management
to technology aspect. Intended for 60 participants, the seminar is rigorous, dynamic and
interactive utilizing a combination of classroom-based lectures and learning events.
Leading experts and practitioners from the industry were invited to speak, including
Dr Stephen Cutler of the Official Global Control Corporation, Mr Angel Averia and Mr
Alberto Dela Cruz of the Philippine Computer Emergency Response Team (PhCERT), Dr
Lorenzo Clavejo of the National Security Council, Mr Simoun Ung of the Philippine Veterans
Bank (PVB) Card Corp, SI-III Joey Narciso of the National Bureau of Investigation (NBI),
Dir Raymond Estioko of the Bangko Sentral ng Pilipinas (BSP), Mr John Abraham Ruero
of the Information System Security Association (ISSA) – Manila Chapter, Ms Janette Toral
of the Philippine Internet Commerce Society and PCInsp Felizardo Eubra of the Philippine
National Police (PNP).
A total of 65 participants from various government agencies and private
companies participated in the said seminar. The agencies represented include the
Armed Forces of the Philippines (AFP), Philippine National Police (PNP), Commission
on Elections (COMELEC), Department of Environment and Natural Resources (DENR),
Senate of the Philippines, National Security Council, Department of Health (DOH), Metro
Manila Development Authority (MMDA), Department of Science and Technology (DOST),
Department of Tourism (DOT), Department of Trade and Industry (DTI), Office of the
President (OP), Department of Interior and Local Government (DILG), Bangko Sentral
ng Pilipinas (BSP), Office of the Vice President (OVP), Philippine Public Safety College
(PPSC), Department of Energy (DOE) and the Department of National Defense (DND).
Furthermore, private companies and international organizations represented include De La
Salle University (DLSU), International Organization of Migration (IOM), Zperia and Asian
Institute of Management (AIM).
II. Plenary Sessions
Day 1: June 6, 2012
Session One: Cyber War and Cyber Terrorism, Stephen P. Cutler PhD
Cyberspace, as defined by the speaker, is a global domain within the information
environment consisting of the interdependent network of information technology
infrastructures, including the Internet, telecommunications networks, computer systems,
and embedded processors and controllers. Today, our nation faces an evolving array of
cyber-based threats arising from a variety of sources. These threats can be classified as
intentional and unintentional. Intentional threats are those attacks which come from different
sources such as hackers, criminal groups, and terrorists. Unintentional threats, however, are
those caused inadvertently by disruptions to the system, such as defective equipment and system
upgrades. Thus, securing one’s nation against these evolving cyber-based threats depends
entirely on the enhancement of national security and national defense strategy.
The growing trend of cybersecurity is leading towards the increase of diverse
criminal elements. These are the spamming, identity theft, dispersal of virus/worms,
several types of fraud schemes, attacks on servers/systems and the like. Hence, the speaker
clearly emphasized the use of cyberspace as a tool to commit crimes. This kind of threat
continues to emerge and is rapidly changing. Given the situation occurring now, the nation
should double its efforts in combating the continuous transmission of malevolent attacks
in the cyberspace.
In order for a nation to succeed and prevent the disaster that cybersecurity imposes,
the speaker proposes that it should begin with a competitive plan for recovery, clear policies,
strong foundation of leadership, diplomatic and economic efforts, strong and solid alliances
and cooperation among the government, military and the private sector.
Session Two: Philippine Cybersecurity: General Situation
		 Angel Averia Jr.
Cyberspace and the internet are interrelated. The speaker has shown a conceptual
view of the cyberspace ecosystem divided into 5 categories: geographical location, people/
users, internet identities, IP addresses, and networks. Business relations and social interaction
increase rapidly with the use of the internet as a tool to communicate. This new trend that
the cyberspace executes leads us to a new global culture, which, on the other note brings
harm and increase in the volume of sophistication of malevolent attacks.
At present, the Philippine ICT is continuously enhancing its defense against
cybersecurity. It has adopted several transformations such as migration to cloud services,
increase in the use of social networks, rise of mobile devices and active internet exchanges
operated by Telcos. But alongside with these changes, the country is vulnerable to cyber-
attacks as discussed by Mr. Averia. He has presented several recorded incidents of identity
thefts, hacking, scamming, harassment, estafa/fraud extortion, pornography and web
defacement attacks from 2011 up to present. Furthermore, he also discussed the recent
cyber-attacks on Philippine government websites.
The method of cyber-attacks has grown over the years. It has become more organized,
aggressive, well-resourced and extremely sophisticated. The Advanced Persistent Threats
(APT) is a long-term pattern of targeted attacks aimed to disrupt the information system
of the government, financial and industrial institutions, information security agencies,
and research firms. On the other hand, the adversaries are nation-states, terrorist groups,
criminals, hackers, and individuals or groups with the intentions of compromising the
entire system.
The speaker also presented a risk assessment of the national security of the
Philippines towards ICTD and cybersecurity. He therefore suggests that the Philippines
must have a central authority that will solely adhere to the issues of cybersecurity. The
nation should also have comprehensive programs and preventive measures as well as an
effective framework to fully address the possible cyber related threats and attacks in the
future. Lastly, the speaker suggests to make cybersecurity a “national security” concern.
Session Three: Cyber Crime: How it Affects National Security
		 Lorenzo Clavejo, DPA
The Philippine cyberspace, as discussed by the speaker, is composed of cyber
infrastructure such as transportation, information and communication, administration,
banking and finance, education and distribution. These elements are indeed vital to the
growth of the nation but are also vulnerable to threats. He cited the importance of banking
and finance, as it is highly dependent on cyberspace.
Threats to the financial systems will have dire consequences for a nation’s ability
to operate effectively and efficiently. Transportation system is likewise important. The vast
majority is managed by networked computer systems. Terrorists and/or criminals normally
commit crimes using a transportation system or in areas where people can collectively be
diminished.
Dr. Clavejo also discussed the different cyber-related incidents in the
Philippines and focused on Oplan Bojinka, which was successfully terminated by the
Philippine National Police. Oplan Bojinka was a plan of Al-Qaeda in 1995 to simultaneously
destroy 11 passenger aircraft over the Pacific Ocean. The Al-Qaeda group used a laptop
computer which contained encrypted messages that could not be read by the police or
intelligence officials. In that incident, computer forensics and computer
investigation were critical and vital.
The cyber world evolves swiftly. As we are introduced to new technology, we
should also have preventive measures for possible outbursts of threats and cyber-attacks.
Furthermore, the speaker suggests that the government should pursue a bilateral and
regional cooperation to combat cybercrimes.
Session Four: Introduction to Cyber Crime Investigation
		 PC Insp. Felizardo Eubra, PNP
As reported by the Philippine National Police, the Philippines is now a haven for
transnational cyber-crime. This type of crimes includes cyber pornography, illegal online
gambling, credit card fraud and identity theft. Due to the absence of a comprehensive
cyber-crime law, there is a difficulty in establishing offenses to perpetrators and violators.
Likewise, it is evident that the prosecutors and judicial body are unfamiliar and incapable
to combat cybercrimes. At present, the Philippine Department of Justice together with
the United States Department of Justice conduct region wide training to prosecutors to
improve their knowledge and technical skills in investigating cybercrime. Also, the CIDG in
partnership with the National Bureau of Investigation are tasked to be the resource persons
that facilitate trainings of cybercrime.
Today, the growing trend of cybercrimes intensifies by the use of sophisticated
technology. The PNP, particularly the Criminal Investigation and Detection Group (CIDG)
are lagging behind in terms of training and equipment. The speaker has mentioned that
most of their equipment used for investigating cybercrimes came from the United States
as their donation.
With the cyber threats rapidly increasing in the country, the PNP-CIDG is
continuously enhancing their organizational and technical skills by undergoing several
capacity and capability trainings. PC Insp. Eubra mentioned that the PNP-CIDG had
received a total of 23 trainings from the U.S. Department of State, Anti-Terrorism Assistance
Program, ICE, FBI, secret service in the field of cybercrime, white collar / financial fraud
investigation and digital forensic examination. While, other trainings were sponsored by
the INTERPOL, and other police counterparts globally.
Session Five: 	 Introduction to Computer Forensics Joey Narciso
Computer forensics as defined by the speaker is the process of identifying,
preserving, analyzing and presenting digital evidence in a manner that is acceptable in legal
proceeding. It is a procedure combined and accepted by law and computer science that
gather evidences and analyze data from the computer system. Furthermore, it is an in-depth
procedure that delineates and examines the evidences presented for a cybercrime.
The speaker discussed five steps in conducting and examining computer forensics:
Policy and procedure development, evidence assessment, evidence acquisition (chain
of custody), evidence examination (analysis of digital evidence), and documenting and
reporting.
As per cybercrime investigation, the speaker believes that the country can somehow
administer it. However, in terms of computer forensics, he believes that we are still incapable,
as we lack tools and computer forensic experts. Most of our equipment is only donated
by the US FBI and each tool costs an enormous amount of money. Moreover, comprehensive
training and certification are needed in using these tools for computer forensics.
The evidence should be thoroughly assessed with respect to the scope
of the case to determine the correct course of action. This is done
by reviewing the search warrant or other legal authorization, case
detail, nature of hardware and software, potential evidence sought, and the circumstances
surrounding the acquisition of the evidence to be examined.
Session Six: Cyber-security: Perspectives on Attacks
John Peter Abraham Q. Ruero, PhD-Candidate, MSIM, ECE
VP, Information Systems Security Association (ISSA) Philippine Chapter
	 A lot has been said about cyber attacks—from simple website defacement to actual
malicious activities like hacking, phishing, malware infection, and social engineering.
There are a multitude of ways to gain access into computer systems without the approval
or knowledge of systems and network administrators. These malicious hackers, known
in cybersecurity world as black hats, use their technical skills either for financial gain,
recognition, bragging rights, entertainment, and, more recently, the use of the Internet to
promote a particular political, religious, social or scientific cause or ideology.
	 Per 2010-2011 Computer Crime and Security Survey Report, malware (i.e., malicious
software) continued to be the most commonly seen attack, with 67.1% respondents reporting
it. Meanwhile, the Symantec Internet Security Threat Report Trends revealed that Brazil
ranked third behind US and China in malicious activity in 2009. US, Indonesia, the Slovak
Republic, Malaysia, and Poland had the most number of cyber attack victims. Most of the
targeted ones were focused on enterprises. The top Web-based attacks primarily targeted
vulnerabilities in Internet Explorer and applications that process PDF files.
	 Though cyber attacks may come from all fronts at any time, there are some methods
that can be employed to secure one’s computer, one of which is the PDAD
approach. The PDAD approach uses a three-step process to fortify a computer system’s defense
against attacks: 1) protection of critical information and technology infrastructure through
the use of tools and software; 2) use of security analytics software, forensics, and deep
analysis down to the packet level to track down malicious codes; and 3) Active Defense,
intelligence tools and techniques to anticipate attacks. There should be exchange of IT and
security best practices. IT security must be the core of awareness campaigns, training, and
curricular reforms. Laws, policies, and regulations concerning cybersecurity need to be
evaluated for their influence on how people use or misuse electronic information. Security
ultimately is everybody’s business.
Computer forensics has three major phases: the acquisition phase, analysis phase
and presentation phase. The acquisition phase deals with acquiring all the physical evidence,
such as the computer and other materials related to the crime. This will undergo a rigorous
verification of files in order to extract all digital evidence for analysis. The
analysis phase deals with the physical and logical extraction of the digital evidence. It is
then followed by a deeper analysis of the extracted data, including timeframe analysis,
data hiding analysis, application and file analysis, and ownership and possession. Lastly,
the reporting phase is when all evidence has been analyzed and examined. The examiner
must submit an accurate report of his findings, as this will be the basis of the digital
evidence for the criminal case.
Day 2: June 7, 2012
Session Seven: Business Continuity and Disaster Recovery Program
		 Dir. Raymond Estioko, Bangko Sentral ng Pilipinas (BSP)
Director Estioko has presented a business management cycle being used by the
Bangko Sentral ng Pilipinas (BSP) to prevent disaster and possible cyber threat attacks. The
BSP aims to minimize the disruption of their basic financial services caused by intentional
cyber threat attacks such as hackers, fraud activities, criminals and terrorists. The BSP also
aims to resume critical operations within the shortest possible time whenever a cyber-
attack would occur. Minimize financial losses, uphold consumer protection and avoidance
of systemic impact within the financial services industry are also the other target of the
bank.
The ultimate goal of the BSP is to prevent the risk and impact that the cyber threat
brings. As a countermeasure, they are redefining and strengthening their risk assessment
and business continuity plan. Also, they are continuously enhancing their IT infrastructure
and information system-focused plan which is designed to restore operability of systems,
applications, or computer facility infrastructure at an alternate site after an emergency.
Session Eight: Social Media and Mobility by Ms. Janette Toral
In the early 1990s, the use of the internet by the Filipinos is very minimal and is
solely based on searching. However, ten years after, there was an immense shift of internet
usage and it is now the primary source of acquiring information and also a great tool for
communication. In 2010-2011, the rise of social media and social networks are unstoppable.
People are now seeing these two things as an important aspect of living.
As social networks and social media arise, the speaker sees this as a new threat to
cybersecurity. The generations now, more so the youth can easily express their thoughts
on every issue of the globe. In addition, the sharing of information via social networks and
social media cannot be easily controlled and halted. Thus, it is vulnerable to cyber threats
and malevolent attacks.
The trend of social media now is based on influence. It is indeed the name of the
game as per the speaker. People are easily fuelled on what they see or search on the internet.
Moreover, the image of a person is based on how others have influenced them. This is also
one of the reasons why the E-commerce in the Philippines is enormous and popular. Ms.
Toral presented a summary statistics on the usage of E-commerce in the Philippines. The
hotel booking remains the highest and is followed by airline bookings and reservations.
Session Nine: Information Security Management Practice by Simoun Ung
Mr. Ung presented his topic on managing information security in a business
perspective. According to him, cybersecurity evolves and strengthens as people are
continuously developing their knowledge and technical skills. Cyber-attacks are no longer
being done by hackers and/or criminals. They are now participated in and sponsored by nation-
states as a way to commence conflict. As of 2007, approximately 120 countries have been
developing ways to use the internet as their weapon. On the other hand, the targets have
also changed from a personal level to high value levels such as nation-state or institutions
like financial, research facilities, information agencies, and critical infrastructures like power,
transportation, communications and other significant facilities.
Similarly, the methods of attacks have emerged from simple hacking to advanced
and highly custom-designed attacks. The hackers today use complex methods such as root
kits, malware, custom made cyber weapons and cyberespionage.
Mr. Ung expounded on several case studies, including the security
breach at Global Payments, which affected 10 million cards. It vastly affected stock trades
and businesses of major card brands. He also discussed Flame as the most
sophisticated malware to date. It can directly target and attack one’s computer by taking
screenshots and recording audio conversations and keystrokes. It can be deployed simply by
the use of a USB thumb drive. It is one of the most terrifying pieces of malware in existence, and it
is suspected that the US and Israel created it. It is believed that it was used in a
previous collaboration of the two countries, and they created the Stuxnet malware which
targeted Iran’s nuclear facilities.
Mr. Ung also presented OODA: Cybersecurity decision making. The decision life
cycle is composed of four distinct phases: The Observation, Orientation, Decision and
Action. He further illustrated the cycle by discussing each level in tactical level, operational
and strategic level.
In conclusion, enhancing cybersecurity should be set as a global standard. It should
be strengthened by setting a law which will combat the breaches in every institution.
Nations should work hand in hand to fully develop its defense in cybersecurity. The
speaker therefore suggests to focus on the protection of the infrastructure by securing all
of endpoints, including the growing number of mobile devices, along with messaging and
web environments. Moreover, information should be highly protected regardless of its
level of confidentiality.
Day 3: June 8, 2012
III.	Seminar-Workshop on ICTD and Cyber Security Enhancement
Cybersecurity Workshop Guide Questions
1.	 What is the ICT and Cybersecurity situation in the country?
Sub-questions:
a)	 Would cyber attacks harm national interest?
b)	 What immediate actions/s should the government take in addressing the issue of
cybersecurity problems?
2. Is ICT important?
3. Is cybersecurity important? Why?
Sub-questions:
a) Do you think the government is taking the issue of cybersecurity seriously?
b) In a scale of 1-10, rate the Philippines in terms of readiness in cyber security defense
(1 being the poorest and 10 the highest?)
4. How can the government or the country make cyberspace a domain for public good?
Sub-question:
a) What mechanism or approach do you know has the government undertaken to
address the issue of cyber security in this country?
5. How can the government or the country ensure public safety in the cyberspace
domain?
Sub-questions:
a) Does the Philippines have sufficient available defense mechanism to halt any possible
cyber attack of great magnitude?
b) Do you think we have enough laws and other mechanisms in place which would par
up to the kind of defense needed to halt any form of cyber attack?
6. Do you believe that ICT development and cybersecurity are twin programs and are National
Security concerns therefore needing urgent and serious attention by the government?
Sub-questions:
a) Do you think there is a need for the government to invest in ICT development?
Why?
b) Do we have enough ICT programs in place as would secure cyberspace?
7. To pump-prime ICT Development and cyber security and integrate national effort
(convergence of government, private sector, civil society, people efforts), do you think there
is a need for the creation of an integrating body above departmental level? What kind of a
body would this be?
Sub-questions:
a) Do you think we have sufficient laws and policies in place that address the ICT
development and cyber security?
b)	 Rate the level of awareness of the following on how the threat on cyber security is
readily apparent, from 0- 5
0-	 not aware at all
1-	 little awareness
2-	 is aware but could not care less
3-	 has knowledge of cyber security but poorly informed of the nature and size
of the threat
4-	 is aware and has fair knowledge of the threat
5-	 very aware and ready to face the threat)
_____. The government
_____. Our policy makers
_____. Our law enforcers ( PNP, NBI, etc)
_____.People in general
8. These concerns (ICTD and cyber security) require continuing studies and researches,
especially as National Security factors; do you think there is a need to establish a
“cybersecurity Institute”, which shall also be the center for training education on both
concerns in correlation to National security?
Sub question:
a)	 In an ICT emerging country like the Philippines, is there a need to establish
a government entity to manage the cyber security problem, like a Computer
Emergency Response Team (CERT) or a National Cyber Security Council?
Suggested Guide Questions for Cybersecurity Workshop Group Report and
Presentation
I.	 Introduction
II.	 What should be our National Vision on ICT and Cybersecurity?
III.	 Where we are now on ICT development and Cybersecurity?
IV.	 What can be done now or what are the necessary first steps to be done?
Day 4: June 11, 2012
IV.	Presentation of the Workshop Outputs
Closing Remarks by Vice President Jejomar B Binay MNSA
Chairman of the board and President of NDCPAAI
	 VP Binay acknowledged the fact that we are now faced with a new battlefront, a
battlefront considered unimaginable in the past, one which created a borderless world. As
it is, he encourages everyone to be unified and continue to strengthen the collaboration not
only with the private sector but also with global counterparts in gearing towards improved
resilience to cyber incidents and to proactively reduce cyber threats. And he also stated
that through shared principles we shall build not only our stance as credible gatekeepers
of cybersecurity but valuable guardians of national security.
# # #
Third Forum on Cybersecurity Awareness and Collaboration
12 October 2012
Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City
“Cybercrime Law and Its Implications
to National Security”
Highlights of the Third Forum on Cyber Security
Awareness and Collaboration
Cybercrime Law and Its Implications
to National Security
_______________________________________________________________________________
I.	 Background
The Office of the Vice President (OVP), in partnership with the National
Defense College of the Philippines (NDCP) and the NDCP Alumni Association
Inc (NDCPAAI), conducted a forum entitled “Cybercrime Law and Its Implications to
National Security” on 12 October 2012, at the NDCP Honor Hall.
The forum is organized for the
stakeholders of Republic Act Number 10175
or the Cybercrime Prevention Act of 2012. It
aims to present a comprehensive overview
of the law, which includes its rationale and provisions; provide a platform for discussion
on how to effectively implement its provisions; and identify the rights, responsibilities
and possible contribution of each stakeholder. A total of one hundred (100) participants
representing various stakeholders, including the Department of National Defense (DND),
Armed Forces of the Philippines (AFP), Department of Justice (DOJ), Department of Science
and Technology (DOST), National Bureau of Investigation (NBI), National Security Council
(NSC) and other relevant members of the private sector attended the event.
Experts from the government, the private sector, and the academe were invited to
talk about issues, concerns, rights, and responsibilities concerning which was confronted by
unwelcoming reaction from the public, particularly the country’s cyber citizens. Finally, Atty
Ivan John Uy, Former Commissioner, Commission on Information and Communications
Technology (CICT) provided a synthesis and way ahead of the activity.
II.	 Plenary Sessions
Welcome Remarks by Fermin R De Leon Jr, PhD, MNSA
President, NDCP
On 12 September 2012, President Benigno Aquino signed RA 10175 (Cybercrime
Prevention Act). The law states that the state recognizes the vital role of the information
and communication industries. It declares the law’s intention to create a cyber environment
which is free and secure from malicious and injurious intent which may cause havoc in
the cyberworld. However, there are provisions of the law which caused public uproar;
among them was libel through computer or other similar means. The ratification of the
law has caused defacement of government websites by the so-called hacktivists, one of
them is identified as the Anonymous. Academics, media, civil society organizations, and
netizens have aired reservations to the new law. There were cries of the flagrant reversal
of the efforts to promote fundamental rights and freedom. The disdain to the law, whether
in full or in part, has sparked an intense debate which involved the private and the public
sectors alike.
Amidst the challenges of the 21st century to national security, cyber space has
truly become a host to public and political discussions and national security concerns and
phenomena; it has become the 5th domain. Amidst the ongoing issue on the West Philippine
Sea, there were attacks to defile both Philippine and Chinese websites. Given the expanding
implications of cybersecurity in the political milieu, the OVP, the NDCP, and the NDCPAAI
decided together, to conduct this Forum on the Cybercrime Law and its Implications to
National Security. It seeks to contribute to the active and lively debate on the cybercrime
law. As a society with many cyber security concerns, it is imperative to take a serious look
on how this law will affect us. This forum seeks to float serious matters that may spring
right in our faces later on, if we let them pass without healthy and friendly debate.
On behalf of the organizers, I hope that this forum would gather all of our efforts and
contributions to ensuring cyber security, upholding our national security, and protecting the
fundamental rights and liberties of our citizens. Benevolent cyber citizens, cyber activists,
cyber ranges, and cyber defenders we are all in this together.
An Overview of the Rationale and Provisions of RA 10175
Hon Sigfrido R Tinga, Member of the House of Representatives
When people talk about the Cybercrime Prevention Law, they usually fail to mention
two words—context and change. What is the context which brought such law and what
is happening in the world today? A decade ago, probably no one has heard about Twitter
or Facebook. After a decade, our system of storage evolved from the floppy drive to Cloud.
We experience drastic changes in a span of a decade. The world would change even faster.
That is change for you and that is the context for me. Throughout history, we will have
continual change and continual challenges.
If you think the last 10 years is fast in terms of change, the next 5-10 years will
shock you. Students will not be studying in school; people will not be working from offices;
business models for the media will change; people will no longer use banks for their
transactions; telecommunications industry will have to find new streams of revenues. We
will be outsourced; all will be stored in the cloud. If you are losing x amount of peso in the
real world crime; you will end up losing multiple of that online.
Resistance to change, being comfortable with the status quo, and being safe and
risk-averse are surefire recipe to extinction. Like any law made by man, the cybercrime
prevention law is not perfect; nevertheless, the challenges of time require us to have one.
If one would look at the House version of the law, it is not too bad. However,
we come together in a compromise in coming up with a legitimate document that would
represent what we think is the best for the people. Arguments, debates, and concessions
have led to the cybercrime prevention law as it is today. The uproar the ratification of the
law brought about signaled the need for transparency in the law making process. Had the
law been scrutinized prior to its approval, there would have been no public clamor in the
first place.
If an act is illegal in the real world, it should be illegal online. This logic floats
ridiculous laws we have and make them appear more ridiculous. For instance, the Retail
Act prohibits foreign retailers to operate in the country. With the cybercrime prevention
law, can the Department of Justice (DOJ) shutdown Amazon and E-bay? The current times
present a borderless world, a progressing world presents a challenge but at the same time,
an opportunity.
Open Forum
During the discussion, a participant asked whether the 120-day temporary
restraining order issued by the Supreme Court provides enough time to correct the mentioned
imperfections of the law. As discussed, there are multiple ways of curing
these, one of which is through the Implementing Rules and Regulations (IRR).
Through the IRR, some of the issues and concerns can be clarified. One need not strike down
the law entirely. It would not be the last cybercrime law; amendments will surely follow.
There were also questions on the provision on online libel, and whether it can be considered one
of the imperfections of the law. The question was answered based on the essence of the
cyber crime law—to criminalize online commission of acts which are considered prohibited
in the real world. That means all the acts identified under the Penal code, including libel.
If one wanted online libel to be decriminalized, the act should also be decriminalized in
the real world.
With regard to the President’s support on the libel provision, there was a question on
how the congress would balance this with many legislators’ plan to revise said provision. In
this case, there was a recommendation to wait for the arguments in the Supreme Court. If the
Supreme Court decided to return the law to Congress, then it should be amended as decided.
Towards a Comprehensive and Effective IRR of the Cybercrime Prevention Law by
Director Philip Barilla, Information and Communications Technology Office, Department of
Science and Technology (DOST-ICTO)
The DOST, the DOJ, and the Department of Interior and Local Government (DILG)
are tasked to craft the IRR for the cybercrime law. The cybercrime prevention law in summary
provides definition of cybercrimes, the measures related to the prevention, investigation
and suspension of such crimes and imposition of penalties.
The salient features of the law talk about punishable acts and enumerate different
cybercrime offenses. It groups offenses into three categories—against confidentiality,
integrity, and availability of computer data; computer-related offense; and content-related
offenses.
The first category includes illegal access, which experienced a drastic increase
worldwide; illegal interception, which includes intrusion without right and interception of any
private transmission of data; data interference, or intentional alteration or damaging
of computer data (e.g., website defacement); system interference, or denial of service attacks;
misuse of devices to use, produce, sell, procure, import, distribute, or make available to
commit cybercrimes; and cyber squatting, or acquisition of a domain name similar to a trademark
or name of a person. Computer-related offenses, the second category, enumerate fraud,
forgery, and identity theft. Phishing is one of the prevalent crimes in the Philippines. Credit
card fraud and online fraud scams through email and other means are also increasing.
Lastly, content-related crimes include cybersex, child pornography, unsolicited commercial
communications (spam) and libel.
There was a discussion earlier about clarifying some provisions in the IRR. The IRR
can further clarify and clearly define acts which constitute cybercrime offenses. The DOST
shall coordinate this with the committee chairs of both houses. We will formulate the IRR in
consultation with the different committee secretariats of both chambers.
The law provides a punishment one degree higher for libel committed using ICT. Greater authority
is granted to law enforcement agencies such as the National Bureau of Investigation (NBI)
and the Philippine National Police (PNP). It mandates them to systematically provide
pre- and post-operation reports. The Regional Trial Court has jurisdiction given
that the offense is committed in the country; it was committed using a computer system
physically located in the country; it caused damage to a natural or juridical entity while in
the Philippines. The law also provides general principles for international coordination
and cooperation which are hinged on international agreements on the basis of uniform or
reciprocal legislation.
The DOST-ICTO was made part of the Cybercrime Investigation and Coordinating
Center (CICC), which is supposed to be under the administrative supervision of the Office of
the President (OP). It is tasked with policy coordination and formulation on the implementation
of the Cybersecurity Plan. The CICC is mandated to craft the National Cybersecurity Plan and
prevent the real-time commission of cyber offenses through ASSERT, a computer emergency
response team. It is also mandated to coordinate and prepare measures to prevent and
suppress cybercrime activities through a consultation and coordination team. The CICC is also
tasked to monitor cyber cases and facilitate international coordination not just on cybercrime
monitoring but also on awareness campaigns and capability building, among others. It is
also supposed to coordinate the support of local government units, the private sector, and
civil society organizations. The CICC can also recommend the enactment of new laws related to
cybercrime, and call upon the support of any government agency.
Cybersecurity refers to the collection of tools, policies, risk management approaches,
actions, training, best practices, assurance, and technologies that can be used to protect the
cyber environment and the organization’s and users’ assets. This definition is in line with the
definition of the international community. Cybersecurity aims to secure the properties of an
organization’s and users’ assets against threats posed in the cyber environment.
Cybercrime refers to the offenses, and its prevention is part of promoting cybersecurity.
The use of risk management approaches, which include assessing threat, vulnerability, and
consequence, identifying controls and mitigations, implementing controls, and measuring
effectiveness, will help us strengthen our cybersecurity practices.
There are a lot of best practices that we can adopt. The International Telecoms Union
and other governments publish their reports online and we can use them. One critical activity
in promoting cybersecurity is building partnerships between the public and private sectors.
It is also necessary to secure our critical information infrastructure; promote awareness in
different sectors of society; build our capability; and establish systems in every agency and
connect all of them seamlessly. Ultimately, we need to develop a culture of cybersecurity.
Open Forum
A participant inquired how Congress arrived at fifty (50) million pesos for
setting up defense against cybercrime and about the corresponding plan of action, given the
said amount. As gathered from the discussion, the Senate is said to have introduced
the amount during the bicameral conference committee. Further, adequate consultation
in arriving on mentioned amount. If one is to put up a cybersecurity center, fifty million is not
enough; one can only conduct a vulnerability assessment with that amount.
A participant commented that government agencies typically do not cooperate
perfectly and queried about the law drafters’ reasons for assigning the crafting of the
National Cybersecurity Plan (NCP) to the DOST, DOJ, and DILG. The reason for having a
coordinating center, as mentioned, is to have the three agencies work together under one
roof. It would be easier for these agencies to coordinate and collaborate if they work under
one roof.
A basic premise of the law is that whatever act is punishable in the first 4
domains should also be punishable in the 5th domain, the cyber world. However, the draft
IRR states that the penalties for offenses committed online are a degree higher compared to
those committed in the real world. A participant opined that this seems to be discrimination
against netizens. On the part of the DOST, the speaker said that there are activities online
which have greater impact and therefore need greater deterrents.
Given the case that one wrote a libelous statement on paper, scanned it, and
posted it online, there was a question on whether he will be charged under the Penal Code
Libel, the Cybercrime Prevention Law Libel, or both. The speaker presented his personal
interpretation of the law. The moment you post that libelous statement online, you are
charged as provided by the cybercrime law. It may also depend on the one who is suing you,
whether he would sue you under the Penal Code or the new cybercrime law, or on the judgment
of the court based on the evidence and merits of the case. With regard to the second query, the
speaker opined that cybersecurity is a bigger concept than cybercrime. Nevertheless, the
cybercrime law also secures our cyber environment. In line with this thinking, a participant
suggested establishing a Cyber Command to protect the 5th domain as a nation protects its
land, sea, air, and space. It can be included in the Cybersecurity Plan.
A participant commented that RA 10175 incorporated two entirely different concepts
(i.e., cyber crime and cyber security) into one document. As the PNP and NBI are the only
law enforcement agencies authorized to secure data from the ISPs, they are also involved
in cyber security. He reminded the authorities to be careful in crafting the IRR as it provides
the measures and guidance in implementing the law. In clarifying issues, some
provisions may require amendments through legislation; Congress can also file an amendatory
bill; issues can also be clarified through the IRR.
A participant requested the timetable for finishing the IRR. He also inquired what
will happen in the period between the cyber crime law and the IRR. On the timetable, the
law defines a period in which the three departments can work on the IRR. Individually, the
three agencies will come up with inputs to the IRR, and this coming November we will meet
to discuss the inputs. With regard to the second question, it will not be retroactive; without
the IRR, it is as if we do not have any law.
A participant inquired if the law protects those who teach hacking to companies
and government agencies to protect their systems. As confirmed by another participant,
teachers are not liable; they are protected by RA 10173. If the organization allowed you to
hack their system for academic purposes, you will not be charged. There is another provision
in the law that makes the possession of tools, programs, devices, etc. used for hacking
punishable by law. Ethical hackers and professionals use the tools hackers use to simulate
an actual attack on a company’s system. With regard to minors who committed offenses as
provided by the law, the court may file civil cases against the parents.
Section 6 of the law covers both cybercrime and cybersecurity. All violations covered
by the RTC and/or other special laws committed through ICT. However, it may not be very
effective in terms of addressing cyber warfare and cyber terrorism. The law, like any other
law, is reactive. In the case of hacking, websites are defiled. However, in the case of cyber
warfare, your critical infrastructures are attacked. Making another party accountable
is very difficult because a country, for instance China, can use a proxy country, for instance
Singapore, to attack the Philippines. Singapore is hardly liable for such an offense. Cyber warfare
is an act of a nation-state and so far, there has been no proof of cyber warfare in history.
A representative from the uniformed forces inquired about their responsibilities
vis-à-vis the cybersecurity law. The speaker opined that government agencies should defend
their own systems. Establishing your own CERT is a good start. It is up to any agency to
establish its own CERT. It is also necessary for agencies to closely coordinate and facilitate
a free flow of information to create the future of cybersecurity.
A participant inquired about the differences between the National Cybersecurity Plan and
the National Security Strategy Plan drafted by the National Security Council. The speaker
responded that while the National Cybersecurity Plan is being drafted, there will be close
coordination with the NSC.
It was mentioned that online libel may be punishable under both the Cybercrime Law and
the Penal Code. A participant asked whether this is considered double jeopardy. According
to the speaker, the DOJ will decide which law applies; it will not be double jeopardy.
National Security Implications of the Cybercrime Law: The Defense Perspective by
Director Nebuchadnezzar Alejandrino, DND Information Management Office
In the international scene, the 2001 Budapest Protocol was supposedly the gold
standard in cybercrime legislation. It was followed by the London Conference in 2011 and
again the Budapest Convention which was conducted a week ago.
From the 2012 Budapest Convention, it was discussed that the US was mostly
concerned with the privacy of cyberspace, i.e., human rights. In relation to this, the Europeans
want an open cyberspace for business purposes. In the Philippines, we are too preoccupied
with crimes and I am not so sure if it is a good or a bad thing. The country’s cybersecurity
plan is the cornerstone of its cybersecurity policies. The Philippines may be ahead of the
crowd in terms of cyberspace awareness and legislation.
The strategy of the Philippines in terms of promoting cybersecurity is said to be
area-focused in the sense that it addresses the issue, through legislation, per category. For
instance, currently we are focused on addressing our cybercrime issues. Cybercrime should be
under the purview of the DOJ; cybersecurity, on the other hand, should be the mandate of the DOST.
Threats in cyberspace can be grouped into two categories: threats brought by non-state actors
and those brought by a state. Non-state actors are typically motivated by self-interest. On
the other hand, state actors are those engaged in cyber warfare in the sense that they train
people by the thousands.
The cybercrime law empowers the law enforcement agencies in pursuing attackers
whether they are state or non-state actors. The clamor brought by the provision for online
libel is a blessing in disguise since it brought the reality of cyberspace and its threats to the
general public. In the prosecution of cybercrime offenses, there is a problem of attribution or
identification. You can determine the IP address but it is nearly impossible to determine who
the actual person is.
The implications of RA 10175 have not yet reached the level of a national security
concern. The local hacktivists, before they become so, are Filipinos first; they will never jeopardize
the government. There is also a difference between national interest and national agenda.
In the national agenda, the public participates in the debate. In national security, there is
a sort of focus; the government is involved.
Cybersecurity as the 5th domain and the new arena levels the battlefield in favor
of those with limited economic resources such as the Philippines. Asymmetrical warfare
in this context becomes the de facto major strategy. In this new reality, it is critical to raise
the public awareness in ensuing relevant policies of the state in the context of promoting
cybersecurity. The cybersecurity law is a demonstration that the country is preparing to grab
the opportunity the emergence of the cyber arena presents. The passage of the law ushered in the
era where cyberspace becomes not only a second nature but also a defense of our economic,
social, political, and national security interests. The Defense Department welcomes the
passage of the law as it will fast-track the awareness level of our leaders and the public on
the criticality of the 5th domain and the technology available to us in dealing with a more
powerful adversary.
Open Forum
A participant asked when one considers a protest a threat to national security.
According to the speaker, a protest becomes a threat to national security when freedom of
expression ceases to exist; when there is disruption of the people’s daily activities; when
there is denial of basic services (e.g., food, electricity, water, transportation).
A participant shared that hacktivism is not a new concept. In fact, in the late
1990s, websites were already being defiled. People were already sending emails to system
administrators informing them about loopholes in their web systems. They did not get
satisfactory responses from system administrators so they resorted to actually defacing the
websites to prove their point. In the early 2000s, some of these hacktivists joined criminal groups,
using their intelligence to gain illicitly. Now we witness our youth counterattacking China’s
alleged attack on Philippine websites. If we tolerate them, they may suffer the same
fate as their predecessors did. The government can actually tap their intelligence so their
actions are regulated and authorized.
One of the participants presented a hypothetical question: in the instance when
China attacked the Philippines using an ICT platform in Manila, can we pinpoint if the attack
came from China and not from within? Can we establish that China is the enemy? The
speaker responded that though it is highly unlikely that China will launch a cyber attack
against the Philippines, in the event that it did and it did so using a platform in the country,
the authorities can detect the IP address and its location and launch a pursuit operation in a
matter of hours.
With regard to the speaker’s statement that the country has the capability to trace
attacks and attackers, participants raised comments. The recent actions of local hacktivists
seem to signal the contrary. Based on the series of website defacements they inflicted on the
government, they seem to be more than 100 percent sure that they cannot be traced.
The Role of the Private Sector in the Effective Implementation of the Cybercrime
Prevention Law by Angel T. Redoble, President and CEO, ARMCI Solutions & Consultancy
The presentation revolved around three concepts: Communication, Cooperation,
and Coordination (or Collaboration). Communication is a very big problem even in real-world
crimes. We do not usually report cybercrimes. Being part of the private sector, we
have to report cybercrimes and criminals. In the real world, we are hesitant to report crimes
because of the fear of retaliation from criminals. In the cyber world, the criminals cannot
harm us physically. We have to call the experts. Amidst recent hacking incidents, affected
parties did not complain; they did not give access to investigators. If the private sector
does the same, we cannot fully implement the law.
After communicating, we have to cooperate. However, companies do not trust law
enforcement agencies. They do not allow access to law enforcers for investigation; there
is a conflict of confidentiality. Law enforcement agencies are the only parties mandated
to conduct investigations. If we fail to remove this barrier, there will be more cybercrime
incidents.
Once trust is established, we can provide full assistance to forensic examiners and
investigators, i.e., cooperation. However, even affected government agencies are not open to
investigators, which sends a wrong message to the private sector. We have to avoid
do-it-yourself initiatives. IT professionals are not security experts; they are not fully knowledgeable
in computer forensics. It is important to call security experts because litigating a cyber
criminal involves digital forensics and a process to follow. Any person can gather information
from a computer, but the forensic element means it has to be gathered in a manner that
makes it reliable to a court or other body, and the information has to become evidence.
One must follow the procedures of acquisition, identification, analysis, reporting, and
court presentation or else one will never have a successful litigation. Focusing on acquisition
and identification, these are processes involving physically or remotely taking possession
of computer data and network mapping from the external and physical storage. With the
right acquisition procedures, one may proceed with identification, wherein retrievable data
are identified and actually retrieved using forensic tools and software. There is a need for
a law that will oblige companies to save log files, implement security measures, and
have a risk management process to facilitate the easy gathering of evidence and its presentation
to court.
There is a need to collaborate i.e., public-private partnership. We need to exchange
knowledge and expertise. There are a lot of patriots willing to help and assist. The lack of
skills must be recognized. Where there are lapses, the private sector can patch them up.
Open Forum
One of the huge issues in the cyber world is botnet attacks. Critical infrastructures
(e.g., power, financial, communication) are susceptible to such attacks. A speaker asked
how one finds a botnet attack so that in launching a retaliatory attack, the right people are
targeted. A botnet is not a one-on-one issue. One can use a single computer in launching
thousands of botnet attacks. One may also use hundreds of computers to launch a botnet
attack. One may trace back up to an IP address but it is not 100 percent accurate. There
is no such thing as absolute security but there is such a thing as proactive security. This is
where policies and standards come in.
The presentation appears to propose that the government must
issue guidelines or standards on the use of ICT, much like zoning laws and building codes.
At present, there is a problem of accountability. In instances where a hacker intrudes into an
organization’s system using another organization’s network, the latter may easily get away
because there are no existing laws that promote accountability.
The Philippine National Police (PNP) has an information policy in place, which is
why the PNP websites have never been hacked. We have issue-specific and in-depth defense
strategies. The speaker added that it is not enough to have policies; there is a need for a manual
or authority which will validate the effectivity of existing policies.
The military currently lacks experts. It may afford the most expensive
software or vendor, but still it lacks human resources. Those that we train are easily attracted
by the lucrative opportunities offered by private practice.
Academic Perspective by Atty Harry Roque, Professor, UP College of Law
According to the United Nations (UN), criminal libel is contrary to freedom of
expression. Nevertheless, in the Philippines, libel is still criminalized under the Revised
Penal Code. The Cybercrime Prevention Act not only maintains this principle but also
raises the penalties to a higher degree.
On double jeopardy, Section 7 states that conviction under this law is without
prejudice to conviction under the Revised Penal Code. Indeed, there are many special laws
that state the same. However, one may have multiple convictions if there are multiple
elements in the crime the person committed. The elements of online libel as provided by
the law are exactly the same as those of real-world libel under the Revised Penal Code,
except that the former was published online.
One of the most controversial sections of the law is perhaps Section 19, which
prohibits the court from invalidating individual provisions of the law; one may apply the
separability clause. The DOJ has the unilateral power to block websites motu proprio based
on prima facie evidence of violation of any provision of the law. This runs contrary to the
principle of separation of powers as this makes the Secretary of Justice an enforcement agent
in charge of investigation; a prosecutorial arm in charge of prosecution; and judicial, because he
or she may decide when to exercise the power. Jurisprudence demands that while you have
these minimum provisions, you cannot invalidate parts of the law; you need to disregard
the law as entirely unconstitutional.
Child pornography is one of the content-based restrictions of the law. The offense is also
defined under the Child Pornography Act of 2009. As with online libel, the cybercrime
law provides punishment of a higher degree for child pornography. We patterned this
provision after an American law which also sought to prohibit child pornography on
the internet. However, this law was already declared unconstitutional in the US. Though
child pornography is one of the exceptions to freedom of speech, along with hate speech
and speech that may cause actual danger, the US courts decided that regulating online
content based on child pornography presents a burden of restricting content which
adults, as provided by their constitution, may read or address to each other. Because this
law prima facie infringes on freedom of expression, the law is presumed unconstitutional.
This is somehow confirmed by the issuance of the temporary restraining order (TRO). A TRO
is issued when there is possible injustice and irreparable damage to the petitioner.
There are other provisions that, while not involving the constitution, may present
problems in implementation. For one, the law demands that computer data be stored
for six months. According to the UP Computer Center, this is going to be expensive. If this
is to be done, the government should increase their budget by at least three times. While the
law attempts to insulate computer use from criminal intent, let us remember that the internet
was invented to manifest the free-market place. In prohibiting the criminals, we should not
forget the intent of the internet in the first place.
Open Forum
In cases when a country has decriminalized libel, a participant asked how one protects
himself from politically motivated demolition jobs. For one, the UN Human Rights
Committee stated civil libel as an alternative. Second, if one is a broadcast company owner,
the possibility of going bankrupt because of a humongous civil claim will prompt him to
exercise more control over what his writers write and his broadcasters say.
If the libel provision will not be included in the law, a participant inquired
whether the aiding and abetting sections of the law will also be put into question.
The speaker recommended reexamining the provision stating that all prohibited acts under
the Penal Code are punishable under the Cybercrime Law if committed electronically. Each
crime is unique and conditions may alter once we shift from the real to the virtual world.
Way Ahead by Atty Ivan John Uy
The intention of the Cybercrime Law was to target the cybercrime aspect; it barely
touched on the cybersecurity aspect. Nevertheless, as the presentations demonstrated, the
two can be interrelated concepts.
The forum highlighted the struggle between governmental power and the rights
of the citizens. When governmental power is increased the exercise of the citizen’s rights
tends to decrease. Election is coming up and we must be extra sensitive and vigilant in
selecting intelligent officials who can espouse our ideals, aspirations, and the principles
we stand by.
Indeed, we need to pursue cybercriminals who, for the longest time, have remained
unaccountable. These criminals act as if they are anonymous though the tools to trace them
are available. The challenge for the government is to hone and keep the talents that we
have. Experts tend to leave government service because of the lucrative opportunities in
private practice.
There is a need for cooperation not just among the government agencies and private
sector within the country but also with international organizations. We are all here because
we share a common need for accountability on the part of those who resort to illicit means
for private gain. But we must also remember that in our zealousness, we also have rights
to be considered and protected. There is always room for compromise wherein we both
protect our infrastructure and the citizens’ basic human rights. All of the debates that we
had are a reflection of the healthy democracy that we have.
With respect to the uniformed services’ sentiments on the lack of ability, we have
friends from different embassies and countries whom we can engage in the exchange of
experiences, practices, and expertise in enhancing our cybersecurity.
Closing Remarks by Shirley Marie Pelaez-Plaza, MNSA
Secretary-General, NDCP Alumni Association, Inc
The past several weeks arguably have been the most challenging and most politically
charged moment of the Philippine Cyberspace. Upon the reenactment of the RA 10175,
sentiments against the law came rushing in like a tsunami that has swept away the executive
and the legislative branches of the government and even the private sector.
Yet if we are to conduct ourselves in an intelligent and civilized manner, everyone
who has a stake in this issue should see through the fog and cut through the noises of knee-
jerk reactions. This forum on RA 10175 organized by the OVP, NDCP, and NDCPAAI is
our humble contribution to further encourage sober but intelligent but perceptive public
discussion on the issue that has swept away our cyber citizens.
	 There are three cardinal principles which must be observed at all times regardless
of the ferocity of public debates and pressures:
1) Freedom of expression is a core element in a vibrant democracy. When an individual
is allowed to speak about any issue without undue malice, public policy is well-
informed. Feedback mechanisms brought about by this basic freedom provide
pressure to government officials, both elected and appointed, to ensure that a
healthy and vibrant democracy lives on.
2) Vagueness on the provisions of the law opens legal gates for malevolent interpretation
of the law. Amidst the vagueness of some of its provisions and the bothersome
implications of law enforcement, the online and offline public felt a great measure
of anxiety. Those who expressed reservations to the law called its crafters and urged
them to be more precise on the parameters and standards contemplated by the law.
We should take the view that the undefined and unrefined provisions of the law
constitute the black hole that zapped the law of most, if not all, of its credibility.
3) No amount of public disgust can ever justify the cowardly acts of online vandalism
and hacktivism. The public must be strongly discouraged from admiring those who deface
government websites to express opposition against an unpopular law. Apparently,
unscrupulous hackers take advantage of the widespread contempt against certain
provisions of the law in order to push for the total abandonment of the law which
in the future will track them down. All opposition to this law or any other law for
that matter must be expressed through proper means and channeled to the right
forum.
	 This cybercrime prevention act is a start manifestation of a work in progress. It
should be seen as a sum total of our desire to protect not just the individual citizen but also
the nation.
# # #
Papers on ICT Development and Cyber security
WORKSHOP OUTPUT
Prioritizing ICT Development and Cybersecurity:
A Matter of National Security Policy
A consolidated report of the participants during the Seminar Towards Information and Communications
Technology Development and Cybersecurity Enhancement held on 6-8, 11 June 2012 at the Honor
Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
____________________________________________________________________________________________________________________________________
Outline
I.	 Introduction
II.	 National Vision on ICT and Cybersecurity
III.	 State of ICT development and Cybersecurity
IV.	 Proposed Actions
I. Introduction
Information and Communications Technology (ICT) is a well-developed management
tool and is widely used by government, the private sector, and individuals to communicate
more easily and faster in real time. The modes of communication have evolved from wired
to wireless to cloud computing. ICT development is not just about the technology but also
involves the human dimension of using these media. This can be a cybersecurity concern.
Those with ill intentions can use the same technology to harm a person in particular, and
the country in general.
However, cybersecurity is in the early stages of development. Cybersecurity management
processes are ad hoc at best and stove-piped. There are enthusiastic groups handling cyber
security, but problems overtake solutions and situations occur ahead of legislation. ICTD
is focused too much on websites and not on interconnectivity. The presence of agencies
on the internet is good but it is not yet transactional because of the need for more security
features and procedures. Transparency and efficiency of services of government agencies
are demanded through e-governance.
The Philippines lags in ICT and cybersecurity compared to other developing
countries in the region. The existing ICT systems are fragmented, i.e. each bureau has its
own system. There is lack of integrated ICT development effort by the government and a
common communications culture among stakeholders.
There is a need to enact a comprehensive law on cybercrime and cybersecurity as well
as a need to enhance the capacity of stakeholders on ICT access, use and skills, and literacy levels.
There is also a need to improve systems of interconnectivity and interoperability, and the harnessing
of private resources and efforts is minimal.
Nonetheless, the Government is taking the issue of cyber-security seriously. No
less than the Vice President himself is personally interested in the ICT governance and
is committed to resolve the challenges such as the absence of national direction towards
cybersecurity and fragmented Government efforts.
As such, there is an urgent call to elevate ICT development and cybersecurity as a
national agenda through formulation of national policies.
There is a need to promote ICT development and cybersecurity as a matter of
URGENT national security policy and a priority of the President.
II. A National Vision on Information and Communications Technology
(ICT) and Cybersecurity
The following are the participants’ visions on ICT and cybersecurity:
“A digitally empowered, innovative, and globally competitive nation where
ICT and Cyber Security work harmoniously to deliver reliable, affordable
and secure information access in the Philippines. A government that leads
and practices accountability and excellence in providing responsive and
efficient online citizen-centered services.”
“An ICT that establishes an efficient, integrated, interoperable and
secure information environment that enables national productivity and
competitiveness and promotes Filipino values and human security.”
“A nation with a fully developed ICT and Cybersecurity that support a
viable and sustainable national development and national security”
“A secure, friendly, reliable and effective ICT environment and cyber space
for all citizens, residents and, business establishments in the Philippines;
thus facilitating growth, safety, security and an enriching life for the
people”
“A relevant and effective ICT and cybersecurity capabilities, which harness
public and private partnership for the national interest and the common
good by 2022.”
“Internet enabled, digitally empowered, innovative, globally competitive
and prosperous society where everyone has reliable, affordable and secure
information access and adequate protection of their constitutionally-
guaranteed privacy and human rights. A government that practices
accountability and excellence to provide responsive online citizen-
centric services. A thriving knowledge economy through public-private
partnership.”
III. State of ICT development and Cybersecurity
An increasing number of Filipinos are using cyberspace. The average
age of internet users ranges between 22 and 24 years old. There are six international internet
gateways, which have bandwidth limitations and are disjointed. Because there are no
significant coordination efforts across various segments to address cyber security issues,
cybercrime incidents in the country are increasing, with the possibility of cyber-terrorism. There
is an apparent lack of adequate resources and technology, and solutions often fall short of
expectations.
The Philippines may be regarded as an “ICT neo-colony.” Filipinos are mere IT
consumers and not producers. There are no Filipino-developed or Filipino-owned cyber security
implements. There is no real “Philippine ICT-industry.”
The level of awareness and readiness is deemed average for the Government (3)
and even lower for the People (2), on a scale where 1 is lowest and 5 is highest. The Government
is still incapable of detecting threats embedded in available IT and very weak in interdiction.
Pirated software still proliferates in many government offices. Visioning and long-term planning
are lacking. Implementation is weak, not cohesive, and lacks “continuity.” There is no authority on
strategic ICT concerns or a “Cyber Command.”
Concern for cyber security has yet to cascade to the grassroots. Yet Filipino youth
are increasingly cyber literate, or are at least interested in science.
IV. Proposed Actions
Listed below are the proposed actions, categorized according to strategy,
structure, legislation, system, staff and skills.
1.	 Strategy
a)	 Include in the Government’s policy that cybersecurity is a matter of national
security priority.
b)	 Do not reinvent the wheel. Develop past initiatives i.e. Where to ICTO? The
“Philippine Digital Strategy 2010-2016”? and the “National Cybersecurity Plan
2009”
c)	 Develop a national policy on information as a resource
d)	 Elevate Cybersecurity and ICT development as a national agenda through
formulation of national policies
e)	 Develop National ICT Development and Cybersecurity strategic Plans
f)	 Plan for and hold a national Cybersecurity Summit
g)	 Maximize use of locally available ICT resources
h)	 Advocate for the enactment of policies/ laws on ICT and Cybercrimes to include
Cybersecurity
i)	 Cybersecurity awareness program for various sectors
j)	 Encourage local and international ICT industry support and cooperation
k)	 Improve citizen rights and strengthen laws to penalize use of cyberspace in
criminal activities
l)	 Cyber world is a “commodified experience.” Review pertinent franchises and
the main resource itself
m)	 Government should have its own gateway/cables
2.	 Structure
a)	 To pump-prime ICT Development and Cybersecurity and integrate national
effort (convergence of government, private sector, civil society, people efforts),
an executive authority within the Government at the appropriate level may be
designated as responsible for directing ICTD and Cyber security initiatives at
the National level.
b)	 The designated authority may be supported by an ICTD and Cyber Security
advisory board comprising members from Government Departments,
Academic, Defense, Law Enforcement and Industry segments that support
national critical infrastructure
c)	 Create an inter-agency task force group to make an inventory of what we have,
what the challenges are, and come up with solutions for implementation
across the whole government. It will be headed by the cybersecurity czar.
d)	 Establish the following positions and organizations:
—	 National Chief Information Officer (CIO) – Information governance
—	 Secretary DICT – information management
e)	 DICT agencies – component administration (automation, networking,
communication, etc)
f)	 Creation of a multi-sectoral Technical Working Group (TWG) and a Cabinet
Level Committee
g)	 Establishment/creation of a cabinet-level committee to recommend national
cybersecurity initiatives
h)	 Create a lead agency, a National Coordinating Center, to oversee the
implementation of ICTD policies, plans and programs (DICT Bill)
i)	 Initiatives to protect Philippine cyberspace by PhCERT and law enforcement
agencies (PNP/NBI)
3.	 Legislation
a)	 Prioritize pending legislation related to cybersecurity
b)	 Pass the Department of Information, Communication Technology (ICT) bill
c)	 Formulate a concrete and long term Policy/legislation focusing on Cyber
Security Concerns (Cybersecurity Bill)
d)	 Expedite passage of needed laws, craft implementing rules e.g. the Anti-
Cybercrime Prevention Act of 2012
4.	 System
a)	 Creating a government cyberspace infrastructure with its own Internet
exchange connecting to the AP Region. Data and information in government
are confidential in nature and thus it needs to be protected and monitored solely
by the government.
b)	 Establish a government intranet which will be used as network infrastructure
for e-government applications
c)	 Impose minimum standards and mandatory procedures for all agencies to
follow
d)	 Employ knowledge management to develop automated applications
e)	 Set-up Incident Response Teams (IRTs) in all government agencies under the
supervision of G-CSIRT
f)	 Periodic vulnerability assessment of government cyber-infrastructure and
websites
g)	 Consider creating a government-owned cloud facility to house sensitive
government data
h)	 Support the establishment of local internet exchange points
i)	 Governance, Risk and Compliance management may be embedded into
government ICT systems and services
j)	 Regulate import and entry of dual purpose technologies and systems into the
country
k)	 Implement government controls on the access pathways to cyberspace (Register
all internet connections, all SIM cards, all Satellite phones and Satellite terminals
etc.)
l)	 Ability to monitor and control content delivery through cyberspace to enforce
mutual respect for civil liberties and national interests
m)	 Acquire a communication Satellite or dedicated satellite transponders for
engineering secure encrypted communication links for sensitive military and
government communications to augment current commercial channels
5.	 Staff (Personnel)
a)	 Create a top-caliber technical working group to pursue these initiatives and
related concerns
b)	 Create more ICT-savvy positions and plantilla
c)	 Create a pool of ICT professionals
d)	 Make salary and compensation of government ICT workers commensurate
with those in commerce and industry
6.	 Skill
a)	 Implement continuing educational programs / capacity building
b)	 Establish national level scholarships in ICT with service obligation (similar to
DOST scholarship)
c)	 Establish linkage with international educational organizations (i.e., Colombo
plan, JICA, KOICA, etc) for ICT scholarship
d)	 Adopt PPP approach for ICT education (IT companies will sponsor local IT
schools)
e)	 Education/awareness on the vital role of ICTD and Cyber Security targeting
the Decision Makers as the priority.
f)	 Disseminate pertinent information to the general public. Conduct an advocacy
program
g)	 Identify strategic capability building needs, develop training programs— Set
up a Cybersecurity institute
h)	 Improve IT and science education — a scientifically literate citizenry is the best
defense against cyber attacks
i)	 Create a protocol – Who is in charge of ICTD and cyber security? i.e. “Who
should we report to once a cyber threat is detected?”
V. Conclusion
Philippine national security and national defense must take a “whole of nation”
approach. They can no longer be the sole domain of those who wear uniforms, or serve
in government. ICT networks are not the sole domain of the government. An attack that
destroys the network owned by the power grid can break a nation’s will more quickly than
a bombing sortie by an air force.
Uniformed services, such as the military and police, play a vital role in this defense of
the nation, due to their ability to train and focus resources on issues. But other government
offices play a role as well, through their regulatory, enforcement and licensing powers.
Private industry is an equal partner because of its ownership of targets, but also because of
its expertise and willingness to protect its trade.
This new dimension of national security and national defense requires an evolution
of thinking. As one former FBI agent recounts, the “old” threats are still present, but the
“new threats” require that national security administrators and professionals adapt to the
new field.
But it has to start from the precept that ICT development and cybersecurity is a
matter of URGENT national security policy and a priority of the President. The nation must
prepare for the new terrain. The nation’s security depends on it.
# # #
Understanding Cyber Security from
Global and Regional Perspective
Stephen P. Cutler, PhD
President, FSC Holdings
(FBI Ret)
Paper presented during the Seminar Towards Information and Communications Technology
Development and Cybersecurity Enhancement on 6 June 2012 at the Honor Hall, NDCP, Camp
General Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________
The World of Today
The words “cyber security” often intimidate or discourage people who are not yet
familiar with computers and networks, or “e-commerce” and databases. The words often
carry the emotional implication that the subject may be beyond their understanding, and
that they are incapable of accomplishing anything of value in the “cyber security” arena.
This paper seeks not only to overcome that individual mind-set, but to demonstrate that
national security depends on the involvement of all members of this nation, and those to
which it is connected, in securing its networks, grids and even individual computers and
users. The “traditional” physical world concepts and ideas with which national security
professionals are quite comfortable are easily adapted to and explained in the cyber context.
Unlike the 1992 Disney song from the film Aladdin, this is decidedly not “A Whole New
World.” Now, twenty years later and in a new century, the cyber and physical worlds are
inter-mingled to a great degree. This mingling greatly affects the ability to secure nations,
and requires an adaptation to the current global and regional perspectives to the concept
of “national security.”
	 Before beginning a discussion of cyber security, it is of great value to give thought
to some basic ideas. These touch points of understanding are often assumed to exist among
those who discuss cyber security, but are just as often lacking in one party or the other.
Thus, a common ground for the discussion, and for decision making based on solid sharing
of information and commonality, is missing. For example, give serious thought to the very
basic ideas below.
o	 Are you able to describe a “botnet” to someone who is unfamiliar with computers?
Are you able to describe in even a cursory and “plain English” manner how it
works? Are you able to describe how a computer becomes a “zombie?”
o	 Are you able to define “phishing” so that a person without a security background
can understand the concept? Are you able to give an example of how phishing
might be used to compromise data?
o	 Are you able to explain “malware” in a way that beginner level computer users
are able to understand the idea, and its danger to individual computers and
networks?
o	 Are you able to express the concept of “social engineering” in a way that novices
will understand the dangers of answering probing questions asked by unauthorized
personnel?
o	 Are you able to convey the value, but also the dangers, associated with a “USB” to
networks and data storage?
o	 Are you able to articulate, in a way that even non-engineers and non-security
focused personnel can understand, the dangers of an “insider attack” to grids and
networks?
	 If pressed, and given time to formulate our thoughts, most of us will be able to
describe these important concepts in a way that those who are quite comfortable with
physical security will be able to understand. This is an important accomplishment, because
it brings to bear many good minds and thinkers who are currently restricting their work to
the physical world, but who have valid ideas to bring to bear on the cyber world.
	 The Old Testament book of Ecclesiastes, chapter 1:9, says “So, there is nothing
new under the sun.” This ancient piece of wisdom is valuable to remember in the cyber
security context. This is true as far as it goes. Many of the concepts, ideas and viewpoints
of security are those many practitioners have practiced for many years, but applied to a
different operating environment. However, the speed at which events happen in the cyber
world, and the ability of people, or “actors,” to reach around the globe and cause events to
happen, requires national security professionals to adapt and grow in skills and knowledge,
and to make decisions, in unprecedented ways.
	 In the physical world, a typical bullet fired from a .45 caliber pistol travels at
perhaps 950 feet per second. A typical round fired from the cannon of an M1A2 Abrams
tank travels perhaps 3,500 feet per second. Most current national security professionals are
quite comfortable in discussing these parameters and their impact on security. In the cyber
world, a byte of information or instruction from one computer to another travels at perhaps
186,000 miles per second. Thus, our operational and decision making cycles must adapt to
this “speed limit.” The ability to detect, deter, disrupt and dismantle groups, or the efforts
of an individual, who intend to do us harm remains critically important to national security,
but it must occur at a much faster pace than in the physical world. Trusted and trustworthy
information sharing with allies and team members must be included in this growth area.
The time-proven concepts of national sovereignty, territorial integrity and equality
of nation states, and resulting mechanisms of treaty compliance, diplomatic notes and
other means of information sharing, developed under ideas first embodied in the Treaty
of Westphalia in 1648 are still valid. But they must be adapted to an environment that ties
nations together in unprecedented ways, an environment that allows virtually instantaneous
communications between entities in various parts of the globe in ways not yet fully
explored, and an environment that truly equalizes nations in ways that are also not yet fully
understood. The cyber world not only equalizes nations in ways not yet understood, but it
also equalizes people in ways that are not yet fully understood, nor even fully identified.
The ability to act in the cyber world empowers individuals in the remotest areas of a nation
in many of the same ways as it empowers the richest of citizens in the hubs and corridors
of power in the biggest cities of the world.
Threats
The nation faces an evolving array of cyber-based threats arising from a variety of
sources. Most of these may, at first glance, seem to affect only individual computers, or users,
or even business networks. But all have an impact on national security since they impact
the ability of the nation to participate reliably and safely in the world’s economy and trade
schema. It is of value to broaden the definition and view of the term “national security” to
include the entire range of activities within the nation that affect its ability to thrive and be
competitive in the global economy. Thus, “national security” must account for much more
than numbers of jets in the inventory of the Air Force,
or ships at sea for the Navy, and soldiers and Marines
who are ready to march to combat.
Unintentional threats to national security
in the cyber field may arise from software upgrades
that have been applied without systemic planning
and coordination. Software, the programming that
commands computers to act in certain ways, may
contain instructions that conflict with other software
already installed on the machine or network. These
conflicts may cause system outages in the worst case, or simply cause inefficient and slow
operations in other cases. In other instances, “defective” equipment may be used that
inadvertently disrupts systems. Such equipment may be defective due to lack of maintenance
or may develop defective operations due to actions or accidents from the environment
in which the equipment is operated. Both software and hardware issues are often based
upon or exacerbated by budget issues that inhibit proper planning and implementation of
updates, and maintenance. Unintentional threats may also “set the stage” on which actors
with intent to do harm to the nation may perform their acts.
Intentional threats are those that often come to mind, and more often make headlines.
The nation is at risk of targeted and untargeted attacks from a variety of threat sources such
as criminal groups, hackers, terrorists, organization insiders, and even foreign nations who
conduct espionage and hostile acts in the cyber arena.
Trends/Emerging Threats
Threats to key critical infrastructure are of vital national security interest. Past
thinking in the national security field often focused on uniformed military versus uniformed
military, and it was often considered solely the domain of the uniformed services, or
entities closely aligned with those services. For the most part, this served nations well in
the physical world, but may not serve so well in the cyber world. In the physical world, key
critical infrastructure such as dams and bridges or armories and rail yards were, and still
are, often government/publicly owned. Privately owned entities often suffered collateral
damage, but were not usually the main targets of hostile acts.
In the cyber world, however, key critical infrastructures are often owned by
private entities. Publicly, i.e. government, owned critical infrastructures are networked
into electronic “relationships” with private networks in unprecedented ways. Even more,
many of these are networked into a web that has no true owner at all: the internet, or “world
wide web.”
Among the highest priority targets for intentional threats are “Supervisory Control
and Data Acquisition,” more commonly referred to by the acronym “SCADA Systems.”
These systems are used to oversee and direct complex systems that are not easily otherwise
monitored and controlled. For example, manufacturing processes that have many variables
may be more easily monitored and controlled by computer than by an engineer’s sight
and senses. But SCADA systems may be vulnerable to attack. This may alter the ability
of the system to correctly control the process. A well-reported example of such an attack
was named the “STUXNET” virus. This attack stopped all activity at a nuclear plant in
Iran. A search engine that indexes servers and other internet devices is helping hackers to
find industrial control systems that are vulnerable to tampering. While the example given
was operated by the Iranian government, other such systems are often under the control
of private businesses, but affect the public. One example of this may be the dispatching
and aircraft control systems operated by airlines. The national air traffic control system is
operated by the government, but each airline also operates its own internal systems. Should
those systems be disrupted, there will be a strong negative impact on the public transport
systems. Financial systems are similarly situated.
Greater use of cyberspace by the “bad guys” must be taken into account by national
security planners and implementers. The term sounds simplistic and juvenile, but is chosen
on purpose to refer to a wide variety of “actors” who intend to harm, in any number of ways,
the well-being of the nation. This group may include state or non-state actors, including
single individuals, who want to disrupt commerce, or communications or the ability of a
group or state to act in a particular issue. These groups may work to compromise secure
systems handling national security classified information, but a wide variety of publicly
available reporting indicates that their efforts provide great returns in disruptions and
compromise of sensitive but unclassified (SBU) networks over which the bulk of the work
of government and private entities is done.
Use of this bandwidth to facilitate criminal activity is common according to public
reporting. This may include traditional crimes such as extortion, thefts, stock manipulations,
but may extend into non-traditional crimes such as national security espionage, commercial
and trade secret espionage, and other such activity.
Swarm Theory: A Changing Paradigm
	 The national security apparatus is comfortable with dealing with threats. It may
focus on an invasion by a foreign army, and strengthen beach defenses. It may focus on air
assaults. It may focus on an insurgency, and bombings or ambushes conducted by irregular
forces. It may develop defenses that are employed during convoys and patrols. It may
maintain information gathering efforts to learn of the capabilities of nations who may try
to harm its own nation. It may deal with symmetric threats, which are those which have
capabilities and thought processes substantially similar to its own. Or the national security
apparatus may deal with “asymmetric” threats, which have constructs of “how the world
works” that differ substantially from its own.
	 In the cyber world, the paradigms must adapt. Whereas physical attacks that pose
an existential threat to a nation must utilize thousands, if not hundreds of thousands of
people, with vast resources and time to develop and marshal capabilities, that time and
effort is not necessary in the cyber world. It has been clearly demonstrated, in Estonia and
Georgia, that nations may be attacked through their electronic networks. In the physical
defense realm, its “players” may be able to focus on relatively tight areas and directions of
attack. Armies and nation level decision makers are familiar and comfortable with speaking
in terms of “fronts” and “rears”, as well as “obliques” and “defilades.” Those terms have
little actual application in the cyber world.
	 In the cyber world, the national security apparatus must become familiar and
comfortable with operating in a “swarm” environment in which attacks on the infrastructure
and well-being of the nation come from many directions and in many forms virtually
simultaneously. This requires a flexibility and rapidity of response that is difficult to
master without practice and forethought. One may picture this as being a child who has
just disturbed a hornet’s nest, and is attacked by the hive. Thousands of hornets appear to
act independently, flying in seemingly random and uncoordinated patterns to attack the
target. And some get through the child’s swatting defenses to inflict painful stings on her.
That is a simplified, but visually effective, way to explain a botnet attack that is aimed at
denying service of targeted computer networks. The term “botnet” is shortened from “robot
network.”
A defense against this cyber attack requires an adaptability and speed that isn’t
normally found in the physical world. For example, one of the reasons given in popular
historical literature for the success of the Normandy invasion on 6 June 1944 is that the Nazi
high command expected the actual invasion at Pas de Calais, miles away from Normandy.
They heavily fortified that site, and refused to move those forces in a timely manner to
reinforce Normandy. Thus, the Allies were able to gain control of the beachhead, and
ultimately move inland. This lack of decisiveness and inability to respond to multiple attacks
will result in much more rapid failure in the cyber world than in the physical world.
How does a “botnet” work?
	 In essence a hacker, or a group, will use computer code to infect other computers,
allowing the hacker to take control of those computers. These computers may be used by
their normal users, while still under the control of the hacker for other uses. The normal,
and authorized user, may or may not notice some diminution of speed in response of her
computer. The hacker maintains control, and can use the computer to launch attacks against
other computers. This intermediate computer becomes, simply, a “robot” on the hacker’s
network of robot computers. Thus is born the term “botnet.” The “robot” computer is often
referred to as a “zombie” since it has a “life” under the control of unauthorized users.
	 The hacker may be an individual actor, and may or may not be connected with a
state. A state, or a criminal group, may or may not pay the hacker to conduct attacks. They
may simply acquiesce to the hacker’s work, realizing it achieves goals with which they
are happy, but for which they bear no risk and responsibility. The hacker is likely to “take
over” hundreds, thousands, hundreds of thousands, or more computers. These computers
are then instructed to “swarm” a target computer or network, and overwhelm its defenses
so that it cannot operate as intended. This is known as a “distributed denial of service”
attack, or “DDOS.” The DDOS attack was used to cripple both Estonia and Georgia in the
last decade. The attack is still effective.
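The swarm described above can be seen from the defender's side in the following Python example, which is added here and is not part of the original paper. It runs over constructed traffic records and shows that a per-source rate limit stops one noisy machine but lets a swarm through, because each zombie stays under the limit; only the aggregate count reveals the attack. The addresses, thresholds and function names are assumptions for illustration.

```python
"""Why a per-source rate limit misses a botnet swarm (constructed data only)."""
from collections import Counter, defaultdict
from statistics import median


def build_sample():
    """Constructed (second, source) request records for a 10-second window."""
    records = []
    # Normal load: 5 regular clients, 2 requests each, every second.
    for second in range(10):
        for client in range(1, 6):
            records += [(second, f"198.51.100.{client}")] * 2
    # Seconds 3-4: one misbehaving machine sends 60 requests per second.
    for second in (3, 4):
        records += [(second, "198.51.100.50")] * 60
    # Seconds 6-8: 400 zombies send just 1 request per second each.
    for second in (6, 7, 8):
        records += [(second, f"2001:db8::{bot:x}") for bot in range(1, 401)]
    return records


def per_second(records):
    """Group records into {second: Counter(source -> request count)}."""
    buckets = defaultdict(Counter)
    for second, source in records:
        buckets[second][source] += 1
    return buckets


def per_source_blocklist(records, per_source_limit=20):
    """Sources that a simple per-source rate limit would block."""
    return {
        source
        for counts in per_second(records).values()
        for source, hits in counts.items()
        if hits > per_source_limit
    }


def residual_load(records, blocked):
    """Requests per second still reaching the target after blocking."""
    load = Counter()
    for second, source in records:
        if source not in blocked:
            load[second] += 1
    return dict(load)


def classify_seconds(records, baseline_seconds=3, rate_factor=5.0,
                     per_source_limit=20):
    """Label each second using the aggregate rate, not only per-source rates.

    The first `baseline_seconds` are assumed to be clean traffic.
    """
    buckets = per_second(records)
    seconds = sorted(buckets)
    baseline = median(sum(buckets[s].values()) for s in seconds[:baseline_seconds])
    verdicts = {}
    for s in seconds:
        counts = buckets[s]
        total = sum(counts.values())
        loud = sorted(src for src, hits in counts.items() if hits > per_source_limit)
        if total <= rate_factor * baseline:
            verdicts[s] = ("normal", loud)
        elif sum(counts[src] for src in loud) >= total / 2:
            # A few loud sources explain the surge: blocking them is enough.
            verdicts[s] = ("single-source flood", loud)
        else:
            # Surge with no loud source: many quiet machines acting together.
            verdicts[s] = ("distributed flood", loud)
    return verdicts


SAMPLE = build_sample()

if __name__ == "__main__":
    blocked = per_source_blocklist(SAMPLE)
    load = residual_load(SAMPLE, blocked)
    for second, (verdict, loud) in classify_seconds(SAMPLE).items():
        print(second, verdict, loud, "load after per-source blocking:", load[second])
```

In the constructed data the per-source limit returns the load to normal during seconds 3-4, while during seconds 6-8 the load stays at 41 times the baseline with nothing on the blocklist.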
What else can we do?
	 A new paradigm of cooperation between the national security professionals and
private industry must be developed. Law enforcement and military services, as well as
other government entities such as the Department of Science and Technology, Department
of Trade and Industry and others have a critical role to play. Many of the networks that
are subject to attack are privately owned. In addition, botnet attacks may appear to
originate in many different countries, from privately owned computers as well as those
owned by governments. It is difficult in
the first critical stages of an attack to
attribute it to the actual perpetrators with a
great deal of certainty. The computers
and the electronic signals of the attack
do not wear uniforms, nor carry easily
identified markings that one finds on
enemy aircraft and warships. Without
such certain attribution, it is difficult
to launch offensive actions to disrupt
the true source of the attack. Thus, it is
critical to have a solid and well-practiced
“whole-of-society” response capability
in these attacks, and develop attribution
and counter-attacks as soon as feasible,
but focus on defense and minimizing of
damage at the initial stages. In this sense,
the target system is not unlike a naval vessel under attack by numerous small and fast armed
boats. Keeping afloat and undamaged is of paramount importance, while determining the
“flag” of the boats will be done in time.
Mike McConnell, Director of the United States National Security Agency from
1992-1996, was quoted in the Washington Post in February 2010 as saying “No doubt, such
arrangements will muddy the waters between the traditional roles of the government and
the private sector. We must define the parameters of such interactions, but we should not
dismiss them. Cyberspace knows no borders, and our defensive efforts must be similarly
seamless.” But these arrangements must be made within the nation, as well as regionally,
and internationally. These arrangements must be practiced from time to time as well so that
they may be used correctly and in a timely manner when needed.
The United States Congressional Research Service wrote, in its paper entitled
“Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress”
issued in 2008 that “Ultimately, reducing the threat to national security from cybercrime
depends on a strong commitment by government and the private sector to follow best
management practices that help improve computer security.” Although the statement
refers specifically to “cybercrime,” the ideas it propounds apply to all cyber threats and not
just those typically referred to as “criminal.”
In summary, physical world differentiations and divisions of national security into
military, criminal and commercial areas are counter-productive and crippling to protecting
the nation’s interests in the cyber world. The total nation must work together to protect its
networks and infrastructure. The nation must work with other nations to develop trusted and
secure but quick ways to exchange information that conforms to treaty requirements, and
internationally accepted norms, while enabling appropriate responses to cyber emergencies.
The nation’s security depends on it.
# # #
____________________
Steve is the President and Chief Executive Officer of FSC Holdings, a consultancy
firm in Makati. He lectures frequently on technology, security, anti-money
laundering and terrorism. He also has strong experience in data and physical
security management, and disaster preparedness arenas. Mr. Cutler is retired from
the U.S. Federal Bureau of Investigation.
Cyber War and Cyber Terrorism
Stephen P. Cutler, PhD
President, FSC Holdings
(FBI Ret)
Paper presented during the Seminar Towards Information and Communications Technology
Development and Cybersecurity Enhancement on 6 June 2012 at the Honor Hall, NDCP, Camp
General Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________
Cyber war. Cyber-terrorism. These are chilling words, and concepts that strike fear
into our hearts. We have visions of dark cities, frozen bank accounts and financial
ruin, airliners exhausting fuel supplies in mid-air because they can’t land without
coordination and communications from ground based air traffic controllers, and power
plants running amok. The terms call to mind certain images. These may both illustrate the
nature and magnitude of potential problems, but they may restrict our thinking as well.
Attachment of a modifier to the word “war” puts that concept into an area that brings much
emotional and subjective “baggage” with it. Visions of masses of uniformed troops, and
weapons systems such as fighter or bomber jets, tanks and big ships with big guns come to
mind. Death and devastation aren’t far behind.
The words may work well in the physical world, but may not serve us well in the
cyber world. They carry the implication that wars are carried out by certain organizations,
and not others. Wars are conducted by armies, and navies, and air forces, but not by
civilians and civil forces. Wars are generally conducted under guidelines and the “rules of
war.” Uniforms clearly identify, even from a distance, who belongs to which side. These
concepts, the development of which began hundreds of years ago in an agrarian age, work
fairly well if imperfectly in the physical world. They are less effective in the cyber, or non-
physical, world.
Just as Clausewitz wrote about the relationship between war and a nation’s interests
and objectives, we must apply certain time-honored concepts to our policy development
in the cyber arena. John B. Sheldon, a noted author in the field, writes “Cyber power does
indeed have strategic purpose relevant to achieving policy objectives. This strategic purpose
revolves around the ability in peace and war to manipulate perceptions of the strategic environment
to one’s advantage while at the same time degrading the ability of an adversary to comprehend that
same environment.”
Sheldon’s observations demonstrate that the development of national policy on
cyber security must take place as part of the overall scheme of securing the nation’s interests,
development and competitiveness in the international arena. In that way, it is part and
parcel with the evolution of policy on physical security and defense issues, and economic
security and defense issues. Many of the same principles with which we are very familiar
in the physical world may translate into the cyber environment.
It is helpful to develop a common understanding of some terms that are frequently
used. Sheldon’s views and explanations are, again, quite helpful. He sees “cyberspace” as “a
global domain within the information environment consisting of the interdependent network
of information technology infrastructures, including the Internet, telecommunications
networks, computer systems, and embedded processors and controllers.” At first glance, this
is quite a bit to understand. But upon reflection, the definition is quite simple. It emphasizes
that the field of concern is global, and not necessarily restricted to the territory of a single
nation or region. The field is networked, and not focused on discrete and separate parts.
Thus, planning and responses, and the view or mind-set of national security professionals
as they work in the field, must be much broader than what we find in the physical world.
Sheldon elaborates that “cyberspace operations include the employment of cyber
capabilities where the primary purpose is to achieve objectives in or through cyberspace.
Such operations include computer network operations and activities to operate and defend
the Global Information Grid.” This carries the strong idea that a single nation, or entity within
the nation, must defend itself, but it also bears a responsibility for defense of the entire grid.
This is a very large step forward in thinking for many national security professionals, and
demands a change in “world view.”
Sheldon describes a “computer network attack,” or CNA, as those “actions taken
through the use of computer networks to disrupt, deny, degrade, or destroy information
resident in computers and computer networks, or the computers and networks themselves.”
Unlike the physical world, the defense of the cyber world is focused on information and
networks. These exist, but in forms that are not readily seen by the human eye. Thus, they
carry with them some mystery and unfamiliarity.
It is easy to deal with the speed of a bullet, or an artillery shell. The bullet fired from
a .45 pistol travels at about 950 feet per second. The round fired from an M1A2 Abrams
tank covers about 3,500 feet per second. Digital bytes of information, code and “orders”
from one computer to another travel at about 186,000 feet per second, and are not restricted
in impact to a single target. Multiple computers may receive the bytes at the same time,
with no diminution of effect. The main difference in the physical world security concepts
and their application to the cyber world is the speed at which events may happen, and the
distances between “trigger point” and “impact point.” National security professionals must
understand and become comfortable with the ability of an actor on any part of the globe
to attack any other part of the globe at the speed of light. While this understanding and
comfort level is daunting, it is doable.
Sheldon further describes “computer network exploitation,” or CNE, as “enabling
operations and intelligence collection capabilities conducted through the use of computer
networks to gather data from target or adversary automated information systems or
networks.” This is a critical capability within the national security framework, so that a
nation’s security apparatus may, so to speak, “play on the same field” as those who seek to
harm the nation. In the physical world, national defense was thought of in terms of tanks,
ships, jets and rifles. Ownership of these tools was restricted to the nation state. In the cyber
world, however, most of the networks in which operations are conducted are owned by
private entities. This new paradigm will require a degree of integration of “private and
public partnerships” into the national security framework that has not been seen before.
He writes of “computer network defense,” or CND, as “actions taken to protect,
monitor, analyze, detect, and respond to unauthorized activity within the Department
of Defense information systems and computer networks.” This definition, written from a
United States’ perspective, seems overly restrictive in a networked world, where the lines
between “Department of Defense” and “other” systems are indistinct and immaterial.
Sheldon elaborates by defining “computer network operations,” or CNO, as being “comprised
of computer network attack, computer network defense, and related computer network
exploitation enabling operations.” This definition is not restricted to those networks
belonging only to military and governments of nations. This is appropriate in the cyber
world.
What is “Cyberspace”?
Some context is valuable. In the physical world, access to a given area, or even a
nation, was normally provided through certain gates, or ports. These entry points were
identified, and “advertised” in certain ways. Nations could defend these gateways. They
could identify intruders. Doors could be closed. Guns could be trained on specific points.
The “New” Gates to nations are electronic, and carried by cable, but the concept is
the same as in the physical world. Access to the Philippines, for example, from other nations
is gained through one of six cables that connect the Philippines to the world. Should these
cables be disrupted in some fashion, by the hands of man or nature, the Philippines will
lose all connection to the rest of the world, and all but internal commerce and trade will
stop. But the defense of these ports of entry is still feasible, and imperative. It simply must
be done with the same tools and mindset of the attackers, adapting to the threats faced.
The threat constantly and rapidly changes
	
Philippine national security and national defense must take a “whole of society”
mind set. It cannot any longer be the sole domain of those who wear uniforms, or serve in
government. The concept of “total war” in which civilian populations and civilian buildings
were specifically targeted was clearly demonstrated in the American Civil War, as well as
World War II. It finds application in the physical world today in the actions against terrorists,
who kinetically target civilian populations to force governments to take certain actions. The
cyber arena is also one in which the idea of “total war” is played out.
	
Networks are not the sole domain of the nation’s government. An attack that
destroys the network owned by the power grid can break a nation’s will more quickly than
a bombing sortie by an air force. Uniformed services, such as the military and police, play
a vital role in this defense of the nation, due to their ability to train and focus resources on
issues. But other government offices play a role as well, through their regulatory, enforcement
and licensing powers. Private industry is an equal partner due to its ownership of targets, but
also because of its expertise and willingness to protect its trade. This new dimension of
national security and national defense requires an evolution of thinking. The “old” threats
are still present. But the “new threats” require the national security professional to adapt
to the new field.
Together the nation must prepare for the new terrain. The nation’s security depends
on it.
# # #
Philippine Cyber Security: General Situation
Angel S. Averia, Jr.
The paper is a post-write up of the presentation with the same title delivered at the seminar, “Towards
ICTD and Cyber Security Enhancement”, held at the National Defense College of the Philippines
on June 6-8 and 11, 2012.
_______________________________________________________________________________
What is Cyber Space?
Before we begin to gain an understanding and appreciation of the Philippine Cyber
Security Situation, let us first try to gain an understanding of cyber space. There is an
abundance of literature that chronicles the development of the Internet that evolved
into a platform host of what we know today as cyber space. In the earlier days of the
Internet, the interconnectivity of independent networks allowed for the basic exchange
and sharing of data/information between and among select groups of individuals. The
development of packet switching, IP addressing, and domain name systems, among others,
provided the building blocks of the Internet.
	 Advances in the development of applications like browsers, web-based applications,
and search engines provided efficiencies in information sharing and independent search
for information, ushering the transformation of the Internet into cyber space. As electronic
mail evolved in the Internet platform, groups or online communities started to develop
and, with the development of enabling applications, transformed and expanded into
what we now know as social networks. In the meantime, in parallel developments, online
market places also started to evolve, triggering commercial and trading activities.
	 Cyber space has not been fully defined, but it exists. As a virtual domain, cyber
space consists of physical, logical, and social components. [See: TRADOC Pamphlet 525-7-8,
U.S. Army, Cyberspace Operations Concept Capability Plan 2016-2028 at
www.fas.org/irp/doddir/army/pam525-7-8.pdf]
	 The cyberspace components are:
1. Physical
a. 	 Geographic Locations – locations in the physical world where computers,
electronic devices, networks, wired and wireless telecommunications facilities
and infrastructure, people, communities, and organizations may be found.
b. 	 Networks – the interconnected information system networks and devices and
telecommunications infrastructure that make up the internet and allow easy
connectivity
2. Logical
a. IP Address – the logical address of devices connected to the internet, such devices
are used to access cyberspace
3. Social
a. 	 People and Juridical Entities – users in cyberspace
b. 	 Internet Identity – The identity of persons and organizations adopted by users in
cyberspace, real or cloaked in anonymity
	 The illustration below presents a conceptual image of cyberspace:
	
	
Cyber space may be viewed as follows:
• a virtual domain where persons, natural or juridical, and communities
operate
• a venue for social interaction
• a new marketplace where products and services are traded
• the birthplace of a new global culture
• virtually reversed diaspora
Cyber Security Concerns
	 The internet is a vulnerable infrastructure. Its basic design goals are openness, ease
of connectivity, physical resilience, and interoperability. Even as developers of devices
and software adhere to security standards in designing new products, openness, ease of
connectivity, and interoperability are paramount concepts that they have to meet. Security
of devices, databases, and applications cannot be guaranteed a hundred percent.
	 As internet users became netizens taking advantage of the benefits that cyber space
offered, the same virtual domain gave birth to a culture with malevolent designs. Over
the last 2 decades we saw an increase in the volume, velocity, and sophistication of cyber
attacks targeted at individuals, communities, and business and government organizations.
At the extreme, some attacks are aimed at the destabilization of the state.
Status of the Philippine ICT Infrastructure
	 With the foregoing as background, we now look into the status of the Philippine
ICT infrastructure.
	 There are presently 6 internet exchanges operated by telecommunications
companies which are not peered so that messages and data exchange are routed globally
before said messages and data exchanged reach the intended local destination. Mobile
devices and the use of the cloud infrastructure and social network sites have also been on
the upswing.
	 Amid the positive developments in cyber space, malevolent activities have also
been noted. In 2011 alone, 57 local cases of identity theft, hacking, scamming, harassment,
estafa/fraud, pornography, and extortion were recorded. Many more have gone
unreported.
	 Port 23/TCP scanning activities were also observed during the period December
1, 2011 to May 1, 2012. ICMP Port scan peaked at 14Mbps at 13:44 (GMT +8) on March 30,
2012. Port scanning is the precursor activity conducted by malevolent actors looking for
vulnerabilities in networks prior to an attack.
Philippine TLD Among the Riskiest
	 In its Mapping the Mal Web Report, McAfee noted that the Philippine Top Level
Domain (TLD) ranked 6th in 2009 among the riskiest TLDs in the world. In 2010, the Philippine
TLD’s risk profile improved, ranking 25th.
Scarborough Shoal Territorial Dispute
	 As the dispute between the Philippines and China heated up, defacement activities
between the two countries’ hacker groups were noted over the period April 20, 2012 to
May 11, 2012, though attribution cannot be confirmed.
Hostage Incident
	 Rewinding to 2010, within two weeks following the hostage incident involving
Hong Kong nationals at the Quirino Grandstand in Manila, defacements of national and
local government websites were recorded.
More Web Defacements
	 The period 2011-2012 witnessed the defacement of a number of national and local
government websites, including that of the Department of Transportation and
Communication, Land Transportation Office, Vice President Binay’s website, and Bulacan
government website.
	 On the weekend of June 2-3, 2012, the websites of the Department of Justice, the
Philippine Drug Enforcement Agency, and the National Economic Development Authority
were likewise defaced.
	 The list also includes the following:
• Technical Education and Skills Development Authority
• Department of Health
• Department of Social Welfare and Development
• Bases Conversion and Development Authority
• Philippine Nuclear Research Institute
• Department of Trade and Industry
• Department of Interior and Local Government
• Philippine Information Agency
• Philippine Army, 4th Infantry Division in Mindanao
• Housing and Land Use Regulatory Board
• Office of the Ombudsman
• www.e.com.ph
• mandaluyong.gov.ph
• www.undp.org.ph
• www.bayan.ph/petition
• www.epa.org.ph
• www.philproperties.ph
• www.insurance.gov.ph
• www.popcom.gov.ph
• http://webgis.dost.gov.ph/mindanao
The Culprits
	 The perpetrators identified themselves as:
• PrivateX
• Philker
• iSKORPiTX - a Turkey based group of hackers
• China Hacktivist
• BatangMahiligMagbatibot
• Black AtTacKer
• MISTA Haxor
• Clienc0de bgh7 m3rcil3sS
• Freeman
• KuTaHYaLıBeLa
• team crimes linux -
• 1923Turk Grup
• Ha[c]kingFor[c]es
• Mr-CaCaRoTe
• Saudi Arabia Hackers
• Ma3sTr0-Dz
Phishing
	 Phishing, a type of social engineering attack, is designed to lure netizens to
provide personal information. Phishers (as perpetrators of phishing attacks are referred
to) masquerade by mimicking bank websites and request random targets
to update their account information. Three local universal/commercial banks were
mimicked by phishers in 2011. Cost of damage is unreported as banks sought to protect
their identities and reputation.
Spam
	 Spam is basically an unsolicited communication (email or text/SMS) sent to
random targets designed:
• To gather personally identifiable information and other sensitive data
• For commercial offers such as real estate, medicines (Viagra, Cialis, etc.), high end
watches, and other products
• For fraudulent offers, like fake lottery
	 Cebu used to be the center of commercial type of spam.
	 From snail mail to email, the Nigerian scam has also found its way into cyber
space and has been translated into several languages. The Nigerian scam offers random
targets access to large amounts of cash, which perpetrators claim to be funds provided by
international funding agencies but which can no longer be returned to the donor. Random
targets are asked to provide the perpetrators access to personal bank accounts where the
funds can be remitted. To initiate the fund transfer, the perpetrators request the account
owners to deposit a certain amount to fund the remittance fees.
	 Another kind of spam requests financial assistance from random targets using
email addresses known to random targets. The sender reports that he is in a foreign
country and has fallen victim to thieves and lost everything, including cash, credit and
ATM cards, and passport.
Advanced Persistent Threats (APTs)
	 APTs are the most sophisticated type of attacks to date, reportedly sponsored by
nation-states. APTs are targeted at governments, financial institutions, industrial concerns
like power generators, nuclear facilities (e.g., Iran), research facilities (e.g., Oak Ridge National
Laboratory), and information security companies (e.g., RSA), among others. An example
of APT is Stuxnet. Analysts report that Stuxnet is a computer worm designed to target
Siemens Industrial Software and Hardware. It reportedly includes a programmable logic
controller rootkit, possibly a prelude to an artificial intelligence type of malware.
	 In the case of the Stuxnet attack in the Iranian nuclear refinement facility, the
computer worm reportedly altered operational data to show normal operations when in
fact operating conditions were altered. The attack was reportedly launched through social
engineering. Since the facility is not connected to the telecommunications infrastructure,
reports indicate that attackers used USB thumb drives as attack vectors. USB thumb drives
with the payload were dropped in strategic places at or around the nuclear facility in the
hope that facility workers would find them.
	 Flamer is reportedly a variant of Stuxnet.
Cyber Warfare, Cyber Terrorism
	 The 1st web war was launched against Estonia, the world’s most wired nation
with unified services. The unified services that sit on Estonia’s ICT infrastructure put it at
high risk to distributed denial of service attacks that crippled the nation’s integrated ICT
infrastructure.
	 While the Philippines’s disjointed ICT infrastructure appears to be at low risk, it
still faces a concerted DDOS.
National Security: Misuse, Abuse of ICT
	 ICT can be used as a propaganda machinery and may be used to coordinate rebel
activities. This has been demonstrated where mobile phones with unregistered prepaid
SIM cards have been used to detonate improvised explosive devices.
Threats from Within
Global surveys have shown that internal users of information systems rank high in
the vulnerability scale. Disgruntled workers may launch attacks against an organization’s
information systems, abusing their access credentials/privilege. Information may also be
accidentally disclosed. Information may be used for personal (financial) gain.
Readiness Assessment
	 As previously pointed out, the Philippines’s internet exchanges are not peered,
exposing unencrypted data in transit to risks of pilfering as it traverses the global internet
infrastructure. Government agencies face risks as evidenced by defacement of websites –
an indicator of weak information security practice. Human capacity – skills and practice
– need to be enhanced. Acquisition of technology resources is challenged by budgetary
constraints. Government officials and workers use free email (gmail and yahoo, among
others) to exchange data and messages.
Information Security Practice
	 To improve the country’s information security posture, government needs to look
outside of its borders. Some countries have set out to develop and implement information
security plans and programs through the creation of information security agencies
mandated to address information security concerns. Examples are:
• Korean Information Security Agency
• Cyber Security Malaysia
• Pakistan Information Security Agency
Solutions and Practices
	 The country needs to:
• establish and implement a well-defined set of information security policies and
measures;
• develop and disseminate information security awareness programs;
• adopt and implement Information Security Management Systems in national and
local government agencies, offices, and instrumentalities;
• use technology solutions such as intrusion detection and prevention systems,
firewalls, and other security solutions, and consider other security measures
as migration to cloud services is considered, to reduce and/or mitigate risks;
and
• adopt and institutionalize risk management practice
Where are we?
	 The Electronic Commerce Act or Republic Act No. 8792 was enacted in 2000.
Section 33 of said law treats hacking or cracking as a criminal act:
• unauthorized access into a computer system/server
• unauthorized access into an information and communication system
• Interference in a computer system/server
• Interference in an information and communication system
• any access in order to corrupt, alter, steal, or destroy using a computer or other
similar information and communication devices
• the introduction of computer viruses and the like, resulting in the corruption,
destruction, alteration, theft or loss of electronic data messages or electronic
document
The law, however, does not provide definitions for:
• unauthorized access
• interference
• virus
	 A year after the enactment of RA8792, the Supreme Court promulgated the Rules
on Electronic Evidence. There is, however, a need to train judges and lawyers.
Proposed Legislation
	 A Cyber Crime Bill is under consideration in Congress. The bill provides the
following features:
• Definition of illegal acts targeted at the integrity, confidentiality, and availability of
information systems and data that reside in them:
  o Illegal Access
  o Illegal Interception
  o Data Interference
  o System Interference
  o Cyber Squatting
  o Misuse of Devices
• Definition of other illegal acts committed with the use of computers and the
internet:
  o Computer-related Forgery
  o Computer-related Fraud
  o Cybersex
  o Child Pornography (in relation to RA 9775)
  o Unsolicited Commercial Communications
  o Libel (RPC Art. 355)
• Definition of other illegal acts:
  o Aiding or Abetting in the Commission of Cybercrime
  o Attempt in the Commission of Cybercrime
	 The proposed law also prescribes penalties for the illegal acts.
	 Other features included are:
• Restricting or Blocking Access to Computer Data. – When a computer data is
prima facie found to be in violation of the provisions of this Act, the DOJ shall
issue an order to restrict or block access to such computer data.
• Creation of a Government Agency: Cybercrime Investigation and Coordinating
Center (CICC), among the functions of which is:
• To formulate a national cyber security plan and extend immediate assistance for the
suppression of real-time commission of cybercrime offenses through a computer
emergency response team (CERT);
Status of ICT Related Bills:
• Data Privacy – went through the Bi-Cameral Conference Committee on May 24,
2012
• Cybercrime Bill – went through Bi-Cameral Conference Committee on May 31,
2012
• Awaiting ratification of the Bicam Reports
• Will be endorsed to the President for promulgation into law after ratification
Capability Building
	 The Criminal Investigation and Detection Group of the Philippine National
Police, over the last decade, has been building capacity and capability in addressing and
investigating cyber crimes. It has established digital forensics laboratories in Cebu, Davao,
Legaspi, Zamboanga, and in Quezon City.
	 The National Bureau of Investigation has also created its Cyber Crime Unit and is
presently building digital forensics capability.
	 The Department of Justice has also launched a training program for
prosecutors.
Cyber Space Needs
	 To recap, the country needs:
• A Central Authority that will address Cyber Security
• A cohesive Cyber Security Framework
• Cyber Security Plans and Programs
• Information Security Practice
• Response Capability
• Address cyberspace security as a national security issue
• Create and promote awareness among citizens
• Collaborate with local and international experts and organizations
_______________
The author is President, Philippine Computer Emergency Response Team (PhCERT),
Business Continuity Planning and Senior Information Security Consultant, Rigeltech
IT Consultancy. He is also a Resource person of the Supreme Court’s Subcommittee
on e-Commerce and Resource person of the Technical Working Group, House of
Representatives and Senate, that assisted in the drafting of ICT related bills.
About PhCERT
	 The Philippine Computer Emergency Response Team (PhCERT) is a volunteer
group of information security professionals and practitioners, responding to information
security incidents. As a member of the Asia-Pacific Computer Emergency Response Team
(APCERT), it serves as the country’s point-of-contact, coordinating and collaborating
with APCERT’s member economies and CERTs in other countries outside of the Asia-
Pacific Region in addressing and resolving information security incidents. PhCERT
also participates in policy development and legislation, conducts information security
awareness programs, and provides consultative assistance in building incident response
capabilities.
Historical Notes on Technology and
Cyber Security Initiatives
Dr. Lorenzo A. Clavejo, DPA
Introduction
	 This is an article written not to present a technical exposition or an in-depth treatise
on a very challenging subject matter – Cyber Security, but a thinking aloud process of an
IT user, an inquiry of where we are heading to with our cyber security discourses and the
multiplicity of institutional initiatives we have noted within and outside our country. This
article therefore, does not reflect any official perspective but that of the author’s personal
reflection. It does, however, present some courses of action and institutional initiatives
applicable to all netizens of the world.
Some Initiatives and Courses of Action
	 Four months ago, last August 7-8, 2012, the APEC Ministers tasked for the
Telecommunications and Information Industry convened in St. Petersburg, Russia, and came
up with the firm commitment with their declaration “Building Confidence and Security in
the Use of ICT to Promote Economic Growth and Prosperity.” One of the highlights of this
declaration was the collective realization that there is a need to elevate the level of cyber
security awareness and collaborate in the efforts of enhancing this awareness through such
recognition as the APEC Cyber Security Awareness Day. Consequently, October 29, 2012
marked the third annual APEC Cyber Security Awareness Day with respective national
efforts in upgrading the awareness level of the people on Cyber Security. Thus, APEC
Telecommunications and Information Working Group came up with the Cybersecurity
Top Tips that highlighted the following:
A. 	 Use Strong Passwords and Keep Them Secure: Use passwords that have at
least eight characters and include both numbers and symbols.
- 	 Change your password regularly, at a minimum every 90 days.
- 	 Keep your password safe. Do not share it on the internet, over the phone,
or over email.
B. 	 Use Security Technology and Keep It Up to Date: Protect your computer and
all devices that connect to the Internet by using firewalls, anti-virus, anti-
spyware and anti-phishing technology.
- 	 Along with computers, smart phones, gaming systems, and other web-
enabled devices also need protection from viruses and malware.
- 	 Ensure your system and these programs are regularly updated and
patched to guard against known vulnerabilities.
C. Stay Safe Online: Think before you act; do not open attachments or open links
sent by individuals who are unknown to you or that you were not expecting.
- 	 Do not provide unnecessary private personal information on the net.
- 	 Monitor your children’s internet activities.
- 	 When available, set the privacy and security settings on websites to your
comfort level for information sharing.
D. Secure wireless networks: Minimize the risk on your wireless network by
enabling encryption, changing the default password, changing the Service
Set Identifier (SSID) name (which is the name of your network) and using
the MAC filtering feature, which allows you to designate and restrict which
computers can connect to your wireless network.
E. Be a Good Online Citizen: Safer for me, more secure for all: What you do online
has the potential to affect everyone – at home, at work and around the world.
- 	 Practicing good online habits benefits the global digital community.
	 In addition to these top tips disseminated through various posters and national
advisories by the APEC member countries, the various working groups of APEC likewise
intensified their courses of action and initiatives. Such APEC working
groups include the Security and Prosperity Steering Group, whose scope of work
focuses, among others, on the following:
• Promoting security, trust and confidence in networks / infrastructure / services /
technologies / applications / e-commerce;
• Computer Emergency Response Teams (CERTs) and Computer Security Incident
Response Teams (CSIRTs);
• Spam/Spyware;
• Cybercrime prevention;
• Human resource development and capacity building on combating cybercrime
and implementing effective cyber security awareness initiatives; and
• Business facilitation through discussions with the private sector on promoting
security, trust and confidence in the use of ICT for business and trade.
	 And what is Cyber Security then, in the eyes of researchers, policy analysts, and
planners who are IT users and consumers?
Thinking Aloud in the Market Place of Ideas
	 For the past several years, since I came across such a contingency challenge of the IT
industry, with the much anticipated computer glitch on the crossover year of 2000, globally
termed “Y2K”, IT practitioners and users have sustained that level of sophistication and
technical expertise that somehow an ordinary computer-literate person, like me, would
stop and listen if only to learn some lessons on cyber security and its trajectory in the
future.
	 I have stopped being intimidated with terminologies such as URL, PDF, or getting
into the superhighway with such esoteric concepts as protocol, lynx, mosaic, Mozilla’s
Firefox, Safari and their related concepts. Over the years, my IT user’s instinct taught me
to instead focus on what I could avail of in preparing reports, graphical illustrations and
tabular presentations of studies and researches, of knowing the basic difference between
an open office system from the Windows and the Microsoft systems.
	 What has changed over the years in this perspective, as probably shared by the
cohorts of good netizens, are the anxiety and apprehensions that real international cyber
threats and cyber crimes which affect not only individuals but strategic institutions and
organizations anywhere and everywhere are rushing in much faster than the concerted
efforts of putting up firewalls, virus scans and other preventive measures to combat these
real cyber threats. Raising the alarm and providing advisories have become the regular
activities of many institutions not only by the government agencies but also by the business
sector, private enterprises, ranging from food, water supply, medicines, power and energy
supplies, banking and finance, and trading, among others. In fact, in the Philippines, our
Congress has just enacted the Law on Cyber Crimes. And faster than its application on
the ground, was the flurry of dissenting opinions and opposing views of how to apply
the same. Thus, cyber defence in the context of those defined cyber crimes has now
become the subject matter of the continuing discourses among policy makers, policy
implementors, law enforcers and businessmen both in the urban setting as well as in the
rural environment of the country.
	 Cyberspace is certainly expanding very fast to encompass the whole globe, from
Asia to Africa, from Americas to Europe, and from insular and littoral states to mainland
and continental countries. Our ball park estimates would indicate that there are more
than a billion netizens, with mobile Internet promising to double that number; data and
processes moving to the cloud; an Internet of things, with email addresses created or
invented; business and government agencies digitizing their core processes; and
even online elections in some countries, to include the Philippines. To better understand
the future direction of cyber conflicts, from our own limited perspective and level of
experience as ordinary IT users, as distinguished from those IT experts and specialists
who are the sources of our information, advisories and courses of action, we must listen to
them and follow their advisories, what with their wider glance and extensive experiences.
On the other hand, the limited information being shared as well as the narrow perspective
we developed could also be the source of our anxieties and apprehensions.
	 With the number of focused group discussions and conferences that have been
convened over the past decades, the focus has been much on the technology and
comparatively too little on the broader security issues and corollary implications. Looking back in
the past, the industrialization in the 18th to 19th centuries started a process which led on
the one hand to the West overtaking the Rest in wealth creation and ultimately in power
and influence over the world’s resources. This was then the divide. Unfortunately, it also
created the instruments and vehicles for the industrialization of death and destruction in
World Wars I and II. Consequently, it would be naïve to think that technology enhances
and facilitates wealth creation alone. For history has taught us some lessons that it also
matters strategically, politically and morally. We need to keep in mind the bigger picture
and what is at stake when we discuss different civilizations and nations’ assumptions
about the nature of technology such as now applied in the cyber space. These assumptions
would define and describe that trajectory in terms of how the internet will be applied by
some countries over other countries.
	 The physical and the cyber worlds are converging and boundaries between the
"cyber" and the "real" world have started to disappear. This in turn implies a convergence
between cyber security and overall global security. And whether we realize it earlier or
later, we have entered into that age that does not anymore invent nor create “future shocks”
in the words of Alvin Toffler, but in the paradigm shift of cyber security initiatives for a
better world to live in. To many students of society, like us, perhaps understanding cyber
space and information highway would be a good starting point. Perhaps, we can still say
we trust in the goodness of man as a rational being, but we have to hastily add, however,
that we must also realize that technology is very much neutral with its uses and
applications, for the driving forces and assumptions in the cyber space are dictated by conflicting
interests and opposing world views. Perhaps, this is just an afterthought of reading
Samuel Huntington’s clash of civilizations. Thinking aloud also necessitates allowing other
ideas to sink into one’s liberal mind if only to be rational and proactive in the cyberspace.
# # #
________________
Dr. Clavejo is connected with the National Security Council as Director of Planning and
Management Staff, Strategic Planning Office (PMS/SPO). His public service has spanned
more than thirty years, starting as a tax researcher, then provincial and regional manager in
a government corporation, before joining the security sector services. He earned
post-graduate courses as a fellow on development planning at the ITC, Enschede, the Netherlands
in 1984; the advanced National Security Course in the 1990s at the National Security Bureau
(NSB) in Taiwan and the Advanced Security Cooperation Course at the Asia Pacific Center
for Security Studies (APCSS), Honolulu, Hawaii, in 2009. Director Clavejo holds a post
graduate degree, Master of Science in Economics from Asian Social Institute, Manila and
a doctoral degree, Doctor of Public Administration, from the National College of Public
Administration and Governance, University of the Philippines, Diliman, Quezon City
(2008).
Cyber security: Perspectives on Attacks
John Peter Abraham Q. Ruero, PhD-Candidate, MSIM, ECE
VP for Information Systems Security Association (ISSA) Phil Chapter
Paper presented during the Seminar Towards Information and Communications Technology
Development and Cybersecurity Enhancement on 6 June 2012 at the Honor Hall, NDCP, Camp
General Emilio Aguinaldo, Quezon City.
____________________________________________________________________________________________________________________________________
A lot has been said about cyber attacks, from simple website defacement to actual
malicious activities like hacking, phishing, malware infection, and social engineering,
and there seems to be a multitude of ways to gain access into computer systems
without the approval or knowledge of systems and network administrators. These malicious
hackers, known in the cybersecurity world as black hats, have proliferated throughout the world,
using a variety of sophisticated tools and applying methods and techniques to perpetrate
their “dark agenda”, whether for financial gain, recognition, bragging rights, entertainment,
or, more recently, the use of the Internet to promote a particular political, religious, social
or scientific cause or ideology.
	 Recently, in the 2010-2011 Computer Crime and Security Survey Report, one key
finding was that malware (short for malicious software) continued to be the most commonly
seen attack, with 67.1% of respondents reporting it. Malware includes viruses, trojans and the
like, capable of propagating malicious code to unsuspecting victims (that is, computer
systems), thereby compromising critical information technology (IT) infrastructure. Further,
the Symantec Internet Security Threat Report Trends in 2009 carried interesting
highlights on global trends in information security threats. For instance, Brazil ranked
third behind the US and China in malicious activity in 2009. One of the attacks in Brazil resulted
in a massive power grid blackout, while another resulted in the exposure of valuable
data and a USD 350,000 ransom request after a government website was compromised, where
more than 3,000 employees were unable to access the site for more than 24 hours. In 2009,
India also accounted for 15% of all malicious activity in the Asia Pacific-Japan region, an
increase from 10% in 2008, which consequently earned India its title of being the third
highest country of spam origin globally.
	
	 In January 2012, attack patterns like SQL injection attacks, in particular the mass
SQLi automated attacks such as lilupophilupop, had infected approximately 1.17M sites,
with the Netherlands topping the list, followed closely by Russia, France, Germany and the
UK. In the same year, the geographic distribution of attackers was led by the US (1st), Korea (3rd),
and France, Germany and Poland in 4th to 6th place, with unknown sources accounting for 26% of
attacks (2nd). Russia, Thailand, Hongkong and Taiwan completed the top 10 list.
	 In contrast, the US, Indonesia, the Slovak Republic, Malaysia, and Poland were the
top five in the geographic distribution of victims. The applications most victimized in the top
remote file include (RFI) attempts were Joomla and WordPress. These were additional application
vulnerabilities discovered on victimized servers.
	 As for recent cyber attacks, most of the targeted ones were focused on enterprises, with
75% of enterprises surveyed experiencing some form of cyber attack in 2009.
•	 Targeted attacks using advanced persistent threats (APT) that occurred in 2009
made headlines in early 2010. Most notable of these was the Hydraq Trojan (a.k.a.
Aurora). In January 2010, reports emerged that dozens of large companies had been
compromised by attackers using this Trojan.
•	 In 2009, 60 percent of identities exposed were compromised by hacking attacks,
which are another form of targeted attack. The majority of these were the result of
a successful hacking attack on a single credit card payment processor. The hackers
gained access to the company’s payment processing network using an SQL-injection
attack. The attackers then installed malicious code designed to gather sensitive
information from the network, which allowed them to easily access the network
at their convenience. The attacks resulted in the theft of approximately 130 million
credit card numbers.
	 Despite their beliefs, industry data shows the number of organizations under attack
is closer to 100% (Fallon, 2012). Some companies are fighting intrusions and spend USD
50,000 to 100,000 a week (Baker, 2012).
	 Web-based attacks come from all corners as well. The top Web-based attacks observed
in 2009 primarily targeted vulnerabilities in Internet Explorer and applications that process
PDF files, namely:
•	 Microsoft Windows SMB2 ‘_Smb2ValidateProviderCallback()’ Remote Code Execution
•	 Adobe Reader and Flash Player Remote Code Execution
•	 Microsoft Internet Explorer 7 Uninitialized Memory Code Execution
•	 Microsoft Windows ‘MPEG2TuneRequest’ ActiveX Control Remote Code Execution
•	 Adobe Reader Collab ‘getIcon()’ JavaScript Method Remote Code Execution
	 Hackers are not only exploiting vulnerabilities of operating systems, web
browsers, and web applications by using sophisticated coding techniques. They also have
at their disposal toolkits that allow people to customize a piece of malicious code designed
to steal data and other personal information. One such toolkit is called the Zeus crimeware
kit, or simply Zeus kit. It can be purchased for as low as USD 700. Crimeware kits like
Zeus make it easier for unskilled attackers to compromise computers and steal information,
and also allow anyone who buys them to customize them based on their own needs. In
2009, Symantec observed nearly 90,000 unique variants of the basic Zeus toolkit, which
was the second most common new malicious code family observed in the Asia
Pacific-Japan region.
	 The attacks keep going; the more recent targets include large commercial banks,
government sites, social network sites, and, in the biggest irony of all, RSA itself.
An increasing number of services offered in the cybercrime underground allow miscreants
to purchase access to hacked computers at specific organizations. For just a few dollars,
these services offer the ability to buy your way inside of Fortune 500 company networks.
(Wilson, cited in Krebsonsecurity, Oct 2012).
	 What do these attackers get from stealing information from compromised systems?
The obvious reason is that the stolen information can be bought in the underground economy.
It has become easier, even for neophytes, to operate in an online underground economy.
The table below may give a “fairly good incentive” to these cybercriminals, as there is no
financial crisis to think of.
Table 1: Goods and Services Advertised on Underground Economy Servers
(From Symantec Global Internet Security Threat Report Trends for 2009)

| Overall Rank 2009 | Overall Rank 2008 | Item | Percentage 2009 | Percentage 2008 | Range of Prices |
|---|---|---|---|---|---|
| 1 | 1 | Credit card information | 19% | 32% | $0.85–$30 |
| 2 | 2 | Bank account credentials | 19% | 19% | $15–$850 |
| 3 | 3 | Email accounts | 7% | 5% | $1–$20 |
| 4 | 4 | Email addresses | 7% | 5% | $1.70/MB–$15/MB |
| 5 | 9 | Shell scripts | 6% | 3% | $2–$5 |
| 6 | 6 | Full identities | 5% | 4% | $0.70–$20 |
| 7 | 13 | Credit card dumps | 5% | 2% | $4–$150 |
| 8 | 7 | Mailers | 4% | 3% | $4–$10 |
| 9 | 8 | Cash-out services | 4% | 3% | $0–$600 plus 50%–60% |
| 10 | 12 | Website administration credentials | 4% | 3% | $2–$30 |

What can be done?
	 As the attacks proliferate, what can be done to minimize, if not eliminate, attacks
that come from all fronts? What options are available? There are some methods that may
be considered, and one of the more effective ones is to follow the three levels of responses
known as the PDAD approach.
a.	 Protect the critical information and technology infrastructure through the use of
firewalls, intrusion detection and prevention systems, antivirus and anti-spam
software utilities, monitoring tools, etc.
b.	 Detect malicious codes through the use of security analytics software, forensics,
and deep analysis down to the packet level.
c.	 Active Defense, which is a “military-style” approach through the use of intelligence
tools and techniques to anticipate attacks, as well as effectively stop and potentially
identify attackers once discovered in the infrastructure. This revolves around the
concept of self-defense as a necessity, in order to interrupt an in-progress cyber
attack and mitigate immediate harm to the target system, especially to protect critical
infrastructure.
	 Besides the PDAD approach, another effective method is to employ IT and security
best practices in enterprises and community, including consumer best practices. Security
technologies that rely on signatures should be complemented with heuristics, behavioral
monitoring techniques, and reputation-based security.
	 Awareness generation, training, and curricular reforms should integrate IT security
as a core element, together with the exposure and immersion of the business, government, and academic
communities in security technologies. Laws, policies, and regulations concerning
cybersecurity need to be evaluated for their influence on how people use or misuse electronic
information. Political forces need to be marshaled to support and fund the many lines of
research that will be needed to accomplish the complex task of protecting cyberspace from
attack.
	 Attacks can come from all fronts. Although the forms, shape, technologies, and
consequences may have changed dramatically, the motivations of the hackers and the hacking
community still remain the same. Remember that security is everybody’s business.
# # #
_____________________
	 John worked in IBM, Oracle, Misys, Accenture, and Macquarie Offshore Services
holding positions of progressive responsibility, namely systems engineer, IT Manager,
technical support, project manager, consultant, trainer, Associate Director, and others.  He
has taught in DLSU, ADMU, UAP, UIC and SISC. He is a PhD Candidate of Educational
Leadership & Management in DLSU. He earned MS Information Management in ADMU,
and BS ECE in DLSU.  He is the VP of Information Systems Security Association (ISSA)
Philippine chapter, and VP Externals of Philippine Society of IT Educators (PSITE).  John
has been involved in Information Security since 2005.
Cyberwar and Rules of Engagement
Drexx D. Laggui CISA, CISSP
____________________________________________________________________________________________________________________________________
Definitions
CYBERWAR is generally defined as a hostile, state-sponsored operation to conduct
sabotage, espionage, or subversion through information systems, the Internet,
or other telecommunications media referred to as cyberspace. Another widely
accepted definition of "cyberwar" is the use of the Internet and related technological means
by one state against political, economic, technological and information sovereignty and
independence of any other state[1].
	 The employment of the word "war" is derived from a description of a conflict
between state or non-state peoples, declared or undeclared actions, and highly-organized,
politically controlled wars as well as culturally evolved, ritualistic wars and guerilla
uprisings, that appear to have no centrally controlling body and may perhaps be described
as emerging spontaneously[2].
	 Further, when considered from a strategic point of view, war in this context is an
actual, intentional and widespread conflict between political communities [3], with the less
violent design[4] of:
- 	 crippling economies,
- 	 manipulating political views,
- 	 undermining the authority of a state,
- 	 disturbing a state's relationship among its allies,
- 	 reducing a state's military efficiency if not their effectiveness in physical
combat domains,
- 	 equalizing the fighting capacity of richer nations to that of third-world nations,
and
- 	 denying access to a nation's critical infrastructure so they can be coerced to
obey a dictated action.
Long-term threats
	 The conduct of cyberwar is an attractive option to a state because it is a relatively
cheap activity with remarkable benefits, vis-à-vis very low short-term risks on the lives
of its attacking combatants. However, the "use of force" in cyberspace can have violent or
crippling effects in the physical world of the state's targets.
	 As an identifiable long-term threat against Philippine national security, it is
often misunderstood and thus not managed correctly, simply because cyber warriors are
typically anonymous, that the individual users of ICT (information and communications
technology) assets believe they are very familiar with technology, and ICT administrators
can control cyber attacks in an ad hoc manner. The human mind reacts slowly to long-term
risks, thus comes the unfortunate realization that many elderly statesmen view cyberwar
as merely an abstract restricted to the imagination of science fiction writers.
	 The paradigm behind cyberwar is not a concept born out of a vacuum. Recent
developments reported in international news media bring to light the beginning, but
dramatically improving, capabilities of state actors. Famous examples include:
- 	 2003 to 2006: Titan Rain was the designation given by the US government to a
series of coordinated attacks on American computer systems by China [5].
- 	 2007: a three-week wave of massive cyber-attacks came upon Estonia by
Russia, the first known incidence of such an assault on a state, caused alarm
across the Western alliance, with NATO urgently examining the offensive and
its implications [6].
- 	 2008: Weeks before bombs started falling, attacks against Georgia’s Internet
infrastructure were conducted by Russians. The cyberwar had the effect
of silencing the Georgian media and isolating the country from the global
community. Furthermore, the Georgian population experienced a significant
informational and psychological defeat, as they were unable to communicate
what was happening to the outside world [7].
- 	 2009: GhostNet is the name given by the Information Warfare Monitor to a
large-scale espionage operation by China. High-value targets included ministries
of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei,
Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania,
Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the
ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South
Asian Association for Regional Cooperation), and the Asian Development
Bank; news organizations; and an unclassified computer located at NATO
headquarters [8].
- 	 2010: Stuxnet is a highly sophisticated computer worm that sabotaged the
uranium enrichment equipment of the Natanz nuclear facility in Iran, by
Israel and USA [9]. This operation was deemed as a cheaper alternative than
sending attack aircraft to bomb the nuclear facility.
- 	 2011 and 2012: Duqu was found in 2011 [10], and Flame in 2012 [11]. Both
worms are related to Stuxnet.
- 	 2011: the Syrian Electronic Army used DDoS attacks, phishing scams, and
other tricks to fight opposition activists where they're strongest, which is
online[12]. Syrian President Bashar al-Assad's forces are currently in a state of
civil war, and determined to defeat the protest movement that toppled fellow
dictators in Egypt, Libya, and Tunisia.
- 	 2012: Here at home, a barrage of website vandalisms and e-mail intrusion
attempts were experienced and are correlated with the diplomatic tensions
between the Philippines and China arising from territorial disputes in the West
Philippine Sea. The events are tracked and reported by local news media [13].
Known State Actors
	 Several nations have declared their respective government policies and military
strategies on cyberwar. Basically, these nations have come up with their cyberwar
doctrines and their rules of engagement, defined what can constitute an act of war, and
have established what are their proper measures to take in response.
	 The North Atlantic Treaty Organization (NATO) has established a strategic
concept for the defense and security of their member states. On 19 November 2010, NATO
stated that "We will ensure that NATO has the full range of capabilities necessary to deter
and defend against any threat to the safety and security of our populations. Therefore,
we will...develop further our ability to prevent, detect, defend against and recover from
cyber-attacks, including by using the NATO planning process to enhance and coordinate
national cyber-defence capabilities, bringing all NATO bodies under centralized cyber
protection, and better integrating NATO cyber awareness, warning and response with
member nations[14]."
	 Also in the latter part of 2010, U.S. DoD Deputy Secretary William J. Lynn III
said that "the Pentagon has formally recognized cyberspace as a new domain of warfare.
Although cyberspace is a man-made domain, it has become just as critical to military
operations as land, sea, air, and space. As such, the military must be able to defend and
operate within it. To facilitate operations in cyberspace, the Defense Department needs an
appropriate organizational structure." [15] On May 21 of 2010, the U.S. Cyber Command
(USCYBERCOM) achieved their initial operational capability, with General Keith Alexander
as their commander [16].
	 USCYBERCOM is a sub-unified command subordinate to U.S. Strategic Command
(USSTRATCOM). Their mission statement is "USCYBERCOM plans, coordinates, integrates,
synchronizes, and conducts activities to: direct the operations and defense of specified
Department of Defense information networks and; prepare to, and when directed, conduct
full-spectrum military cyberspace operations in order to enable actions in all domains,
ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."
	 The work focus is that "USCYBERCOM will fuse the Department’s full spectrum
of cyberspace operations and will plan, coordinate, integrate, synchronize, and conduct
activities to: lead day-to-day defense and protection of DoD information networks;
coordinate DoD operations providing support to military missions; direct the operations
and defense of specified DoD information networks and; prepare to, and when directed,
conduct full spectrum military cyberspace operations. The command is charged with pulling
together existing cyberspace resources, creating synergy that does not currently exist and
synchronizing war-fighting effects to defend the information security environment.
	 USCYBERCOM will centralize command of cyberspace operations, strengthen DoD
cyberspace capabilities, and integrate and bolster DoD’s cyber expertise. Consequently,
USCYBERCOM will improve DoD’s capabilities to ensure resilient, reliable information
and communication networks, counter cyberspace threats, and assure access to cyberspace.
USCYBERCOM’s efforts will also support the Armed Services’ ability to confidently
conduct high-tempo, effective operations as well as protect command and control systems
and the cyberspace infrastructure supporting weapons system platforms from disruptions,
intrusions and attacks."
	 In the United Kingdom, the UK Cyber Security Strategy [17], published in November
2011, called for the creation of a dedicated and integrated civilian and military capability
within their MoD, and setting up the Defence Cyber Operations Group (DCOG)[18]. An
interim DCOG is supposed to be in place by April 2012, and is expected to achieve full
operational capability by April 2014. The DCOG "will include a Joint Cyber Unit hosted
by GCHQ at Cheltenham whose role will be to develop new tactics, techniques and plans
to deliver military effects." "A second Joint Cyber Unit embedded within the centre at
Corsham will develop and use a range of new techniques, including proactive measures,
to disrupt threats to (UK's) information security." Basically, DCOG is developing an
offensive capability to respond to UK's enemies who are trying to launch attacks against
their critical infrastructure, detect and disrupt espionage operations, or disable weapons
of mass destruction through cyber attacks.
	 Many counter-terrorist operators in the world appreciated a taste of British humor
when MI6's "Operation Cupcake" became public in June 2011 [19]. British intelligence
penetrated an al-Qaeda online magazine and replaced bomb-making instructions with a
recipe for cupcakes.
	 Australia's Cyber Security Operations Centre (CSOC), based within the Defence
Signals Directorate (DSD), focuses on identifying and responding to cyber incidents of
national significance[20]. It is interesting to note that the language used by CSOC is less
aggressive than their American and British counterparts.
	 Unit 8200 is from Israel, and known to be one of the most active and advanced
groups of cyberwar operators in the world [21]. Although they are the largest unit in the
Israel Defense Forces (IDF), and their alumni have started up many international high-tech
companies like Check Point Software Technologies, there is not much information known
about them. It is observed that their missions fit Israel's defense doctrine very well,
including the conduct of pre-emptive strike operations, and that any combat should take place
on enemy territory as much as possible.
	 In the South East Asian region, South Korea's Ministry of National Defense [22]
launched a Cyber Command in January 2010, under the control of their Defense Security
Command (DSC). They also added that with their 200 specialists, they have the capability
to conduct both defensive and offensive cyber operations, under the direction of the
defense minister.
	 Meanwhile, North Korea's Reconnaissance Bureau of the General Staff Department
[23] is credited with capabilities trailing only those of the Americans and the Russians
[24]. From April 28 until May 13 of 2012, GPS signals were jammed in S. Korea by the electronic
combatants of N. Korea, causing difficulties in air and marine traffic controls.
	 Senior Colonel Geng Yansheng, spokesperson for China's Ministry of National
Defense as well as director-general of the Information Office of the Ministry of National
Defense, announced in May 2011 that their People's Liberation Army (PLA) established
an "Online Blue Army" in order to enhance Chinese troops' network protection only [25].
Many observers worldwide, however, believe that their unit with at least 30 operators,
organized under the Guangdong Military Command, is an essential part of China's assets
that are responsible for being the single largest source of cyber attacks [26].
	 Very recently, however, Chinese telecom companies Huawei and ZTE have been tagged
by the U.S. Congress as a security threat to the critical infrastructure of the United States,
by providing equipment that is alleged to be capable of relaying American secrets back
to China. In their intelligence report, the Americans state that "China has the means,
opportunity and motive to use telecommunications companies for malicious purposes."
"Based on available classified and unclassified information, Huawei and ZTE cannot be
trusted to be free of foreign state influence and thus pose a security threat to the United
States and to our systems," the report says [27].
Casus Belli
	 Article II, Section 2, of the 1987 Constitution of the Philippines states that our
nation "renounces war as an instrument of national policy, adopts the generally accepted
principles of international law as part of the law of the land and adheres to the policy
of peace, equality, justice, freedom, cooperation, and amity with all nations" [28]. Article
II, Section 7 also says that "The State shall pursue an independent foreign policy. In its
relations with other states, the paramount consideration shall be national sovereignty,
territorial integrity, national interest, and the right to self-determination."
	 The Philippines is a very peaceful nation, and throughout history, it has never
even dreamt of occupying another nation-state. On the contrary, the Philippines has
been occupied by other nation-states in its hundreds of years of existence as a nation. The
rejection of war as a national policy is consistent with the Charter of United Nations, which
says in Chapter I, Article 1, that "All Members shall refrain in their international relations
from the threat or use of force against the territorial integrity or political independence of
any state, or in any other manner inconsistent with the Purposes of the United Nations"
[29].
	 However, the 1987 Constitution of the Philippines only disowns aggressive war,
but not defensive war, which will only be for the preservation of national honor, integrity,
and the security of the Filipino. The nation-state of the Philippines will not waive the
fundamental right of self-preservation. President Benigno S. Aquino III upholds the 1987
Constitution by documenting his statement of principles in his National Security Policy
2011-2016, saying that "The Philippines needs to develop a defensive capability against
perceived or real external security threats" [30].
	 The National Security Policy intends to promote internal socio-political stability
by: ensuring the effective delivery of basic services; helping to protect the nation's natural
resources and reducing the risks of disasters; promoting economic reconstruction and
ensuring sustainable development through increased investments in critical infrastructures;
pursuing reforms in the security sector; strengthening institutions and internal mechanisms
to safeguard public order and security; contributing to the strengthening of the rule of law
throughout the country; promoting the peace process as the centerpiece of the Internal
Security Program; and launching a holistic program to combat terrorism. The National
Security Policy also wants the Philippines to develop a defense capability to protect its
sovereignty and strategic maritime interests.
	 The term "critical infrastructure" was officially defined and recognized
back on 24 September 2003 when the Cabinet Oversight Committee on Internal Security
(COC-IS) created the Task Force for Security of Critical Infrastructures (TFSCI), headed
by Undersecretary Abraham Purugganan [31]. Critical infrastructures are vital not only
for economic growth and development, but also as necessary means for the conduct of
each Filipino's daily life. Critical infrastructure includes assets or facilities for: energy
generation, transmission and distribution; information and communications systems;
transportation systems; public health facilities; financial services; government public
safety and emergency services; agriculture and food production and distribution; strategic
commercial centers; as well as religious and cultural centers. TFSCI, now defunct, then
coordinated all government efforts to manage and mitigate any threats against the critical
infrastructure as those are deemed threats to the national security of the Philippines.
	 Any threat or attack conducted through cyberspace, against the national security
of the Philippines, should be identified, assessed, and then mitigated, if not eliminated.
These threats involve espionage, terrorism, sabotage, or subversive activities. If an attack
through the domain of cyberspace by another state yields death or physical injury of
people, property damage, disruption of critical infrastructure, overthrow of the legitimate
government of the Philippines, hostile disclosure of state secrets, with an outcome
equivalent to a conventional military attack, then that event should merit an appropriate
military action. The amount of damage caused by the cyber attack, whether actual or
implied, should be used as a metric as to what will justify proper retribution.
	 To add to previously mentioned real-world examples of cyberwar operations, other
scenarios that could cause harm to the national security of the Philippines include, but are
not limited to: opening of dams to intentionally drown entire communities; disruption of air traffic
navigation controls to cause chaos in, or death from, the skies; suppression of TV or public radio
infrastructure; theft of confidential e-mail containing state secrets regarding the diplomatic
position of the Philippines versus China, in relation to disputes in economic trade as well
as territories in the West Philippine seas; as well as hijacking of phone and Internet assets for
espionage purposes.
	 The guidelines set by the National Security Policy of President Aquino may be
interpreted to allow only the undertaking of defensive actions in a foreign state, or if
within the Philippines, only if reliable intelligence reports indicate that there is a clear
and present danger against national security, that would have disastrous consequences
like death or loss of critical infrastructure. This practically means that the Armed Forces
of the Philippines may not be tasked to employ kinetic weapons against the aggressor, but
instead employ cyberwar operations to stop the source of cyber attacks.
Rules of Engagement (ROE)
	 The directive that controls the use and degree of force, how and when, for what
duration and what target, that generally specifies the circumstances and limitations for
engagement, is called the Rules Of Engagement. The complexity and technical aspect of
a cyber attack operation, coupled with the fact that targets may appear or disappear in a
matter of seconds, would require careful planning and development of the ROE.
Guidelines for crafting the ROE
	 ROE must take into consideration all applicable domestic and international law,
operational concerns, and political considerations [32]. The recommended underlying
doctrine for drafting the ROE should be Bellum Iustum, or the Just War theory. Part 3,
Section 2, Chapter 2, Article 5, Paragraph 2309, from the Catechism of the Catholic Church
[33], gives us the following "conditions that are subject to the prudential judgement of
those who have responsibility for the common good."
- 	 The damage inflicted by the aggressor on the nation or community of nations
must be lasting, grave, and certain;
- 	 All other means of putting an end to it must have been shown to be impractical
or ineffective;
- 	 There must be serious prospects of success;
- 	 The use of arms must not produce evils and disorders graver than the evil to
be eliminated.
	 In general peacetime conditions, which the Philippines expects to find itself in most
of the time, the ROE is to be dictated by the principles of necessity and proportionality [34].
"Necessity" requires that, for cyber operations conducted in self-defense, a hostile
act occur (i.e. acts of espionage, sabotage, or subversion), or a force or terrorist unit exhibit
hostile intent. An example would include a cyber attack on a positively identified target
that has been qualified by reliable intelligence reports. The "proportionality" principle
states that the force used must be reasonable in intensity, duration, and magnitude, based
on all facts known to the cyber commander at the time, to decisively counter the hostile act
or hostile intent.
	 Components, other than hostile threat or hostile act, that affect the principles of
necessity and proportionality may include:
- 	 Threat sources and their identification, capabilities of the adversary,
characteristics of adversary's intent, how the adversary analyzes their target,
and range of effects for non-adversarial threat sources
- 	 Threat event identification, and its relevance
- 	 Vulnerabilities of Philippine critical infrastructure and other assets affecting
national security, pervasiveness and severity of the said vulnerabilities
- 	 Likelihood of the hostile threat to occur
- 	 Impact or effects on critical infrastructure and other assets affecting national
security
	 After the ROE has been analyzed, and permissions have been granted to the
cyber combatant by the commander, the following steps may occur in the cyber attack:
Set Mission Objectives > Establish Baseline Condition of Targets > Recon: Research Target
Information > Discover and Assess Vulnerabilities > Analyze Situation; Plan Attack >
Execute War Plans; Exploit Vulnerabilities; Escalate System Privileges > Re-Engage Other
Targets > Produce Analysis and Report > Re-Set Targets Information Systems to Original
Condition (Optional)
Conclusion
	 Mary Ann Davidson, the Chief Security Officer of Oracle Corporation, testified on
10 March 2009 to the Homeland Security Subcommittee on Emerging Threats, Cybersecurity
and Science and Technology. She says that there are a few challenges when applying the
American Monroe Doctrine to cyberspace [35].
- 	 Credibility: the deterrence strategy needs teeth to be credible.
- 	 Invocation Scenarios: there should be an escalation framework, where some
instances can invoke cyberwar.
- 	 Attribution: Detecting attacks is hard enough already, and attributing them
correctly is even harder, but not impossible.
	 Taking those said technical and ethical challenges into consideration, along with the
unsettled doctrine guiding cyberwar and the unformulated jus ad bellum of cyberwar, while state
and non-state actors in cyberspace build up their capacity for initiating threat events, the time
to recognize cyberspace as a new combat domain is now. The correct time to investigate
the Philippine capacity to engage in cyberwar should be prior to the conduct of cyber
operations, not during an emotional or desperate situation, or after being shamed on the
international scene. The Philippines has all the pieces to put a Cyber Command in place,
and can have it done right from the start, to engage, sustain, and achieve objectives in
cyberspace.
# # #
Endnotes
[1] 	 Alexander Merezhko; International Convention on Prohibition of Cyberwar in
Internet; http://www.Politik.org.UA/vid/publcontent.php3?y=7&p=57
[2] 	 Alexander Moseley; The Philosophy of War; http://www.IEP.UTM.edu/war/
[3] 	 Brian Orend; War; http://Plato.Stanford.edu/entries/war/
[4] 	 Sandro Gaycken; Cyberwar – Das Internet als Kriegsschauplatz; https://www.
OpenSourcePress.DE/index.php?26&tt_products=313
[5] 	 Nathan Thornburgh; The Invasion of the Chinese Cyberspies; http://www.Time.
com/time/printout/0,8816,1098961,00.html
[6] 	 Ian Traynor; Russia Accused Of Unleashing Cyberwar To Disable Estonia; http://
www.Guardian.co.UK/world/2007/may/17/topstories3.russia
[7] 	 Capt. P. Shakarian; The 2008 Russian Cyber Campaign Against Georgia;
http://USACAC.Army.mil/CAC2/MilitaryReview/Archives/English/
MilitaryReview_20111231_art013.pdf
[8] 	 Information Warfare Monitor; Tracking GhostNet; http://www.InfoWar-Monitor.
net/research/
[9] 	 Nate Anderson; Confirmed: US And Israel Created Stuxnet, Lost Control Of It; http://
Arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-
control-of-it/
[10] 	 Budapest University of Technology and Economics; Duqu: A Stuxnet-Like
Malware Found In The Wild; http://www.CrySys.HU/publications/files/
bencsathPBF11duqu.pdf
[11] 	 Kim Zetter; Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers;
http://www.Wired.com/threatlevel/2012/05/flame/
[12] 	 Max Fisher & Jared Keller; Syria's Digital Counter-Revolutionaries; http://
www.TheAtlantic.com/international/archive/2011/08/syrias-digital-counter-
revolutionaries/244382/
[13] 	 Chiara Zambrano; Chinese Hackers Have More Sinister Plans; http://rp1.ABS-
CBNnews.com/nation/04/27/12/chinese-hackers-have-more-sinister-plans-
experts-warn
[14] 	 NATO; Active Engagement, Modern Defence; http://www.NATO.int/cps/en/
natolive/official_texts_68580.htm
[15] 	 William J. Lynn III; Defending a New Domain; http://www.Defense.gov/home/
features/2010/0410_cybersec/lynn-article1.aspx
[16] 	 https://www.CYBERCOM.mil (Access restricted.)
[17] 	 The UK Cyber Security Strategy; http://www.CabinetOffice.gov.UK/sites/default/
files/resources/uk-cyber-security-strategy-final.pdf
[18] 	 http://www.MoD.UK/DefenceInternet/AboutDefence/WhatWeDo/
DoctrineOperationsandDiplomacy/JFC/
[19] 	 http://www.Telegraph.co.UK/news/uknews/terrorism-in-the-uk/8553366/MI6-
attacks-al-Qaeda-in-Operation-Cupcake.html
[20] 	 http://www.DSD.gov.AU/infosec/csoc.htm
[21] 	 http://Dover.IDF.IL/IDF/English/News/today/2008n/09/0101.htm
[22] 	 http://www.KoreaTimes.co.KR/www/news/nation/2009/12/205_56502.html
[23] 	 http://www.GlobalSecurity.org/intell/world/dprk/rb.htm
[24] 	 Choi He-Suk, The Korea Herald; N. Korea Has Third Most Powerful Cyberwar
Capabilities; http://www.Stripes.com/news/pacific/n-korea-has-third-most-
powerful-cyberwar-capabilities-1.179826
[25] 	 http://English.People.com.CN/90001/90776/90786/7392182.html
[26] 	 http://www.FoxNews.com/tech/2011/05/26/china-confirms-existence-blue-
army-elite-cyber-warfare-outfit/
[27] 	 U.S. House of Representatives; Investigative Report on the U.S. National Security
Issues Posed by Chinese Telecommunications Companies Huawei and ZTE; http://
Intelligence.House.gov/sites/intelligence.house.gov/files/documents/Huawei-
ZTE%20Investigative%20Report%20%28FINAL%29.pdf
[28] 	 The 1987 Constitution Of The Republic Of The Philippines; http://www.Gov.
PH/the-philippine-constitutions/the-1987-constitution-of-the-republic-of-the-
philippines/the-1987-constitution-of-the-republic-of-the-philippines-article-ii/
[29] 	 Charter of the United Nations; http://www.UN.org/en/documents/charter/
chapter1.shtml
[30] 	 National Security Policy 2011-2016: Securing the Gains of Democracy; http://www.
Gov.PH/2011/08/18/national-security-policy-2011-2016/
[31] 	 Rose Palacio; Task Force To Protect Critical Infrastructure; http://Archives.PIA.
gov.PH/?m=12&sec=reader&rp=1&fi=p040916.htm&no=7&date=09/16/2004
[32] 	 https://rdl.Train.Army.mil/catalog/view/100.ATSC/0EF89CA1-2680-4782-B103-
D2F5DC941188-1274309335668/7-98-1/chap2l4.htm
[33] 	 Catechism of the Catholic Church; http://www.Vatican.VA/archive/ENG0015/__
P81.HTM
[34] 	 Defining The Rules Of Engagement; http://www.GlobalSecurity.org/military/
library/report/call/call_96-6_roesec2b.htm
[35] 	 Mary Ann Davidson; The Monroe Doctrine in Cyberspace; http://www.WhiteHouse.
gov/files/documents/cyber/Davidson%20MaryAnn%20-%20The%20Monroe%20
Doctrine%20in%20Cyberspace.pdf
The Evolving Landscape on
Information Security
Wilfred G. Tan, Carlos T. Tengkiat & Simoun S. Ung
Introduction
We all have a preconceived notion of information technology security; however,
for a lot of organizations this value is subjective because there is an acceptability
of risk. This is not to imply a particular organization is unaware of the value
of security; it may simply be that the organization needs to consider the allocation of its
resources for security relative to the value of the asset being protected.
	 A large number of organizations, as evidenced by strong growth and interest in
security standards such as PCI-DSS [1], either depend on or follow guidelines set forth by
government institutions and standards bodies. Conventional wisdom dictates that following
guidelines is normally a good approach. As a security officer, planner or executive, one
should always consider going beyond the existing standard and be reminded that
security standards are developed in response to already recorded and occurring incidents.
Moreover, security standards take time for the standard setting bodies to create, review,
approve and implement. Security is a living practice and needs the proper attention, time
and consideration.
	 Laying out and maintaining a comprehensive cyber security plan not only requires
expertise, but also involves careful thought, assessment, and constant refinement and
adjustments. In addition, legal frameworks differ from country to country; therefore, best
practices in one country are not directly portable to a different country, even within similar
industries. Unlike more traditional crimes such as theft and robbery, the specific rules and
regulations tend to be varied at best for cyber-security and cyber-crime related incidents.
	 Computer security related incidents have risen significantly over the past decade
[2] and there is every indication that this trend will continue for the foreseeable future. The
Global Security Report of Trustwave[3] presents the origin of cyber-attacks:
	 Russia leads the statistics with 29.6% in the data [3]. However, because 32.5% of all
attacks are of unknown origin, it can be as likely (or equally unlikely) that any one
nation is the single source or culprit of all of the incidents. Pinpointing the location in a
timely manner is very difficult, if not impossible, given that the technology today allows
users to use anonymous proxies to connect to the Internet which further compounds the
problem.
	 This article is written for non-technical executives and policy makers, whose
responsibilities require them to interact with information security professionals, as a primer
on the current landscape of information security as well as its likely evolution. Security
professionals and practitioners are already well-versed in the material contained herein.
The paper examines the motivation behind cyber-attacks followed by a survey of common
threats and attack variants. It then presents the popular defensive strategies followed by a
discussion of future challenges and developments.
Motivation
	 Behind all threats and cyber security breaches are either individuals or organizations.
Cyber security incidents do not occur in a vacuum. Generally, the motive behind a cyber-
attack can be classified as follows: personal reasons, unlawful profiteering, corporate or
national interests, and other purposes.
Personal Reasons
	 Personal reasons for conducting a cyber-attack include peer recognition, revenge,
personal gain or satisfaction, and even curiosity. Some intruders derive a perverse sense
of fun from conducting the attack and revel in the psychic income of being noted for
notoriety.
Unlawful Profiteering
	 Perhaps the most common motivation for conducting a cyber-attack is financial
gain. The primary goal of fraud is to gather information that can be used to access funds of
other entities for illicit proceeds. Popular targets include savings accounts and payment
card (debit and credit) data. Organized criminal syndicates are the primary perpetrators of
these attacks. Inopportunely, the skill and savoir-faire developed are often adopted for use
in cyber-terrorism and other cyber-attacks.
	 Although there is no data for the Philippines, a study conducted by eWEEK Europe
in 2010[4] on a simulated auction of stolen data determined that the relative value of data
is primarily determined by the purchaser. The end goal remains the same: to obtain information
through illegal and fraudulent means which can be used for financial gain. Information
itself has become a commodity; it can be traded, bought and sold.
Corporate or National Interests
	 The strategic objectives for a corporation or nation-state are sometimes achieved by
attacking others using cyber-warfare capabilities. The intent may be to disable a nuclear
enrichment program or a more mundane purpose such as to spy on, steal or subvert a rival’s
plans and secrets.
	 In mid-2010, Stuxnet was discovered. The singular aim of this worm was to disable
and destroy Siemens industrial equipment which was specifically used to control centrifuges
that create nuclear material for a fissionable weapon. According to a study by Symantec in
August 2010 [5], 60% of the computers infected by Stuxnet were in Iran, suggesting a highly
‘targeted’ operation. The worm’s sophistication and intelligence suggested a nation-state
level of sponsorship; speculation was rife that the United States and Israeli forces were at
least partially responsible for the development and deployment of the worm.[5]
Threat Evolution
	 Approaches to attacks have evolved over time, adapting to developments in
technology. Tools for exploiting systems have evolved considerably; likewise, tools that
are available for testing and exploiting vulnerabilities are readily available in the market.
There are even attack platforms freely available that ironically were intended to test the
security of a system. Several of the more common threats are outlined below: physical,
cyber-stalking, social engineering, phishing, distributed denial of service, network attacks
and malwares.
Physical
	 In the 1980s, the common practice was to actually go onto the premises of the
target company or to harvest data from unprotected sources. Criminals would find ways
to physically obtain storage media or hardcopies of data. Dumpster diving, or the sifting
through garbage and trash to find bits and pieces of information, is still practiced today.
The careless disposal of seemingly innocuous information such as an obsolete version of an
information security plan, PIN mailers, passwords, social security numbers, et cetera can
facilitate an attack via social engineering or phishing.
	 Today, practices have improved to include tapping into data cabling that is
accessible from unsecured areas and the access of unlocked, accessible computer servers
and systems. It is still a common occurrence for unencrypted, sensitive data to be lost or
stolen from physical media such as USB flash drives, laptops and cellular phones.
Cyber-Stalking
	 Cyber-stalkers assault their victims using electronic communication: email, instant
messaging (IM) and/or posts to a website or discussion group. While most cyber-attacks
target an organization, cyber-stalking tends to be of a more personal nature. Cyber-stalkers
typically gather personal and private information about their target then send them harassing
or threatening messages.
	 Trolling is a form of cyber-stalking in which negative posts, comments or other
defamatory statements are made which are injurious to the reputation or emotional health
of the victims. When committed by more than one individual, trolling is also known as
cyber-bullying. Sadly, there are cases involving teens which have resulted in the victims
committing suicide.
Social Engineering
	 A social engineering cyber-attack involves the manipulation of people to perform
certain actions that can compromise security; this requires a solid understanding of human
responses and behaviour. Although physical contact is not necessary, some form of trickery
to gain the confidence of the target is employed. A social engineering attack occurs in two
phases: information gathering, then the pretext stage in which a believable story is crafted
in order to earn legitimacy and gain the trust of the target.
	 Social engineering is not strenuous on the attacker, thus it is normally employed
in conjunction with other forms of cyber-attack. The insertion of malware into otherwise
hardened, secure systems is a common combination with social engineering. Many enterprise
systems are well protected and require significant time and effort to breach. However, if
the attackers are able to use social engineering to insert physical media such as USB flash
drives into the internal network, then all the external defences are immediately bypassed.
	 Based on a recently conducted social engineering study [6], companies with well-
implemented security awareness protocols are more resistant to social engineering tactics.
Participants in the oil industry fared better compared to less security aware industries
like retail. The questions in this study were designed to expose the
security design and architecture of the respondent’s organization:
	 The study [6] revealed that certain data can be harvested from the internet itself.
Researchers were able to utilize the data culled from the internet in their social engineering
tasks to profile a target’s internal security implementation. The table below displays the
details gathered from the questionnaire above in blue while the additive information
garnered from the internet is shown in red:
	 Recently, face-to-face social engineering tactics have been increasing; this is
disquieting since it may expose the targeted individual to physical danger.
Phishing
	 Phishing is an email-based fraud method using legitimate looking email designed
to gather personal and financial information from its targets. The attackers craft emails that
blend a false premise with the spoofing of trustworthy websites, and victims are encouraged
to click on links, send information and otherwise respond. The attackers then use social
engineering techniques to extract personal and financial information. Since emails
are generally from an external source, incorporating dangerous payloads in the message
requires negligible effort. There are several types of phishing techniques:
·	 Phishing – Emails are masqueraded so as to obtain usernames and passwords from
the users via electronic communication.
·	 Spear Phishing – Phishing targeted at specific individuals; personal information
on the target is gathered to increase the probability of success.
·	 Clone Phishing – A previously legitimate and delivered email is used as a template
and cloned; the cloned email, with links and attachments modified, is resent to
the victim. This method exploits the social trust between the parties that sent the
email.
·	 Whaling – Phishing targeting high profile victims.
	 Phishing is not restricted to electronic information nor to electronic communication
channels. Some phishing emails contain telephone numbers, purporting to be customer
service; the unsuspecting victim is lured to call and unwittingly give personal information
that can later be used by the attacker. One of the best known phishing emails is the “Nigerian
scam.” Although there are many variations, the content is essentially the same with the
sender pretending to have access to a large amount of funds and requiring the assistance of
the victim to gain access to the said funds:
FROM: MR DAN PATRICK. DEMOCRATIC REPUBLIC OF CONGO.
ALTERNATIVE EMAIL: (patrickdan@rediffmail.com).
Dear Sir,
SEEKING YOUR IMMEDIATE ASSISTANCE. Please permit me to
make your acquaintance in so informal a manner. This is
necessitated by my urgent need to reach a dependable
and trust wordy foreign partner. This request may seem
strange and unsolicited but I will crave your indulgence
and pray that you view it seriously. My name is. DAN
PATRICK of the Democratic Republic of Congo and One of
the close aides to the former President of the Democratic
Republic of Congo LAURENT KABILA of blessed memory, may
his soul rest in peace. Due to the military campaign of
LAURENT KABILA to force out the rebels in my country,
I and some of my colleagues were instructed by Late
President Kabila to go abroad to purchase arms and
ammunition worth of Twenty Million, Five Hundred Thousand
United States Dollars only (US$20,500,000.00) to fight
the rebel group. But when President Kabila was killed
in a bloody shoot-out by one of his aide a day before
we were schedule to travel out of Congo, We immediately
decided to divert the fund into a private security
company here in Congo for safe keeping. The security
of the said amount is presently being threatened here
following the arrest and seizure of properties of Col.
Rasheidi Karesava (One of the aides to Laurent Kabila)
a tribesman, and some other Military Personnel from
our same tribe, by the new President of the Democratic
Republic of Congo, the son of late President Laurent
Kabila, Joseph Kabila. In view of this, we need a reliable
and trustworthy foreign partner who can assist us to move
this money out of my country as the beneficiary. WE have
sufficient ‘’CONTACTS’’ to move the fund under Diplomatic
Cover to a security company in the Europe in your name.
This is to ensure that the Diplomatic Baggage is marked
‘’CONFIDENTIAL’’ and it will not pass through normal
custom/airport screening and clearance. Our inability
to move this money out of Congo all This while lies on
our lack of trust on our supposed good friends (western
countries) who suddenly became hostile to those of us
who worked with the late President Kabila, immediately
after his son took office. Though we have neither seen
nor met each other, the information we gathered from an
associate who has worked in your country has encouraged
and convinced us that with your sincere assistance, this
transaction will be properly handled with modesty and
honesty to a huge success within two weeks. The said
money is a state fund and therefore requires a total
confidentiality. Thus, if you are willing to assist us
move this fund out of Congo, you can contact me through
my email address above with your telephone, fax number
and personal information to enable us discuss the
modalities and what will be your share (percentage) for
assisting us. I must use this opportunity and medium to
implore You to exercise the utmost indulgence to keep
this Matter extraordinarily confidential, Whatever your
Decision, while I await your prompt response. NOTE:
FOR CONFIDENTIALITY, I WILL ADVISE YOU REPLY ME ON MY
ALTERNATIVE EMAIL BOX (patrickdan@rediffmail.com).Thank
you and God Bless.
Best Regards,
MR DAN PATRICK.
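The traits that mark the sample above as an advance-fee phishing message can be checked mechanically. The following is an added example, not part of the original paper: the indicator names, the patterns, the threshold and the sender addresses are assumptions made for illustration, and keyword rules of this kind support awareness training and triage rather than replace a mail filter.

```python
import re

# Indicator patterns modelled on the sample message; the indicator names and
# the threshold are assumptions made for this illustration.
INDICATORS = {
    "large_sum": re.compile(r"\$\s?\d{1,3}(?:,\d{3}){2,}|\b(?:million|billion)\b", re.I),
    "secrecy_or_urgency": re.compile(
        r"\bconfidential(?:ity)?\b|\burgent\b|\bimmediate(?:ly)?\b", re.I),
    "asks_personal_data": re.compile(
        r"\b(?:telephone|fax number|personal information|password)\b", re.I),
    "stranger_offers_share": re.compile(
        r"\b(?:foreign partner|beneficiary|your share)\b", re.I),
    "reply_elsewhere": re.compile(r"\balternative\s+e-?mail\b", re.I),
}
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
THRESHOLD = 3  # number of indicators at which a message is flagged


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def analyze(sender, body):
    """Return the indicators that fired, their count, and the verdict."""
    fired = [name for name, pattern in INDICATORS.items() if pattern.search(body)]
    # An address in the body on a different domain than the sender moves the
    # conversation to a mailbox the recipient has no way to verify.
    off_domain = {a.lower() for a in ADDRESS.findall(body)
                  if domain_of(a) != domain_of(sender)}
    if off_domain:
        fired.append("reply_address_mismatch")
    return {"indicators": sorted(fired),
            "score": len(fired),
            "suspicious": len(fired) >= THRESHOLD}


# Condensed excerpt of the sample message above. The sender address is
# constructed, because the sample shows only the "alternative" mailbox.
SCAM_SENDER = "dan.patrick@mail.example"
SCAM_BODY = (
    "SEEKING YOUR IMMEDIATE ASSISTANCE. This is necessitated by my urgent need "
    "to reach a dependable and trust wordy foreign partner. We were instructed "
    "to purchase arms and ammunition worth of Twenty Million, Five Hundred "
    "Thousand United States Dollars only (US$20,500,000.00). The said money is "
    "a state fund and therefore requires a total confidentiality. You can "
    "contact me through my email address above with your telephone, fax number "
    "and personal information to enable us discuss what will be your share. "
    "FOR CONFIDENTIALITY, I WILL ADVISE YOU REPLY ME ON MY ALTERNATIVE EMAIL "
    "BOX (patrickdan@rediffmail.com)."
)

# Constructed routine business message for comparison.
BENIGN_SENDER = "billing@supplier.example"
BENIGN_BODY = (
    "Hello, attached is invoice 1042 for the March order. The total is "
    "$1,250.00. Questions can go to billing@supplier.example. Regards, "
    "Accounts team"
)

if __name__ == "__main__":
    print(analyze(SCAM_SENDER, SCAM_BODY))
    print(analyze(BENIGN_SENDER, BENIGN_BODY))
```

A single indicator, such as the word "urgent" in an internal notice, stays below the threshold; it is the combination of traits that flags the message.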
Distributed Denial of Service (DDOS)
	 DDOS is one of the older forms of attacks that are still popular today. In a DDOS
attack scenario, the victim typically finds their system slowed to a crawl or unable to respond
at all. There are several variants that are commonly used such as ICMP Flooding, SYN
flooding, Teardrop, and others. The defining aspect of DDOS attacks is the rendering of
the target system crippled or inoperable, thereby denying service to the system’s legitimate
users. As recently as mid-2012, DDOS attacks against major financial institutions such as
HSBC, Bank of America, and JP Morgan Chase were recorded. [7]
	 The duration and severity of the attack is dependent on the number of zombies,
or slave computers, used by the attacker, and the resiliency of the target computer(s) to
withstand the attack. A DDOS attack may be used in conjunction with other attacks to exploit
vulnerabilities exposed while the DDOS attack is in progress; sometimes, a DDOS attack is
a diversionary tactic to enhance the probability of success of other attack methods. Major
disruptions to critical infrastructure like defense, utilities and banking will result not only
in mere inconvenience due to loss of services but also in significant financial and economic
losses.
Network attacks
	 The U.S. Department of Defense refers to network attacks as “actions taken through
the use of computer networks to disrupt, deny, degrade, or destroy information resident in
computers and computer networks, or the computers and networks themselves.” [8] If an
attacker successfully connects to the network of the target, innumerable opportunities to
launch attacks are made available.
	 Common mistakes in network security are weak, default or non-existent administrator
passwords. Moreover, ill-designed networks also allow easy access to database servers,
the usual targets for data mining. Attackers can use SQL injection, in which direct SQL text
is encoded as part of the attack stream, in an attempt to subversively access a back-end
database system.
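The difference between SQL text assembled from input and a bound parameter can be shown against a small in-memory database. This is an added example, not part of the original paper; the table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Create an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO accounts (owner, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("o'brien", "3333")],
    )
    return db


def lookup_concatenated(db, owner):
    """Vulnerable form: the caller's text becomes part of the SQL statement."""
    query = "SELECT owner, card_last4 FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, owner):
    """Hardened form: the value is bound to a placeholder, never parsed as SQL."""
    query = "SELECT owner, card_last4 FROM accounts WHERE owner = ?"
    return db.execute(query, (owner,)).fetchall()


def compare(owner):
    """Run both lookups on a fresh database and report what each returned."""
    db = make_db()
    try:
        concatenated = lookup_concatenated(db, owner)
    except sqlite3.OperationalError as exc:
        # A legitimate value containing a quote breaks the assembled statement.
        concatenated = "SQL error: %s" % exc
    return {"concatenated": concatenated,
            "parameterized": lookup_parameterized(db, owner)}


# Constructed input whose quote characters change the meaning of the WHERE clause.
CRAFTED_OWNER = "nobody' OR '1'='1"

if __name__ == "__main__":
    for value in ("alice", "o'brien", CRAFTED_OWNER):
        print(repr(value), compare(value))
```

With the crafted value the concatenated query returns every row in the table, while the parameterized query treats the same text as a name that matches nothing.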
Malwares
	 The current trend of cyber-attacks is predominantly associated with malwares.
Trustwave defines malware as “often purposefully designed to capture and extricate
data, provide remote access, or automate compromised systems into a botnet — or to just
cause general mayhem.” [9] Malware comes in a myriad of types and varieties. The common
categories known today include computer viruses, worms, trojan horses, spyware, adware
and root kits.
	 Entire software product suites and solutions have been created to combat malwares.
However, malwares have evolved and continue to do so; they are constantly being updated
to meet challenges of exploiting new vulnerabilities and avoid detection by the users and
by third-party security products. This accounts for the discouraging statistics that show
infections often go undetected. The popularity of malware as an attack vector is evident in
the fact that by 2007 the number of malwares created in that one year alone was equivalent
to the combined total of the previous twenty years.[10]
Malwares are used with great efficacy to achieve a beachhead in infiltrating systems. Some
of the recent incidents involving malware are listed below:
Flame
	 Discovered by the Iranian National Computer Emergency Response Team (CERT),
Kaspersky and CrySyS Lab, Flame is widely considered one of the most sophisticated
pieces of malware ever created.[11] It spreads via local area network or USB. Infected computers
act as a Bluetooth beacon and attempt to harvest contact information from nearby
Bluetooth-enabled devices. At twenty megabytes, Flame is uncharacteristically large for a malware. Its
capabilities include recording of audio, keystrokes, screenshots and Skype conversations;
thus Flame is deemed a cyber-espionage tool.
RSA Breach
	 RSA experienced a security breach in 2011.[12] The attack vector was an email
sent to an employee with an Excel attachment that contained a malware. This malware
exploited vulnerabilities in Adobe Flash and installed a variant of Poison Ivy, a common
remote administration tool. The attackers then obtained critical information including the
token seeds in SecurID and algorithm designs used by RSA; consequently, the RSA security
tokens were rendered vulnerable to exploitation. This directly resulted in cyber-attacks
against Lockheed Martin and L3 Communications, both US military contractors.
	 Malwares have proven to be a very effective and potent tool for cyber-attacks
and their continued use will foster further evolution in sophistication and complexity.
Organizations should take steps to detect and eradicate malwares; depending solely on the
hardening of perimeter defense to prevent malwares from infiltrating an organization is a
common fallacy.
Common Defensive Strategies
	 Information security personnel and teams tend to use several common defensive
strategies. Unfortunately, there is no perfect defensive strategy; therefore, to be effective,
a defensive strategy must be continuously upgraded and assessed against the constantly
evolving cyber-attack mechanisms and methodologies.
Physical
	 There are numerous physical defensive strategies; the most common are the
following:
1.	 Deployment of access systems secured by biometric, ID card, PIN and/or a
combination thereof;
2.	 Closed circuit TV (CCTV) security cameras; and
3.	 Doors, cages, locks and man-traps.
	One of the simplest and most cost-effective strategies is to locate critical servers and
systems in a secure facility; failing that, the servers and systems should be locked in a cage
to prevent unauthorized tampering and access.
Education, Awareness and Security Policies
	 One of the most effective tools to implement or improve security is education and
awareness. Increasing awareness among the staff, peers, management and other employees
is crucial in building support towards implementation of an effective defensive strategy.
Unfortunately, countless executives fail to appreciate the value of security; security seems
to be an afterthought at best, rather than being a critical factor designed into systems
and procedures. Part of the education and awareness process involves formulating,
disseminating and implementing security policies. This is one of the most effective shields
against social engineering attempts, as it reduces the chances of an employee being fooled
into divulging crucial information.
	 The value of information security is not apparent until after an intrusion or breach
occurs. Once such an event occurs, organizations suffer at the minimum reputational
damage. Oftentimes, banks and other financial institutions prefer to pay off the perpetrators
in order to preserve their image since the loss of confidence in their security could cost them
their entire client base.
Prevention
	 The old adage, “an ounce of prevention is better than a pound of cure”, is certainly
applicable to information security. Pro-active measures implemented to prevent a cyber-attack
are more cost-effective than reactive security patches and hardware upgrades in
response to a security incident.
	 In recent months, several Philippine government websites have been defaced.
Most agencies repaired the damage within several hours then simply moved on. Popular
sentiment was that since there is no physical harm done, such acts, while not condoned,
should be tolerated as a form of expression. On the other hand, the U.S. Congress has enacted
laws that consider any form of computer attack on any level against any U.S. government
website as an act of war against the United States. Although defacing a website does not
necessarily compromise any data, the economic cost and reputational damage that such
attacks cause should be considered and an appropriate, measured response executed.
Anti-Virus / Anti-Malware
	 Anti-virus and anti-malware software packages are basic tools of the defensive
trade. A properly updated program helps secure the systems and protects users when they
inadvertently browse or visit pages with malicious content. Most popular packages now
include features and functionality to help protect a web browser.
Patch Management
	 There is no perfect software. As such, the software industry relies heavily on
patches or upgrades to address flaws in the design, implementation, or performance of the
software. Malware exploits known flaws in the installed software to subvert and ultimately
gain control over a machine. Therefore, as a defensive strategy, applying patches to the
operating systems, anti-virus, anti-malware, and other applications helps safeguard computer
systems by fixing the known flaws and vulnerabilities. Beyond the issue of intellectual
property rights, this is the most important, self-serving incentive to procure properly
licensed software as it guarantees that there will be support and maintenance. With open-
source software, it is critical to implement a maintenance cycle to ensure that any bugs or
vulnerabilities in the software are patched quickly and consistently.
Firewalls
Firewalls are network devices that filter traffic; they attempt to segregate the organization’s
network from the public or open traffic that exists beyond its perimeter. Firewalls range from
the basic that protect your home network costing a few thousand pesos to the enterprise
versions costing several millions. There are many brands of firewalls from manufacturers:
Cisco, Juniper, Checkpoint, Fortinet, Huawei, ZTE among others. Of special interest lately
is the position of the Congress of the United States that Huawei and ZTE pose a security threat.[13]
	 A properly configured and maintained firewall defends against many threats. It is
a key component in many security strategies implemented today. Ensuring that the firewall
is properly patched is another important key to having a good defensive strategy.
Regular Testing and Backups
	 Regular tests of information security systems are crucial in maintaining readiness.
Internal and external penetration tests, scans, and verification procedures all contribute
towards ensuring that systems are configured properly. Regular backups are akin to buying
insurance. Failures are an unavoidable part of the human experience and information
systems are not exempt. Having a ready backup is no longer a luxury but a necessity.
Intrusion Detection Systems/Intrusion Prevention Systems
	Intrusion detection and intrusion prevention systems (IDPS) are a class of devices
that came to the forefront of the defensive arsenal about a decade ago. Such devices
are capable of detecting incidents by monitoring events or inspecting packets and, at the
start of an incident, triggering some automated response including reconfiguration of firewalls,
sending out alerts by SMS or email, locking down ports, et cetera.
	Most systems in the market today involve the deployment of hardware appliances;
few are software based. These are usually installed in-line either behind or adjacent to
the firewall(s) in an organization’s network. NIST[14] lists four types of technologies
available today:
1.	 Network based: examination and detection based on network segments, or network
and application protocol.
2.	 Wireless: examination of wireless network traffic.
3.	 Network behaviour analysis: examination of system-wide behaviour including the
sudden rise of packets, policy violations, et cetera.
4.	 Host-based: limited to single host examination and events linked to the single
host.
IDPS are useful in detecting and identifying potential incidents. Therefore, they
are an indispensable tool in the defensive toolkit of many information security managers.
An IDPS provides intrinsic value by adding automated detection, logging, recording, and
monitoring capabilities to an organization, when configured and maintained properly.
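To make the "network behaviour analysis" type listed above concrete, here is an added sketch, not code from the paper or from NIST, of a detector that flags a sudden rise of packets against a rolling baseline. The packet counts are constructed, and the class name, window size and thresholds are assumptions chosen for illustration.

```python
from collections import deque
from statistics import mean, pstdev

# Constructed sample: packets per second observed on one network segment.
SAMPLE_PPS = [100, 104, 98, 101, 97, 103, 99, 102, 100, 950, 1200, 101, 99]


class RateBaseline:
    """Rolling baseline of packet rates (hypothetical helper for this example)."""

    def __init__(self, window=8, warmup=5, k=4.0, min_spread=0.10):
        self.history = deque(maxlen=window)  # recent "normal" observations
        self.warmup = warmup                 # samples needed before judging
        self.k = k                           # how many spreads above baseline
        self.min_spread = min_spread         # floor on spread, as a fraction of baseline

    def observe(self, count):
        """Return an alert dict if count is a sudden rise, otherwise None."""
        if len(self.history) < self.warmup:
            self.history.append(count)
            return None
        base = mean(self.history)
        # A very steady link has near-zero deviation; the floor avoids
        # alerting on ordinary jitter in that case.
        spread = max(pstdev(self.history), self.min_spread * base)
        threshold = base + self.k * spread
        if count > threshold:
            # The spike is not added to the history, so a sustained flood
            # cannot teach the detector that the flood is normal.
            return {
                "count": count,
                "baseline": round(base, 1),
                "threshold": round(threshold, 1),
            }
        self.history.append(count)
        return None


def scan(counts, **kwargs):
    """Run the detector over per-second counts and collect the alerts.

    In a deployed IDPS each alert would feed the automated response
    (notification, firewall reconfiguration); here it is only returned.
    """
    detector = RateBaseline(**kwargs)
    alerts = []
    for second, count in enumerate(counts):
        alert = detector.observe(count)
        if alert is not None:
            alert["second"] = second
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_PPS):
        print(alert)
```

On the constructed series, only the two flood samples are flagged, and the readings after the flood are judged against the pre-flood baseline.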
Outsourcing of information security
	 Within the Philippine context, many organizations, including government agencies,
do not have the budget, expertise or capability internally to properly secure their information
systems. Accordingly, to properly prepare for a cyber-attack, organizations may resort to
outsourcing, analogous to the deployment of private security guards for the protection of
physical assets.
	 There is a prevailing misconception regarding the role of law enforcement in
information security. By definition, law enforcement agencies provide post-incident
investigation, apprehension and filing of charges against suspected perpetrators. Their
responsibilities do not include ensuring an organization’s systems are safe and secure.
Typically, a Computer Security Incident Response Team (CSIRT) or a Computer Emergency
Response Team (CERT) is engaged to assist an organization to prepare, simulate cyber-
attacks and conduct post-assessments of information security systems.
Future Developments and Challenges
	 Current technological trends are likely to continue in the foreseeable future. With
the rapid and accelerating pace of change in technology, a discussion of the pervasive
technologies and their prospective impact to information security is warranted.
Mobile technology
	 Today’s smart phones are truly mobile computers; some have greater processing
power than desktops from less than a decade ago. Penetration rates in more advanced
countries have exceeded 50% and have reached 78% in the United States. [15] This trend
will rapidly be replicated in emerging markets like the Philippines, particularly with the
commonplace availability of smart phones retailing for less than one hundred US dollars.
	 With the advent of mobile commerce and the Philippine propensity for rapid
adoption of mobile phones, there will be a host of new, unforeseen security challenges. This
will be accelerated by the deployment of LTE empowering mobile broadband by the local
telecommunication carriers. Compounding the security challenges with mobile is the lack
of a legal framework and the non-existent registry of mobile SIM cards: attackers utilizing
a mobile platform will enjoy even greater anonymity.
	Initial malware on the mobile platform was largely limited by the fragmented,
proprietary operating systems that ran the previous generation of phones. The industry
has already consolidated to four major mobile platforms: Apple’s iOS, Google’s Android,
Windows Mobile and BlackBerry. With this convergence, the mobile platform presents a
tantalizing target for cyber-attackers. There have been numerous incidents involving social
engineering with deceptive messages sent to victims asking them to send money to process
their contest winnings or to help a friend or relative in a supposed emergency situation.
Video/Voice Over IP (VOIP)
	Skype™ was one of the pioneers that allowed people to make voice calls, later adding
video calls, for free utilizing IP technology. Nowadays, multi-party video conferencing is
already commonplace. The National Telecommunication Commission has issued VOIP
licenses for several years already. From an implementation and technology angle, VOIP is
terrific: provision of clear communications enabled by constantly improving compression
technology. A commercialized form of 3-D hologram communication may soon be
achievable.
	Cyber-attackers recognize networks carrying voice and video data as an
attractive target. A Brazilian CERT noticed an upsurge in scanning for VOIP traffic in their
honey pot network. [16] Intruders that gain access to a VOIP system would potentially be
able to monitor, access and even reroute all communications made through it.
Outsourcing cyber-attacks
	Just as the protection of information security systems is being outsourced to trusted
professionals, cyber-attackers have also begun to resort to outsourcing. The Russian
underground market in cybercrime is vibrant. The low cost of outsourcing
various methods of cyber-attack is alarming; a sampling of the available services and their
prices is listed below: [17]
Service	 Price in US dollars
Hiring a DDOS attack	 $30 to $70 per day
Email spam	 $10 per million emails
Bots for a botnet	 $200 for 2,000 bots
ZeuS source code	 $200 to $500
Hacking a Facebook or Twitter acct 	 $130
Hacking a Gmail account	 $162
Scans of legitimate passports	 $5 each
Traffic	 $7 to $15 per 1,000 visitors from US & EU
As cyber-attacks continue to grow in sophistication, this development of outsourcing
cyber-attacks will not only continue unabated, but likely escalate geometrically.
Conclusion
	 The notion of information security tends to be organization-specific. In the
Philippine context, there is a relatively high tolerance for risk. Even within the defence
establishment, some of the prevailing attitudes are best characterized by the tongue-in-
cheek responses gathered in a series of interviews: “Our approach is security through
obsolescence” and “It’s only 1’s and 0’s anyways, who can read it?” With the pervasiveness
of the internet and technology in human society today and the resultant diminishing barriers
of distance and geopolitical borders, information security must be everyone’s problem and
responsibility.
	 The Information and Communications Technology Office under the Department
of Science and Technology has already set policy that information and communications
technology must be governed due to its pervasive and essential nature in today’s society.
[18] The recent attacks to deface government websites should serve as a clarion call for
imperative action. Perhaps due to its technical or rapidly evolving nature, some of the
national leadership still do not recognize the gravity of the situation, or lamentably, simply
choose to believe it will go away.
	 For some context within the Philippine environment, consider the IT-BPO industry,
a sunshine and rapidly growing sector of the Philippine economy:[19]
	
	 2011	 2012	 2013
Industry revenues (USD)	 $11 Billion	 $13.6 Billion	 $16 Billion
Full-time employees	 638,000	 772,000	 926,000
How much loss, potential or otherwise, must be suffered by the Philippine economy
for information security to be considered a matter of national security? What is the impact
to this single sector of a single or a series of cyber-attacks or data breaches exacerbated by
inadequate response from government? Government and the private sector must work
together to secure our national interest.
This article presented an overview of the current landscape of information security,
from the motivational aspects behind cyber-attacks, to a review of current common
threats and attack variants, to a presentation of the popular defensive strategies, ending
with a forward look at future challenges and developments. Although technology and
methodologies continue to evolve, the human factor, not rapid technological advancement,
continues to be the biggest source of vulnerability:
·	 Many continue to blindly follow security standards set by governments and
standards bodies without proper evaluation of their suitability for their own
situation.
·	 Lax stewardship is the leading cause of security breaches in established
organizations.
·	 Social engineering is still the most prevalent cause of data compromises.
·	 Senior leadership, especially at the national level, typically fails to recognize the
critical nature of information security to their organizations until after a breach or
other incident has occurred.
	 If the Philippines were to experience a cyber-attack today, there is no single office
of primary responsibility within government to mount a coordinated response. At best, the
country can only rely on the Philippine Computer Emergency Response Team (PHCERT),
“a non-profit aggrupation of Information Security Professionals providing Technical and
Policy Advisory Services Pro Bono Publico.”[20] The National Computer Center recognizes
the limited programs and projects that PHCERT can support: “PHCERT ONLY accepts
security incident reports from its members. Technical advice may be provided depending
on volunteer availability. Forwarding and coordination to the appropriate law enforcement
agency can also be done if the situation warrants or member organization desires to do
so.”[21] On the legal front, although the Philippines recently enacted the Cybercrime
Prevention Act of 2012, Republic Act 10175, to empower law enforcement to better combat
cybercrime, the Supreme Court issued a Temporary Restraining Order delaying its
implementation by 120 days in response to questions about the constitutionality of certain
provisions.
	 Information security is so pervasive that even a superpower like the United
States and advanced societies like Japan with relatively unlimited budgets find it difficult
to cope with the immense challenges. Government and private sector must cooperate to
make significant progress in this regard. Forging ahead, given the current landscape of
information security and its likely progression, the Philippines must take two foundational
steps to improve its information security:
1.	 Government must designate a single office of primary responsibility to prepare,
mitigate, and coordinate a response to cyber-attacks; and
2.	 Government and the private sector must work together and establish a pro-active,
independent, fully-functional Computer Emergency Response Team (CERT) and/
or Computer Security Incident Response Team (CSIRT).
# # #
References
This article relied extensively on the collective knowledge-base and
experience of the authors as well as sources from both the internet and
printed material. Similar references were grouped together for brevity.
1	http://blog.elementps.com/element_payment_solutions/2011/11/visa-releases-pci-compliance-level-stats.html
2	http://www.pcworld.com/article/79303/article.html
3	http://2011.appsecusa.org/p/gsr.pdf
4	http://www.techweekeurope.co.uk/news/experts-admit-motivation-for-cyber-attacks-overlooked-6696
5	http://www.symantec.com/connect/blogs/hackers-behind-stuxnet; http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-industrial-control-systems; http://www.airdemon.net/stuxnet.html; http://www.reuters.com/article/2010/09/24/security-cyber-iran-idUSLDE68N1OI20100924
6	http://www.social-engineer.org/social-engineering-ctf-battle-of-the-sexes/
7	http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/; http://nakedsecurity.sophos.com/2012/09/27/banks-targeted-ddos-attacks/; http://www.bloomberg.com/news/2012-09-28/cyber-attacks-on-u-s-banks-expose-computer-vulnerability.html; http://threatpost.com/en_us/blogs/historic-ddos-attacks-against-major-us-banks-continue-092712
8	U.S. Department of Defense, Joint Publication 1–02: DOD Dictionary of Military and Associated Terms (November 8, 2010, as amended through May 15, 2011).
9	http://www.iseprograms.com/lib/Trustwave_2012GlobalSecurityReport.pdf
10	http://web.archive.org/web/20071207173837/http://www.f-secure.com/2007/2/
11	http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east; http://www.crysys.hu/skywiper/skywiper.pdf
12	Cyber-warfare – The new battlefront for Defence Forces by Dr. Peter Holliday
13	http://www.forbes.com/sites/simonmontlake/2012/10/08/u-s-congress-flags-chinas-huawei-zte-as-security-threats/; http://online.wsj.com/article/SB10000872396390443615804578041931689859530.html; http://www.reuters.com/article/2012/10/08/us-usa-china-huawei-zte-idUSBRE8960NH20121008
14	Guide to Intrusion Detection and Prevention Systems - http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
15	http://www.wired.com/beyond_the_beyond/2011/12/42-major-countries-ranked-by-smartphone-penetration-rates/; http://www.thinkwithgoogle.com/mobileplanet/en/
16	CyberSecurity Challenges in Developing Nations – Dissertation by Adam C. Tagert 12/1/2010, Carnegie Mellon University
17	“Russian Underground 101” by Max Goncharov, Trend Micro Incorporated Research Paper 2012 - http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf
18	“2012 Programs” Presentation of the Undersecretary Louis Casambre, Executive Director of the Information & Communications Technology Office of the Department of Science and Technology on 21 June 2012 at the Chancery Hall of the US Embassy Manila.
19	IT-BPO Road Map 2011-2016 Business Processing Association of the Philippines www.bpap.org/publications/breakthroughs?download
20	http://www.phcert.org/
21	http://www.ncc.gov.ph/default.php?a1=2&a2=5&a3=1&a4=PQRS&a5=114
___________________
Simoun is the current Vice Chairman of the Overseas Security Advisory Council of the U.S. Embassy
Manila, a federal advisory committee under the State Department. He also serves as the Chairman
of the Security Disaster Resource Group of the American Chamber of Commerce of the Philippines.
He was a Consultant to the Office of International Policy and Special Concerns of the Department of
National Defense and an Advisor to the Supreme Court. He was formerly with the Philippine Coast
Guard Auxiliary 101st Squadron, where his last rank was Commander prior to retirement. He holds
a Master of Business Administration from the Ivey School of Business, University of Western Ontario,
Canada, and a Bachelor of Arts degree in Psychology and Economics from the University of British
Columbia. He is currently the CEO and President of PVB Card Corporation, and the Vice Chairman
of Bastion Payment Systems in the Philippines, and serves on the boards of several listed firms, both
in the Philippines and United States. Simoun has also been tapped as the speaker and lecturer for
many engagements, including the Federal Bureau of Investigation and the National Defence College
of the Philippines.
Wilfred is the founding CEO and President of Bastion Payment Systems. He formerly worked at
Unisys for over a decade, where he was involved deeply as a senior systems architect on several notable
IT projects of the Philippine government including the National Statistics Office Census Registry
System (CRS-ITP), Land Transportation Office, Philippine Ports Authority, and others. Beyond this,
Wilfred also worked on many international, government and financial sector projects in the United
States, China, Singapore, Hong Kong, Sri Lanka, Vietnam and Australia. Wilfred holds a Master of
Science in Computer Science degree from De La Salle University, Manila (with high distinction), and
a Bachelor of Science in Computer Science from the same school. He is a Certified Rational Unified
Process Consultant.
Carlos is the current Chief Security and Operating Officer of Bastion Payment Systems. He was
formerly the assistant director at the Computer Center of the University of Santo Tomas, where he
continues today as a senior instructor for computer science. Carlos holds a Bachelor of Science in
Computer Science from Chiang Kai Shek College Philippines and master’s degree units from De La
Salle University. He is a certified Cisco Networking Academy Instructor, and a Microsoft Certified
Professional.
The Need to Secure Our Cyber Space
Angel T. Redoble
President and CEO, ARMCI Solutions & Consultancy
A paper presented during the Cybercrime Law and its Implication to National Security on 6 October
2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________
The recent passing of RA 10175 has shifted netizens’ (Cyber Citizens) anxiety and wrath
from the RH Bill, into cybercrime. While the “Cybercrime Prevention Act of 2012,”
aims to protect the same people who are now protesting, various opinions are now
arising and questioning whether the law is constitutional and necessary to begin with.
I have been an IT and Cyber security practitioner for 16 years, and I have been
pushing in my personal capacity this agenda (Cyber space protection) for over a decade now.
Witnessing how cyber attacks have become dramatically sophisticated, I have foreseen the
possible catastrophic impact should these malicious hackers launch an attack against our
critical infrastructures. So if you will ask me whether we need this cybercrime law or not,
then my answer is YES we definitely need the law. In fact we needed it 10 years ago.
I believe, however, that the law was incorporated with some provisions that deviated
from its original objective; and that is to prosecute cyber criminals. But then again, the
definition of what constitutes a cyber crime is very crucial in the implementation of the law.
From a cyber perspective, a cyber crime includes (but is not limited to) the following: Identity
theft, compromise of confidentiality and integrity of information, distribution of worms
and Trojans, disruption of online services (DOS/DDOS), systems intrusions, unauthorized
modification of data and other online information, information theft and installation and
distribution of unlicensed software. As we all know, the libel provision in RA 10175 pushed
our netizens to all the more commit cyber crime by attacking websites owned by the different
government agencies. While I do not agree with the way these perpetrators have aired their
opposition to the said law, I, on the other hand, also agree that libel shouldn’t be considered
as cyber crime and that those who commit libel with the aid of ICT cannot and shouldn’t
be branded as cyber criminals. The Cybercrime law is obviously not a perfect law, but then
again, nothing is perfect in this world of ours, such as life, and such as the cybercrime law.
It still needs to be perfected.
The libel clause has caused wide-spread pandemonium with netizens and has been
used as an excuse for the recent activities, or rather ‘hack-tivities’. This flagrant demonstration
of disagreement by vandalizing government websites is exactly what the Cybercrime Law
aims to prosecute. These ‘hack-tivities’ not only were counter-productive, but also showed
to the whole world, how vulnerable our systems are and how easy it is to disrupt online
services in the Philippines. This is sufficient enough to conclude that the Cybercrime Law
is indeed necessary and must be implemented as soon as possible.
But above Cybercrime, what worries me more is the bigger threat to our cyber space,
the threat of cyber war. The main actors in cyber war have evolved from script kiddies and
hacktivists to cyber terrorists and nation-state sponsored hackers whose objective is no longer
to merely deface websites and steal Facebook accounts, but to disrupt and compromise the
economic security of our country.
Goods and Services Advertised on Underground Economy Servers*
Overall Rank 2009	Overall Rank 2008	Item	Percentage 2009	Percentage 2008	Range of Prices
1	1	Credit card information	19%	32%	$0.85–$30
2	2	Bank account credentials	19%	19%	$15–$850
3	3	Email accounts	7%	5%	$1–$20
4	4	Email addresses	7%	5%	$1.70/MB–$15/MB
5	9	Shell scripts	6%	3%	$2–$5
6	6	Full identities	5%	4%	$0.70–$20
7	13	Credit card dumps	5%	2%	$4–$150
8	7	Mailers	4%	3%	$4–$10
9	8	Cash-out services	4%	3%	$0–$600 plus 50%–60%
10	12	Website administration credentials	4%	3%	$2–$30
By definition, one of the pillars of National Security is Economic Security. And in
cyber war, the enemy can successfully take down the economy of a nation or state, by merely
pressing the enter button. A cyber terrorist can cause havoc without necessarily blowing
himself up. A nation spy can steal and gather vital information about a specific country
without being physically present in the target country. In this modern and technology-
driven world, the war has shifted from guns and bombs to bits and bytes. And it has been
perceived that a war using cyber space can be won without firing a single bullet.
On the other hand, the Cybercrime law, while necessary, is also limited in terms
of proactively protecting our cyber space. It is by nature reactive. And much like our other
laws, ‘No crime, no use’. In addition, there is also the issue of attribution, ‘Who has done
it?’. While others claim that it is easy and possible to trace the real source of an attack and
identify the real perpetrator, I have to disagree in the strongest possible terms. Having been
exposed to the defensive and offensive areas of cyber security, I can categorically say that
it is very difficult and almost impossible to trace the real source of an attack, much more
identify the real identity of the perpetrators. Using various hacking tools, hackers may
launch cyber attacks while sitting in an internet café or a
coffee shop in Manila, Philippines, yet make it appear like
the attack is coming from other cities or countries. I believe
that this is exactly the reason why the hackers responsible
for the recent cyber attacks are so defiantly aggressive: the
fact that they are certain that they cannot be traced or that
they know that the government is not equipped enough to
trace and identify them. Make no mistake, Cyberspace is a
borderless world and the internet provides a perfect cover
and refuge to everyone, and these hackers have almost
perfected the skills of anonymity.
I never failed to mention in all of my speaking
engagements that there is a growing need to protect the
Philippine cyberspace from all potential external threats.
Cybercrime deals with internal/local threats, while Cyber
security, on the other hand, is more aligned with National
Security. Paired together, you become secure both from internal and external cyber threats.
As a private company, we can always deploy all policies and security mitigations to protect
our organization, but who will protect our communication once it exits our organization’s
area of network responsibility?
What will happen to the Philippine economy if our telecommunication providers are
taken down by a massive and organized Denial of Service attack coming from both internal
and external threats? Given the fact that our BPO businesses are heavily dependent on
these telecommunication companies, there is a possibility of losing the more than 10 billion
pesos revenue and more or less the 900,000 jobs provided by the BPO industry. What will
happen to our country if cyber terrorists and nation-state sponsored hackers attack our
power grids and distribution companies? Knowing for a fact that these companies have
SCADA (Supervisory Control and Data Acquisition) systems deployed and are using the
internet as a means of connectivity?
Considering the recent surveys conducted by different entities, the number and
financial impacts of cyber attacks have increased at a rate faster than ever, even though
cyber security measures are improving and becoming more sophisticated. This could only
mean one thing, that the people behind these attacks are always one step ahead of those
who develop cyber security measures.
The imminent danger that cyber terrorists, cyber criminals and hostile countries
could launch attacks causing grave damage, potentially leading to economic failure in
our country, must be considered a basis for implementing an effective
cyber security policy and addressing the broader issue of cyber warfare.
There is no middle ground in cyber warfare; you can either be a victim or a pawn
used to hide identities or to be used as a strike point to attack other nations. The increasing
complexity of cyber weapons and cyber warfare issues makes it more difficult to deter cyber
security threats. These facts make it all the more important for our country to address cyber
threats from an international perspective down to the national level.
As focus grows on cyber security all over the world, nations are now seriously
considering the cyber security threat a national security issue: a threat that, if realized, could
possibly affect a nation’s very reason for existence, and a threat that could easily be exploited
by cyber criminals, cyber terrorists and rogue nations who are continuously seeking to take
down other nations considered to be adversaries.
Compromising the network systems of our country’s critical infrastructure could
have a catastrophic effect on our capability to function economically and socially.
The focus now should no longer be directed to ‘whether the Cybercrime law was
necessary’ but rather, in calling both private and government entities to actively respond to
the call for Cyber security. A strong relationship, cooperation and coordination between all
government agencies together with the private sector would be a key factor in the success
of deterring cyber threats. Cyber war cannot be won by merely calling in the military.
While integrating cyber security issues to the military doctrine is a good idea, as well as
formulating cooperation and coordination strategy internationally, the involvement of the
private sector is still an integral part to effectively defend our cyber space.
# # #
_________________
Angel is the President and CEO of ARMCI Solutions & Consultancy. He is a holder of an
MA degree in Information Security Management from UPSAM-ASIMILEC in Madrid,
Spain. Angel is a Certified Ethical Hacker and Computer Hacking Forensic Investigator with
over 16 years of local and international experience in consultancy related to cyber security.
His extensive experience includes vulnerability assessment, penetration testing, cyber
warfare, enterprise security risk assessment with focus on information security threats and
vulnerabilities. A Certified Lead Auditor of ISO 27001 Information Security Management
System who completed the Cyber Warfare: Weaponry and Strategies of Digital Conflict
program from Technolytics Institute (USA), he is a founding board member and Director for the
International Society of Cyber Security Professionals focusing on Cyber Warfare Research
and Capability and is a member of the Association of Certified Fraud Examiners (ACFE).
National Security Implications of R.A. 10175:
A Defense Perspective
Director Nebuchadnezzar S. Alejandrino I
Chief, Information Management Office, DND
________________________________________________________________________
5th Domain
	 Cyberspace is the 5th Domain; the other four are Land, Air, Water,
and Space. It is now fast becoming a reality that no modern army in the world
can defend its territory and people without strengthening and securing her
cyberspace, on which government, commerce, and industry are highly dependent.
Asymmetrical Warfare
	 The Philippines, having lesser economic resources and military assets at her
command with which to contend against an external enemy equipped with modern arsenals, is left
without a choice but to bring the future battle to a manageable and winnable chance
based on what she has. And that manageable and winnable chance is offered in the
battle for control of the 5th Domain. Asymmetrical warfare, in this context, not only
becomes an attractive proposition but also becomes a de facto major strategy.
Cybercrime Law: First Logical Step
	 Thus it follows that a country whose winnable chance in defending
itself against a formidable foe is in cyberspace must begin to educate its leaders
in this new reality and prepare the minds of the public for the ensuing strategies
and policies of the state. And that strategy is seen in the passage of RA 10175. It is an
understatement that the country’s passing of this law is not only the first important
step, but the first, logical, and critical step in building her defense and assuring her
people that the government is on top of the situation. For the government would be
remiss not to use all the options available in defending her territory and people.
Cyber Patriots
	 If one perceived and/or imagined enemy has been reported to be training
28,000 cyber warriors, then preparing the Filipino patriots to defend the
country in any way they can is not too much to ask in these untried and
untested times of technology. The passage of the cybercrime law ushered in that era
where cyberspace becomes not only a byword and second nature to all, but
also an active defense against social, economic, political, and national security threats.
National Security Implications
	 The implications of RA 10175 in national security are simple and obvious.
We need it to open our eyes to the technology available to us and the strategy it
offers. We have to wake up to the sad fact that we have inferior defense against a
modern adversary. We need to convince all the leaders to get their act together.
The cybercrime law is not only a law to punish criminals and civil offenders, but
also, it is a law that places everybody on notice, that WE have to ACT, and to act
NOW to confront first the criminal elements, then the emergent enemies of the state.
Revolution In Military Affairs
	 The Department of National Defense, the government agency constitutionally
mandated to defend our territory, the state, and her people, welcomes
RA 10175. For it will not only fast track the awareness level of our leaders and
people on the criticality of the 5th Domain and the technology available to us
in dealing with a more powerful adversary, but it will also prod the people
to learn to engage this new technology in constructive ways and in conflict.
Hence, we need to be inventive and creative in confronting national security
challenges both in real mode and virtual mode in cyberspace. The recognition
of this new paradigm and the AFP’s revolution in military affairs (RMA) that
the ‘cyberspace awareness’ may consequently bring to the fore is an important,
logical, and critical step towards staking our claim to independent nationhood.
Incipient Issue
	 There is a developing incipient concern that is doubtful. That concern is the
cry of alarmists that the prevalence of critiques and objections to the cybercrime
law will mushroom into a situation that may eventually affect national security.
The contrary opinion on this issue, however, assumes that it is in the interest of
the State to allow healthy debate, not only as a release valve but because, in a democratic
country like ours, every voice must be heard. I believe that the noise that the Cyber
Crime Prevention Act of 2012 generated will neither flourish in the shorter term
nor in the longer term. The Filipino culture, our respect for authority, and the
majority of the 100 million Filipinos, will serve as the enemy of our future enemies.
# # #
Fighting the Crime of the Future:
Responding to the Challenges of Cybercrimes
Assistant Secretary Geronimo L. Sy
Department of Justice
_______________________________________________________________________________
ICT Impact on Crime and Security
	 Countries and states around the world today experience the endless challenges of
the use and abuse of modern technology. Technology provides ease and comfort and the
benefit of applying science to problems. It can also be used to harm humans and society.
	 Our need for technology is evident in almost every aspect of our lives: health,
education, economy, and governance and law enforcement. Leveraging technology for
justice is a most novel and pressing need today.
	 As civilization influences, inspires, and forces the global population to upgrade
and transcend the current state and quality of life, the Philippine government is now faced
with the current challenge of coping with the strained capacity to provide protection to
lives and justice for the people.
	 Indeed, the internet is a promising zone for advanced communications and near
limitless space for information and data sharing which authorities must engage, harness
and optimize.
	 When crimes or criminal behavior extend to cyberspace, the hand of the law
must extend and operate to ensure the same level of protection and safety.
Cybercrime: The Crime of the Future
	
	 Cybercrimes are committed with or through the use of ICTs such as television,
radio, cellular phone, computer and computer network, and other communication
device or application. Cybercrimes are punishable under special cybercrime laws and
subject to distinct law enforcement provisions. This much is acknowledged from a global
perspective.
	 When compared to counterpart crimes committed in the physical world, multiple
unlawful acts can be executed or performed by a single cybercriminal within a very short
period of time, potentially affecting a vast number of users. For example,
in cases of child pornography, the spread of the illegal material can easily reach
a wider and more perverted audience. Culprits can hide themselves, their locations and
identities because of the cloak of anonymity that is the internet. The impression that
cyberspace is a zone of impunity that is beyond the law or regulation is not misplaced.
	 There are various types and kinds of cybercrimes, based on the strictness
and scope of categorization. The International Convention on Cybercrime (CoC),1 the
first international treaty that seeks to address computer and internet crimes through
international cooperation, categorizes cybercrime offenses into four: (1) offenses against
the confidentiality, integrity and availability of computer data and systems; (2) computer-
related offenses; (3) content-related offenses; and (4) offences related to infringements of
copyright and related rights.2
Cybercrimes in the Philippines
	 In a 2010 report of the security software firm Symantec, 87% of Filipino internet
users were identified as victims of crimes and malicious activities committed online. The
activities were the following: (1) malware (virus and Trojan) invasion; (2) online or phishing
scams; (3) sexual predation; and (4) services in social networking sites like Facebook and
Twitter.
	 Since its creation in 2003, the Anti-Transnational Cyber Crimes Division of the
Criminal Investigation and Detection Group (ATCCD-CIDG) in the Philippine National
Police (PNP) has already investigated 2,778 cybercrime cases.3
ATCCD-CIDG Cyber Crime Cases Investigated Statistics CY 2003-2012
________________________________________________________________________
Year          2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
No. of Cases    30    50   155   523   171   300   268   286   433   562
________________________________________________________________________
Cybercrime Convictions
	 The first case of ‘cybercrime’ in the Philippines in recent times was in 2000 with the
onset of the “I Love You” virus. The case filed against De Guzman was dismissed at the
first stage because there was no law punishing the deed as of that time in May 2000, in the
Philippines.4
	
	 On 14 June 2000, Republic Act 8792 or the Electronic Commerce Act was signed
into law. The E-Commerce Act positioned the Philippines as the third country to enact
an e-commerce law, next to Singapore and Malaysia. It placed the Philippines on the list
of countries which penalize cybercrime.
	 The first cybercrime conviction was in September of 2005, in a case filed by the
PNP-CIDG. The accused was convicted for hacking of the government portal “gov.ph”
and other government websites.5
	 A case investigated by the National Bureau of Investigation (NBI) led to the
second cybercrime conviction in 2006. The accused was employed in a business process
outsourcing (BPO) provider in the country and illegally secured credit card information
from the company’s sister firm. The said cases were the only cybercrime convictions in the
Philippines which were secured under the provisions of E-Commerce Law.6
	 Presently, cybercrime cases are still dealt with using existing cybercrime-related
laws. These laws are as follows: RA 10173 or the Data Privacy Act of 2012; RA 9995 or the
Anti-Photo and Voyeurism Act of 2009; RA 9775 or the Anti-Child Pornography Act of
2009; RA 9208 or the Anti-Trafficking in Persons Act of 2003; RA 8792 or the E-Commerce
Act of 2000; RA 8484 or Access Devices Regulation Act of 1998; and RA 4200 or Anti-
Wiretapping Law.
Cybercrime Prevention Act of 2012
	 President Benigno Aquino III signed into law RA 10175 or the Cybercrime
Prevention Law on 12 September 2012, which adopted the basic approach of the CoC.
It took effect on 3 October 2012 and was immediately challenged by 15 petitions which
questioned the constitutionality of some of the law’s specific provisions, among others
the sections on: cybercrime offenses (Sec. 4); inclusion of RPC and special laws-defined
and penalized crimes and imposing higher penalty when these are committed through
or with the use of ICTs (Sec. 6); real-time collection of traffic data (Sec. 12); restricting or
blocking access to computer data (Sec. 19); and the provision on noncompliance (Sec. 20).
The Supreme Court subsequently issued a temporary restraining order (TRO) on the law
on 9 October 2012. The TRO is set to last for a period of 120 days, ending on 6 February 2013,
while oral arguments are scheduled on 15 January 2013.
	 On the same date when the High Court issued a TRO, the Department of Justice
(DOJ), in partnership with the Information and Communications Office of the Department
of Science and Technology (ICTO-DOST), held the first ever cybercrime forum that was
live-streamed on the internet. The forum was attended by different organizations and
institutions from the government, private sector, media, academe, non-government
organizations and civil society clubs.7 The forum sought to clarify misgivings about the
law, and muster the support of various sectors and transform it into a multidisciplinary
coalition that will help craft the implementing rules and regulations (IRR) of RA 10175.
International Cooperation
	 The Cybercrime Prevention Act is not a Filipino invention. Elsewhere in the world,
as in the United States, Japan, and the European Union, there are existing policy models and
template laws that are of great standard, and are endorsed for emulation and adoption.
In our case, RA 10175 was largely based on the provisions of the CoC of the Council of
Europe (COE).
	 The Philippines was invited to accede to the CoC in 2008. A cybercrime law like
RA 10175 that is compliant with the provisions of the convention is primarily needed for
the country to be a signatory to it.8
	 It is constructive for the country to be part of this very first International CoC
because of the transnational support and cooperation that will be established and
strengthened among the nations party to it. The Justice Department is set to cooperate
with the US Department of Justice (US DOJ), International Criminal Police Organization
(INTERPOL), and European Police Office (EUROPOL), for mutual legal assistance and to
work on extradition cases involving cross-border crimes.
	 The government must support the participation of our national law enforcement
units in the Cybercrime Technology Information Network System along with 9 other
cybercrime enforcement units in Asia namely China, Hong Kong S.A.R., India, Indonesia,
Korea, Malaysia, Singapore, Thailand, and Japan.9 This further improves our linkages to
fight cybercrimes.
Discussion
The Need for an Effective Anti-Cybercrime Law
	 The policy aim of Cybercrime Prevention Act of 2012 is to establish and protect an
ICT environment that would lead to a safe participation in the modern systems of exchange
and provision of data and knowledge. It also aims to safeguard the integrity of the systems
and networks of computers and communications, and databases, and protect the integrity,
confidentiality, and availability of information and data stored within from abuse and
misuse. Furthermore, it aims to strengthen the cooperation of Philippine anti-cybercrime
authorities and bodies with their counterparts in other countries.
	 The law also empowers and mandates the law enforcement agencies (LEAs) such as the NBI
and PNP with regard to the collection, recording, preservation, disclosure, search and
seizure, custody, and destruction of electronic information or data. The law also states as
a requirement the cooperation and assistance that service providers10 should give to LEAs
in relation to the said enforcement and implementation functions.
	 Although the original intent of RA 10175 is to focus on punishing the core cybercrime
offenses like cyberterrorism, hacking, phishing, child pornography and cybersex, our own
legislative process resulted in the creation of a law that has a mixed-up structure and
imprecise phraseology, where the focus is held in disarray and distanced from its genuine
intent.
	 The enacted law has a provision that punishes online libel with a heavier penalty.
This archaic provision of the law runs contrary to the growing international trend of
decriminalization of libel that is in line with the Philippine government’s mandate to
protect and promote civil and political rights of its people.11
	 The law also has a provision on cyber-squatting that should not be part of a major
penal legislation on cybercrime but of another piece of statute or public-private partnership
efforts.
	 The legislation also confuses cybercrime with cybersecurity, even though the
two are different concepts and have many separate areas of concern. Cybercrime is a matter of
penal legislation while cybersecurity is an information technology (IT) policy framework.12
It would have been better if the Congress had passed separate bills on cybercrime and
cybersecurity to give clearer focus on the importance of each of the major ICT concerns.
	 The provision on cybersex13 makes prostitutes and sexually exploited and
trafficked women liable to the law. This provision, among other provisions discussed in
this paper, needs to be clarified in the IRR once the suspension of the law's implementation
is lifted.
	 Furthermore, RA 10175 also punishes all crimes under the Revised Penal Code
(RPC) and other special laws which are committed through and with the use of ICTs with
penalties one degree higher than those provided for by those laws.14 The philosophy of the
law15 meting out heavier punishment for people who use modern technology for crimes
is already out-of-date, for even the government itself can have the advanced technological
capability to seize law violators and combat State enemies. Moreover, that provision does
not recognize the Philippine society’s rapid and radical transformation in the direction of
the digital era.
	 The law must not deviate from its original purpose. A cybercrime prevention law
should punish ICT crimes which were not covered and anticipated by the RPC and other
special laws.16
The timeline of cybercrime legislation
	 A cybercrime prevention law should be used against transnational organized
crimes and national criminal syndicates, and not against the principled media, not against
the exploited and abused victims, and not against law–abiding everyman who exercises
his right to free speech and expression.17
DOJ’s Comprehensive Implementation Plan18
	 Substantially formulated between 2006 and 2007, and finalized after the first
International Cybercrime Conference (ICC), a consolidated cybercrime bill was produced
after weaving and harmonizing the provisions of numerous versions of the bill. The
government then created the ICT legislation strategy which aims to adopt a three-pronged
approach in crafting ICT-related laws to highlight priority areas with a consideration of
the dynamics of passing ICT-related bills. The three domains are data privacy, cybercrime
and cybersecurity.
[Figure: timeline of cybercrime legislation. Labels: Revised Penal Code; Special Penal Laws; Cybercrime. Years marked: 1932, 1960s, 2000 (E-Commerce Act), 2012.]
The three-pronged approach of ICT legislation strategy
	
	 The DOJ participated in the crafting of the Data Privacy Act, which the President
signed into law on 15 August 2012. What followed was the enactment of RA 10175 but not
without challenges and difficulties as explained previously.
	 RA 10175 designates DOJ as the central authority for the implementation of
the law that entails international mutual assistance and cooperation in prevention and
investigation of cybercrimes which naturally cut across borders.19
	 Once fully operational, the DOJ Office of Cybercrime20 shall achieve the following
tasks and steps:
1.	 Creation of a Joint Investigation Manual for Law Enforcement and
Prosecutors
2.	 Creation of a Question-and-Answer Guide on Cybercrime
3.	 Issuance of a DOJ Guide on Electronic Evidence including a directory of
specialized forms
4.	 Accession to the CoC of the COE.
5.	 Building of a network of investigators, prosecutors and state counsels
nationwide for timely response to cybercrime incidents.
	 Due to the nature of cybercrime and the growing threat it poses to the institutions
of society and to the aspects of nation-building, a united front composed of various sectors
coming from different community levels is an ideal formation against cybercrimes. Local
task forces and anti-cybercrime report and monitoring centers are envisioned to be created
through the partnership of civil society and our police forces. Information, education and
communication (IEC) campaigns for cybercrime awareness and prevention are to be held
by businesses, schools and media for their own constituents, and conducted with resource
support from the anti-cybercrime experts from the government and IT professionals’
organizations. There shall also be clear guidelines and rules for cooperation between service
providers and LEAs in order to develop mutual and beneficial relationships between the
parties.
World without Crime or Cybercrime?
	 There is no such thing as a perfect crime, likewise a perfect cybercrime. These crimes
will surely leave traces and details which will inevitably lead cybercrime investigators,
police forces, and courts of our justice system to pursuing, prosecuting, and convicting
cybercriminals.
[Figure: the three-pronged approach of ICT legislation strategy. Labels: Int’l Cybercrime Conference (2007); Data Privacy; Cybercrime; Cybersecurity.]
	 Equally, there is no such thing as a perfect law that can absolutely annihilate
and prevent cybercrimes. Laws are as good as their implementers. Effective laws shape
themselves in the enforcement process; and a good system of laws and lawmaking is the
one which accommodates changes and overhauls imperfections and deficiencies of existing
laws based on evidence-based inputs and feedback from the enforcers of the law.
	 The optimum solution to combatting cybercrime and foiling its threats to society
would be to embrace a proactive approach in the application of the law. There is a need
for stepping up of community efforts and forging stronger cooperation between the LEAs
and the society at large. Only then can we effectively secure ourselves from the abuse and
misuse of ICTs. Only then could we aspire for a cybercrime-free society – a world that is
future perfect. 	
# # #
Endnotes
1 	 Because the CoC was opened for signature on November 23, 2011 in Budapest,
Hungary, it is also called the Budapest Convention on Cybercrime.
2 	 The categories of crimes specified are titles of cybercrime offenses stated in the text of
the Budapest Convention on Cybercrime.
3 	 See Accomplishment Report of PNP Anti-Transnational and Cybercrime Division
(ATCCD-CIDG) Provision of the E-Commerce Law.
4 	 See ATCCD-CIDG Chief Col. Gilbert C Sosa’s Country Report on Cybercrime.
5 	 Ibid.
6 	 The writer was responsible for the two cybercrime convictions as a young prosecutor
in the Justice Department
7 	 See news article “DOJ sets forum on cybercrime,” posted on DOJ website on 5 October
2012
8 	 See Cybercrime legislation – country profile: Philippines, Council of Europe Project on
Cybercrime
9 	 See Accomplishment Report of PNP Anti-Transnational and Cybercrime Division
(ATCCD-CIDG) Provision of the E-Commerce Law
10 	 RA 10175 defines service providers as (1) “any public or private entity that provides
to users of its service the ability to communicate by means of a computer system”;
and (2) “any other entity that processes or stores computer data on behalf of such
communication service or users of such service.”
11 	 See news article “Sec. De Lima welcomes Presidents’ stance on the possible
decriminalization of libel and passage by Congress of the Anti-Enforced Disappearance
Bill,” posted on the DOJ website on 18 October 2012.
12 	 See the presentation of the writer titled “Fighting Cybercrime, Fighting for Integrity in
Cyberspace” during the 9 October 2012 Forum on Cybercrime Prevention Act that was
hosted by the DOJ and the Department of Science and Technology.
13 	 RA 10175 refers to cybersex as “The willful engagement, maintenance, control, or
operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual
activity, with the aid of a computer system, for favor or consideration.”
14	 See Section 6 of RA 10175.
15	 See Article 14(20) of Chapter 4, Book 1 of the Revised Penal Code of the Philippines.
16	 See statement of Justice Secretary Leila de Lima on the Cybercrime Prevention Act,
posted on the DOJ website on 1 October 2012.	
17	 Ibid.	
18	 This subsection was part of a memorandum submitted by the writer to the
Justice Secretary regarding the comprehensive plan of action of the DOJ Office of
Cybercrime
19	 See Section 23 of RA 10175
20	 The writer was officially designated by the Justice Secretary as the Assistant Secretary-
in-Charge for the Office of Cybercrime effective 01 October 2012 as per Department
Order No. 816
Sources
1.	 ASEAN-EU Programme for Regional Integration Support – Phase II (APRIS II)
2.	 Council of Europe, European Treaty Series – No. 185: Budapest Convention on
Cybercrime	
3.	 Department Order No. 816: Designation of Personnel for the Office of Cybercrime
4.	 DOJ sets forum on cybercrime, http://doj.gov.ph/news.html?title=DOJ%20sets%20forum%20on%20cybercrime&newsid=130
5.	 DOJ Statement on the Cybercrime Prevention Act, http://doj.gov.ph/news.html?title=DOJ%20Statement%20on%20the%20Cybercrime%20Prevention%20Act&newsid=129
6.	 Full Transcript of the Forum on Cybercrime Prevention Act of 2012, 9 October 2012
7.	 Memorandum for the Justice Secretary: Comprehensive Plan of Action for the DOJ –
Office of Cybercrime
8.	 Norton Cybercrime Report for 2011, http://www.symantec.com/content/en/us/home_homeoffice/html/ncr/
9.	 Philippine National Police, Accomplishment Report of Anti-Transnational and Cyber
Crimes Division (ATCCD-CIDG) on the Enforcement of Cybercrime Protection of the
E-Commerce Law
10.	 Republic Act No. 10173: Data Privacy Act of 2012
11.	 Republic Act No. 10175: Cybercrime Prevention Act of 2012
12.	 Revised Penal Code of the Philippines
13.	 Sec. De Lima welcomes Presidents’ stance on the possible decriminalization of libel
and passage by Congress of the Anti-Enforced Disappearance Bill, http://www.doj.gov.ph/news.html?title=Sec.%20De%20Lima%20welcomes%20Presidents’%20stance%20on%20the%20possible%20decriminalization%20of%20libel%20and%20passage%20by%20Congress%20of%20the%20Anti-Enforced%20Disappearance%20Bill&newsid=134
14.	 Sosa, Gilbert C., Country Report on Cybercrime: The Philippines (Paper)
15.	 Sy, Geronimo L., Fighting Cybercrime, Fighting for Integrity in Cyberspace
(Lecture)
Key Structuring Principles in the
Cybercrime Law Discourse
Ms Shirley Pelaez-Plaza, MNSA
Secretary General, NDCP Alumni Association, Inc.
Closing Remarks presented during the Cybercrime Act and its Implication to National Security on
6 October 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________
The weeks that followed the promulgation into law of Republic Act 10175 also known
as the “Cybercrime Prevention Act of 2012” had been the most challenging and
politically charged in the history of Philippine cyberspace. Upon the enactment
of the controversial law, sentiments against it, or some of its provisions, came rushing in
like a powerful tsunami that has swept both the executive and the legislative branches of
government. Commentators, journalists, activists, members of the press, and a huge volume
of netizens here and abroad expressed utter disgust toward the new law and toward those
who have contributed to its eventual enactment.
If only to invite a prodigious amount of attention to the complexities of cyberspace
vis-à-vis the day-to-day workings of our people and nation, this Cybercrime Law really
made great headway. Suddenly, Filipinos have become intensely interested in having
a deeper appreciation of the nexus between and among the elements and influences of
cyberspace, cybersecurity, criminality, constitutional rights, and politics. Netizens here
in the Philippines and elsewhere have been closely following developments on this issue,
indicative of the wide awareness on how such legislative handiwork will impact directly on
their offline and online activities. Indeed, if there is any consolation to this massive uproar
against Cybercrime Law, it must be the heightening of public attention on matters of public
policy, national interest and security.
If we are to conduct ourselves in a very civilized and intelligent manner, everyone
who has a stake in this issue should be able to clear out the fog and cut through the noise
of knee-jerk reactions. We need to step back a little as we appreciate the bigger picture
by looking both at the upsides and downsides of the Cybercrime Prevention Act relative
to the basic tenets of our democracy, as well as the multitude of threats and opportunities
that exist in cyberspace.
In order to structure and further focus existing efforts to merge and reconcile
conflicting viewpoints on the Cybercrime Prevention Act, there are three cardinal
principles that must be observed at all times regardless of the ferocity of public debates
and pressures.
First, freedom of expression is a core element in a vibrant democracy. Our
Constitution is a monumental testament to how this nation suffered from and reacted to a
regime that had suppressed a long list of inalienable rights for a very long time. The framers
of the 1987 Constitution, guided by the spirit of that time, paid great emphasis on the nation’s
desire to preserve elemental rights and freedoms, including freedom of expression. There
can be no debate about the fact that freedom of expression is one of the basic foundations
upon which our democracy flourishes.
When one is free to express his or her opinion on just about anything without undue
malice, public policies and governance are effectively enriched and well informed. Feedback
mechanisms brought about by this basic freedom put pressure on government officials,
both elected and appointed, to ensure that a healthy and vibrant Philippine democracy lives
on. To take away such basic freedom is a regrettable betrayal of the sacrifices of those who
worked and died for it, and a step backwards in our collective and continuous effort to
nurture our relatively young democracy.
Second, vagueness in the law opens the legal gate for malevolent interpretations.
Since the news of the enactment of RA 10175 broke out, much of public indignation
centered on its shadowy provisions whose potential to wreak havoc on our constitutionally
guaranteed rights sends a chilling effect especially on those whose professions, passions,
and interests find safe refuge in cyberspace. Because of the perceived vagueness of some of
its provisions and the bothersome implications to law enforcement, the online and offline
public felt a great measure of anxiety, most especially on how the executive branch will
interpret, substantiate, and execute the law.
Such palpable confusion in the minds of the educated public sits at the very heart of
the debate. Those who have expressed reservations to this law rightly called the attention of
its crafters, urging them to be more precise in the parameters and standards contemplated
by RA 10175. These undefined and unrefined provisions constitute the “black holes” that
had sapped the law of most, if not all, of its credibility. Should policy-makers fail to plug
these holes, the public will really find it extremely difficult to appreciate its other good and
well-intentioned provisions.
Third, no amount of public disgust can ever justify the cowardly acts of online
vandalism and hacktivism. The public must be strongly discouraged against the temptation
to admire those who deface government websites as a way to express opposition to a very
unpopular law. Although it is commendable that the
public is very much engaged in this issue, it also must
be ensured that they are equally informed about the
nuances and merits of the law they so despise. RA 10175
also seeks to go after those cyber predators that thrive
in child pornography, identity theft, cyber-squatting,
hacking, and other unpleasant acts.
Apparently, unscrupulous hackers take
advantage of widespread contempt against certain
provisions of the law in order to push for the wholesale
scrapping of RA 10175, which, for sure, will track them
down someday. It is indeed mortifying that hackers,
amidst the fury over RA 10175 and under the
banner of fighting for freedom, victimized government
websites whose functions are very crucial in the day-to-
day workings of our economy and the delivery of basic
services. What is even more bothersome is that some, if not many, of our netizens seem to
have even come to the defense of these wrongdoers. It must be emphasized that the passion
to defend basic rights should never eclipse fair and intelligent discussion of the issues. All
opposition to this law, or any other law for that matter, must be expressed through proper
means and channeled to the right forum. Dastardly acts
of hacking and defacement cannot blur the unmistakable
boundary between intelligent discourse and barbaric
saber-rattling.
These important principles must be taken to
heart by those who genuinely intend to take part in
fruitful and civilized public debates.
The controversy about the Cybercrime Prevention
Act presents another channel by which the people can
influence policies with direct impact on national security.
The security landscape has significantly evolved to
include a wide array of issues that defy the traditional
notion of security. As the influences of cyberspace
percolate through all of the aspects of our individual
lives and national security, it is therefore an imperative
to make sure that this gift of modern technology and human ingenuity will always serve to
protect the people’s collective interests, societal values, and national security.
It should not be mistaken that there are those who really seek to sow destruction
and chaos in cyberspace, for they know that much of our day-to-day workings depend on
it. These dangerous elements are not a figment of anyone’s imagination; they really do
exist. Thus, the country cannot afford to let cyberspace fall into the hands of those who
seek to pursue malicious and pernicious ends vis-à-vis national security. This Cybercrime
Prevention Act is a stark manifestation of a work in progress, a work that should be seen
as a sum total of our desire to protect not just the individual citizen, but also the nation.
As relevant stakeholders continue to debate on the matter, it should never escape
our consciousness that ours is a free and democratic country, faced with a slew of cyber
threats. Everyone should be hopeful that the nation can arrive at something way better,
something that is more responsive to cyber threats and more observant of our democratic
credentials.
# # #
New Frontiers In CyberSecurity:
Its Adverse Impacts in the Philippines
and ASEAN Region
Prof Chester B Cabalza
MNSA Module Director (NSA 204), NDCP
_______________________________________________________________________________
The second decade of the 21st century has beckoned rapid and massive importance
of the information age. The boom of the internet, social media, wireless and “4G”
technologies, or the new media, and other forms of Information and Communications
Technology (ICT), have indeed inescapably transformed today and tomorrow’s pace of
living.
	 The birth of the “dotcom” era likewise decongests and shrinks the world into a
global village. In effect, cybercriminals vis-à-vis cyber terrorists have learned and acquired
sophisticated technology, and exploit it as a new weapon of mass destruction. Furthermore,
cyber security,1 inclusive of cybercrime and cyberterrorism, forms part of the
human-induced disasters in the crisis management discourse.2
	 As information and communication technology continues to invade and pervade
human life, the risks for cybersecurity will, without doubt, continue to grow. Certainly,
the use of technology in attacks by cybercriminals and cyberterrorists is plausible. Our very
global way of life depends on the secure and safe operations of critical systems that depend
on cyberspace. Precisely, ensuring cybersecurity requires a high degree of competency
and technical expertise from both government and private sectors and other concerned
agencies.3
	 Cognizant of the imminent dangers caused by the emergence of cybersecurity as
one of the security concerns that the ASEAN region must address and confront, the
nature of top security issues in Southeast Asia is more or less transnational, encompassing
more than one country. It is also a crisis management4 dilemma which may involve plans
and institutional arrangements to engage and guide the efforts of government, non-
government, voluntary and private agencies, in comprehensive and coordinated ways to
respond to the spectrum of crisis needs.
	
	 However, much of this does not mean that Southeast Asia’s resurgence can be
attributed to a relatively stable regional security situation which set the stage for continued
integration of the region’s economies. Nevertheless, this does not mean that the ASEAN region
does not face significant security challenges. Being part of the larger regional security
complex of the Asia-Pacific, it also faces a wide range of traditional, non-traditional, and
transnational challenges. Obviously, one of these is the complexity of cybersecurity.
	 The challenges, both old and new, affect the security interests of all nation-
states in the region, and because of the increasing economic significance of Asia, that of
nations around the world. The transnational nature of cybersecurity underscores the need
for transborder cooperation and dialogue since this threat cannot be solved by any one
nation.
The Power of Social Media in Southeast Asia
	 Southeast Asia is considered one of the promising techno hubs for young
and gadget-oriented consumers in the world. With a population of over half a billion,
hip, young and dynamic peoples, and a growing economy, it is only fitting to admit
that this region will have tremendous contributions and adaptations to the interactive
and high-tech world of social media. Expectedly, the phenomenal success of social
networks also brings dangers to the region’s cybersecurity infrastructures.
	 Social media is defined as a group of new kinds of online media that share most
or all of the following characteristics: they [1] encourage participation, [2] are open to feedback,
[3] support two-way conversation, [4] form communities, and [5] thrive on connectedness
(Mayfield, 2008).
	 Henceforth, social media has created, mobilized, and demonstrated waves
of consciousness and action that reach much more people than traditional industrial
media. As much as social media has the ability to draw together mass involvement in a
personalized way, it also does so in an unsupervised manner, thus crafting it as a potential
threat to human security. Consequently, this formulates social media to be a tool that both
augments and degrades human security (Romero, 2009) with leveled off boons and banes
of cybersecurity landscapes in the current deterritorialized playing field.
	 A 2012 report released by Nielsen revealed that social media receives a strong
trust rating among consumers in the ASEAN region particularly in Vietnam, Thailand,
the Philippines, and Indonesia. Accordingly, although television still reigns (9 out of 10
people in Southeast Asia watch “Free to Air TV”), online has grown rapidly in reach
and influence in the last decade.5
	 Others would believe that the benefits of social media marketing include
the following: [1] it generates exposure for the products/business, [2] it improves web
traffic and the opportunity to build new partnerships, and [3] it generates qualified leads.
	 In the sphere of social media to date, Twitter, a popular microblogging service
that was launched in July 2006, claims popularity based on its userbase in the world, topping
all other social networking services. A report by the social media monitor Semiocast
revealed that in the “Twitterverse” two Southeast Asian countries, namely Indonesia,
which ranks 5th, and the Philippines, which places 10th, are hooked on Twitter’s
ever-growing 517 million users, based on the worldwide rankings (Montecillo, 2012).
Initially, it was Facebook that held the most popular spot among the social networking
sites around the world having 835,525,280 users as of 31 March 2012.
	 The Wall Street, which purports to offer analysis and commentary for investors,
proclaimed the Philippines as the “Social Networking Capital of the World” (Hamlin,
2011). Furthermore, in a 2008 study conducted by McCann Universal, Filipino netizens
ranked: first in social networking, first in sharing photos, first in viewing videos, second to
South Korea in reading blogs, second to Brazil in sharing videos, fourth in writing blogs,
fourth in downloading podcasts, and sixth in using RSS/feeds. Accordingly, email (63%),
instant messaging (63%), and search (58%) are the most common online activities for
Filipino internet users, with social network site usage at 51%.6
	 Reasonably, the Philippines is leading other member-countries of ASEAN in
examining conscientiously many pivotal issues of cybersecurity threats in the region.
Having recently achieved newly-industrialized country status, our country is
now becoming a hot player and emerging powerhouse in the global village’s playing
field when it comes to ICTs. It is now ranked as the global topnotch for Business Process
Outsourcing (BPO) in the voice sector; it is still considered the “texting” or SMS capital
and one of the active hot players in social networking around the world. Previously, the
Philippines was cited in 2002 by the Global New Economy Index of the Meta Group for its
“excellent availability” of skilled IT workers, with compliments for the Filipinos’ technical
and business skills, such as in mainframes, minicomputers, and microcomputers, and for
their technical and business skills in ICT projects.7
	
	 Thus the expanding sphere of influence of social media worldwide has
led many governments to acknowledge the power of social media to engage their citizens
to participate in state-sponsored activities such as elections and policy-making. Now
individuals with well-known reputations such as journalists have a well-established
readership. Other individuals have emerged as “stars” within the political blogosphere,
developing an established network of contacts and readers. Popularity is driven by group
identity be it race, ethnicity, gender or sexual orientation. These blogs draw readers that
are untapped by traditional media. Thus, blogs facilitate the creation of a network of like-
minded individuals (Pole, 2010).
	 However, there are various social media governance issues that must be addressed,
as pointed out by experts and practitioners, such as the following: [1] how should
organizations regulate and manage the use of social media by their staff during work hours?
[2] what sort of risks do organizations face, in terms of potential data loss, unregulated
communication of confidential information and work time? [3] should social media sites
be blocked or disallowed in government institutions and private firms as a whole? [4]
how should the government address the use and abuse of social media in its campaign for
transparency, fair and open exchange of information, and reducing corruption to ensure
wise use of resources? and [5] how to define and adopt a social media policy, including
roles and responsibilities, communications and training, and metrics and monitoring?
(Malacaman, 2010).
New Forms of Cybercrimes
	 Cyberspace has led some government and private experts to conclude that
cybercriminals are at the threshold of using the internet as a direct instrument of heinous
crimes and bloodshed. The new threat bears little resemblance to familiar financial
disruptions by hackers for viruses and worms (Cabalza, 2011).
	 The United States’ Federal Bureau of Investigation (FBI) recently estimated that the
“lovebug”8 made by a Filipino student in 2000 has caused worldwide damage amounting
to approximately USD$12 billion. Hence, threats to the financial systems will have dire
consequences for nations’ ability to operate effectively and efficiently.9
	 Criminals look for easy prey. But states can combine the criminal hacker’s
tricks, such as spear-phishing, with the intelligence apparatus to reconnoiter a target, the
computing power to break codes and passwords, and the patience to probe a system until
they find a weakness. Computer bugs can bring down military email systems, derail oil
refineries and metro trains, scramble financial data, and take down the electrical grid. As
a matter of fact, cyber-espionage is the biggest intelligence disaster since the loss of the
nuclear secrets.10
	 The Economist reported that about nine-tenths of the 140 billion e-mails sent
daily are spam; of these, about 16% contain money-making scams, including “phishing”
attacks that seek to dupe recipients into giving out passwords or bank details. The amount
of information now available online about individuals makes it even easier to attack a
computer by crafting a personalized e-mail that is more likely to be trusted and opened;
this is known as “spear-phishing”.11
	 The Philippines’ National Bureau of Investigation (NBI) had handled 30 various
cybercrime cases as of 2005. These would include the following: computer fraud, internet
pornography, hacking, computer emails, violation of the E-commerce law, and verification.12
	 Partly a primary cause of alarm is the reality that cybercrimes are new forms and
tools of destruction and explosives or other deadly weapons. It can violate one’s freedom
to life, liberty, property, and security. Furthermore, the resources to launch cyber attacks
are very easy to access and one may not even know the attack has taken place until only
sometime after it was launched.
	 In April 2012, a two-man Philippine contingent, including the author himself, had
proposed the inclusion of cybersecurity as one of the top security threats in Southeast Asia,
after which he drafted the Chairman’s Report on the adoption of cybersecurity in the Fifth
Meeting of ASEAN Defence and Security Institutions (NADI) at Siem Reap in the Kingdom of
Cambodia.
	 In the said 5th NADI Chairman’s Report,13 participants made a consensus
pronouncement on the issue of cyber security to call for a collective action to look at the
problem of jurisdiction and lack of harmonization of laws related to cybersecurity in ASEAN
countries. The presence of such harmonization would enable effective prosecution of cyber
criminals. ASEAN needs to build cooperation and networks for intelligence reports, on
a voluntary basis, among member-countries, including governments and private sector
cooperation. This is to increase intensive research on the security of the region’s cyber
infrastructures to minimize duplication of efforts.
	 But legally speaking, what happens when enacted laws on cybercrimes become
disharmonized?
	 A case in point is the Philippines’ Republic Act No. 10175, otherwise known as the
Cybercrime Prevention Act of 2012, which has been labeled as one of the highly controversial
cybercrime laws enacted in Southeast Asia on a wider scale related to cybercrimes that was
recently implemented but currently withheld. The hyperbole of calling it the “Digital
Martial Law” recalls many of its flawed provisions that may threaten fundamental rights
and freedoms with its repressive perspective and regressive view of technology.
	 The brawling debates over the new statute centered on cyberspace becoming a
platform of the best and worst things that people can come up with when they are online.
While it might be considered as a hotbed of game-changing ideas and artistic expression, it
has also turned into a breeding ground for trolls and cyberthugs ranging across various felonies.
Cyberterrorism as the Other Face of Cybersecurity
	
	 Cyber terrorism is any premeditated, politically motivated attack against
information, computer systems, computer programs, and data that results in violence
against non-combatant targets by sub-national groups or clandestine agents.14
	 However, my initial theoretical framework as a social scientist on terrorism vis-à-vis
cyberterrorism as one of its domains, is the underlying factor that Anderson’s (1983)
historical examination on the concoction of nationalism seems to have merit. In his analysis,
he leaves open the idea that “imagined communities” is an ongoing and dynamic process.
His framework lays the foundation for future examinations of “imagined communities”
in new forms, and could be transformed into a virtual reality whereas the incursion of ICT
via the borders of cyberspace is now being felt.15
	 In Southeast Asia alone, audio-visual and print, especially the internet, have now
emerged as the principal medium to disseminate subversive ideologies. Intelligence
reports suggest that this capability is used for communicating with terrorist cells in
selected countries in the region as well as throughout the world for gathering and mining
intelligence targets, spreading propaganda, and for recruitment.
	 The weapons of terrorism are no longer simply the guns and bombs that they
always have been, but now include the mini-cam and videotape, editing suites and
attendant production facilities, professionally produced and mass-marketed CD-ROMS
and DVDs. And most critically, the laptop and desktop computers, CD burners and email
accounts, internet and worldwide Web access that have defined the information revolution
today (Hoffman, 2006).
	 The appalling side of new media is the quiet emergence of hundreds of uncensored
websites and social network sites that cling to rampant disinformation that may entice
millions of netizens. Given the scenario that the information superhighway may trespass a
country’s sovereignty, and given that there is little regulation on the internet, hackers mete
out wide-scale reparations, malicious and damaging software that can ultimately create
havoc without fear of prosecution.16
	 Thus, the conjunction of 21st century internet and 21st century fanaticism has
turned the world into a tinderbox. Virtually every terrorist group in the world today has
its own internet web site and, in many instances, maintains multiple sites in different
languages with different messages tailored to specific audiences (Brown, 2005).
	 The fluidity of cyberspace absorbed by the virtual regional or global community
could succumb to further tension and deepen international debate caused by escalating
schism or difference among conflicting groups. This will also create a new online forum
for worldwide information warfare and a novel force in transforming today’s virtual
geopolitics in a fast deterritorializing world. Without much ado, cyberterrorists will grab
every opportunity to foster their own ideals in the netscape’s increasing bastion of freedom
of expression that will resonate effectively from their supporters.
	 In addition, it would not be surprising if government official
websites, usually hosted by sloppy private industries’ Internet Service Providers (ISP),
could invite increased espionage from cyberterrorists and massive electronic attacks due
to lack of security mechanisms on computer systems. Violations occur when an unauthorized
user illegally accesses network computers that he or she is forbidden to access.
	 Recently, alien or foreign hackers and cyber attackers infiltrated some Philippine
government sites.17 Thus, study would show that there is leeway that they could scythe
even critical and vital military, commercial, or monetary institutions from remote locations
to disrupt the free world’s defense and communications systems. Possibly, attackers could
hack into computer systems for information gathering or data altering, sabotage, and
installing malicious codes. These malicious codes may come in the form of Trojans,
worms, and viruses. There are also deadly Distributed Denial of Service (DDoS) attacks,
which employ “zombie” machines that are controlled by a master server. More or less, these
have the ability to take down entire networks.
	 Cyberterrorists could also apply information hiding by means of steganography,
where one simply takes one piece of information and hides it within another picture or
document. This well-planned strategy could cripple infrastructures and bog down key
government sites and services.18
	 They have the clout to destroy and disrupt critical infrastructures in split seconds.
With just the hit of a keystroke, one can send a fatal blow by simply sitting in his armchair,
from thousands of miles away. That could wreak greater threats to a wider gamut of
annihilation from a mere nuisance to a larger national security problem.
Jurisdictional Problems And Lack Of Laws On Cybersecurity
	 I would still cling to my advocacy for a collective action to look at the problem
of jurisdiction and lack of laws related to cybersecurity in Southeast Asia and other
regional blocs in the world that may impede investigations on cyber crimes and cyber
terrorism.
	 The task of enforcing laws would legitimize the prosecution and extradition of
cyber criminals in a globalizing world and transnational border. I am optimistic that cyber
terrorism is now being fought at the international level and recently the UN Counter
Terrorism Committee (UNCTC) is responsible for coordinating cyberterrorism-related
response and information exchange. Meanwhile, legal and security practitioners must
keep abreast of this emerging non-traditional security and must be trained conscientiously
with the fast-changing fads of technology and the many surprises of the internet.
	 I would still suggest the same mechanisms I addressed in 2007 for the ASEAN
member-countries to achieve a more responsive policy in a volatile and gullible security
environment of cybersecurity. Southeast Asia, which has tremendously experienced
different facets and prisms of terrorism, is now experiencing the effects of cybercrimes
and cyberterrorism. Therefore, I propose that ASEAN countries should forge realistic
agreements based on the following recommendations: [1] to build cooperation and
networks for intelligence reports among ASEAN countries; [2] to engage in government
and private cooperation. To undertake collaborative collection and analysis of cybersecurity
related information; [3] to increase intensive research on the security of the region’s
cyber structures and minimize duplication of efforts; [4] to organize fora/forums for
stakeholders (e.g. enforcers, prosecutors, and cyber users); and [5] to forge cooperation and
international treaties initiated by governments and private cyber industries in the region
that are necessary mainly because cybercrime and cyberterrorism are multi-jurisdictional
and cut across borders. Hence, there is a need to increase and ignite high-awareness level
on cybersecurity.
Conclusion
	 The regional security outlook in Southeast Asia is indeed faced with a wide range
and/or combination of traditional, non-traditional, transnational, and crisis management
challenges. The weight of cybersecurity which I proposed and adopted as one of the top five
security issues in the region,19 during the Fifth Network of ASEAN Defense and Security
Institutes (NADI), is an affirmation that cyber infrastructures apparently affect regional
and worldwide security. Future norms on this emerging security threat in the region must
be further enhanced now to lessen the burden of destruction of life, liberty, property, and
security of individuals and nation-states.
	 Cybersecurity is a new battlefront considered unimaginable in the past, one which
created a borderless world. Cyber attacks on a national scale can make or break a nation’s
political and economic position. Nations with differences in policy and particular matters
of state interest will look beyond the traditional means of solving disputes and resort to
these cyber attacks. However, he still encouraged everyone to be unified and continue to
strengthen the collaboration not only with the private sector but also to global counterparts
in gearing towards an improved resilience to cyber incidents and to proactively reduce
cyber threats. Through shared principles, countries in the region as well, will build not
only stance as credible gatekeepers of cybersecurity but valuable guardians of national
security (Binay, 2012).
	 In the end, the proper handling of related information through the use of various
cyber investigative techniques is very significant to help eliminate or reduce such threats.
Sustaining institutionalized cybersecurity programs in the Southeast Asia region will be
helpful to continuously develop and improve the competency and skills of leaders and
law enforcers in confronting this international security threat.
# # #
Endnotes
1.	 Cybersecurity is the protection of data and systems in networks that are connected
to the internet. See information security, as defined in
http://www.newswithviews.com/Trinckes/john100.htm.
2.	 Cited from Chester Cabalza’s blog article on, “Cyberterrorism and Its Implications
on Global-Local Discourse in Southeast Asia,” uploaded in October 2009 at
http://cbclawmatters.blogspot.com/2009/10/cyberterrorism-and-its-implications-on.html.
Originally presented in the 2nd Graduate Forum on Southeast Asia Studies, Asia
Research Institute (ARI), National University of Singapore (NUS), July 26-27, 2007.
3.	 Ibid. The same texts are also quoted from the paper of the same author, presented in
the 5th Meeting of the Network of ASEAN Defense and Security Institutes (NADI),
entitled “Strengthening Institutionalized Security Cooperation Stemming from
Transnational and Crisis Management Issues in the ASEAN Region,” page 9, held on
April 1-4, 2012 in Siem Reap, Kingdom of Cambodia.
4.	 The working definition of Crisis Management is quoted from the glossary of the National
Crisis Management Draft Manual of the Philippines’ National Security Council (NSC),
page 12, in collaboration with the Development Academy of the Philippines (DAP)
and the National Defense College of the Philippines (NDCP), 2012.
5.	 In Nielsen Holdings’ The Asia Media Landscape is Turning Digital, accessed from
http://www.nielsen.com/content/dam/corporate/au/en/reports/2012/changing-asian-media-landscape.
6.	 In Tonyo Cruz’s The Philippines’ Social Media and Mobile Statistics, accessed from
http://tonyocruz.com/?p=22866.
7.	 Cited in http://cbclawmatters.blogspot.com/2010/02/hot-cyberparks-in-philippines.html.
8.	 In 2000, a solitary cyber law was implemented in the Philippines pertaining to the
internet and electronic communications called Republic Act 8792, known as the
Electronic Commerce Act or E-Commerce Act, which was signed into law in June of
that same year after the I Love You worm proliferated in the United Kingdom (UK)
from the Philippines. At that time, there was no law yet to penalize an offender against
such perpetuation.
9.	 In PowerPoint presentation of Rear Admiral Vicente Agdamag (Ret) on Cybercrime:
How it Affects National Security, template number 9, in the Cybersecurity Forum at
NDCP, February 26, 2012.
10.	 Ibid. A case in point is the fiasco on the global Wikileaks.
11.	 The Economist, Cyberwar: War in Fifth Domain at
http://www.economist.com/node/16478792.
12.	 Because of the evolving domains of cybersecurity, Senator Santiago in 2009 passed a
bill in the Senate called, Cybernet Peeking, after the sexual videos of popular celebrities
in the country went viral. If passed into law, it would punish violators (uploaders)
for two crimes: (1) capturing on photos and/or videos the sexual act without
the partner’s consent, and (2) broadcasting these publicly without the consent of the
aggrieved party (even if s/he consented to record the act for private viewing). Three
years after, the Cybercrime Prevention Act of 2012 is now a newly enacted statute
after the bicameral conference committee has approved the consolidated versions
of the measure from the Senate and the House of Representatives using the senate
version of the bill as its working draft. This covers the offenses such as hacking,
identity theft, cyber-squatting, cyber-bullying, illegal access, child pornography,
defamation and other internet-related crimes and seek to establish legal framework
for the investigation, apprehension, and prosecution of cyber criminals (Cybercrime
Act Consolidated Versions Okayed, Manila Bulletin, dated June 8, 2012,
http://www.mb.com.ph/articles/361474/cybercrime-act-consolidated-versions-okayed).
13. Full text of the Chairman’s Report of the 5th Meeting of Track II Network of ASEAN
Defence and Security Institutions (NADI) can be downloaded at
http://www.rsis.edu.sg/nadi/pdfs/nadi5/Final%205th%20NADI%20of%20chairman’s%20report.pdf.
14. Definition presented by the Federal Bureau of Investigation (FBI), available at
http://www.crime-research.org/articles/putting_cyberterrorism.
15. Cited from Chester Cabalza’s paper on Deconstructing Human Security in the
Philippines, which won the SMI-IFSSO Prize for Social Science Award (an international
recognition) from the International Federation of Social Science Organizations in 2011
for his legal propositions to amend the anti-terrorism law in the Philippines.
16.	 In Chester Cabalza’s blog article on Cyberterrorism and Its Implications on Global-
Local Discourse in Southeast Asia.
17.	 With the escalation of conflict on the contested Scarborough Shoal between China and
the Philippines, Chinese and Filipino “hactivists” recently engaged in a raging battle
online, rendering Philippine government sites inaccessible for some time.
18.	 In reference to the examples cited from the training manual entitled Investigating
Cyberterrorism by the US Department of State.
19.	 The top five security issues identified in the 5th NADI Meeting which is an annual
meeting of member-countries in the ASEAN are the following: Water and Food
Security, Maritime Security, Disaster Relief and Management, Terrorism and other
Transnational Crimes, and Cybersecurity.
References
A. Books / Academic Articles / Training Manual
Anderson, B., (1983). Imagined Communities: Reflections on the Origin and Spread of
Nationalism, London: Verso.
Cabalza, C., (2011). Deconstructing Human Security in the Philippines, page 3, International
Federation of Social Science Organizations (IFSSO).
Cabalza, C., (2011). Luwaran.com: Mouthpiece of the Bangsamoro in Southern Philippines,
page 154, Asian Politics and Policy, Volume 3, Number 1, Wiley-Blackwell.
National Security Council, (2012). National Crisis Management Manual (Draft), page 12, in
collaboration with the Development Academy of the Philippines (DAP) and National
Defense College of the Philippines (NDCP).
Pole, A., (2010). Blogging the Political, page 8, New York: Routledge.
Romero, S., (2009). Social Media and Human Security, page 35, National Defense College
of the Philippines, Quezon City.
US Department of State and US Embassy Manila, (2006). Investigating Cyberterrorism (A
Training Manual), in cooperation with NDCP, Quezon City.
B. Speeches / PowerPoint
Agdamag, V., (2012). Cybercrime: How it Affects National Security, powerpoint template
numbers 4 and 9, Cybersecurity Forum, National Defense College of the Philippines,
Quezon City.
Binay, J., (2011). Speech at the seminar-workshop entitled Seminar Towards Information and
Communications Technology Development (ICTD) and Cybersecurity Enhancement,
National Defense College of the Philippines, Quezon City.
Hoffman, B., (2012). The Use of the Internet by Islamic Extremists, Testimony before the
Permanent Select committee on Intelligence, U.S. House of Representatives.
Malacaman, J., (2010). Social Media in Information Security: Lessons and Issues, powerpoint
template numbers 7-10, National Defense College of the Philippines, Quezon City.
C. News Articles / Blogs / Websites
Brown, T., (2010). Death by Error. The Washington Post. Retrieved November 19, 2010
from http://ics.leeds.ac.uk/papers/vpo1.cfm?outfit=pmt&requesttimeout=500&folder=891&paper=2368.
Cabalza, C., (2009). Cyberterrorism and its Implications on Global-Local (Glocal) Discourse
in Southeast Asia, http://cbclawmatters.blogspot.co/2009/10/cyberterrorism-and-its-implications-on.html
Cabalza, C. (2010). Cyberparks in the Philippines,
http://cbclawmatters.blogspot.com/2010/02/hot-cyberparks-in-philippines.html.
Federal Bureau of Investigation (2007), Cyberterrorism,
http://www.crime-research.org/articles/putting_cyberterrorism/
Hamlin, M.A. (2011). The Philippines: Now the World’s BPO and Social Networking
Capital, The Manila Bulletin, 18 May 2011, accessed from
http://www.mb.com.ph/articles/318677/the-philippines-now-world-s-bpo-and-socialnetworking-capital.
Mayfield, A., (2008). What is Social Media? E-book from iCrossing, accessed from
http://www.icrossing.co.uk/fileadmin/uploads/eBooks/What-is-Social-Media-iCrossing-ebookk.pdf.
Montecillo, P. (2012). Philippines has 9.5M Twitter Users, Ranks 10th, Philippine Daily
Inquirer, accessed from
http://technology.inquirer.net/15189/philippines-has-9-5m-twitter-users-ranks-10th.
Torregoza, H., (2012). Cybercrime Act Consolidated Versions Okayed, Manila Bulletin,
dated June 8, 2012,
http://www.mb.com.ph/articles/361474/cybercrime-act-consolidated-versions-okayed.
_____________________
Professor Cabalza is the Module Director for the Socio-Cultural Dimension of National
Security at the NDCP, and concurrently works as the Supervisor of the Academic Support
Section. He obtained his BA Anthropology (2001) and MA Asian Studies (2008) from the
University of the Philippines, and at the same time works part-time as a senior lecturer in the
graduate and undergraduate programs of the Department of Anthropology in UP Diliman.
He became a Fellow of the PLA National Defense University in Beijing, China (2011). He
also sits on the Board of Trustees and as Chairman of Research and Special Projects of the
Ibanag Heritage Foundation, Inc (IHFI).
He maintains a blog aptly called “Law and Society” at http://cbclawmatters.blogspot.com/.
His blog follows the principle of lex et societies which contains research
papers, commentaries, case digests, laws and jurisprudence, virtual ethnography, essays
on domestic and foreign issues. As a scholar, he has presented his papers in various
international and local academic fora and published scholarly articles for peer-reviewed
domestic and foreign journals. He was a recipient of the Angara Scholarship Award in UP
Diliman (2006-2008) and the Southeast Asian Regional Exchange Program (SEASREP) by
the Japan Foundation (2000). In 2011, he won the SMI-IFSSO Prize for the Social Sciences
Award (an international recognition) for his legal propositions to amend the anti-terrorism
law in the Philippines. Prof Cabalza also wrote the Political Dimension of National Security
(International) Module for the e-distance learning of the MNSA.
References
S. No. 2796
H. No. 5808
Republic of the Philippines
Congress of the Philippines
Metro Manila
Fifteenth Congress
Second Regular Session
Begun and held in Metro Manila, on Monday the Twenty-fifth day of July two thousand
eleven.
[Republic Act No. 10175]
AN ACT DEFINING CYBERCRIME, PROVIDING FOR THE PREVENTION,
INVESTIGATION, SUPPRESSION AND THE IMPOSITION OF PENALTIES
THEREFOR AND FOR OTHER PURPOSES
Be it enacted by the Senate and House of Representatives of the Philippines in Congress
assembled:
CHAPTER I
PRELIMINARY PROVISIONS
SECTION 1. Title. — This Act shall be known as the “Cybercrime Prevention
Act of 2012”.
SEC. 2. Declaration of Policy. — The State recognizes the vital role of information
and communications industries such as content production, telecommunications,
broadcasting, electronic commerce, and data processing, in the nation’s overall social
and economic development. The State also recognizes the importance of providing an
environment conducive to the development, acceleration, and rational application and
exploitation of information and communications technology (ICT) to attain free, easy, and
intelligible access to exchange and/or delivery of information; and the need to protect and
safeguard the integrity of computer, computer and communications systems, networks,
and databases, and the confidentiality, integrity, and availability of information and data
stored therein, from all forms of misuse, abuse, and illegal access by making punishable
under the law such conduct or conducts. In this light, the State shall adopt sufficient
powers to effectively prevent and combat such offenses by facilitating their detection,
investigation, and prosecution at both the domestic and international levels, and by
providing arrangements for fast and reliable international cooperation.
SEC. 3. Definition of Terms. — For purposes of this Act, the following terms are
hereby defined as follows:
(a) Access  refers to the instruction, communication with, storing data in,
retrieving data from, or otherwise making use of any resources of a computer system
or communication network.
(b) Alteration refers to the modification or change, in form or substance, of an
existing computer data or program.
(c) Communication refers to the transmission of information through ICT media,
including voice, video and other forms of data.
(d) Computer refers to an electronic, magnetic, optical, electrochemical, or
other data processing or communications device, or grouping of such devices, capable
of performing logical, arithmetic, routing, or storage functions and which includes any
storage facility or equipment or communications facility or equipment directly related
to or operating in conjunction with such device. It covers any type of computer device
including devices with data processing capabilities like mobile phones, smart phones,
computer networks and other devices connected to the internet.
(e) Computer data refers to any representation of facts, information, or concepts
in a form suitable for processing in a computer system including a program suitable to
cause a computer system to perform a function and includes electronic documents and/
or electronic data messages whether stored in local computer systems or online.
(f) Computer program refers to a set of instructions executed by the computer
to achieve intended results.
(g) Computer system refers to any device or group of interconnected or related
devices, one or more of which, pursuant to a program, performs automated processing
of data. It covers any type of device with data processing capabilities including, but
not limited to, computers and mobile phones. The device consisting of hardware and
software may include input, output and storage components which may stand alone
or be connected in a network or other similar devices. It also includes computer data
storage devices or media.
(h) Without right refers to either: (i) conduct undertaken without or in excess
of authority; or (ii) conduct not covered by established legal defenses, excuses, court
orders, justifications, or relevant principles under the law.
(i) Cyber refers to a computer or a computer network, the electronic medium in
which online communication takes place.
(j) Critical infrastructure refers to the computer systems, and/or networks,
whether physical or virtual, and/or the computer programs, computer data and/or traffic
data so vital to this country that the incapacity or destruction of or interference with such
system and assets would have a debilitating impact on security, national or economic
security, national public health and safety, or any combination of those matters.
(k) Cybersecurity refers to the collection of tools, policies, risk management
approaches, actions, training, best practices, assurance and technologies that can be
used to protect the cyber environment and organization and user’s assets.
(l) Database refers to a representation of information, knowledge, facts, concepts,
or instructions which are being prepared, processed or stored or have been prepared,
processed or stored in a formalized manner and which are intended for use in a computer
system.
(m) Interception refers to listening to, recording, monitoring or surveillance
of the content of communications, including procuring of the content of data, either
directly, through access and use of a computer system or indirectly, through the use of
electronic eavesdropping or tapping devices, at the same time that the communication
is occurring.
(n) Service provider refers to:
(1) Any public or private entity that provides to users of its service the ability
to communicate by means of a computer system; and
(2) Any other entity that processes or stores computer data on behalf of such
communication service or users of such service.
(o) Subscriber’s information refers to any information contained in the form
of computer data or any other form that is held by a service provider, relating to
subscribers of its services other than traffic or content data and by which identity can
be established:
(1) The type of communication service used, the technical provisions taken
thereto and the period of service;
(2) The subscriber’s identity, postal or geographic address, telephone and other
access numbers, any assigned network address, billing and payment information,
available on the basis of the service agreement or arrangement; and
(3) Any other available information on the site of the installation of communication
equipment, available on the basis of the service agreement or arrangement.
(p) Traffic data or non-content data refers to any computer data other than the
content of the communication including, but not limited to, the communication’s origin,
destination, route, time, date, size, duration, or type of underlying service.
CHAPTER II
PUNISHABLE ACTS
SEC. 4. Cybercrime Offenses. — The following acts constitute the offense of
cybercrime punishable under this Act:
(a) Offenses against the confidentiality, integrity and availability of computer
data and systems:
(1) Illegal Access. – The access to the whole or any part of a computer system
without right.
(2) Illegal Interception. – The interception made by technical means without
right of any non-public transmission of computer data to, from, or within a computer
system including electromagnetic emissions from a computer system carrying such
computer data.
(3) Data Interference. — The intentional or reckless alteration, damaging,
deletion or deterioration of computer data, electronic document, or electronic data
message, without right, including the introduction or transmission of viruses.
(4) System Interference. — The intentional alteration or reckless hindering
or interference with the functioning of a computer or computer network by inputting,
transmitting, damaging, deleting, deteriorating, altering or suppressing computer data
or program, electronic document, or electronic data message, without right or authority,
including the introduction or transmission of viruses.
(5) Misuse of Devices.
(i) The use, production, sale, procurement, importation, distribution, or otherwise
making available, without right, of:
(aa) A device, including a computer program, designed or adapted primarily for
the purpose of committing any of the offenses under this Act; or
(bb) A computer password, access code, or similar data by which the whole or
any part of a computer system is capable of being accessed with intent that it be used
for the purpose of committing any of the offenses under this Act.
(ii) The possession of an item referred to in paragraphs 5(i)(aa) or (bb) above
with intent to use said devices for the purpose of committing any of the offenses under
this section.
(6) Cyber-squatting. – The acquisition of a domain name over the internet in
bad faith to profit, mislead, destroy reputation, and deprive others from registering the
same, if such a domain name is:
(i) Similar, identical, or confusingly similar to an existing trademark
registered with the appropriate government agency at the time of the domain name
registration:
(ii) Identical or in any way similar with the name of a person other than the
registrant, in case of a personal name; and
(iii) Acquired without right or with intellectual property interests in it.
(b) Computer-related Offenses:
(1) Computer-related Forgery. —
(i) The input, alteration, or deletion of any computer data without right resulting
in inauthentic data with the intent that it be considered or acted upon for legal purposes
as if it were authentic, regardless whether or not the data is directly readable and
intelligible; or
(ii) The act of knowingly using computer data which is the product of computer-
related forgery as defined herein, for the purpose of perpetuating a fraudulent or
dishonest design.
(2) Computer-related Fraud. — The unauthorized input, alteration, or deletion
of computer data or program or interference in the functioning of a computer system,
causing damage thereby with fraudulent intent: Provided, That if no damage has yet
been caused, the penalty imposable shall be one (1) degree lower.
	 (3) Computer-related Identity Theft. – The intentional acquisition, use, misuse,
transfer, possession, alteration or deletion of identifying information belonging to
another, whether natural or juridical, without right: Provided, That if no damage has
yet been caused, the penalty imposable shall be one (1) degree lower.
	 (c) Content-related Offenses:
	 (1) Cybersex. — The willful engagement, maintenance, control, or operation,
directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity,
with the aid of a computer system, for favor or consideration.
	 (2) Child Pornography. — The unlawful or prohibited acts defined and punishable
by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through
a computer system: Provided, That the penalty to be imposed shall be (1) one degree
higher than that provided for in Republic Act No. 9775.
	 (3) Unsolicited Commercial Communications. — The transmission of commercial
electronic communication with the use of computer system which seek to advertise, sell,
or offer for sale products and services are prohibited unless:
(i) There is prior affirmative consent from the recipient; or
(ii) The primary intent of the communication is for service and/or
administrative announcements from the sender to its existing users, subscribers or
customers; or
(iii) The following conditions are present:
(aa) The commercial electronic communication contains a simple, valid, and
reliable way for the recipient to reject receipt of further commercial electronic
messages (opt-out) from the same source;
(bb) The commercial electronic communication does not purposely disguise the
source of the electronic message; and
(cc) The commercial electronic communication does not purposely include misleading
information in any part of the message in order to induce the recipients to read the message.
(4) Libel. — The unlawful or prohibited acts of libel as defined in Article 355
of the Revised Penal Code, as amended, committed through a computer system or any
other similar means which may be devised in the future.
SEC. 5. Other Offenses. — The following acts shall also constitute an offense:
(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who
willfully abets or aids in the commission of any of the offenses enumerated in this Act
shall be held liable.
(b) Attempt in the Commission of Cybercrime. — Any person who willfully
attempts to commit any of the offenses enumerated in this Act shall be held liable.
SEC. 6. All crimes defined and penalized by the Revised Penal Code, as
amended, and special laws, if committed by, through and with the use of information
and communications technologies shall be covered by the relevant provisions of this
Act: Provided, That the penalty to be imposed shall be one (1) degree higher than that
provided for by the Revised Penal Code, as amended, and special laws, as the case may
be.
SEC. 7. Liability under Other Laws. — A prosecution under this Act shall be
without prejudice to any liability for violation of any provision of the Revised Penal
Code, as amended, or special laws.
CHAPTER III
PENALTIES
SEC. 8. Penalties. — Any person found guilty of any of the punishable acts
enumerated in Sections 4(a) and 4(b) of this Act shall be punished with imprisonment
of prision mayor or a fine of at least Two hundred thousand pesos (PhP200,000.00) up
to a maximum amount commensurate to the damage incurred or both.
Any person found guilty of the punishable act under Section 4(a)(5) shall be
punished with imprisonment of prision mayor or a fine of not more than Five hundred
thousand pesos (PhP500,000.00) or both.
If punishable acts in Section 4(a) are committed against critical infrastructure,
the penalty of reclusion temporal or a fine of at least Five hundred thousand pesos
(PhP500,000.00) up to maximum amount commensurate to the damage incurred or
both, shall be imposed.
Any person found guilty of any of the punishable acts enumerated in Section
4(c)(1) of this Act shall be punished with imprisonment of prision mayor or a fine of
at least Two hundred thousand pesos (PhP200,000.00) but not exceeding One million
pesos (PhP1,000,000.00) or both.
Any person found guilty of any of the punishable acts enumerated in Section
4(c)(2) of this Act shall be punished with the penalties as enumerated in Republic Act
No. 9775 or the “Anti-Child Pornography Act of 2009”: Provided, That the penalty to
be imposed shall be one (1) degree higher than that provided for in Republic Act No.
9775, if committed through a computer system.
Any person found guilty of any of the punishable acts enumerated in Section
4(c)(3) shall be punished with imprisonment of arresto mayor or a fine of at least Fifty
thousand pesos (PhP50,000.00) but not exceeding Two hundred fifty thousand pesos
(PhP250,000.00) or both.
Any person found guilty of any of the punishable acts enumerated in Section 5
shall be punished with imprisonment one (1) degree lower than that of the prescribed
penalty for the offense or a fine of at least One hundred thousand pesos (PhP100,000.00)
but not exceeding Five hundred thousand pesos (PhP500,000.00) or both.
SEC. 9. Corporate Liability. — When any of the punishable acts herein defined
are knowingly committed on behalf of or for the benefit of a juridical person, by a natural
person acting either individually or as part of an organ of the juridical person, who has
a leading position within, based on: (a) a power of representation of the juridical person
provided the act committed falls within the scope of such authority; (b) an authority
to take decisions on behalf of the juridical person: Provided, That the act committed
falls within the scope of such authority; or (c) an authority to exercise control within
the juridical person, the juridical person shall be held liable for a fine equivalent to at
least double the fines imposable in Section 7 up to a maximum of Ten million pesos
(PhP10,000,000.00).
If the commission of any of the punishable acts herein defined was made possible
due to the lack of supervision or control by a natural person referred to and described
in the preceding paragraph, for the benefit of that juridical person by a natural person
acting under its authority, the juridical person shall be held liable for a fine equivalent
to at least double the fines imposable in Section 7 up to a maximum of Five million
pesos (PhP5,000,000.00).
The liability imposed on the juridical person shall be without prejudice to the
criminal liability of the natural person who has committed the offense.
CHAPTER IV
ENFORCEMENT AND IMPLEMENTATION
SEC. 10. Law Enforcement Authorities. — The National Bureau of Investigation
(NBI) and the Philippine National Police (PNP) shall be responsible for the efficient
and effective law enforcement of the provisions of this Act. The NBI and the PNP shall
organize a cybercrime unit or center manned by special investigators to exclusively
handle cases involving violations of this Act.
SEC. 11. Duties of Law Enforcement Authorities. — To ensure that the technical
nature of cybercrime and its prevention is given focus and considering the procedures
involved for international cooperation, law enforcement authorities specifically the
computer or technology crime divisions or units responsible for the investigation of
cybercrimes are required to submit timely and regular reports including pre-operation,
post-operation and investigation results and such other documents as may be required
to the Department of Justice (DOJ) for review and monitoring.
SEC. 12. Real-Time Collection of Traffic Data. — Law enforcement authorities,
with due cause, shall be authorized to collect or record by technical or electronic means
traffic data in real-time associated with specified communications transmitted by means
of a computer system.
Traffic data refer only to the communication’s origin, destination, route, time,
date, size, duration, or type of underlying service, but not content, nor identities.
All other data to be collected or seized or disclosed will require a court
warrant.
Service providers are required to cooperate and assist law enforcement
authorities in the collection or recording of the above-stated information.
The court warrant required under this section shall only be issued or granted
upon written application and the examination under oath or affirmation of the applicant
and the witnesses he may produce and the showing: (1) that there are reasonable grounds
to believe that any of the crimes enumerated hereinabove has been committed, or is
being committed, or is about to be committed: (2) that there are reasonable grounds to
believe that evidence that will be obtained is essential to the conviction of any person
for, or to the solution of, or to the prevention of, any such crimes; and (3) that there are
no other means readily available for obtaining such evidence.
SEC. 13. Preservation of Computer Data. — The integrity of traffic data and
subscriber information relating to communication services provided by a service
provider shall be preserved for a minimum period of six (6) months from the date of the
transaction. Content data shall be similarly preserved for six (6) months from the date
of receipt of the order from law enforcement authorities requiring its preservation.
Law enforcement authorities may order a one-time extension for another six (6)
months: Provided, That once computer data preserved, transmitted or stored by a service
provider is used as evidence in a case, the mere furnishing to such service provider of
the transmittal document to the Office of the Prosecutor shall be deemed a notification
to preserve the computer data until the termination of the case.
The service provider ordered to preserve computer data shall keep confidential
the order and its compliance.
SEC. 14. Disclosure of Computer Data. — Law enforcement authorities, upon
securing a court warrant, shall issue an order requiring any person or service provider
to disclose or submit subscriber’s information, traffic data or relevant data in his/its
possession or control within seventy-two (72) hours from receipt of the order in relation
to a valid complaint officially docketed and assigned for investigation and the disclosure
is necessary and relevant for the purpose of investigation.
SEC. 15. Search, Seizure and Examination of Computer Data. — Where a search
and seizure warrant is properly issued, the law enforcement authorities shall likewise
have the following powers and duties. Within the time period specified in the warrant,
to conduct interception, as defined in this Act, and:
(a) To secure a computer system or a computer data storage medium;
(b) To make and retain a copy of those computer data secured;
(c) To maintain the integrity of the relevant stored computer data;
(d) To conduct forensic analysis or examination of the computer data storage
medium; and
(e) To render inaccessible or remove those computer data in the accessed
computer or computer and communications network.
Pursuant thereof, the law enforcement authorities may order any person who
has knowledge about the functioning of the computer system and the measures to protect
and preserve the computer data therein to provide, as is reasonable, the necessary
information, to enable the undertaking of the search, seizure and examination.
Law enforcement authorities may request for an extension of time to complete
the examination of the computer data storage medium and to make a return thereon but
in no case for a period longer than thirty (30) days from date of approval by the court.
SEC. 16. Custody of Computer Data. — All computer data, including content
and traffic data, examined under a proper warrant shall, within forty-eight (48) hours
after the expiration of the period fixed therein, be deposited with the court in a sealed
package, and shall be accompanied by an affidavit of the law enforcement authority
executing it stating the dates and times covered by the examination, and the law
enforcement authority who may access the deposit, among other relevant data. The
law enforcement authority shall also certify that no duplicates or copies of the whole
or any part thereof have been made, or if made, that all such duplicates or copies are
included in the package deposited with the court. The package so deposited shall not
be opened, or the recordings replayed, or used in evidence, or their contents revealed,
except upon order of the court, which shall not be granted except upon motion, with
due notice and opportunity to be heard to the person or persons whose conversation or
communications have been recorded.
SEC. 17. Destruction of Computer Data. — Upon expiration of the periods as
provided in Sections 13 and 15, service providers and law enforcement authorities, as
the case may be, shall immediately and completely destroy the computer data subject
of a preservation and examination.
SEC. 18. Exclusionary Rule. — Any evidence procured without a valid warrant
or beyond the authority of the same shall be inadmissible for any proceeding before
any court or tribunal.
SEC. 19. Restricting or Blocking Access to Computer Data. — When a computer
data is prima facie found to be in violation of the provisions of this Act, the DOJ shall
issue an order to restrict or block access to such computer data.
SEC. 20. Noncompliance. — Failure to comply with the provisions of Chapter IV
hereof specifically the orders from law enforcement authorities shall be punished as a
violation of Presidential Decree No. 1829 with imprisonment of prision correctional in its
maximum period or a fine of One hundred thousand pesos (Php100,000.00) or both, for
each and every noncompliance with an order issued by law enforcement authorities.
CHAPTER V
JURISDICTION
SEC. 21. Jurisdiction. — The Regional Trial Court shall have jurisdiction over
any violation of the provisions of this Act, including any violation committed by a
Filipino national regardless of the place of commission. Jurisdiction shall lie if any of
the elements was committed within the Philippines or committed with the use of any
computer system wholly or partly situated in the country, or when by such commission
any damage is caused to a natural or juridical person who, at the time the offense was
committed, was in the Philippines.
There shall be designated special cybercrime courts manned by specially trained
judges to handle cybercrime cases.
CHAPTER VI
INTERNATIONAL COOPERATION
SEC. 22. General Principles Relating to International Cooperation. — All
relevant international instruments on international cooperation in criminal matters,
arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws,
to the widest extent possible for the purposes of investigations or proceedings concerning
criminal offenses related to computer systems and data, or for the collection of evidence
in electronic form of a criminal offense, shall be given full force and effect.
CHAPTER VII
COMPETENT AUTHORITIES
SEC. 23. Department of Justice (DOJ). — There is hereby created an Office of
Cybercrime within the DOJ designated as the central authority in all matters related
to international mutual assistance and extradition.
SEC. 24. Cybercrime Investigation and Coordinating Center. — There is hereby
created, within thirty (30) days from the effectivity of this Act, an inter-agency body
to be known as the Cybercrime Investigation and Coordinating Center (CICC), under
the administrative supervision of the Office of the President, for policy coordination
among concerned agencies and for the formulation and enforcement of the national
cybersecurity plan.
SEC. 25. Composition. — The CICC shall be headed by the Executive Director
of the Information and Communications Technology Office under the Department of
Science and Technology (ICTO-DOST) as Chairperson with the Director of the NBI as
Vice Chairperson; the Chief of the PNP; Head of the DOJ Office of Cybercrime; and one
(1) representative from the private sector and academe, as members. The CICC shall
be manned by a secretariat of selected existing personnel and representatives from the
different participating agencies.
SEC. 26. Powers and Functions. — The CICC shall have the following powers
and functions:
(a) To formulate a national cybersecurity plan and extend immediate assistance
for the suppression of real-time commission of cybercrime offenses through a computer
emergency response team (CERT);
(b) To coordinate the preparation of appropriate and effective measures to prevent
and suppress cybercrime activities as provided for in this Act;
(c) To monitor cybercrime cases being handled by participating law enforcement
and prosecution agencies;
(d) To facilitate international cooperation on intelligence, investigations, training
and capacity building related to cybercrime prevention, suppression and prosecution;
(e) To coordinate the support and participation of the business sector, local
government units and nongovernment organizations in cybercrime prevention programs
and other related projects;
(f) To recommend the enactment of appropriate laws, issuances, measures and
policies;
(g) To call upon any government agency to render assistance in the accomplishment
of the CICC’s mandated tasks and functions; and
(h) To perform all other matters related to cybercrime prevention and suppression,
including capacity building and such other functions and duties as may be necessary
for the proper implementation of this Act.
CHAPTER VIII
FINAL PROVISIONS
SEC. 27. Appropriations. — The amount of Fifty million pesos (PhP50,000,000.00)
shall be appropriated annually for the implementation of this Act.
SEC. 28. Implementing Rules and Regulations. — The ICTO-DOST, the DOJ and
the Department of the Interior and Local Government (DILG) shall jointly formulate
the necessary rules and regulations within ninety (90) days from approval of this Act,
for its effective implementation.
SEC. 29. Separability Clause. — If any provision of this Act is held invalid, the
other provisions not affected shall remain in full force and effect.
SEC. 30. Repealing Clause. — All laws, decrees or rules inconsistent with this
Act are hereby repealed or modified accordingly. Section 33(a) of Republic Act No. 8792
or the “Electronic Commerce Act” is hereby modified accordingly.
SEC. 31. Effectivity. — This Act shall take effect fifteen (15) days after the
completion of its publication in the Official Gazette or in at least two (2) newspapers
of general circulation.
Approved,
(Sgd.) FELICIANO BELMONTE JR.
Speaker of the House of Representatives
(Sgd.) JUAN PONCE ENRILE
President of the Senate
This Act which is a consolidation of Senate Bill No. 2796 and House Bill No. 5808 was
finally passed by the Senate and the House of Representatives on June 5, 2012 and
June 4, 2012, respectively.
(Sgd.) MARILYN B. BARUA-YAP
Secretary General, House of Representatives
(Sgd.) EMMA LIRIO-REYES
Secretary of the Senate
Approved: SEP 12 2012
(Sgd.) BENIGNO S. AQUINO III
President of the Philippines
Types of Cybercrime
• Hacking
• Denial of Service Attack
• Virus Dissemination
• Software Piracy
• Pornography
• IRC Crime
• Credit Card Fraud
• Phishing
• Spoofing
• Cyber Stalking
• Cyber Defamation
• Threatening
• Salami Attack
• Net Extortion
HACKING
The act of gaining unauthorized access to a computer system or network and in some
cases making unauthorized use of this access. Hacking is also the act by which other
forms of cyber-crime (e.g., fraud, terrorism, etc.) are committed. Hacking in simple
terms means illegal intrusion into a computer system without the permission of the
computer owner/user.
DENIAL OF SERVICE ATTACK
This is an act by the criminal, who floods the bandwidth of the victim’s network or
fills his e-mail box with spam mail, depriving him of the services he is entitled to access
or provide.
VIRUS DISSEMINATION
Malicious software that attaches itself to other software. (Viruses, worms, Trojan horses,
time bombs, logic bombs, Rabbit and Bacterium are examples of malicious software.)
SOFTWARE PIRACY
Theft of software through the illegal copying of genuine programs or the counterfeiting
and distribution of products intended to pass for the original. Retail revenue losses
worldwide are ever increasing due to this crime. It can be done in various ways, such
as end user copying, hard disk loading, counterfeiting, illegal downloads from the
internet, etc.
PORNOGRAPHY
Pornography is the first consistently successful e-commerce product. Deceptive
marketing tactics and mouse-trapping technologies are used by pornography sites to
encourage customers to access their websites. Anybody, including children, can log on to
the internet and access websites with pornographic content with a click of a mouse.
IRC CRIME
Internet Relay Chat (IRC) servers have chat rooms in which people from anywhere
in the world can come together and chat with each other. Criminals use it for meeting
co-conspirators. Hackers use it for discussing their exploits and sharing techniques.
Paedophiles use chat rooms to lure small children.
CREDIT CARD FRAUD
You simply have to type the credit card number into the www page of the vendor for an online
transaction. If electronic transactions are not secured, the credit card numbers can be stolen
by hackers, who can misuse the card by impersonating the credit card owner.
NET EXTORTION
Copying the company’s confidential data in order to extort said company for a huge
amount.
PHISHING
It is the technique of pulling out confidential information from bank/financial institution
account holders by deceptive means.
SPOOFING
Getting one computer on a network to pretend to have the identity of another computer,
usually one with special access privileges, so as to obtain access to the other
computers on the network.
CYBER STALKING
The criminal follows the victim by sending emails and entering the chat rooms frequently.
CYBER DEFAMATION
The criminal sends emails containing defamatory matter to everyone connected with the victim
or posts the defamatory matter on a website. (A disgruntled employee may do this against
a boss, an ex-boyfriend against a girl, a divorced husband against a wife, etc.)
THREATENING
The criminal sends threatening emails or comes in contact with the victim in chat rooms.
(Anyone disgruntled may do this against a boss, friend or official.)
SALAMI ATTACK
In this crime, the criminal makes insignificant changes in such a manner that the changes
go unnoticed. The criminal writes a program that deducts a small amount, such as 2.50
per month, from the accounts of all the customers of a bank and deposits it in his own
account. In this case no account holder will approach the bank over such a small amount,
but the criminal gains a huge amount.
________________________
Source: http://cybercrimes09.blogspot.com/2009/10/types-of-cybercrime.html
Cybercrime
Cybercrime is one of the fastest growing areas of crime. More and more
criminals are exploiting the speed, convenience and anonymity that modern
technologies offer in order to commit a diverse range of criminal activities. These
include attacks against computer data and systems, identity theft, the distribution
of child sexual abuse images, internet auction fraud, the penetration of online
financial services, as well as the deployment of viruses, botnets, and various email
scams such as phishing.
The global nature of the Internet has allowed criminals to commit almost
any illegal activity anywhere in the world, making it essential for all countries to
adapt their domestic offline controls to cover crimes carried out in cyberspace. The
use of the Internet by terrorists, particularly for recruitment and the incitement of
radicalization, poses a serious threat to national and international security.
In addition, the threat of terrorism forces authorities to address security
vulnerabilities related to information technology infrastructure such as power
plants, electrical grids, information systems and the computer systems of
government and major companies.
The changing nature of cybercrime
In the past, cybercrime has been committed by individuals or small groups
of individuals. However, we are now seeing an emerging trend with traditional
organized crime syndicates and criminally minded technology professionals
working together and pooling their resources and expertise.
This approach has been very effective for the criminals involved. In 2007
and 2008 the cost of cybercrime worldwide was estimated at approximately USD
8 billion. As for corporate cyber espionage, cyber criminals have stolen intellectual
property from businesses worldwide worth up to USD 1 trillion.
INTERPOL’s role
INTERPOL’s cybercrime programme is built around training and operations
and works to keep up with emerging threats. It aims to:
-	Promote the exchange of information among member countries through
regional working parties and conferences;
-	Deliver training courses to build and maintain professional standards;
-	Coordinate and assist international operations;
-	Establish a global list of contact officers available around the clock for
cybercrime investigations (the list contained 131 contacts at the end of 2011);
-	Assist member countries in the event of cyber-attacks or cybercrime
investigations through investigative and database services;
-	Develop strategic partnerships with other international organizations and
private sector bodies;
-	Identify emerging threats and share this intelligence with member
countries;
-	Provide a secure web portal for accessing operational information and
documents.
Source: http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
MNSA Thesis Abstracts
MNSA Thesis (Abridged)
Cybersecurity Capability of the
Armed Forces of the Philippines
in the Midst of Computer Threats
Col Arturo A Larin PN(M), MNSA
Regular Class 46
Abstract
The research problem of this study is to assess the AFP personnel capability development
program for cybersecurity. The researcher first reviewed applicable laws, military doctrines, standard
operating procedures and letter directives to understand AFP guidelines/policies on cybersecurity.
Then, data on IT-related training courses and seminars conducted by CEISS units and attended by
AFP personnel were gathered and collated. The courses/training were then tabulated as to basic,
standard and advanced skill ratings as per ISO 27001 standards. This personnel capability in terms
of skills/training was then compared to ISO 27001 standards. A proposed AFP unit which is ISO
27001 compliant was then staffed with the AFP personnel who had undergone IT training to determine
whether the AFP has enough personnel to man it. Subject Matter Experts were also interviewed to get
their opinions on what still needs to be done by the AFP to achieve cybersecurity.
The results of the study are: a) The Philippines lacks laws to fight cybercrimes and it needs
to formulate its own doctrine on cybersecurity operations; b) The AFP CEISS training program in
relation to cybersecurity preparedness consists mostly of basic training/seminars; c) The AFP personnel
cybersecurity preparedness capability failed the ISO 27001 standards test due to lack of qualified
personnel with advanced training; d) If an AFP unit for cybersecurity is created and manned
in accordance with ISO 27001 in terms of skill, a few positions requiring advanced training will be
left vacant; and e) The Subject Matter Experts’ opinions validated the document research and the
results of the survey.
Introduction
	 The fast development in technology that lowered the cost of computers and the
availability of the Internet spurred the widespread use of computers both in government
and private sectors. Computers and wireless electronic devices that can connect to the
World Wide Web are today routinely used in homes, schools, financial services, energy,
communications, manufacturing, health care, transportation, emergency services and
military establishments.
The Internet made communication and exchange of information very fast and easy.
With different countries connected by a single worldwide network, companies can hold
teleconferences with their personnel in their branches in other countries as if they are all
inside one conference room. People can withdraw money without going to their banks by
using Automated Teller Machines (ATMs) and their ATM cards. Sending money, even to
other countries, is easier and faster; in fact, banks transact millions through the Internet. Buying
goods is also a lot easier using credit cards or through e-commerce on the Internet.
	 The widespread use of computers also caused the proliferation of educational
institutions that train the personnel required to man or operate the systems mentioned
above. With more men trained in information technology come more experts whose expertise
can be channeled into wrong or criminal acts given the incentive of financial gain or other
personal motive – both good and bad.
The use of computers with links to the Internet makes them vulnerable to penetration by
persons, groups or organizations, criminals and terrorists, and even nation-states. Hackers
and crackers who penetrate networks and deface websites abound, with some stealing data
and corrupting the contents. Terrorists can use cyberspace to conduct cyber terrorism and
asymmetrical war against governments. Spying is made much easier using cyberspace,
with the victim unaware of it occurring and with gigabytes of information transferred per
second at the flick of a finger. It is estimated that losses per year in cybercrimes amount
to billions of dollars.
Incidents of Cyber Attacks
International
	 One of the most recent cases involving computer security is the WikiLeaks case.
WikiLeaks is an international new media non-profit organization that publishes submissions
of otherwise unavailable documents from anonymous news sources and leaks. Within a
year of its launch, the site claimed a database that had grown to more than 1.2 million
documents.
	 WikiLeaks has won a number of awards, including the 2008 Economist magazine
New Media Award. In June 2009, WikiLeaks and Julian Assange won Amnesty International’s
UK Media Award (in the category “New Media”) for the 2008 publication of “Kenya: The
Cry of Blood – Extra Judicial Killings and Disappearances”, a report by the Kenya National
Commission on Human Rights about police killings in Kenya. In April 2010, WikiLeaks
posted video from a 2007 incident in which Iraqi civilians and journalists were killed by
U.S. forces, on a website called Collateral Murder. In July of the same year, WikiLeaks
released Afghan War Diary, a compilation of more than 76,900 documents about the War
in Afghanistan not previously available for public review. In October, the group released a
package of almost 400,000 documents called the Iraq War Logs in coordination with major
commercial media organisations. In November 2010, WikiLeaks began releasing U.S. State
Department diplomatic cables. The site is available on multiple online servers and different
domain names following a number of denial-of-service attacks and its severance from
different Domain Name System (DNS) providers (Wikipedia 2010).
	 Stuxnet is a Windows-specific computer worm first discovered in July 2010 by
VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies
on and reprograms industrial systems, the first to include a programmable logic controller
(PLC) rootkit, and the first to target critical industrial infrastructure. It was specifically
written to attack Supervisory Control And Data Acquisition (SCADA) systems used to
control and monitor industrial processes. Stuxnet includes the capability to reprogram the
PLCs and hide its changes.
	 The worm’s probable target is said to have been high value infrastructures in Iran
using Siemens control systems. According to news reports the infestation by this worm
might have damaged Iran’s nuclear facilities in Natanz and eventually delayed the start up
of Iran’s Bushehr Nuclear Power Plant. Although Siemens has stated that the worm has not
caused any damage, on November 29, Iran confirmed that its nuclear program had indeed
been damaged by Stuxnet.
	 Russian digital security company Kaspersky Labs released a statement that
described Stuxnet as “a working and fearsome prototype of a cyber-weapon that will lead
to the creation of a new arms race in the world.” Kevin Hogan, Senior Director of Security
Response at Symantec, noted that 60% of the infected computers worldwide were in Iran,
suggesting its industrial plants were the target. Kaspersky Labs concluded that the attacks
could only have been conducted “with nation-state support”, making Iran the first target
of real cyberwarfare (Saade 2010).
On April 1, 2001, an American EP-3E Aries II reconnaissance plane collided with
a Chinese F-8 fighter about 70 miles off the coast of China. The American plane made an emergency
landing at a Chinese airfield on Hainan Island while the Chinese jet and its pilot were lost at sea.
Tech-savvy Americans, angry over the detention of the EP-3 crew, expressed their outrage
by defacing or vandalizing at least sixty-five Chinese websites. In response, a group calling
itself Hackers Union of China, declared war on their American counterparts and took credit
for shutting down or altering multiple government websites. The hackers ended their war
after claiming to have hacked a thousand American websites (Creekman 2003).
Most prolific worms are suspected of being created in response to political events.
If maximum destruction is a hostile adversary’s goal, worms are a cost effective way to
disrupt information infrastructures.
Cyber attacks cause financial losses, theft of proprietary information, vandalism,
and loss of services, consumer confidence, and reputation. An appropriate response is
to increase research and development investment on information assurance as well as
engineering practices and protocols that limit damage from distributed attacks. International
cooperation and collaboration is critical.
In February 2000, some of the Internet’s most reliable sites were rendered nearly
unreachable by DDoS attacks. Yahoo took the first hit on February 7, 2000. In the next few
days, Buy.com, eBay, CNN, Amazon.com, ZDNet.com, E*Trade, and Excite were taken
down by DDoS attacks. Though damage estimates vary widely, the FBI estimates that the
companies suffered $1.7 billion in lost business and other damages. These intrusions are
of great concern to businesses and government. The theft of money, credit card numbers,
proprietary information, or sensitive government information can have devastating
consequences.
In 2001, a series of actions originating in Russia, collectively known as Moonlight
Maze, intruded into US government systems over a period of several years. The first attacks
were detected in March 1998 and hundreds of unclassified networks in the Pentagon,
Department of Energy, National Aeronautics and Space Administration (NASA) and other
defense contractors were compromised. Cyber attackers can employ sophisticated attack
tools and techniques to disrupt or compromise critical infrastructure systems in response
to a US and allied military strike during the war on terrorism (Cortes 2004).
	 In 1998, in order for US and NATO to bomb Serbian targets successfully in Kosovo,
the USA needed to hack into the Serbian air defense system and trick the Serbian Air Traffic
Controllers. The US accomplished its goal so well that there was concern about continuing
or escalating the attacks because the US didn’t want to hack into any further Serbian targets
because of fear of damaging civilian targets.
In 2007, the United States government suffered “an espionage Pearl Harbor” in
which an “unknown foreign power broke into all of the high tech agencies, all of the military
agencies, and downloaded terabytes of information.”
	 On May 17, 2007 Estonia came under cyber attack. The Estonian parliament, banks,
ministries, and media were targeted. The attackers went after their financial systems.
On March 28, 2009, a cyber spy network, dubbed GhostNet, using servers mainly
based in China tapped into high-value political and economic classified documents from
government and private organizations in 103 countries. Computer systems belonging to
embassies, foreign ministries and other government offices, including the computers of
Tibetan exiles, were compromised, but China denies the allegations.
In July 2009, there was a series of coordinated cyber attacks against major government,
news media, and financial websites in South Korea and the United States.
	 In December 2009, a cyber attack, dubbed Operation Aurora, was launched from
China against Google and over 20 other companies.
Domestic
In his study, Andolong (2009) stated that the Armed Forces of the Philippines
had experienced cyber attacks several times in the past. The Philippine Army website was
hacked and defaced in 2001 to embarrass the Army. Sometime in 2002, the computer of the
Intelligence Division of the Philippine Marine Corps was penetrated and data was stolen.
Again in 2009, certain computers at the Headquarters Philippine Navy were also attacked
and data stolen and corrupted. Due to the high level of secrecy in these cases, the type and
nature of data stolen were not made public. All in all, the PN website was hacked seven
times. Then on May 18, 2009, the Philippine Air Force website was hacked and defaced.
On December 7, 2010, the official website of the Philippine Army’s 4th Infantry
Division in Mindanao was hacked. The 4th Infantry Division website is one of nine that can
be found at the official website of the Philippine Army at http://www.army.mil.ph.
A computer virus dubbed the “Love Bug” forced email servers to shut down in
Europe and the US. The new virus originates in an email entitled “I love you.” Once the
attachment is launched, the virus sends copies of the same email to everybody listed in the
user’s address book. Anti-virus firm Symantec released an update to its software to combat
the virus, but warned computer users not to open any “I love you” messages. The email
said the company had reports from over 20 countries. The “Love Bug” epidemic exceeded
other viruses in both speed and destructiveness. The virus originated in the Philippines and
has been nicknamed the “Killer from Manila”. The culprit, Onel de Guzman, was found
but could not be prosecuted because the Philippines did not have laws against cyber crime.
This incident prompted the Philippines to change its laws (Cortes 2004).
In a September 2010 report, NICA stated the following:
1.	 From 2004 to 2006, the Philippine government website www.gov.ph was
defaced at least 4 times and National Transmission Corporation (TransCo) was penetrated
using a rootkit. In March 2009 the Department of Foreign Affairs was attacked and hacked
by a China-based cyber spy network called GhostNet.
2.	 And in the following years, more government websites were defaced. The
recent attacks victimized the following government agencies: Department of Health (DOH),
Technical Education and Skills Development Authority (TESDA), Philippine Regulatory
Commission (PRC), etc.
The NICA report further said that, based on the list of hacked domains, except for
some local talents, the attackers came from different countries (SYRIAN-HACKER, Persian
Boys Hacking Team, 1923 Turk, etc.). This only means one thing: international hackers
have already become very interested in probing our cyberspace and testing our cybersecurity
capability. We may feel confident that these attacks were purely web defacement and did
not harm any of our critical infrastructures; however, bear in mind that these are the
reported attacks. What about more sophisticated attacks? What if the attacker
did not want to be known and wanted to stay invisible so he could access the
system anytime he wants in the future? What if our critical infrastructures are already
compromised, and a backdoor has already been planted or an electronic time bomb has
already been installed and can easily be activated anytime by the attacker when an all-out
cyberwar erupts?
Military establishments also use computers for their command and control, weapon
systems and a variety of other uses. Military aircraft, ships, satellites, tanks and missiles
use computers. These make military websites and/or networks natural targets for hackers,
terrorists and intelligence services of other nations to penetrate and steal data.
The Armed Forces of the Philippines (AFP), even if not considered highly
technologically advanced, is not spared from this threat. With the Philippines facing two
insurgencies - the Communists and the Southern Philippines Secessionists Groups (SPSGs),
and its alliance with the much-targeted United States of America (USA), the threat of cyber
attack or cyberterrorism against the AFP is not remote.
With so much at stake, network security poses complex problems that reach into
new areas for national security and public policy. It is in this context that the AFP must be
prepared to prevent these cyber attacks and ensure the development of adequate capability
for its information security.
Statement of the Problem
The purpose of this study is to determine the current capability of the AFP against
cyber attacks and to recommend such measures as may be necessary to cope with the threat
of cyberwarfare. So far, the AFP personnel capability development for cybersecurity has
not yet been determined.
Objectives
General Objective: To assess the capability of the AFP to defend against cyber attacks
by looking at its personnel development/training program for cyber warfare.
Specific objectives:
1.	 To determine the existing laws, military doctrines, and other AFP policies related
to cyber security.
2.	 To determine the existing Communications, Electronics and Information Systems
Service Armed Forces of the Philippines (CEISSAFP) training program in relation
to cyber security preparedness.
3.	 To determine the AFP personnel cybersecurity preparedness capability versus ISO
27001 standards.
4.	 To propose an AFP unit for cybersecurity in accordance with ISO 27001 in terms of
skill manning which is the current best practice in the private sector.
5.	 To determine from the Subject Matter Experts’ perspective what are the things that
still need to be done by the AFP to achieve cyber security preparedness.
Significance of the Study
The significance of the study will be:
1.	 By assessing the skills, training and capabilities of personnel vis a vis their
duration in the CEIS units, profiling can be done. Gaps in the required skills
can be addressed by training which can be included in planning.
2.	 Likewise, the right skill/knowledge mix in every unit will be identified.
3.	 Recruitment or return to unit (RTU) of personnel to their mother unit/major
services by GHQ AFP will be based on the skills; likewise, retention of personnel
in the major services will also be based on the required skills.
4.	 The study will enhance personnel management. The importance of
correct planning for training and for rotation/retention of personnel in GHQ/
major services will be highlighted.
5.	 The study intends to enhance AFP existing plans and projects for cyberterrorism
preparedness by submitting the result of the study to the Department of National
Defense for possible policy making.	
Scope and Limitations
The study focused on personnel in GHQ AFP and CEIS units specifically assigned
as computer encoders or to computer maintenance, because the information in these units
is highly classified compared to subordinate units and requires higher security clearance.
Their skills and knowledge were assessed using ISO 27001 as the standard and their
skills at entry level were determined.
The study focused on the skills/training of the organic personnel of CEISSAFP
(GHQ), Army Signal Regiment (PA), NCEISC (PN) and 950th CEISS (PAF), the AFP units
involved in cyber security and AFP personnel who took Information Technology (IT) related
courses/training conducted by these units in the last three (3) years (2008-2011).
	
Due to the security and sensitivity of some of the data and the necessity of experts’ views,
data collection will be done through surveys and interviews and secondary data from offices
and units of the AFP involved in Information Technology security and also from private IT
practitioners.
Data analysis will be done using percentages and proportions of personnel with
skills and knowledge based on the types of training/courses undertaken. Likewise, the same
was applied to the proportion of personnel by unit assignment in relation to their training and
skills on cybersecurity preparedness.
Summary, Conclusions and Recommendations
Summary
	
The study focused on the AFP CEISS personnel capability for cybersecurity
preparedness. The study started by reviewing RA 8792, also known as the E-Commerce Act,
which is the only law enacted by the Congress of the Philippines related to cybersecurity. It
is always important to have a legal mandate for every AFP action. The study also looked into
the AFP regulations, SOPs and letter directives to see if the AFP is giving proper guidance
to its personnel pertaining to cybersecurity of its internet network and facilities.
The study then gathered data on the skills/training of AFP personnel assigned in
CEISS units, from CEISSAFP down to the major services. Data on AFP personnel who had
undergone IT related training/seminars from CEISS units and outside institutions for the
last three years (2008–2011) were also gathered. These were tabulated to form a database
of AFP IT trained/skilled personnel.
These skills or AFP personnel capability for cybersecurity were then compared to ISO
27001 standards, which are the best minimum practice of private IT corporations, to establish
whether the AFP personnel skills/training were on par with the ISO 27001 standards.
Then an ISO 27000 compliant AFP unit dedicated to cyberwarfare/security was
proposed. The skills/training required by each position was then matched with the inventory
of AFP personnel with IT training to get a better perspective of the status of training being
acquired by AFP personnel compared to the requirements as per ISO 27000 standards.
Finally, Subject Matter Expert’s opinion both from the AFP and private sector were
taken to have better understanding of the stakeholders’ idea of what are still to be done by
the AFP to attain respectable cybersecurity preparedness.
Conclusions
The following are the conclusions of the study:
1. The Philippines lacks laws relating to cybercrimes. Only one (1) law
related to cybersecurity was found in the conduct of the study. RA 8792, better
known as the E-Commerce Law, is the only enacted law relating to cybercrimes. It legally
recognizes the use of electronic documents in both public and private transactions. Although
it penalizes electronic fraud, hacking, cracking/defacing, piracy and internet pornography,
it is really more concerned with banking transactions using the internet. RA 8792 has no
provisions for cyberespionage, cyberterrorism and other serious cybercrimes.
The AFP needs to formulate its own doctrine for cybersecurity preparedness.
Although the AFP has released regulations, SOPs and letter directives giving guidance
to its personnel on cybersecurity, a doctrine will consolidate all these guidelines into one
manual for easy reference of the AFP CEISS personnel.
2. The AFP CEISS training program in relation to cybersecurity preparedness
consists mostly of basic training/seminars. These trainings are tailored for ordinary office work like
encoding, preparation of briefings and making databases. Standard trainings are rarely held
and advanced training is not available at CEISS units. AFP CEISS personnel have to enroll
in colleges, universities and other learning institutions for advanced training/courses.
3. The AFP personnel cybersecurity preparedness capability failed the ISO 27001
standards test due to a lack of qualified personnel with advanced training. The training being
offered by CEISS units to AFP personnel is not attuned to the fast-paced development in
IT. Since ISO 27001 is the best minimum requirement for IT corporations, the AFP must
pass the said standard. It is not only a matter of qualifying for ISO compliance but, more importantly,
of filling the AFP's own requirement for IT-skilled personnel.
4. If an AFP unit for cybersecurity is created and manned in accordance
with ISO 27001 in terms of skill, a few positions requiring advanced training will be left
vacant. Although all the officers' positions will be filled and the EP/civilian positions
will be 93% filled, the few vacant positions requiring advanced training are critical to
the smooth and proper operation of the unit.
5. The Subject Matter Experts' opinions on what the AFP still
needs to do to achieve cybersecurity validated the document research and the
results of the survey. The points raised by the experts are the following: a) Enactment of
laws covering cybercrimes and crafting an AFP doctrine on cybersecurity operations, b)
The need for a continuous program of advanced training of its IT personnel to keep abreast
of the fast development in this field and c) Creation of an AFP cyber warfare unit.
Recommendations
1. The AFP must work together with other government agencies, private IT
companies and other stakeholders to support the enactment of stricter laws to prevent
and curb cybercrimes such as cyber terrorism and cyber espionage. There will be no
crime committed if there is no law against cyber espionage and cyber terrorism. Nobody
can arrest and prosecute hackers and other cyber criminals.
The AFP must also craft its own cybersecurity doctrine to guide its CEISS
personnel in its cybersecurity operations. Although there are other AFP policies which
give guidelines in cybersecurity preparedness, the creation of a doctrine will integrate all
these guidelines into a single paper for easy reference during cybersecurity operations.
2. More standard and advanced training must be programmed and offered to
CEISS personnel. Training and the experience required to become an IT specialist will mean
investment in terms of money, time and personnel. The AFP must start now to develop its
own personnel in terms of the advanced courses and skills required for the positions needed in
the creation of a cybersecurity unit of the AFP.
3. All CEISS units of the AFP must study and implement solutions, renovations
and improvements to their training programs in order to comply with personnel capability
development which is compliant with ISO 27001. Adherence to ISO 27001 standards will give
uniformity to all the CEISS operations, thereby ensuring a smooth working interrelationship
between GHQ and the major services.
4. Creation of a Cybersecurity Command under GHQ, AFP with the personnel
positions as shown in Tables 24-27 (Manning Diagram). The lack of current personnel
with advanced training can be remedied by:
a.	 Call to Active Duty (CAD) of IT expert practitioners from the private sector.
b.	 Use of affiliated reserve units from telecom companies and other IT-related
private business firms for the development of cybersecurity preparedness of
the AFP. A strict security clearance process must, however, be observed.
c.	 Recruit personnel who are graduates of BSEE, BSCEE, BS Computer Science,
BSIT and other IT-related courses and send these young personnel for further
studies in IT fields for future manning of cybersecurity units and offices of the
AFP and the Department of Defense.
d.	 Consider the establishment of a Cyber Center for the Department of National
Defense, possibly as an added capability of the NDCP.
5. Support the creation of a national body that will serve as the focal point of all
activities/initiatives by stakeholders to achieve cybersecurity. A national cybersecurity committee
must take charge of all activities/initiatives on cybersecurity to avoid duplication and to
have better cooperation among all the stakeholders. It will also ensure prompt action
during cyber attacks and fast dissemination of warnings and/or solutions to all stakeholders
regarding such attacks.
# # #
MNSA Thesis (Abridged)
The Effects of the Internet Age on
National Identity and National Security
Nathaniel Ordasa Marquez, MNSA
Regular Class 46
Abstract
This study, which is exploratory and descriptive in nature, aimed to bring into focus the effect
of the Internet age on national identity and its implication on national security. It is exploratory in
nature and it answers the research hypothesis: “Does the Internet Age affect the development of the
National Identity of a country?” The research seeks to answer the following questions:
Who are the Filipino users today? Who are the users of the Internet and what are they doing in the
Internet? What are the levels of maturity and advancement of their usage? How are they using the
Internet? What are the Internet drivers that affect National Identity? What are the social structure
and cultural values of Filipinos that are affected by the Internet? How can the government participate
in the race for information and drive the national interest to the citizenry through this medium? And
what are the implications of an Internet-influenced Identity for National Security?
The answer on the demographics of Filipino users focused on the exploratory data of the
trendsetter group, the Knowledge and Social users of the Internet. Among the recommendations derived
from this study was to establish an inter-agency committee with multi-sectoral participation tasked to
create the Philippine Strategic Information Management Campaign Plan to be led by the Department
of Science and Technology under the newly reorganized Office of the Information Communication
Technology in coordination with the National Commission for Culture and the Arts.
Background
Information pervades our daily life. We don’t even mind if the information we take
in is for good or not. The exposure of the citizenry to Quad Media – from the traditional
Television, Radio and Print to the now dominant and fastest growing medium that is the
Internet — presents a lot of questions and challenges that we must face in this Age of
Information, where “the one who holds, controls and keeps the information is king.”
He who controls information and captures the mindshare of the greater populace,
now with a very thin line separating global, regional and national information, can directly
affect and influence an individual’s identity and how he contributes to a nation’s sovereignty.
Studies have been made, and even earlier philosophical statements put forward, about the Information
Age, in which the one who controls information is the one who wields the power.
Globalization has forced countries to adopt information technology (IT) to enable
and strengthen governance, public service, defense and security, as well as the financial
mover (commerce and economic trade) in order to address the demands and interests of
their stakeholders. As we embrace the latest technology, we enjoy the benefits innovation
brings. However, in the process of using it, we sometimes ignore one fact — that we are
exposing ourselves to new and unforeseen threats, possible abuse and exploitation. If we
simply ignore these threats, the impact of technology on the citizenry can have an effect on
the nation’s sense of nationalism, therefore compromising the socio-cultural sovereignty
of an independent state. As countries jump into the “Global Village” created by the Internet,
physical boundaries are no longer a hindrance in communication and collaboration of virtual
societies. Therefore, Internet technologies are enablers for humanity to embrace and join
the global community. In his book Understanding Media (1964), Marshall McLuhan stated:
“Today, after more than a century of electric technology, we have extended our central nervous
system itself in a global embrace, abolishing both space and time as far as our planet is concerned.”
He emphasized that with the enhanced speed of communication online and the ability of
people to read about, spread, and react to global news very rapidly, the Internet forces us
to become more involved with one another from countries around the world and be more
aware of our global responsibilities.
Access to global information is already available at the fingertips of almost
everybody; the growth of pervasive devices that can connect to the Internet is exponential,
and communication technology, whether wired or wireless, is reaching out to the farthest ends
of the archipelago and has become affordable to the masses. Pretty soon the whole country
will be interconnected and there is no stopping this phenomenon from happening. We are
all moving to an Information Network Society, forming new sociological structures within
the context of culture.
Information Age versus the Internet Age
The industrial revolution started during the period of the 18th and 19th century,
when industries such as manufacturing and distribution, transportation and mining as well
as modern agriculture started booming. This started from the first world countries, which
were competing with each other industrially or responding to the demands of the outbreak of
war. After the era of industrialization came the age of information. The information age
is also known as the digital age, the computer age, or the information era. The theme of
this era is the time when machineries are no longer just used as simple automation tools
or equipment.
These simple industrial tools have evolved into machines called computers with
the primary purpose of storing, processing and manipulating information and harnessing
knowledge for people to communicate information or data faster and more efficiently. It
is a radical shift from the industrial revolution to the concept of digital information in the
modern economy.
The Information era can be divided into two phases of evolution: the Information
Age and the Internet Age. The early part of the information era was dominated by proprietary
technologies from different providers, and different network protocols were still being used.
The information age was all about the traditional servers, host-centric and stand-alone
computing systems mostly used by top corporations and large government establishments
during that era. The new phenomenon started with the entry of a global interconnectivity
protocol – the Internet.
The Internet was originally conceived as a fail-proof interconnectivity protocol for
defense and education purposes. It was designed similar to the concept of the spider web,
where the system links information in a web-like fashion and where if one strand were cut,
the other web on the network would continue to support the system. That is why they refer to
the Internet as the World Wide Web, where the availability of information is persistent.
The Defense Advanced Research Projects Agency (DARPA), an agency of the
United States Department of Defense, the inventor of the Internet, has been using the initial
application of mail and file exchange on the system since 1969. But it was when British
scientist Tim Berners-Lee invented the World Wide Web (WWW) in 1991 that the Internet
became the global protocol and the Internet Age phenomenon began. (“A brief history of
Cyberspace”– www.zdnet.com/products/vrmluser/perspectives/mp.history.html)
The Global Protocol - TCP/IP (Transmission Control Protocol/Internet Protocol)
is a model of computer network communication standards that describes a set of general
design guidelines and implementations of specific networking protocols or what they call
“Common Language” to enable computers to communicate over a single network, however
big or small. (www.wikipedia.org)
With the coming of a global protocol and a global language, the phenomenon
accelerated and evolved at tremendous speed. From 16 million users in December of 1995 to
458 million in March of 2001 to a tremendous 1.5 billion Internet users worldwide in January
of 2009, its expansion is even faster than human population growth. In his presentation
last Oct. 4 – 7, 2010, Richard C. (Dick) Schaeffer, Jr. of Riverbank Associates, LLC, supported
by W.D. Sincoskie, Telcordia Technologies, predicted the number of Internet hosts would
definitely exceed the human population. The estimated number of Internet hosts will be more
than 10 billion by 2015.
Dr. Virginia Watson, PhD, from the Asia-Pacific Center for Security Studies, also
supported this statement during her roundtable discussion at the National Defense College
of the Philippines, where she stated that, “By the year 2012 to 2015 timeframe – ‘Cities of
Information’ will out-populate ‘Cities of People.’ Wherein the new problem setting is now at the time
of network convergence, which defines cyberspace as an era, which promises economic prosperity but
however presents a great threat in the concern on privacy and civil liberties, public safety and law
enforcement and the greater concern on national security of the country vis-a-vis the world.”
In the Philippines, according to the National Telecommunications Commission,
Internet Service Providers (ISPs) reported only a conservative 4.3 million users in 2010, but
this figure can easily be disputed because of the absence of a true subscriber record system
especially in the prepaid marketing.
However, if you take the number of mobile phones that already have Internet access
via mobile Internet or wireless hotspots, the total can be doubled or tripled. The Internet
today has evolved from a simple means of information connectivity to become the largest
form of media. It has even surpassed the capability of traditional information channels and
is now the new battleground for information dominance.
Statement of the Problem
The research seeks to understand the trends and possible scenarios in
the Internet Age, and to define the variables of the use of the Internet and its effects on an individual’s
state of mind, its effect on the overall state of National Identity and the potential impact
on a country’s sovereignty.
a. Who are the Filipino users today?
·	 Who are the users of the Internet and what are they doing in the Internet?
·	 What are the levels of maturity and advancements of their usage?
·	 How are they using the Internet?
b. 	 What are the Internet drivers that affect National Identity?
c. 	 What are the social structure and cultural values of Filipinos that are affected by the
Internet?
d. 	 How can the government participate in the race for information and drive the
national interest to the citizenry through this medium?
e. 	 What are the implications of an Internet-influenced Identity to National Security?
Objectives
1.	 To determine the socio-demographic characteristics of Filipinos exposed to the use
of the Internet
2.	 To determine the level of use of Filipinos & the type of application and information
they access in the Internet
3.	 To compare the Filipino Identity in the different eras and how they have changed
in the era of the Internet Age
4.	 To explore the different Filipino socio-cultural traits that will be affected by the
Internet
5.	 To define National Identity in the Internet Age and determine the level of awareness
of its effects to National Security.
Scope and Delimitation of the Study
This study focuses only on the Internet as the convergent and most diversified
source of information. With the developments in information technology, all media
of information, whether television, radio, movies and videos, telephony and even social
networks, are now all available on the Internet.
As much as I would like to expound on the realm of Information Operation as the
new theater in the Information Age and expound on various threats in Cyberspace,
this study primarily focused on social trends and phenomena in the areas of knowledge
management and primarily on social capital in the interest of national security. Strategic
Information Operation in the Internet Age is proposed for future studies.
Due to the limited time provided, this study focuses only on the knowledge workers
and social users of the National Capital Region, the trendsetter and fastest growing users
of the Philippines because of their pervasive access to Internet connectivity and online
information, and whose line of work is related to the use of information technology.
Significance of the Study
This study is relevant and significant because it serves to create awareness that in the
Age of the Internet, where a country’s national identity is at risk because of the humongous
amount of information that can invade the minds of its citizenry, the state should not take
this phenomenon sitting down. This study presents the current trends in social networking
and its effect on the society’s culture and traditions.
This research forms part of my research with regard to the impact of the Internet
Age on the global society and how it can directly affect the country’s identity and national
security. This research is presented as a reference for policy formulation on national information
management as well as for the national information security policies, capitalizing on the
power and potential of the Internet to forward the interests of the country.
Assumptions
This research assumed that Internet trends in the next five years will not deviate
much, no disruptive technology will happen and the current trends on social networking
will still be the major driver for information campaigns in the Internet regardless of whatever
communication channels or technology is made available in the market.
Summary, Conclusions and Recommendations
Summary
In this study, the delineation of the Information Age and the Internet Age was
defined. The Information Age is the era after the industrial revolution, which started around
1970 and is highlighted by the abundant publication, consumption and manipulation
of information brought about by tri-media, especially when it was sped up by industrial
machinery, first generation proprietary computing platforms and islands of computer
networks. The Internet Age is the umbrella term of the 21st century, marked from the time
TCP/IP became the global protocol for interconnectivity, which paved the way for information
to travel around the world and be made available to more countries than ever before. It is also
characterized by high-speed communications and the convergence of computers and consumer
electronics such as wireless devices.
Surveys were conducted among knowledge workers and social users of the Internet
in the National Capital Region – the pioneering region in Internet adoption. Two social
classes were determined to simulate the scenario of advanced and casual users so we can
map out their different perceptions and opinions on whether the drivers on the Internet indeed affect
their individual identities.
Internet users in the NCR are mostly in the age bracket of 15 – 45 years old, have
pervasive access to the Internet via wireless/wired broadband, Wi-Fi, from home and
office, and even from public areas via Internet cafés or mobile phone Internet access. They
go online daily and will not let the week pass without checking in online. Some users even
have the connected syndrome, which means they want to be online all the time so they
can receive real-time updates from social network posts and blogs. Filipino Internet users
today go online to communicate and collaborate with family, friends and colleagues. They
also perform research on personal interests, employment opportunities and school/work-
related information. They also find news and current events from websites, social networks
and blogs, which they deem credible. They also go online for entertainment, games and
shopping as part of their regular social life.
When collaborating online, Filipino Internet users prefer using free email and
collaboration services such as Google, Skype and Yahoo’s free email, chat, search engine,
video and voice services. The Internet has become the primary connecting and communication
medium of the Global Filipino – our new heroes, the OFWs. Filipino Internet users who are
looking for entertainment online prefer playing single-player games and Massive Multiplayer
Online Role Playing Games (MMORPG), and still enjoy online music, videos and sports-related
information.
The average Filipino Internet user has three to four online identities, such as email
addresses, online accounts and membership in social networks. Surprisingly, some users
claim to have only two to three true identities leaving some accounts fictitious or private
aliases. From a target audience perspective, the online community population can actually
be bloated, because some of the users may have one to two accounts per social network.
Similar to the demographics of the mobile phone subscriber in the Philippines, most have
two to three phone numbers already simply to avoid the high cost of interconnectivity.
Some of the top social networking sites used by Filipino Internet users are Facebook,
Friendster, Twitter, LinkedIn and Multiply. The products and services that Filipinos prefer to
buy online are airfare, hotel accommodation, technology products and personal
accessories.
The Internet poses threats to national security when it is used as an instrument for
information propaganda. In this day and age, the war is already in the battle of the minds
and not in conventional warfare. All stakeholders on the Internet are after pushing forward
their interests, which can have an impact on all aspects of national security. A typical scenario
is the political situation of the Arab countries fighting for liberty and democracy; social
media was able to indirectly influence their citizens, sparking a series of revolts in
their aspiration to adopt democracy. Therefore, for the state, the Internet is a critical driver
and issue for governance, since the state cannot regulate, monitor or even control access
to information. The best way to address this is for politicians to use the Internet to their
advantage, whether in governance or propaganda, so they can manage their constituents
toward a common goal.
The majority of Filipino Internet users believe that there is a developing social culture
in online communities on the Internet. In fact, when asked if the Internet has affected their
social and personal identities, the majority said yes. To put this answer to the test,
several perception indexes were included in the survey. Filipinos nowadays are conforming
to global time, or what they call Internet time, rather than the usual Filipino time. They
have never lost the character of being helpful, even online; the concept of “Bayanihan” is
alive and kicking on websites. However, social media is taking over our character of
“Delicadeza”, or taste in manners, and has also made our self-esteem stronger. The Filipino
character of “Carinoso” lives on even with the adoption of the global language and
with information publication now within anybody’s reach. Filipinos mostly use
emoticons and “Jejemons” to put some tone of feeling into their online communication.
All these characters, exercised on various social networks in connecting with family,
friends and colleagues, form part of the Filipino’s social life despite the absence of physical
interaction.
Although the Internet is a great driver for socio-cultural, economic and political
developments, it also implies threats and problems in these national security dimensions.
Among these is the management of human resources and capital. When the country
decided to jump on the bandwagon of globalization, there began an unending
cycle of searching for competitive knowledge and skills training in order to compete in a global
market. Filipinos need to find their niche in the global workforce requirement pool, which is
why eServices will be the best way for the country to capitalize on the wide knowledge
capital it has.
Economic threats are still in the area of IT security operations. There is a need for
technology to support development in industries and to create the spark that will kick-start
stakeholders to become competitive players in the global market. These trends are clearly
happening and are seen in the global shift to knowledge-based services such as
business process outsourcing. A more dynamic, transparent and accountable political
leadership will definitely be the key to all of this strategy. eGovernance is the best way
forward in order to seamlessly manage the complex bureaucracy; this strategy is the
integration factor for both private and public stakeholders, so we can align to a common
goal, serving the national interest at all times.
In summary, the drivers and variables presented in this study’s conceptual
framework will affect the development of the Filipino Identity and have great
implications to National Security. Socio-cultural cohesion is the key in bonding together
a country that is now borderless in the sphere of the Internet. The Filipino family values
should be enhanced and protected with the use of the social media. Moral and spiritual
molding and “mind-formatting” strategies should be more effective in creative marketing
since you are competing with tremendous information on the web. Education should be
enhanced with creative learning styles by using new forms of media sources available online.
Increasing penetration of access to the Internet is not enough.
The educational system should change from standard fixed-curriculum programs
to education formatting – filtering information from scholarly and SME sources and
allowing the students to explore and expound more in creating knowledge out of this
online-information-guided education format. The government should capitalize on the economic
potential of the Internet by promoting online entrepreneurship attuned to both local and
global culture. The government should increase the adoption of technology to provide
online transparency in governance to foster accountability in the political leadership. All
of these factors will affect all aspects of National Security; thus increased adoption is
recommended, yet all safeguards to protect our National Identity should be in place.
Conclusions
a.	 The National Capital Region is actively using the Internet in collaborating,
commerce, social and economic activities, as well as in politics and education. The
demand for real-time information is increasing and will drive the development
of the services, commerce and infrastructure development of the country. There
are threats and benefits in the areas of socio-cultural, techno-scientific, economic,
politics and security dimensions of the nation.
b. Though the positive potentials and wide acceptance of the Internet seem to outweigh
the threats presented, Internet users still need to be aware of the operational risks
and security threats of getting on the Internet. Users need to remain vigilant and
should actively challenge information they receive because on a greater scale it is
hard to have a country with citizens with questionable allegiance since their minds
are Internet-influenced.
c. 	 Throughout time, the Filipino core characters have been resilient to radical
change. Filipinos have survived and have adapted to change in different eras of
our history. Along the way, the Filipino picks up and develops new characteristics, culture,
language and beliefs. The greatest challenge now is the preservation and the passing
on of the positive characteristics, particularly in the era of the Internet, where
interpersonal relations are replaced with virtual interactions.
d. 	 There is still a continuous threat of personal identification theft, violation of rights
to privacy as well as other online criminal activities. This also includes operational
threats such as viruses, phishing, hacking and cyber attacks. The greater risk is the
risk of unknown propaganda and manipulated information, or what is sometimes
called psychological warfare.
e. 	 Based on a review of related literature and laws, the bureaucracy is not aligned or
ready to implement a full nationwide information and communication management
and technology enablement plan. Different charters are scattered around the
bureaucracy and the missions of these government agencies have been outgrown
over time. They need to be attuned to the new Age of the Internet
and should be Globalization Ready.
f. 	 There is a need to change the view of the Filipino on how to value information and
communication management. Strategic information is vital in making strategic
decisions and should therefore be the alter ego of the political leadership. Policies need
to be aligned and the bureaucracy streamlined and reorganized; once properly
planned and aligned to a strategic direction, that strategy should become the beacon
that our political leadership and the rest of the country follow.
Recommendations
1.	 Creation of an inter-agency committee with multi-sectorial participation tasked to
create the Philippine Strategic Information Management Campaign Plan to be led by
the Department of Science and Technology under the newly reorganized Office of the
Information Communication Technology in coordination with the National Commission
for Culture and the Arts. The Philippine Strategic Information Management Campaign
Plan will include, but not be limited to, the following objectives:
a) 	 a more thorough and in-depth study of the anthropological history of the
Filipino Identity and its current cultural definition in modern times;
b) 	 a visioning exercise that will determine where we want to drive the mindset of
our people in the Internet Age by capitalizing on the power of social media and
tri-media, which has a perfect cultural fit;
c) 	 an operational plan that will orchestrate and align the programs of the
bureaucracy in developing the drivers that affect national identity such as
technology-enabled education, cultural integration and cohesion, moral and
spiritual values, transparent political governance and stronger family relations.
Through this campaign plan, a strategic direction will be derived that will help
rationalize overlapping functions of the bureaucracy towards the achievement of a
common goal.
2.	 Stakeholders from the legislative and executive branches, together with private and other multi-
sectoral groups, should work on a policy that will promote the use of information
management as a strategy enabler for the clear definition of the Filipino National Identity,
attuned to the times, with a clear vision of where we want to go as a people, that will
form the backbone of our national development efforts. Safeguards should also be
in place for the protection of identity and privacy, proactive information management,
responsible social communication in social media, adoption of industry standard security
practices and policies for the promotion of security consciousness, awareness and self-
protection.
3.	 The NDCP may consider in its Masters in National Security Administration
curriculum a separate module or sub-module under Techno-Scientific Dimension –
“Strategic Information Management.” Another module name can be Information and
Communication Management. This module will include an executive overview on the
use of Information Management, Information and Communication Technology, Strategic
Communication and Executive Decision Making.
# # #
Bibliography
Books
Abinales, Patricio N. (2005). State and Society in the Philippines. Manila: Anvil
Publishing.
Clawell, James. (1983). The Art of War: SunTzu. Concord, CA: Delta Books.
Constantino, Renato. (2000). Identity and Consciousness: The Philippine Experience. New
York: Monthly Review Press. (Original work published in 1975)
Cross, R & Israelit, S. (2000). Strategic Learning in a Knowledge Economy: Individual,
Collective and Organizational Learning Process. Boston, USA: Butterworth –
Heinemann.
Disini Jr., J.M. (2000). The Electronic Commerce Act – The Rules on Electronic Evidence.
Manila: Philippine Exporters Confederation, Inc.
Friedman, T. (2005). The World is Flat. Farrar, Straus & Giroux.
Gladwell, M. (2000). The Tipping Point: How Little Things Can Make a Big Difference. New
York: Little Brown Publishing.
Jocano, F.L. (1998). Filipino Social Organization – Traditional Kinship and Family
Organization. Series - Anthropology of the Filipino People III. Metro Manila, Philippines:
Punlad Research House.
Jocano, F.L. (1998). Towards Developing a Filipino Corporate Culture. Metro Manila,
Philippines: Punlad Research House.
Lesser, E. L. (2000). Knowledge and Social Capital – Foundations and Applications. Boston,
USA: Butterworth – Heinemann.
McLuhan, M. (1964). Understanding Media. Corte Madera, CA: Gingko Press.
Price, M. E. (1995). Television, The Public Sphere and National Identity. Oxford: Clarendon
Press.
Romana-Cruz, N. S. (1997). You know you’re a Filipino if: A pinoy primer. Metro Manila:
Tahanan Books.
Toffler, A. & Toffler, H. (1995). War and Anti-War. New York: Warner Books.
Thesis
Andalong, A. R. (2009). An Exploratory Study of the AFP Cyber Warfare Experience:
Initial Lessons Learned. Unpublished Master’s Thesis. National Defense College of
the Philippines.
Cantos III, A. G. (2008). Improving Employability of Information Technology Workers
in Metro Manila. Unpublished Master’s Thesis. National Defense College of the
Philippines.
Purugganan, A. A. (2001) Protecting the Philippine Cyberspace, Design Elements for a
National Security Plan. Unpublished Master’s Thesis. National Defense College of the
Philippines.
Torresyap, S. P. (2000) An Assessment of the Internet Use in Metro Manila and its Implications
for National Security. Unpublished Master’s Thesis. National Defense College of the
Philippines.
Veloso-Zapanta, A. E. (2007) The Role of Television News Media in the Conflict Between the
Government of the Republic of the Philippines and The CPP/NPA/NDF. Unpublished
Master’s Thesis. National Defense College of the Philippines.
Wee, D. G. (2008) A Comparative Study of the DND and CPP Website: Internet-Based
Communication As a Tool To Enhance National Security. Unpublished Master’s Thesis.
National Defense College of the Philippines.
Presentations
Watson, V. (2010, November 17). Science, Technology and Security. Lecture presented in
NDCP Roundtable, CGEA, Quezon City.
Schaeffer, R. Jr. (2010, October 4-7) The Interface of Science, Technology and Security by
Riverbank Associates, LLC
Ojeda, N. Jr. (2010, June 15) DND Information Management Concepts, DND, CGEA, Quezon
City
Ojeda, N. Jr. (2010, July 7) Securing Cyberspace: Issues and Challenges. Nanyang Technology
University, Singapore
Estrada-Claudio, S. (2011, February 4). Filipino Identity, Personality and Relationships: A
Gender Analysis. Lecture presented to Regular Class 46 of Masters in National Security
Administration, National Defense College of Philippines, Camp Aguinaldo, Quezon
City.
Online Journals
Jolly, R. and Ray, D. B. (2006). The Human Security Framework and National Human
Development Reports. United Nations Development Programme. Retrieved on 8
July 2011. http://hdr.undp.org/docs/nhdr/thematic_reviews/Human_Security_Guidance_Note.pdf
Cameron, K. (2005). The Laws of Identity. Washington: Microsoft Corporation. Retrieved on
10 July 2011. http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf
McKay, D. (2010). On the Face of Facebook: Historical Images and Personhood in Filipino
Social Networking. History and Anthropology, Vol 21, No. 4, December 2010, pp 479 –
498. Retrieved on 22 January 2011. http://dx.doi.org/10.1080/02757206.2010.522311
Legal References
Office of the President of the Philippines. (2011). Executive Order No. 47 - Reorganizing,
renaming and transferring the Commission on Information and Communications
Technology and its attached agencies to the Department of Science and Technology.
Manila: Malacañang Palace.
Office of the President of the Philippines. (2004). Executive Order No. 334 – Abolishing
the Information Technology and Electronic Commerce Council and transferring its
budget, assets, personnel, programs and projects to the Commission on Information
and Communication Technology. Manila: Malacañang Palace.
Office of the President of the Philippines. (2004). Executive Order No. 268 – Creating the
Commission on Information and Communications Technology. Manila: Malacañang
Palace.
Office of the President of the Philippines. (1992). Republic Act No. 7356 – An act creating
the National Commission for Culture and the Arts, establishing a National Endowment
Fund for Culture and the Arts, and for other purpose. Manila: Malacañang Palace.
MNSA Thesis (Abridged)
Electronics Security System of Universal Banks
in the Philippines: An Assessment
Engr. Rodrigo I. Espina, Jr. MNSA
Regular Class 46
Abstract
This study determines the current and emerging cyber crimes affecting the universal banks
in the Philippines and the preparedness of the banking system in addressing the frauds and threats.
Primarily, the following questions were asked: What are the current and emerging crimes experienced
by universal banks in the Philippines? How prepared are universal banks for these evolving threats?
What are the best practices in electronic banking by universal banks in the Philippines and the specific
strategies and solutions they employ to fight fraud? What is the extent of the universal banking sector’s
compliance with regulations of the Bangko Sentral ng Pilipinas (BSP)? In answering the aforementioned
problems, the study employed a mixed method of analysis, which includes a survey among the current
universal banks in the country, interviews of key informants and document validations.
The study concludes that the biggest hindrance to properly addressing cyber threats and frauds
is attributed not primarily to the absence of banking regulations and/or policies but more to the
hesitance of the banks to cooperate with proper authorities, especially in reporting cybercrime incidents,
because of reputational risks. Considering the dramatic developments in information technologies,
the study underscored an urgent need for the Philippine legislature to create laws that would address
the new and difficult challenges presented by such developments, particularly to prohibit computer
crimes and outline appropriate punishments for those crimes. Any lapses in electronics security
management will severely expose the banks to risks and vulnerabilities which can lead to the collapse
of the banking sector, which would be a huge setback to the already struggling economy of the nation.
The Problem
	 Many banks have established a presence on the Internet using web technologies,
providing customers with the opportunity of performing interactive retail banking
transactions (Aladwani, 2001), round-the-clock availability, ease of transactions, and
avoidance of queues and restrictive branch operating hours (Khalfan et al., 2006; Almogbil,
2005). Overall customer satisfaction in this type of banking through electronic channels,
sometimes referred to as “e-banking,” or a virtual bank without visiting a building
(International Business Management, 2010) or a brick and mortar institution (Jimenez and
Roman, 2006), has resulted in an upsurge of online bankers worldwide, increasing by 39
percent in the Philippines for the period January 2010 to January 2011 from 377,000 to 525,000
(comScore, 2011).
	 Along with the rapid diffusion of the Internet and the convenience it brought
to the banking and financial services industry, however, came various schemes of bank
fraud committed through identity theft, hacking of bank information and defacing of large
banking corporation websites. CyberCrimesPhilippines.org in 2009 announced that 47 “gov.ph”
websites of local government units in the Philippines were defaced by Arabian hackers.
With the number of cyber crimes constantly rising worldwide and breaching national
borders, banking institutions dash to combat attendant problems. Ironically, though, the
established banking institutions are the most vulnerable considering that they are the ones
who have made huge investments in security management systems and technology that
are now rendered almost useless as they are very quickly outmoded.
Tens of millions of dollars are being stolen from corporate bank accounts every
month by cyber criminals, but the victims are largely reluctant to acknowledge the scope
of the problem (InformationWeek, 2009). Global crime in cyberspace is going up and the
overall number of attacks is growing substantially. According to Symantec, in 2008 there
were almost 1.7 million new malicious code threats, 2-3 times more than in 2007 and almost
12 times more than in 2006. Businesses have now moved to a world of international criminal
networks. The threat has been increasing, and the financial and national security implications
are increasingly serious.
	 In May 2009, a survey by Actimize found that 81% of financial services organizations
expect an increase over the next year in ATM/debit card fraud. A Verizon study found
that computer hackers stole more sensitive records in 2009 than in the previous four years
combined, with ATM cards and PIN information growing in popularity. Organized criminal
groups orchestrated nine in 10 of the most successful attacks, with 93% of the records
exposed coming from the financial sector. Symantec, McAfee, and Trend Micro are the world
leaders in providing the highest levels of security to business customers. Zeus and Clampi
botnets, which steal online account credentials with a focus on bank accounts, have gained
in size and strength in recent months. Cheap ($700) and easy-to-use toolkits that hackers
can purchase to control botnets are widely available online
(http://www.actimize.com/index.aspx?page=news196). In 2008 alone, industry estimates of loss
from intellectual property data theft range as high as $1 trillion
(http://www.verizonbusinFess.com/about/news/displaynews.xml?newsid=25282&mode=vzlong).
McAfee reports that nearly one-third of the companies it surveyed
suffered large-scale distributed-denial-of-service attacks multiple times each month, and
nearly two-thirds of those said such attacks impacted operations (“Annual Security Report,”
Cisco, 2009). The number of crimes is steadily increasing by the year, with 2010 in fact
dubbed the “Year of Fraud.”
In the Philippines, crimes and losses of banking institutions are reported only in terms of
the resources lost, valued in pesos or in US dollars. Countless instances
of bank fraud in the Philippine banking industry remain unreported, the reasons for which
McConnell International (2000) attributes to the banking institutions’ fear of exposing
vulnerabilities, the potential for copycat crimes, and the loss of public confidence.
	 While the Basel Committee on Banking Supervision (Bank for International
Settlements) believes that “it is incumbent upon the Boards of Directors and banks’ senior
management” to take prudent “steps to ensure that their institutions have reviewed and
modified where necessary their existing risk management policies and processes to cover
their current or planned e-banking activities,” (Basel, 2003) the BSP, as early as 2000 upon
the enactment of the Electronic Commerce Act, has issued various implementing circulars
for electronic banking, specifically Circulars 240 and 269, to mitigate and ensure proper
control of operational risks that are inherent to the technology.
Objective of the Study and Statement of the Problem
	 The primary objective of this study is to determine the current and emerging cyber
crimes in the Philippines and the preparedness of the banking system in addressing the
frauds and threats. Specifically, the study sought to answer the following questions:
1.	 What are the current and emerging crimes experienced by universal banks in
the Philippines?
2.	 How prepared are universal banks for these evolving threats?
3.	 What are the best practices in electronic banking by universal banks in the
Philippines and the specific strategies and solutions they employ to fight
fraud?
4.	 What is the extent of the universal banking sector’s compliance to regulations
of the BSP?
To answer these problems, questions in an Information Systems Survey were
formulated under the following key themes:
1) 	 Top Threats and Frauds in the Banking Sector;
2) 	 Resources Used by Organizations to Combat Cyber Threats and Frauds;
3) 	 Need for Awareness and New Tools Against Cybercrimes.
Significance of the Study
There is a need for government to establish tools, methods or approaches for
identifying current and emerging cyber threats and vulnerabilities, and for responding to entities
that jeopardize the operations of the banking system. Some threats and risks are so complex
that they expose banks to vulnerabilities and operational losses, with tremendous
impact on the banking sector and, inevitably, on national security.
This study will be useful to the following:
1.	 Policymakers, particularly the BSP so that they can put the findings into
a public policy context, with implications for actions, particularly in
combating cyber crimes affecting the banking sector;
2.	 Banking sector and regulatory bodies, so that they would improve their
information security capabilities;
3.	 Researchers and scholars, so that they could replicate this study and enhance
the literature on information security of the banking systems.
Scope and Delimitations of the Study
	 For the purposes of this study, the researcher limited the assessment of information
security systems to the universal banks in the Philippines, with a focus on computer-related
frauds. The sample is considered sufficient as the universal banks account for almost 85%
- 90% of the national financial infrastructure systems in the country.
Review of Related Literature
The customer is the focus of the banking business and the safety of his funds cannot
be compromised at any cost (Gillis, 2010). Given the present knowledge-based, global and
competitive environment, particularly the speed of the evolution of banking technology
systems, the demand of stakeholders for convenience and continuous upgrade of banking
facilities, along with their attendant risks, has correspondingly become greater.
	 Technology, though, cannot alone keep the customer satisfied. Following the series
of scandals, frauds, financial scams, irregularities, and misconducts committed by both
corporate entities and individual fraudsters anywhere and everywhere in the world, “the
need for good corporate governance and application of ethical values and principles in the
conduct of business operations at every level of a corporate organization right from top level
is felt more relevant now than before to serve the varied needs, aspirations and expectations
of different segments of stakeholders who have a stake in the healthy functioning of a
corporate entity as a socially responsible member of the civil society. Business ethics,
professionalism and corporate governance are the important imperatives for survival and
growth of a modern business organization confronted with multiple challenges. In addition
to full disclosure of the workings of the company, a professional and good management
has to identify and quantify the risk being undertaken by various stakeholders.” (U.S.
Department of Commerce, 2004). Indeed, good risk management can help mitigate the
impact of negative outcomes and help companies take advantage of positive ones (Brodeur
and Gunnar, 2008).
Policy, Legal and Regulatory Framework for Electronic Banking in the Philippines
	 The 1987 Philippine Constitution recognizes “the vital role of communications
and information in nation-building” (Art. II, Sec. 24). This role can be best contextualized
by considering how the country is composed of over 7,000 islands, millions of overseas
Filipino workers and one of the world’s major players in the call center/business process
outsourcing industry. Information and communication technologies (ICTs), as such, play
a crucial role in linking Filipinos across the archipelago, linking their families around the
world, and providing crucial support services to companies from different nations (Mendes,
et al., 2007).
	 The Bangko Sentral ng Pilipinas was established on July 3, 1993 pursuant to the
provisions of the 1987 Philippine Constitution and the New Central Bank Act of 1993.
The BSP took over from the Central Bank of the Philippines, established on January 3, 1949, as the
country’s central monetary authority. The BSP enjoys fiscal and administrative autonomy
from the National Government in the pursuit of its mandated responsibilities.
The Philippines is largely dependent on Information and Communication
Technology (ICT) operations. Almost all sectors of the government depend on ICT.
The banking sector in particular is very much dependent on information and
communications.
In the Philippines, the whole government sector largely depends on third-
party providers for its ICT needs. This means that all data and electronic contents of every
transaction pass through the channels of an external environment. Thus, exposure
to different threats and vulnerabilities is high. In 2000, the Philippines was classified by
McConnell International, a UK-based cybercrime analyst, as one of the ten countries in the
world with outstanding cybercrime laws. However, as cybercrimes continue to proliferate,
there is a need to amend such laws.
Executive Order (EO) 269 created the Commission on Information and
Communication Technology (CICT) which shall be the primary policy, planning,
coordinating, implementing, regulating, and administrative entity of the executive branch of
Government that will promote, develop, and regulate integrated and strategic ICT systems
and reliable and cost-efficient communication facilities and services. Strict adherence of the
banking sector to all policies and regulations is vital to the success of the banking industry.
Both internal and external operations of the bank shall be prudently monitored.
	
	 As mandated by the Electronic Commerce Act of 2000, the BSP has issued two
general Circulars for electronic banking, specifically Circular 240 and 269, Series of 2000.
These Circulars set the basic and general rules and regulations for electronic banking services
in the banking sector. For instance, banks wishing to provide and/or enhance existing
electronic banking services shall submit to the BSP an application describing the services to
be offered/ enhanced and how it fits the bank’s overall strategy. This shall be accompanied
by a certification signed by its President or any officer of equivalent rank and function to
the effect that the bank has complied with the following minimum pre-conditions
(www.bsp.gov.ph/downloads/Regulations/MORB.pdf):
a. 	 An adequate risk management process is in place to assess, control, monitor and
respond to potential risks arising from the proposed electronic banking activities;
b. 	 A manual on corporate security policy and procedures exists that shall address all
security issues affecting its electronic banking system, particularly the following:
i.	 Authentication - establishes the identity of both the sender and the receiver;
uses trusted third parties that verify identities in cyberspace;
ii. Non-repudiation – ensures that transactions cannot be repudiated or presents
undeniable proof of participation by both the sender and the receiver in a
transaction;
iii. Authorization – establishes and enforces the access rights of entities (both persons
and/or devices) to specified computing resources and application functions;
also locks out unauthorized entities from physical and logical access to the
secured systems;
iv. Integrity – assures that the data has not been altered;
v. 	 Confidentiality – ensures that no one except the sender and the receiver of the
data can actually understand the data.
c. 	The system had been tested prior to its implementation and that the test results
are satisfactory. As a minimum standard, appropriate systems testing and user
acceptance testing should have been conducted; and
d. 	 A business continuity planning process and manual have been adopted which
should include a section on electronic banking channels and systems.
The Electronic Commerce Act of 2000 (Republic Act No. 8792) has laid down basic
legal and regulatory framework for electronic commerce in general which includes aspects
of electronic banking. Similarly, the General Banking Law of 2000 (Republic Act 8791)
mandated the BSP to regulate electronic banking activities. In response, the BSP issued
Circulars 240 and 269 Series of 2000 which provided the basic and general rules and
regulations for electronic banking services in the Philippine banking sector. It also built
up its capacity to respond to the needs of the electronic banking environment through the
creation of a Core Information Technology Specialist Group (CITSG) within BSP as the
central group to address electronic banking issues (Encinas, 2009).
Subsequently, the BSP issued Circular 471 in 2005 for the mandatory registration of
RAs/ MCs for AML Compliance, Circular 511 in 2006 on Technology Risk Management to
focus on operational, compliance, reputation and strategic risks associated with tech-related
products, and Circular 542 also in 2006 on Consumer Protection for E-banking, to focus on
board oversight and internal controls on security, authentication, customer origination/
verification, monitoring and reporting, disclosure and complaint resolution.
	
	 The BSP’s Guidelines on Technology Risk Management ensure that banks have the
knowledge and skills necessary to understand and effectively manage technology-related
risks. They contain the following: 1) an outline of the primary risks related to the use of technology; and
2) a description of the risk management process to manage those risks
(www.bsp.gov.ph/downloads/Regulations/attachments/2006/c511.pd).
	
	 On the other hand, the Consumer Protection for Electronic Banking governs the
implementation of e-banking activities of banks to comply with the requirements to: 1)
Safeguard customer information; 2) Prevent money laundering and terrorist financing; 3)
Reduce fraud and theft of sensitive customer information; and 4) promote legal enforceability
of banks’ electronic agreements and transactions. Erring banks and/or its officers shall be
imposed monetary penalties and/or suspension of electronic banking activities for failure
to seek prior BSP approval and for failure to submit within prescribed deadline required
information/documents. Likewise, in January 2009, the BSP issued Circular 649 regulating
the issuance of electronic money.
	 The aforementioned BSP initiatives resulted in the increase in electronic banking
activities (and ATMs) in the banking system. For example, as of December 2005, there were
no rural banks with electronic banking services. As of December 2006, there were already
36 rural banks with electronic banking services out of the 80 banks with electronic banking
service. Most of these e-banking functions of the 36 rural banks are related to mobile phone
banking. (Encinas, 2009).
	 The BSP has the authority to conduct inspection and determine compliance to the
said provisions. Also, BSP is legally bound to impose penalties on banks that violate and
circumvent the regulations. The following BSP guidelines on bank protection mandate all
banks to adopt an adequate security program commensurate to its operation, taking into
consideration the size, location, number of offices, and business operations (www.bsp.gov.
ph/downloads/Regulations/MORB.pdf).
Also, as stipulated, the primary objectives of the regulations are designed to:
a.	 promote maximum protection of life and property against crimes (e.g. robbery,
hold-up, theft, etc.) and other destructive causes;
b.	 prevent and discourage perpetration of crimes against banks; and
c.	 assist law enforcement agencies in the identification, apprehension, and
prosecution of the perpetrators of crimes committed against banks.
The guidelines also mandate the manner of designating a security officer of the
bank. It emphasizes the importance of assuring the competencies of security officers who
directly report to the president of the bank. Aside from minimum security measures such
as adequate physical security (personnel), banks are also mandated to establish a security
program defining measures and procedures in detecting and preventing the commission of
bank crimes, as well as providing contingency plans in case of calamities, terrorist attacks,
and other emergency situations.
	 As a matter of procedure, banks are required to submit to the BSP reports
regarding the conduct of reviews and self-assessment of their security programs. Updated
security programs shall also be submitted to BSP for further analysis and feedback. Also,
data regarding the crimes and losses incurred by the bank shall be reported to BSP for
documentation. BSP circulars, however, have not gone to the extent of proposing risk
management solutions but have allowed banks to design their own programs to mitigate risks.
Findings Based on Industry Studies
Bank Frauds and Cyber Crimes
	
According to the National Cybersecurity Coordinating Office, incidences of cyber
crimes in the country have steadily increased from 2003 to 2011, penetrating all sectors of
society and posing imminent danger to all technologically-driven sectors. The usual types
of cyber attacks are shown in Table 1.
	 More recent bank fraud schemes committed through identity theft include the “over
the shoulder looking” scheme (the offender observes a potential victim making
financial transactions and records the personal information used in the transaction);
the “phishing” scheme (perhaps the oldest form of identity theft; the term stems from the two words
“password” and “fishing” and entails sending scam e-mails and mail supposedly from the
consumer’s bank as a way to obtain the consumer’s personal information, social insurance
number and, in this case, online banking username and password); and the “Trojan horse”
scheme (malicious software (malware) embeds itself in a consumer’s computer without
the consumer being aware of it, through links or attachments from unknown e-mail senders,
and the records, username and password are transmitted to the offender when the account
holder accesses online banking sites).
	
	 In an advisory released in January 2011, computer security vendor Trend Micro
(Pinaroc, 2011) confirmed that several phishing attacks had occurred in the Philippines, mainly
against major banks and credit card companies. One case involved the United Coconut Planters
Bank (UCPB): security experts retrieved e-mail messages from the UCPB which were
found to be suspicious and contained warnings of “unauthorized attempts” to log into its
customers’ online accounts. The security company said the messages contained information
on a supposed partnership between the bank and a foreign outsourcing services provider,
but the links contained in the e-mail “aimed to collect banking credentials from unwitting
users.” Trend Micro reported that similar phishing cases have been reported by the Bank
of the Philippine Islands and Banco de Oro in February 2011 but noted that, due to the
Philippines’ comparatively small credit card user base, the problem is not as widespread
as in other countries.
Types of Attacks
Among the other effects of cyber crimes, web defacement of any sector of the
government has the highest percentage of occurrence. The effect of this on the banking sector is
perceived to be costly and would even mean loss of profit and bankruptcy.
Banking Industry’s Preparedness
	 The BSP issued guidelines and memoranda on the conduct of electronic banking
in the Philippines:
1.	 Circular No. 240 dated 5 May 2000, which prescribes prior clearance from the BSP before
banks can provide electronic banking services. Circular No. 240 elaborated all the
requirements banks must meet prior to engaging in electronic banking. This is to ensure
that the banks have enough resources, adequate risk management, infrastructure
and a safe and secure medium to handle electronic banking.
2.	 Memorandum to All Banks dated 19 June 2000, which reiterated the provisions of Circular
No. 240 and reminded the banks to comply with those provisions.
3.	 Circular Letter dated 8 August 2000, which clarified that there are some exemptions to the
provisions of Circular 240. Among these are electronic banking services that are
purely informational in nature.
4.	 Circular No. 269 dated 21 December 2000, which amends Circular No. 240. It
strengthened the provisions on electronic banking, requiring more safety and
security procedures in handling electronic banking.
Online Banking Best Practices
	 The Bank of San Antonio in Texas, USA, despite its sophisticated IT systems,
recognizes that cyber criminals are likewise becoming extremely sophisticated, that
criminal hackers move very quickly, and that stolen funds are typically not recovered. It
believes that the key for a company in fighting this type of fraud and crime is to take action
to strengthen internal procedures and online banking procedures before becoming the
victim of such an attack. It suggests the following procedures and tools to help prevent
criminals from accessing company accounts:
a.	 Strict monitoring of all accounts
b.	 Implement a system of dual control and approval.  Prior approval dual control
means one employee originates/initiates the transaction or batch, and a second
employee must authorize transaction or batch prior to the Bank processing it. Dual
control for initiation does not occur when one person can initiate and approve the
transaction themselves, and a second employee receives the confirmation after the
money has been sent.
c.	 Never share User IDs, passwords, PIN numbers, dynamic tokens, etc., with anyone,
and do not leave any such information or items in an area that is not locked/secured. 
Do not use the login or password for your financial institution on any other website
or software.
d.	 Obtain and install antivirus, anti-malware and anti-spyware software, and consider
installation of a firewall. Make sure it is active and automatically updated by the
vendor (or take necessary steps to keep it updated). This measure will help protect
against known viruses, malware and adware, but many viruses, malware and
adware are undetectable by such data security programs, so this step is one of
several security protection measures that should be followed.
e.	 Limit or eliminate unnecessary web-surfing and/or email activity, including
personal activity, on computers used for online banking. Many hacking attacks use
social networking sites (such as Facebook) to transmit computer viruses.  Criminal
hackers even use information on such social networking sites to “spear phish,” or
target specific individuals, such as a company’s chief treasury management person
or chief financial officer. 
f.	 Consider a dedicated computer for online banking that is never used for e-mail or
general internet browsing/surfing.
g.	 Educate all personnel on good cyber security practices, clearing the internet
browser’s cache before visiting the financial institution’s website, and how to avoid
having malware installed on a computer.  For example, if a media player needs to
be updated, go to the official media player website to install the update.  Clicking
on a fake update installation link could just mask a criminal hacker downloading
malware onto the computer.
h.	 Verify use of a secure session (“https://” and not “http://”), and avoid saving
passwords to a computer.
i.	 Never leave a computer unattended when using any online banking or financial
services, and always lock computer when logging off such sites and leaving it
unattended.
j.	 Change, revise and re-visit the IT employees who have “keys to the kingdom”
access for user approval, access rights and deleting/adding new users.  While
many attacks occur from outside hacking, insider hacking does occur, and dividing
or rotating “keys to the kingdom” IT authority can cut down on opportunities for
insider fraud.
k.	 Never access the financial institution’s website for online banking (or any privileged
or sensitive computer system) from a public computer at a hotel/motel, library or
public wireless access point.
l.	 Understand and carefully control the authorized users and permissions granted
to any of the bank’s employees who are approved for online banking use and are
issued unique User IDs, passwords (and tokens, if applicable).
m.	 Immediately report any suspicious activity in the bank’s accounts to Bank personnel;
there is a limited recovery window and a rapid response may prevent additional
losses.
n.	 Do not click on a link in any e-mail purported to be sent from Bank; Bank official
e-mails will always instruct user to log in to online banking for updates, instructions,
notifications, account statements, etc.
o.	 Be suspicious of e-mails purporting to be from other financial institutions, federal,
state or local government departments or agencies, or taxing authorities that request
account information, account verification or banking access credentials such as
User IDs, passwords, PIN codes and similar information.  Opening attachments,
or clicking on links in such suspicious e-mails, can also expose your computer to
malicious code or malware that will be installed to your computer.  Remember,
legal process, subpoenas, and information from government agencies still generally
comes as regular snail-mail. Bank’s online banking website is only scheduled
for downtime for regular maintenance at certain times late in the evening/early
morning, and never during prime business hours.  If you log into online banking
and receive a message such as “please wait for website update, which will take
approximately 15-20 minutes,” immediately contact Bank personnel to determine
if it is a legitimate delay in online banking services caused by the Bank.
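Item (b)'s prior-approval dual control can be enforced in software rather than left to procedure. The sketch below is an added example, not code from the Bank of San Antonio or from this paper; the user names, account numbers and the `PaymentDesk` class are hypothetical, and binding the approval to a digest of the batch contents is an assumption that goes one step beyond the text.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed entitlements (assumption): user -> permissions held.
ENTITLEMENTS = {"bob": {"approve"}, "carol": {"initiate", "approve"}}


class DualControlError(Exception):
    """An action that would bypass prior-approval dual control."""


def digest(payments):
    """SHA-256 over the batch contents, independent of payment order."""
    canonical = json.dumps(sorted(payments), separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Batch:
    batch_id: str
    payments: list            # [(beneficiary_account, amount_in_cents), ...]
    initiator: str
    state: str = "PENDING"    # PENDING -> APPROVED -> RELEASED
    approved_digest: str = ""
    audit: list = field(default_factory=list)


class PaymentDesk:
    def __init__(self, entitlements):
        self.entitlements = entitlements
        self.batches = {}

    def _require(self, user, permission):
        if permission not in self.entitlements.get(user, set()):
            raise DualControlError(f"{user} lacks the '{permission}' permission")

    def initiate(self, user, batch_id, payments):
        self._require(user, "initiate")
        batch = Batch(batch_id, [tuple(p) for p in payments], user)
        batch.audit.append(("initiated", user, digest(batch.payments)))
        self.batches[batch_id] = batch

    def approve(self, user, batch_id, reviewed_digest):
        # The second employee authorizes exactly the contents they reviewed.
        self._require(user, "approve")
        batch = self.batches[batch_id]
        if batch.state != "PENDING":
            raise DualControlError(f"batch is {batch.state}, not PENDING")
        if user == batch.initiator:
            raise DualControlError("initiator cannot approve own batch")
        if reviewed_digest != digest(batch.payments):
            raise DualControlError("batch changed since it was reviewed")
        batch.state, batch.approved_digest = "APPROVED", reviewed_digest
        batch.audit.append(("approved", user, reviewed_digest))

    def release(self, batch_id):
        """Hand the batch to the bank; returns the total released, in cents."""
        batch = self.batches[batch_id]
        if batch.state != "APPROVED":
            raise DualControlError("no prior approval on record")
        if digest(batch.payments) != batch.approved_digest:
            raise DualControlError("contents altered after approval")
        batch.state = "RELEASED"
        batch.audit.append(("released", "system", batch.approved_digest))
        return sum(amount for _, amount in batch.payments)


def attempt(action, *args):
    try:
        action(*args)
        return "ok"
    except DualControlError as exc:
        return f"refused: {exc}"


def run_demo():
    desk = PaymentDesk(ENTITLEMENTS)
    payroll = [("ACCT-0001", 125_000), ("ACCT-0002", 98_500)]  # constructed
    outcome = {}
    desk.initiate("carol", "B1", payroll)
    batch = desk.batches["B1"]
    outcome["release_without_approval"] = attempt(desk.release, "B1")
    outcome["self_approval"] = attempt(desk.approve, "carol", "B1", digest(payroll))
    reviewed = digest(batch.payments)
    batch.payments.append(("ACCT-9999", 500_000))   # altered after bob's review
    outcome["approve_altered_batch"] = attempt(desk.approve, "bob", "B1", reviewed)
    batch.payments.pop()
    outcome["approval_by_second_employee"] = attempt(desk.approve, "bob", "B1", reviewed)
    outcome["release"] = attempt(desk.release, "B1")
    outcome["final_state"] = batch.state
    return outcome


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step}: {result}")
```

The first two refusals are the failure mode item (b) describes: one person both initiating and sending, with a colleague only notified afterwards.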
	 On the other hand, the Nordics continue to be one step ahead of the other European
countries in terms of Internet banking penetration. The estimate is that 43.0 per cent of
banking customers in the Nordic region bank online, with Germany having the highest
number of customers banking online (Business Wire, 2007).
	
	 Egg Banking is a British internet bank owned by Citigroup, with headquarters
in Derby and London, England. Egg was born out of Prudential’s initial banking arm
(Prudential Banking plc) that had been established in 1996. Egg itself was launched in
1998 and is now the world’s largest internet bank in that it is only possible to operate an
Egg account over the internet, or via their call centre. Egg specializes in savings, credit
cards and general insurance but no longer offers loans or mortgage products (Egg.com).
	
	 Fineco is an Italian online bank and brokerage. It is the largest online brokerage firm
in Italy with over 800,000 customer accounts. It was founded in 1999 and then integrated
with Capitalia. It is now part of the Unicredit Group after its acquisition of Capitalia in 2007.
It is a niche player aiming at becoming the bank of choice for digital customers.
	 Alliance & Leicester is an online bank that is now part of Santander, one of the world’s
biggest banks. The lender is enjoying significant success in terms of Internet sales and
servicing.
	
	 The OP Bank Group of Finland focuses on encouraging customers to use online
self-service functionalities. Finland has one of the highest online banking penetrations in
Europe. Providing excellent and advanced banking services has contributed in establishing
OP Bank Group as one of the leading online players in the Finnish banking industry.
	
	 Being a country which strives for technological innovation, Hong Kong has economic policies
that are always favorable towards attracting new businesses. One aspect of this
attraction is the legislation which governs certain business activities. Hong Kong is one
country which laid down its own legislation governing ‘internet banking’ to avoid
scams and fraudulent activities which would otherwise make customers lose faith
in the system and thus make businesses less attracted to doing business there.
	 Several pieces of legislation are being enacted in Hong Kong to regularize the
process of internet banking and to avoid any vulnerability that is considered a threat to the
process. (Hong kong e-commerce legislation, http://www.Lowtax.Net/Lowtax/Html/Hongkong/
Jhkeleg.html)
Compliance of the Banking Sector to BSP Regulation.
Compliance with the regulations is routine for the banking sector. Meeting the
minimum requirements stipulated in the BSP regulations suffices for compliance
with the provisions. With the primary objective of avoiding penalties and sanctions
imposed on them by the BSP, bank management, through the security officers, developed a system for
monitoring the compliance of their banks with BSP regulations.
However, compliance with the regulations of the BSP does not mean utmost security
from the different threats and vulnerabilities of the bank. Data submitted to the BSP by
different banks reflected some losses and frauds from both internal and external causes. This
means that the security management being implemented by the banks is far from being
holistic.
Some sectors argue that the regulation of BSP is too shallow. A simple implementation
of technology, notwithstanding the effectiveness of the system, would already mean stamp
of compliance from BSP examiners. BSP in its regulation emphasizes the cost implications
of the systems, so the responsibility of implementing the required security technologies is
the burden of the banking sectors.
The Core Information Technology Specialist Group (CITSG) of the BSP is very strict in
implementing regulations pertaining to online banking operations. Stringent
requirements have to be met before a bank goes into operation. Aside from that, all personnel
of the group developed expertise in their own fields and acquired certifications from reputable
institutions so that they are equipped to implement the BSP regulations with full
authority. CITSG maintained the standard that all examiners and auditors of information
security systems are Certified Information Systems Auditors (CISA).
Aside from the BSP, there are other government sectors imposing regulations on
security. City or municipal administrators have their own ordinance and regulations for
the implementation of security infrastructures and technologies.
Generally, a governmental regulation does not specify what technology is required
in order to meet its requirements. In fact, many regulations do not even specify any details
of an effective internal control. Therefore, administrators and compliance officers are left to
determine what methods they will use to meet the often vague requirements within each
regulation.
BSP is mandated to conduct examination and inspection of all banks in the
Philippines. All aspects of the banking system are being examined, including the compliance
to the BSP rules and regulations regarding bank protection. To ensure compliance, the reports
submitted by the bank examiners are counter-validated by management.
Banking sectors, however, are more focused on regulatory compliance involving
financial reporting, security, and data privacy. Achieving compliance alone is simply meeting
the requirements of the law. But improving security management coupled with business
performance, in the context of compliance, involves using the processes in accordance with
and technology changes to help increase the efficacy of the business. This is where the real
benefits of compliance are achieved.
Taking full advantage of the opportunity requires an environment that allows
“continuous compliance.” It is an integrated approach that helps permanently improve
compliance processes and practices beyond individual projects or efforts. This requires
compliance to be cost-effective, with appropriate controls, proof of controls, and the ability
to securely manage public-facing assets such as security management applications system.
This requires a strong security infrastructure that protects the systems, applications, data,
and processes from unauthorized use or access. Companies that commit themselves to
developing an integrated security management infrastructure for continuous compliance
will initially focus on four critical capabilities: Identity Administration, Provisioning, Access
Management, and Monitoring and Auditing.
Summary of Findings, Conclusions and Recommendations
Summary of Findings
The summary of the most essential findings of the study are as follows:
Objective No. 1: To determine the scale of multi-faceted fraud and threats to universal
banks in the Philippines.
·	 Topping the list of frauds that universal banks experienced in 2010 are Phishing/
vishing, credit/debit card fraud incidents, third party POS skimming, and check
fraud incidents.
·	 Fraud losses are measured mainly by the amount of money lost in the fraud incident
(thirteen out of fifteen UB’s);
·	 Because of fraud incidents, 60% suffered non-financial losses, particularly concerning
regulatory or other compliance issues, and loss of customer confidence and
reputational loss (53.3%);
Objective No. 2: To assess the industry’s preparedness for evolving threats.
·	 Universal banks detect fraud usually during the actual account audit reconciliation
of data, upon third party notification, and during actual transaction. Organization’s
action in response to fraud incidents is by increasing efforts to improve customer
awareness (100%) and increased internal monitoring (86.67%);
·	 Most of the respondents do not have a way of knowing the impact of electronic
fraud on the reputation of the financial service industry;
·	 Majority of the organizations employ a combination of manual reports (86.67%),
in-house fraud detection systems (87.67%); and independent fraud detection tools
and technologies (46.67%) as fraud detection tools;
·	 Most of the organizations assign between 6 and 25 people (60%) to fraud prevention;
20% between 1 and 5; 13.33% between 25-100; and 6.67% with more than 100;
·	 Majority (86.67%) do not know whether the organization has plans to increase or
decrease resources towards fraud prevention;
Objective No. 3: To identify specific strategies and solutions employed by banking/
security leaders to fight fraud.
·	 Majority of the organizations intend to use the following technologies as part of
their organization’s on-going fraud prevention and detection program: end-to-end
encryption (73.33%); authentication technologies (53.33%); fraud case management
system (43.67%); intrusion prevention technologies (13.33%); others (6.67%).
·	 Majority (86.67%) consider customer awareness emphasizing the techniques used
as the most effective way to prevent fraud: customer awareness emphasizing the
techniques used (86.67%), employee education emphasizing education (80%), and
fraud detection tools and technologies (40%);
·	 Majority (66.67%) perceive the effectiveness of the organization’s fraud awareness
programs for customers as needing improvement (66.67%), while 26.67% perceive
them as extremely effective.
Objective No. 4: To determine the extent of compliance of the banking sector, in general,
to BSP regulations.
·	 Compliance to the regulations of the BSP does not mean utmost security from the
different threats and vulnerabilities of the bank. Data submitted to the Security,
Investigation and Transportation Department of BSP by different banks reflected
some losses and frauds, both internal and external causes. This means that the
security management being implemented by the banks is far from being holistic.	
Conclusions
The study revealed that cyber attacks in the Philippines are real, although they do
not affect as much the liquidity of the banking sector at the moment. Some respondents to
the study, however, warn about the tremendous impact of cybercrime problems on financial
institutions, and underscored the need to address the problems by mitigating its effects,
foremost of which is investing in technology, training of personnel, greater transparency
in addressing such crimes, and increased coordination and cooperation with other sectors
of society.
The respondents cite as the biggest hindrance to properly addressing cyber threats
and frauds not primarily the absence of bank regulations and/or policies but rather the
hesitance of the banks to cooperate with the proper authorities, especially in reporting cybercrime
incidents, because of reputational risks.
While the magnitude of cyber crimes in the Philippine banking system is not as high
and does not seem to have significant effects on the banking sector at this point in time, the
threats and perceptions of future attacks at the most damaging magnitude are realistic. The
issue of cybersecurity is something that has to be given attention within every organization;
everyone who uses the Internet needs to be aware of the need for cybersecurity. Every
bank official should know that ensuring the security of their network is fundamental to the
continued smooth operation of their business.
Recommendations
Considering that banks typically refuse to discuss security issues for fear of
reputation damage and potential liability, and in view of their hesitance for government
to be involved in the monitoring of private sector networks or internet traffic, the BSP
should formulate policies that increase security while preserving privacy, civil liberties
and innovation.
Companies, as well as the education system, should work hard to train on the
importance of cybersecurity by embarking on research and development activities in the
field, focusing primarily on information and communications technology. Awareness and
ethical practices shall also form part of the teaching curriculum.
Computer crimes pose a daunting task for bank security personnel because they
are highly technical crimes. It is also important that bank officials and other members of the
organization are knowledgeable about computer crimes in order to reduce the threat they
pose. They should go beyond awareness. All personnel and agencies involved must have
measurable competency, proficiency and licenses, such as AMLC certifications.
Banks should hire or outsource certified computer fraud examiners to properly
investigate computer related crimes and initiate a proactive approach in mitigating cyber
frauds. Also, all personnel of the banks engaged in the electronic banking operations must
have certification such as Certified Information Security Auditor (CISA) or equivalent from
any reputable institution.
Considering the dramatic developments in information technologies, there is an
urgent need for Philippine legislature to legislate cybercrime laws that would address the
new and difficult challenges presented by such developments, particularly to prohibit
computer crimes and outline appropriate punishments for those crimes.
Lastly, it is strongly recommended that all banks shall strictly follow the bank
regulations imposed by the Bangko Sentral ng Pilipinas specifically on the online banking
issues.
Recommendation for future studies
For future studies, the next researcher could focus on the baseline standards for
the technology the banks may implement. Since the cost of technology may impact on the
capitalization of the banks, especially on banks with lower capitalization, the researcher
may study the appropriate technological solutions that may have lesser impact on the cost.
One area of interest is the creation of a third party network solution that will be centralized
and equipped with a foolproof technology.
The future researcher may likewise replicate this study to the other types of
banks stated in the current list of financial institutions being regulated by BSP (see Annex),
comprising 18 commercial banks, 73 thrift banks, and 635 rural banks and cooperative
banks, as of April 1, 2011. The future researcher may use the template of this study or any
other techniques applicable for the purpose.
Another area of interest could be the assessment on the liabilities and vulnerabilities
of all internet service providers (ISP) serving the banks. It would be interesting to research
on the safety procedures and risk management aspects of the providers.
Implications on National Security
Any lapse in the information security management of a bank makes it more vulnerable
to exposure to frauds and threats. As computer-related frauds evolve and become
more organized, the banking system in the Philippines is facing real threats that must be
looked at.
Strategic approach must be done to avoid any potential damages that would lead
to the collapse of the banking sector which is a huge setback to the already struggling
economy of the nation.
	 Political. The legal framework and regulatory policies necessary for the adaptation
of the key solutions to the stated problems are political in nature. The legislation of a cyber
crime law will provide the strategic guidelines for the future decisions and strategies of the
key actors in the prevention of computer-related frauds.
	 Techno-Scientific. The fraud itself is technology-driven and innovates at a very fast
pace. Generally, technology would be the primary consideration in coping with the
strategic solutions for the prevention of computer-related frauds. However, because of the
high cost of technology development, it is sometimes neglected and becomes secondary.
Technology innovations may not be the only solution to the problem, but they play a very
important role in the prevention of computer-related frauds and at the same time play an
important role in national security and development.
	 Economic. The absolute end goal of the study is achieving economic sustainability
which is free from frauds and threats brought about by cyber crimes. The economic activities
in the country draw their strength from the stability of the banking sector. A better banking
system would somehow contribute to the economic development of the country.
	 Socio-Cultural. The evolution of computer-related frauds affects the social activities
of the nation. Frauds directly affect bank customers. Given this reality, their effects
will ripple down the system and affect the whole community as well.
	 Military. The peace and security of the nation will be at stake if the effects of
computer-related frauds in the banking system cannot be controlled. The military could contribute
to the strict implementation of laws that could help in the prevention of fraud.
# # #
Bibliography
Books
Cruz, Marcelo (2003). Developing an Operational VAR Model using EVT. In: (Eds.) Advances
in Operational Risk. Second edition, 109-119. London: Risk books in association with
SAS UK.
Toral, Janette (2009) E-Commerce for Entrepreneurs: Volume 1: Internet User’s Guide to
E-Commerce Policies
Unpublished Studies
Almogbil, A., (2005). Security, Perceptions, and Practices: challenges
facing Adoption of Online Banking in Saudi. Unpublished Ph.D.
Dissertation, George Washington University, Washington.
Articles in Books, Journals, Newspaper and Magazines
Ahuja, Ashal Vashumal (2010) Cyber Crime in Banking Sector, Retrieved 23 April 2011
http://www.scribd.com/doc/28079943/Cyber-Crime-in-Banking-sector
Bank for International Settlements (2003). Risk management principles for electronic
banking, July. Available at http://www.bis.org/publ/bcbs98.htm. Accessed on 10
March 2011.
Bardoloi, Sabyasachi Bardoloi (2004). Operational risk: A new dictum in financial service
industry emerges. 8 March. Available at http://www.techrepublic.com/article/
operational-risk-a-new-dictum-in-financial-service-industry-emerges/5162451.
Accessed on 19 March 2011.
Bies, Susan Schmidt (2006). BIS review, 62. Geneva: A BIS publication.
Brodeu, André Brodeur and Pritsch, Gunnar. Making risk management a value-adding
function in the boardroom. September. McKinsey&Company. Available at http://
www.mckinsey.com/clientservice/risk/pdf/making_risk_management.pdf. Accessed
on 10 March 2011
Colville, Robert (May 5, 2011) Weekend Read: Cyber crime goes global. Computer Crime
Research Center. Retrieved 04 June 2011 from http://www.theprovince.com/ news/
Weekend+Read+Cyber+crime+goes+global/ 4698925/story.html#ixzz1LUz3cZyp
Comscore (2011). Internet banking surges in Southeast Asia. 9 March. Available at
http://www.physorg.com/news/2011-03-internet-banking-surges-southeast-asia.html.
Accessed on 10 March 2011.
Encinas, Rogelio (2009). Regulating Mobile Banking: The Philippines Perspective. Available
at www.bsp.gov.ph. Accessed on 10 March 2011.
Espenilla, Nestor (2007) Banking supervision and examination in the Philippines. A paper
presented at the Conference: The Financial stability and financial sector supervision:
lessons from the past decade and way forward. Organized by IMF Regional Office for
Asia and the Pacific (OAP),Keio University-21. Century COE-Market Quality Project
and The Financial Research and Training Center (FRTC) of Japan’s Financial Services
Agency (FSA), 17 December, Tokyo, Japan. Available at http://www.imf.org / external
/ np / seminars / eng / 2007 / fsa / pdf / s2/9_s2_speak 4bgp.pdf
Gillis, Art. (2010). What India Provides in Low Labor Rates, U.S. Can Return in High
Experience. 23 November. Available at http://www.banktech.com/blogs/228300421.
Accessed on 10 March 2011.
Grundy, Emma (1993) Computer Fraud: A People Problem. Journal of Financial
Crime. Retrieved 10 May 2011 from http://www.emeraldinsight.com/journals.
htm?articleid=1650220
International Business Management (2010). An Overview of Internet Banking. Available
at http://www.wcdarc-ohrid.org/overview- internet - banking.html. Accessed on
11 March 2011.
Jayamaha, R (2005). BIS Review, 88.Geneva: A BIS publication.
Jimenez, Eduardo C. and Roman, Pia Bernadette (2006). Electronic Banking: Delivering
Microfinance Services to the Poor in the Philippines: Case Study on the Philippines.
Available at http://www.bwtp.org/pdfs/arcm/ Jimenez.pdf. Accessed on 10 March
2011.
Khalfan, A., Yaqoub, S.Y., Alrefaei, Y., Al-Hajery, M. (2006). Factors influencing the adoption
of Internet banking in Oman: a descriptive case study analysis. International Journal of
Financial Services Management 1 (2), 155–172.
Lee, AS (March 12, 2009) Fighting Fraud With Computer Forensics. Security FAQs. Retrieved
5 June 2011 from http://www.security-faqs.com/fighting-fraud-with-computer-
forensics.html
McConnell International (2000), Cyber crime . . . and punishment? Archaic laws threaten
global information, December. Available at http://www.witsa.org/papers/McConnell-
cybercrime.pdf. Accessed on 10 March 2011.
Mendes, Shawn, Erwin Alampay, Edwin Soriano and Cheryll Soriano (2007). The Innovative
Use Of Mobile Applications In The Philippines – Lessons For Africa. Swedish
International Development Cooperation Agency, September.
MetricStream, Inc. (2011). Basel II Operational Risk Management Solutions. Available at
http:// www.metricstream.com/solutions/operational_risk_management_banking.
htm. Accessed on 10 March 2011.
Mukhopadhyay, CS Sushita (April 6, 2010) Cyber Crime and Cyber Terrorism: The need to
know cyberlaws. CA Club India. Retrieved 08 May 2011 from http://www.caclubindia.
com/articles/cyber-crime-cyber-terrorism-the-need-to-know-cyber-laws-5153.asp
Nielsen Media Research Group (2007), The online Filipino: Philippine Internet landscape,
National ECommerce Congress, Dusit, March.
Oprisk & compliance (2006).Volume 7, 27-29. London: Incisive Media publications.
Pandey, Dayanand (2006). Operational Risk: Measurement Issues, Basel-II and UAE banks.
Paper presented to the 6th Global Conference on Business and Economics. 15-17
October. Gutnam Conference Center, USA.
Puthuseeri, Vinod (2010) Information Security, Information Security Risk Assessment, Risk
Assessment. Available in http://infosecminds.com/tag/recent-security-breaches/.
Accessed on 10 March 2011.
Spatarella, Joe (January 5, 2010) Online Banking Solutions.Bank Systems and Technology.
Retrieved 06 April 2011 from http://www.banktech.com/articles/227101021
Standler, Ronald B. (2002) Computer Crime. Retrieved 6 May 2011 from http://www.rbs2.
com/ccrime.htm
Thomas, Brian J. (January 14, 2011) Computer crimes can affect your bottom line. Dallas
Business Journal. Retrieved 04 April 2011, from http://www.bizjournals.com/dallas/
print-edition/2011/01/14/computer-crimes-can-affect-your-bottom.html
Tripier, Dave (2010), CMO at IronKey; Organized Cyber Crime and Corporate Bank
Takeovers Retrieved from http://www.ethicalhacker.net/content/view/335/2/
U.S. Department of Commerce (2004). Business Ethics: A Manual For Managing A
Responsible Business Enterprise In Emerging Market Economies. Washington, DC,
USA.
Villafuerte, Fitz (2009) Business, Investments and Personal Finance. Available at http://
fitzvillafuerte.com/philippine-banks-that-offer-online-banking.html. Accessed on 8
March 2011.
Yadab, Apoorva (October 3, 2007) Banking Fraud: Prevention and Control. Ezine Article.
Retrieved 08 April 2011 from http://ezinearticles.com/?Banking-Fraud—Prevention-
and-Control&id=772623
Official / Government Documents
Bangko Sentral ng Pilipinas (BSP) Circular No. 587 Series of 2007 (11 October 2007): Revised
Format of Report on Crimes and Losses, and Other Related Policy Guidelines
Bangko Sentral ng Pilipinas (BSP) Circular No. 542 Series of 2006 (11 August 2006): Consumer
Protection for Electronic Banking
Bangko Sentral ng Pilipinas (BSP) Circular No. 269 Series of 2000 (8 December 2000): New
Guidelines Concerning Electronic Banking Activities
Bangko Sentral ng Pilipinas (BSP) Manual of Regulations for Banks (MORB) Sub Section
X621.1: Grant of Conditional Approval To Provide Electronic Banking Service
Bangko Sentral ng Pilipinas (BSP) Manual of Regulations for Banks (MORB) Sub Section
X621.4: Grant of Final Approval To Provide Electronic Banking Service
Republic Act No. 8484 or An Act Regulating the Issuance and Use of the Access Devices.
Prohibiting Fraudulent Acts Committed relative Thereto, Providing Penalties and For
Other Purposes (February 11, 1998)
Republic Act No. 8792 or An Act Providing for the Recognition and Use of Electronic
Commercial and Non Commercial Transactions and Documents, Penalties for Unlawful
Use Thereof and for Other Purposes (July 26, 1999)
DIRECTORY OF PARTICIPANTS
MR FREDDY TAN CISSP	
(ISC)2
	
ftan@isc2.org
COLONEL ROMEO S BORRES PAF	
950 CEISG, Philippine Air Force	
950ceisg.gc@paf.mil.ph
LT COL LARRY Z AQUINO	
AFP Command and General Staff College	
larryaquino90@gmail.com
MR GEORGE C TAN	
Anti-Money Laundering Council Secretariat	
gtan@bsp.gov.ph
ATTY VIVIAN F MAGNO	
Anti-Money Laundering Council Secretariat	
MagnoVF@bsp.gov.ph
MS RACHELLE D ACUPAN	
ARMCI Solutions & Company	
rachelle.acupan@bdo-advisory.com
BGEN NICOLAS D OJEDA JR AFP (RET)	
Armed Force & Police Mutual Benefit
Association Inc (AFPMBAI)	
nd.ojedajr@afpmbai.com.ph
COL ROCKY J BINAG PAF	
Armed Forces of the Philippines	
rocky394@yahoo.com
SSG RANDEL A GANTALAO	
Armed Forces of the Philippines	
gantalaorandel@yahoo.com
MR CLAYTON JONES	
Asia-Pacific (ISC)2
	
cjones@isc2.org
LTC JEAN A LATOJA WAC	
Assistant Chief of Staff for Communication, Electronics and Information Systems, MC6
jlatoja@yahoo.com
MS DECY L SIAO	
Bangko Sentral ng Pilipinas	
siaodl@bsp.gov.ph
MR PATRICK JOSEPH M SADORNAS	
Bangko Sentral ng Pilipinas	
sadornaspm@bsp.gov.ph
COL NOELITO C ALBANO (GSC) PA AFP	
Bids and Awards Committee, AFP	
noal84@yahoo.com
SGT DARIO G PASCUAL PA	
Caree Management Division, OJ1, GHQ, AFP	
hacking_1289@yahoo.com
MR OCTAVIOUS CAESAR D MACUSI	
Career Executive Service Board	
odmacusi@yahoo.com
CDR CORNELIO RODEL D MAGO	
CEISSAFP	
magocrd@afp.mil.ph
CAPT VICENTE L CEJOCO PN (GSC)
CEISSAFP
vlcejoco@yahoo.com
condedagdag@yahoo.com
ENS RANDY O HENGOYON	
CGWCEISS	
cgwceissmco@yahoo.com.ph
LTJG JOSE B JACINTO JR PCG	
CGWCEISS, Phil Coast Guard	
cgwceissmco@yahoo.com.ph
MR RANIER M ALVARADO	
CICT, House of Representatives	
rm.alvarado.24@gmail.com
MS OFELIA M PASCUA	
Claims Division, PVAO	
ofel.pascua@yahoo.com
ENS-PCG HENRY U DICHUPA PCG	
Coast Guard Legal Service, Phil Coast Guard	
dichupahenry@gmail.com
MR CRAIG COVEY	
Cobra Itech Services Corporation	
coveycrai@msn.com
LTC LARRY Z AQUINO PAF (GSC)	
Command and General Staff College	
larryaquino90@gmail.com
1LT VIRGILIO T PALECPEC JR PAF
Counter Intelligence Technical Unit
MIG 17, Intelligence Service, AFP
17arjaysantos@gmail.co
PSUPT LEO M FRANCISCO
Criminal Investigation and Detection Group
Philippine National Police	
leofrancis_92@yahoo.com.ph
LIEUTENANT JAMES MARTY O MINGUILLAN PN	
CSEISB, CID, J2	
ROBINA M ASIDO	
Daily Manila Shimbur	
robina.acido@gmail.com
MR LOUIE C MONTEMAR	
De La Salle University	
louiemontemar@gmail.com
GHIO ANGELO S ONG	
Defense Presse Corps	
ghiongangeloug@gmail.com
MR JERRY P RITUAL	
Department of Energy	
jritual@doe.gov.ph
MR ELIZAR S CANTUBA	
Department of Environment and
Natural Resources	
ejay@denr.gov.ph
MR JOSE ESTEBAN C LEIDO	
Department of Environment and
Natural Resources	
jecleido17@denr.gov.ph
MR ROBERTO L DE LEON	
Department of Environment and
Natural Resources	
obet@denr.gov.ph
ASEC ESTER A ALDANA	
Department of Interior and Local Government	
titel_compt2004@yahoo.com
CDR ROGER S GAMBAN PN (RET)	
Department of National Defense	
rogergamban@yahoo.com
MR AUGUSTO CAESAR S LORENZO	
Department of National Defense	
acslorenzo@ndrrmc.gov.ph
MS AGNES PERPETUA R LEGASPI	
Department of Trade and Industry	
agneslegaspi@dti.gov.ph
CPT LAMCEL C CARANGUIAN
Deputy Assistant Chief of Staff for
Communication, Electronics and Information Systems, MC6
lamcelcaranguian@yahoo.com
PCSUPT CATALINO B RODRIGUEZ JR	
DICTIM	
tdictm@pnp.gov.ph
LCDR OLIVER P OBONGEN PN	
DSMC-DISG	
berong99@gmail.com
MR FEDERICO HERIBERTO C DE LA LLANA MM	
EDP - IMD, National Security Council	
fhcdelallana@nsc.gov.ph
MR HO KYUNG YOO	
FEU-East Asia College	
hokyung_yoo94@yahoo.com
MR FERDINAND C PALOR	
Finance Division, Phil Veterans Affairs Office	
ferdz926@yahoo.com
MAJOR REY A GUBANTES PAF	
Foreign Liaison, OA-2, Philippine Air Force	
masculado142@gmail.com
MS KAREN P AGUIRRE	
Guidance Unit, FEU-East Asia College	
kpaguirreinfo@gmail.com
MAJOR VALENTINO T AUSTRIA PA	
HHSC, Army Signal Regiment (P)	
austriavt@army.mil.ph
ATTY ARTEMIO A ADASA JR, MNSA	
House of Representative	
aaa.legops@congress.gov.ph
ENGR PHILIP P VILLAMIN	
House of Representatives	
vphone@gmail.com
MR FELINO D CASTRO V	
ICT Management Service, DSWD	
focastrov@dswd.gov.ph
DIR PHILIP A VARILLA	
ICTO-DOST	
ITO ANDRES D NAVARRO	
IMO, DND	
adnavarro@dnd.gov.ph
LCDR SALVADOR M SAMBALILO PN	
Information Systems Group,
NCEISC, NSSC, Phil Navy	
sambalilo.salvador128107@navy.mil.ph
MS AVEGALE CECIL G ALCARAZ
Information Systems Security Department, Pag-Ibig
Fund	
agalcaraz@pagibigfund.gov.ph
ENGR / PSINSP ALLAN S CABANLONG	
Information Technology Management Service	
allancabanlong@pnp.gov.ph
MS NIKKO L DIZON MNSA	
Inquirer	
nicolettekn@gmail.com
MR MENARDO S GARCIA	
Intelligence Service, AFP
menardogarcia@yahoo.com
TSGT RUBEN A BIRUNG PA	
Intelligence Service, AFP	
rabirung@gmail.com
MAJ CHRIS V CABADING PA	
Intelligence Service, AFP	
xtiansr00@yahoo.com
MR HARINDRANATH MEPURATHU	
International Organization for Migration	
hmepurathu@iom.int
CPT REX C BOLO PA	
ISG, Philippine Army	
rexcbolo97@yahoo.com
MR MERVIN R BUNAG	
ISSA Manila Chapter	
mervin.bunag@gmail.com
MR CHINO S RODRIGUEZ	
IT Resource Mgt Office	
crodriguez@ateneo.edu
LTCOL MARCIANO JESUS C GUEVARA	
J-staff, AFP, GHQ-AFP	
sirocco8800791@yahoo.com /
oj7_bat@yahoo.com
MS CAROLINA P DELA CRUZ	
Knowledge Management Division,
Department of Health	
cpdelacruz@co.doh.gov.ph
ATTY ARIEL O LABRA	
Law Department, City Govt of Makati	
atty.arielolabra@gmail.com
ATTY / P/ENS BLESSIE L TURIJA-PALMOS	
Legal Service	
blessiepalmosa@yahoo.com
ENGR MERLINA PANGANIBAN	
Makati Mayors Office	
merlinagp@gmail.com
MS ELSIE I ENCARNACION	
Metro Manila Development Authority	
oc.miss@mmda.gov.ph
ENGR FREID RICK C TURINGAN	
Metro Manila Development Authority	
miss.administrator2@mmda.gov.ph
MS ANNABELLE C RAGSAC	
Mngt Information Systems Division, IMO	
belle@nsc.gov.ph
CAPT ROMMEL ANTHONY SD REYES PN	
N6 Philippine Navy	
reyes.rommel10106@navy.mil.ph
MR JOEY I NARCISO	
National Bureau of Investigation	
joey@joeyinarciso.com
MR VICTOR V LORENZO CPA	
National Bureau of Investigation	
victorlorenzo38@yahoo.com
DIR RAUL N NILO	
National Computer Center	
raul@ncc.gov.ph
MR FEDERICO HERIBERTO C DE LA LLANA	
National Security Council	
fhcdelallana@nsc.gov.ph
FMR CONG RODOLFO PLAZA MNSA	
NDCPAAI
COL CARLYZAR DIVINAGRACIA PAF (RES) MNSA	
NDCPAAI	
dcarlyzar@hotmail.com
LTC DOLORES DE QUIROS - CASTILLO PA (RES)
MNSA	
NDCPAAI	
dollydqc@yahoo.com
MR GAUDENCIO A CANTOS III MNSA	
NDCPAAI	
gcantosiii@yahoo.com
MR DICKSON G WEE MNSA	
NDCPAAI	
iweb@club88.net / bloatedgenius@yahoo.com
MS SHIRLEY MARIE P PLAZA MNSA	
NDCPAAI	
shirleypplaza@gmail.com
MAJOR JAY JOSEPH C ESPIRITU PA	
Net Center, ASR(1) IA	
espiritujj@army.mil.ph
MAJOR JOEY T FONTIVEROS PA	
NETC, ASR (P)	
fontiverosjt@army.mil
MR ALFREDO G FRANCO	
Network Solutions Engineering Group	
afranco@ncc.gov.ph
LTJG EDUARDO R BARRAMEDA JR PN	
NISF, PN	
erbj101@lonaicom.net
MR DAVID R LCRUZ	
OASPP	
davecruzph@yahoo.com
CPT ROMEO M PAZZIUAGAN	
ODCS FOR CEIS, J6	
pazziuaganrm@afp.mil.ph
CAPT GEORGE F CATAMEO	
ODCS for Reservists & Retiree Affairs, J9	
rraoja_opns@yahoo.com
MAJOR DON MARIA R ANICETE PAF	
Office for Defense Reform,
Department of National Defense	
donanicete@yahoo.com
EVA B DELOS SANTOS	
Office for Public Affairs	
evabds25@yahoo.com
COL ARNOLD DF ANDALES PA, MNSA	
Office of AC of S for CEIS, G6, PA	
rnold61@yahoo.com
MR KELVIN ART T OFRECIO	
Office of Civil Defense	
katofrecio@ndrrmc.gov.ph
LTC CHARLEMAGNE F BATAYOLA JR PA	
Office of Strategic & Special Studies Division, AFP	
yuri10936@gmail.com
MAJOR ELMER D HAMAMOTO PA	
Office of the AC of S for CEIS, G6, PA	
hamamotoed@army.mil.ph
COL ERNESTO C FONBUENA JR PAF (GSC)
Office of the Deputy Chief of Staff for Communication, Electronics and Information Systems, OG6
fonbuenaec@afp.mil.ph
MAJOR JOSE RAYNIL B MAHINAY PAF	
Office of the Deputy Chief of Staff for Personnel, J1	
raynil_m@yahoo.com
PROF LEMUEL RODOLFO B BRAÑA	
Office of the President, Cobra Itech Services Corporation
lrbbrana@cobraitech.com
MR DEXTER D CONCEPCION	
Office of the Vice President	
ddconcepcion@ovp.gov.ph
MR STEPHEN P CUTLER PHD	
Official Global Control Corporation	
steve.cutler@ogcc.biz
1LT KAREN LELETH P DIPALING PA	
OG2, PA	
kar_dips06@yahoo.com
CDR ROBERTO E RUBIA	
OJ4	
amir6177@gmail.com
COLONEL JAIME FERNANDO R HIDALGO PA	
OJ5, GHQ, AFP	
jimhidalgo87@yahoo.com / jimhidalgo87@gmail.com
COL ERNESTO C FONBUENA JR PAF (GSC)	
OJG	
fonbuenaecjr@afp.mil.ph
MR JESSE REY F RIOS	
Operations Section, Office of Civil Defense - Cordillera
car@ocd.gov.ph / civildefense_car@yahoo.com
ATTY JOSE ANGELO V CUNANAN	
OUSLLASC	
gelocunanan@alumni.ateneo.edu
MR JAIME L ROQUERO	
Phil - Star	
jrlaude@yahoo.com
COMMODORE SALVADOR Q ESGUERRA AFP (RET)	
Phil Veterans Affairs Office	
sqesguerra@gmail.com
COL SUSTHENES C VALCORZA GSC (PAF)	
Philippine Air Force	
a6@paf.mil.ph
MAJOR MARVEL C SABELLON PAF	
Philippine Air Force	
sabellon.marvel@paf.mil.ph
MAJ JUDE P EJERCITO PAF (GSC)	
Philippine Air Force	
jude.ejercito@yahoo.com
SGT JAN BER M TERRITORIO	
Philippine Army	
1LT IVY M PILONES	
Philippine Army	
ivy_06ymra@yahoo.com
LTC ROMEO N BAUTISTA III PA	
Philippine Army	
romeo_bautista93@yahoo.com.ph
09186750762
MAJ JERIC MAXIMO M REYES PA	
Philippine Army	
afpps@yahoo.com
MR VIRGILIO M GAJE	
Philippine Information Agency	
vergaje@yahoo.com
LTC EDWARD VINCENT S ARRIOLA PN (M)	
Philippine Marine Corps	
mc6@marinecorps.mil.ph
LTC JOSE DODJIE C BELLOGA PA	
Philippine Military Academy	
dodjieb@pma.ph
PSSUPT BENJAMIN C ACORDA JR	
Philippine National Police	
acorda91@yahoo.com
PSSUPT BARTOLOME R BUSTAMANTE	
Philippine National Police	
legalbuster@yahoo.com
PSSUPT EDWIN JOSE G NEMENZO	
Philippine National Police	
PSSUPT RENE D ONG	
Philippine National Police	
renediazong@yahoo.com.ph
CDR RUBIN D ATILLO PN	
Philippine Navy	
atillo.rubin128090@navy.mil.ph
ENS JAN KYLE Q BORRES PN	
Philippine Navy	
borres.jan16421@navy.mil.ph
CPT KRISTINE B SALON PN (M)	
Philippine Navy	
salon.kristine134651@navy.mil.ph
MR JAIME R LAUDE	
Philippine Star	
jrlaude@yahoo.com
MS MELENDA I LUNA	
Philippine Veterans Affairs Office	
vrmd_pvao@yahoo.com
MR ROBERT DG LOSABE	
Philippine Veterans Affairs Office	
rlsport12345@yahoo.com
MS OLIVIA C ALEJANDRINO
ISA III, MID	
Philippine Veterans Affairs Office
Department of National Defense	
olvcruz@gmail.com
MR DARIOS S VALLEJOS	
Planning / IT, Office of Civil Defense Region 3	
itenpus@yahoo.com
MR ALLAN TIENZO	
Powerlink	
allan.tienzo@powerlink.ph
1LT MARICHRIS A BELLEZA PA	
Presidential Security Group	
mabelleza@psg.mil.ph
alferezmc@army.mil.ph
MR SIMOUN S UNG	
PVB Card Corporation	
simoun.ung@paybps.com
simoun.ung@osac.ph
MS ROCHELLE O CHAVEZ	
RTC Makati	
cchlechavez@yahoo.com
MS AUGUSTA N ALTOBAR	
SACSO, FEU-East Asia College	
analtobar@feu-eastasia.edu.ph
MS BEATRIZ G SUMAGAYSAY	
SACSO-Discipline Unit, FEU-East Asia College	
bgsumagaysay@feu-eastasia.edu.ph
MR GABRIEL B FORTU	
SACSO-Guidance Unit, FEU-East Asia College	
gbfortu@feu-eastasia.edu.ph
MR JOHN WILMER DG JIMENEZ	
SACSO-SADU, FEU-East Asia College	
jgjimenez@feu-eastasia.edu.ph
MR CEZAR DV GUTIERREZ	
Senate of the Philippines	
rasec15g@yahoo.com
DIR FD NICOLAS B PICHAY	
Senate of the Philippines	
artandlaw.pichay@yahoo.com
MR DAVID Y SANTOS	
Solar News	
david.yu.santos@gmail.com
MS IMELDA M ACOSTA	
Training Section, OCD Region 1	
ocdrc1@yahoo.com /
sugary14SgMM@yahoo.com
MR STUYVESANT LIM	
TRUSTWAVE	
slim@trustwave.com
MS FLORDELIZA A VIDAURRETA	
UDO-MAKATI CITY GOVT	
vidaurretafa@makati.gov.ph
MR JEROME GARRIDO	
Urban Development, Makati Mayors Office	
jerome.garrido@powerlink.ph
LAURENT M DE WINTER	
2ND SECRETARY, POLITICAL, US Embassy	
dewintermm@state.gov
MR KYLE MILLS	
US Embassy	
millskg@state.gov
MR MOISES PALER
Zperia
moie@zperia.com
National Defense College of the Philippines
Mission
To prepare and develop potential national security leaders
for high positions of responsibility and command,
and undertake strategic research and policy studies
to enhance national defense and security
(PD 190 s. 1973; PD 452 s. 1974; Admin Code of 1987, DC 2 s. 2007)
Vision
To be the center of excellence in educational and policy development for
strategic and dynamic leaders in national defense and security by 2022.
Functions
a.	 Undertake an academic program and confer the degree of Master in National
Security Administration (MNSA) or such other appropriate courses upon all its
students who have satisfactorily completed the prescribed courses of study;
b.	 Undertake a research program as basis in the formulation of national defense
and security policies;
c.	 Conduct extension program such as non-degree training, seminar-workshops,
policy conferences and other similar fora on national defense and security
issues;
d.	 Conduct other programs and projects in support of the mission of the Department
of National Defense (DND) and its bureaus and offices and other government
agencies.
Join the MNSA Regular Course
and become one of the country’s
SCHOLARS and ADVOCATES of NATIONAL SECURITY at the NDCP —
“where admission is an honor.”
For details, call telephone nos.
Office of the NDCP President- (02) 911-8469;
Registrar- (02) 912-1510; Academics Division- (02) 912 9117;
Research Division-(02) 912-9125; Admin Division (02) 912-1412
visit us @ www.ndcp.edu.ph.

National Security Review

  • 1.
    1ICT Development andCyber Security Reader A special edition of the National Security Review ICT Development & Cyber Security Reader Papers and Proceedings from the Fora on Cyber Security Awareness and Collaboration NATIONAL DEFENSE COLLEGE OF THE PHILIPPINES
  • 2.
    2 ICT Developmentand Cyber Security Reader Editorial Board Dr. Fermin R. De Leon Jr, MNSA President, NDCP Dir. Ernesto R. Aradanas, MNSA Executive Vice President, NDCP Ananda Devi Domingo-Almase, DPA Professor Dr. Antonio G. Matias, MNSA Professor Prof Charithie B. Joaquin Professor Prof. Christine June P Cariño, MNSA Chief, Academic Affairs Division Cdr Rostum J Bautista, MNSA PN (Res) Chief, Research and Special Affairs Division ________________________________________________________ Secretariat/Publication Committee Grace Q. Banlaoi, Manmar C. Francisco, Segfrey D. Gonzales, Gee Lyn M. Magante, Eugene Galang, Jaime Saulo, Francis Mangadlao Copyright 2012 by NDCP This volume is a special edition of the National Security Review and is published by the National Defense College of the Philippines. The papers compiled herein are solely those of the authors and do not necessarily represent the views and policies of their affiliated governments and institutions. Comments and suggestions are welcome and may be sent to NSR Publication Office, NDCP Camp Aguinaldo, Quezon City, with telephone number +63-2-912-9125. Cover photo credits: web.securityinnovation.com, topsecretwriters.com, topsecretwriters.com, craxel.com, choosemontgomerymd.com
  • 3.
    3ICT Development andCyber Security Reader Foreword T he Philippines, although considered an emerging country in computer and cyber technology, is not isolated or shielded from acts of cyberterrorism and cyberwar. The more advanced a country is in terms of technology, the greater the impact of a cyber attack or network denial of service. There is a need for an increased awareness in the national and global environment on what cyber crimes are and how to deal with their effects. Undoubtedly, the internet is very much a part of our lives now and we cannot simply disconnect from it. Cyberspace is the interdependent network of information infrastructure that includes the internet, computer networks, systems and the embedded processors and controllers in critical industries such as telecommunications, banking, transportation, business. It is virtual and has become the “fifth domain” after land, sea, air and space. Since cyber crimes are virtually committed and transnational in nature, it is imperative to build trust among nations in sharing information on how to combat cyber threats. Perhaps the most prevalent crime of the 21st century in an age of information and communication technology (ICT) is cybercrime, also known as computer crime. Cybercrime has grown and worsened in alarming proportions as it affects information and data management systems important to government, business, education, and even entertainment. Worse, this crime, especially those that can be done at home, has invaded the privacy of personal life. These modern crimes, which employ computers or mobile phones as tools for illegal activities, include but are not limited to the following: identity theft and invasion of privacy; internet fraud; ATM fraud; wire fraud; file sharing and stealing intellectual property through piracy; counterfeiting and forgery; child pornography; hacking and espionage; programming of computer viruses; denial of service attacks; spam; and sabotage. 
Due to the widespread adoption and use of computers and the internet in almost all aspects of our daily living, and exacerbated by the vulnerability to aforementioned cybercrimes using the ICT and the cyberspace, the NDCP, in collaboration with the Office of the Vice President and the NDCP Alumni Association Inc. has embarked on a series of public fora and seminar-workshops to increase public awareness on the protection of information, communication technology and cyberspace to improve the security, efficiency, cost effectiveness, and transparency of all government and private online and electronic services through policy formulation and conduct of education, training and research on cybersecurity. The College also hopes and aspires to be the center for policy formulation on security and resiliency in cyberspace, as well as the venue where education, training and research on the protection of information, communication technology and computer network operations, including cybercrimes, defensive activities, and security of the cyberspace infrastructure will be conducted.
  • 4.
    4 ICT Developmentand Cyber Security Reader We hope that this present volume, ICT Development & Cyber Security Reader— a collection of papers, thesis, speeches, laws as well as highlights of the proceedings from a series of fora and workshops on cybersecurity awareness and collaboration, will somehow quench the thirst for more ICT literacy and cybersecurity understanding among our policy- makers and the general public. We also hope that this reader will contribute to better prepare public and private cyber infrastructure for any eventuality involving the misuse of cyber technology and for our cyber community to become more proactive in mitigating the risks of such cyber threats to the peaceful conduct of local and international affairs. Fermin R de Leon, PhD, MNSA President, NDCP
  • 5.
    5ICT Development andCyber Security Reader Foreword 1. Welcome Remarks Fermin R De Leon Jr, PhD....................................................................................... 2. Keynote Address during the Securing a Whole Wired World: A Forum on Cyber Security Awareness and Collaboration Honorable Jejomar C. Binay..................................................................................... 3. Highlights of the First Forum on Cybersecurity Awareness and Collaboration: Securing A Whole Wired World............................................. 4. Keynote Address during the Forum on How Safe Is Your Money?: Rethinking Cybersecurity Honorable Jejomar C Binay...................................... 5. Highlights of the Second Forum on Cybersecurity Awareness and Collaboration: How Safe Is Your Money?: Rethinking Cybersecurity.................................................................................. 6. Opening Remarks: ICT Development and Cybersecurity Enhancement USec Benjamin E Martinez Jr................................................................................. 7. Highlights of the Seminar-Workshop on Cybersecurity: Towards Information, Communication and Technology Development (ICTD) and Cybersecurity Enhancement...................................................................... 8. Highlights of the Third Forum on Cybersecurity Awareness and Collaboration: Cybercrime Law and Its Implications to National Security.................................................................................................. Papers on ICT Development and Cybersecurity 9. Paper Output during the Seminar-Workshop Prioritizing ICT Development and Cybersecurity Seminar ...................................................... 10. Understanding Cyber Security from Global and Regional Perspective Stephen P. Cutler............................................................... 11. Cyber War and Cyber Terrorism Stephen P. 
Cutler......................................... 12. Philippine Cyber Security: General Situation Angel S. Averia, Jr................ 13. Historical Notes on Technology and Cyber Security Initiatives Lorenzo A. Clavejo..................................................................................................... 14. Cyber-security: Perspectives on Attacks John Peter Abraham Q. Ruero.................................................................................. C O N T E N T S 3 8 9 13 24 27 36 38 48 61 67 75 77 86 90
  • 6.
    6 ICT Developmentand Cyber Security Reader 94 103 119 122 124 132 135 147 161 163 166 178 189 208 15 Cyberwar and Rules of Engagement Drexx D. Laggui............................... 16. The Evolving Landscape on Information Security Wilfred G. Tan, Carlos T. Tengkiat & Simoun S. Ung....................................... 17. The Need to Secure Our Cyber Space Angel T. Redoble............................. 18. National Security Implications of R.A. 10175: Defense Perspective Nebuchadnezzar S. Alejandrino I......................................................................... 19. Fighting the Crime of the Future: Responding to the Challenges of Cybercrimes Geronimo L. Sy............................................................................ 20. Key Structuring Principles in the Cybercrime Law Discourse Shirley Pelaez-Plaza.............................................................................................. 21. New Frontiers in Cybersecurity: Its Adverse Impacts in the Philippines and ASEAN Region Chester Cabalza........................................ References 22. Republic Act No. 10175 An Act Defining Cybercrime, Providing For The Prevention, Investigation, Suppression and the Imposition of Penalties Therefor And For Other Purposes.............................................................................................................. 24. Types of Cybercrime cybercrimes09.blogspot.com......................................... 23. Cybercrime Interpol........................................................................................... Thesis Abstracts 25. Cybersecurity Capability of the Armed Forces of the Philippines in the Midst of Computer Threats Arturo A Larin...................................................................................................... 26. The Effects of the Internet Age on National Identity and National Security Nathaniel Ordasa Marquez.................................................. 27. 
Electronics Security System of Universal Banks in the Philippines: An Assessment Rodrigo I. Espina, Jr., ............................................................ Directory of Participants..............................................................................................
  • 7.
    First Forum on Cybersecurity Awareness and Collaboration

    26 October 2011, NDCP Honor Hall, Camp Emilio Aguinaldo, Quezon City

    “Securing A Whole Wired World”
  • 8.
    Welcome Remarks

    Fermin R De Leon Jr PhD, MNSA, President, NDCP

    Speech delivered during the Securing a Whole Wired World: A Forum on Cyber Security Awareness and Collaboration, on 26 October 2011, NDCP Honor Hall, Camp Emilio Aguinaldo, QC

    The Honorable Jejomar C Binay, MNSA, Vice President of the Republic of the Philippines; Honorable Voltaire T Gazmin, Secretary of National Defense; distinguished members of the diplomatic corps; sons and daughters of the NDCP; my fellow civil servants; ladies and gentlemen, a very pleasant morning. The College has always been at the forefront of discourses of present issues and concerns that matter to you, to me, and the rest of society. It has always been providing a venue for enlightenment and understanding as it welcomes to its confines, with very much eagerness and enthusiasm, open and truthful discussion all in the name of academic freedom. Today, the College, once again, proudly finds itself as the point of convergence of a wide spectrum of stakeholders to tackle perhaps the most crucial issue of this age. For this, I wish to personally extend my gratitude to the Honorable Vice President and the NDCP Alumni for once again, partnering with the College in such a worthy endeavor. As its theme conveys, the event elevates cyber security awareness among its audience, a diverse mixture of cyber security key players coming from the government, private sector, the civil society and the academe. It also highlights the importance of partnership in building the nation’s cyber resiliency. Indeed, our event is a sterling contribution of the academe in seizing the opportunities and facing the challenges the Information Age presents. Despite being an emerging nation in cyber technology, our country is never shielded from cybercrimes.
There is a need to enhance our cyber security if we want to take advantage of the opportunities of this heightened interconnectivity. Thus, I encourage everyone to actively participate in discussions as everyone’s contribution is important in addressing the evolving threats we face in the cyberspace. Cyber security is something that affects us all. As more and more daily functions rely on digital systems, we have more and more reasons to ensure the privacy, safety and security of our cyber space. It’s an important task not exclusive to the government nor the private sector. Enhancing our cyber security is rather a shared responsibility because at the end of the day, cyber security is about security of the people. In the first place, technology is there to make our lives better. However, if we fail to be conscientious and proactive users, any sophisticated technology will be rendered useless or, even worse, prove to be harmful. Ultimately, it is in our hands to secure a whole wired world. Magandang araw at mabuhay tayong lahat! # # #
  • 9.
    Keynote Address

    Honorable Jejomar C. Binay, MNSA, Vice President, Republic of the Philippines

    Speech delivered during the Securing a Whole Wired World: A Forum on Cyber Security Awareness and Collaboration, on 26 October 2011, at NDCP Honor Hall, Camp Emilio Aguinaldo, QC

    When we first discovered the Internet around two decades ago, we heard about its power as a communications tool. As dial-up networking struggled to cope with our thirst for email, we were content to use the World Wide Web for keeping in touch with friends and family. Yet the birth of cyberspace did not fully reveal the impact it would have on the world. Not long after its propagation, the Web developed a maturity that dissolved borders. Not since the invention of the locomotive has a technological wonder spurred progress the way the Internet did. Education, business, finance and personal exchanges found a new home on cyberspace. Entrepreneurs could do business nationwide without having branches in every city, and almost anything can now be bought online. No longer was it necessary to be in a classroom at a particular time to hear a lecture or complete a course. And in case you needed to access your money after business hours, online banking made it possible to manage your accounts without the help of a teller or ATM. Further technological advances bolstered the World Wide Web, making it possible to transmit data and voice at the speed of light. Geographical barriers to outsourced and offshore services came down and within the past ten years, the Philippines, and several other countries have reaped the benefits of this wave. Governments and firms quickly saw the power and benefit behind storing information in electronic formats.
    Apart from the positive impact on the environment, this permitted a central and consistent base of records to be maintained and made accessible to the agencies and offices that citizens transact with to obtain basic services. However, where an abundance of opportunity and an openness of exchange exist, criminal genius cannot be far behind. The advancement of the Internet has prompted ill-doers to exploit the Web for their own nefarious purposes. Some months ago, I had a brief encounter with two IT managers. I forget their names, but they were young, very driven and visibly competent Filipinos. Being less fluent than I should be in the language of Information Technology, I picked their brains to learn more of the threats we face, and the weaknesses that they believe are present in our country. The first manager contributed his own notes to the conversation saying that from three years ago, attempted intrusions into his network (or attempted hacks) tripled. From 400 attempts daily in 2008, he is now blocking over 1200 attempts per day. Based on his reviews, only 3% of the attacks emanated from the Philippines. The vast majority came from China with the balance originating from the rest of the world. He lamented that these
  • 10.
    attacks will probably increase geometrically in the future and that he works feverishly to keep up with the threats by upgrading access control procedures, security software and where budgets permit, his hardware as well. When I asked for examples of intrusions and their risks, the second narrated his personal experience from his own BPO center in Makati. He was monitoring his VOIP servers, when he saw unauthorized calls being directed to places like Brazil, Zimbabwe and Haiti. He immediately secured his line but the one hour’s worth of hijacked calls cost him over $2000 in charges. The attack originated not from within his workforce but from overseas, and it took months for him to resolve the billing with his service provider. Luckily, his loss was temporary but he added that he personally knew of a center in Ortigas that closed shop after hijacked VOIP servers inflicted monthly losses in the millions of pesos. These trends, in the words of these professionals, represent but a fraction of the threats an IT-enabled business can face. At that point, it became painfully clear that cyber security threats were not just epic events that affected foreign nations or large conglomerates alone. Like other citizens of cyberspace, we too are at risk, and those risks escalate as quickly as fiber optics transmits signals. The breadth and depth of valuable information on the Web has reached critical mass and sends new breeds of criminals into a feeding frenzy. What is valuable to us can now be stolen online, just as easily as a pickpocket can make off with our cell phones. What is critical to us can be shut down or made unusable and no longer are these cases taken from a plot crafted by fiction and cinema. In 2008, a band of three hackers stole more than 170 million credit card numbers before they were arrested.
In 2010, South Korea sustained a cyber attack where 166,000 computers from 74 countries jammed the web sites of banks and government offices. Also in that year, IT security experts unearthed a worm named Stuxnet. Unlike previous worms, Stuxnet did not prey on computers and networks. Instead, it compromised software that controls industrial machines and could wreak havoc on facilities like power and water plants. The damaging potential of Stuxnet was exceeded only by the effort that had gone into its creation. The experts who dissected the worm concluded that around 10,000 man hours had gone into its creation. This was aside from the sheer sophistication of the malware’s design. There was little doubt that cybercriminals had a resolve that matched if not surpassed that of suicide bombers in Iraq or Afghanistan. Their weapon of choice may far exceed the damage that any WMD can inflict. In 2010, the cost of electronic theft exceeded that of physical theft according to the 2011 Global Fraud Report of Kroll Associates, a leading American security and risk management firm. Perhaps the starkest example was the Wikileaks incident, where classified cables from the US State Department suddenly emerged in the open domain. Not even the US government was immune to the threat, despite the wealth of resources at their disposal. Clearly then, cyber security is a national security issue. The practically borderless nature of the cyber world presents a daunting challenge to us as we work to exist safely in that realm. One of our blind sides is the lack of information exchange between all stakeholders. The IT community is most aware of these evolving
  • 11.
    threats but the public sector may be less so. Currently, no single agency has the capability or mandate to match the scope of this threat and collaboration between public and private parties should remain one of our strongest mooring points. The private sector should be a firm partner in this effort. IT is the focus of their business and apart from employing the best people that they can, it is they who have encountered these threats first-hand. Their defenses and solutions are forged in reality and their findings are invaluable as we map out a strategy to secure the new national assets that the Web has created. Let us see how the skills gained by the private sector can be cascaded to their counterparts in government. Apart from holding hands to gain familiarity with the terrain of the Internet, let us revisit our laws. Many potential foreign investors in the IT field still have the genuine fear of suffering electronic threat offshore, without having legal recourse. Our country’s e-Commerce law is now over a decade old. Perhaps it is time to lend your talents towards enhancing our laws to insure that they remain capable of addressing the challenges we currently face and those that we shall meet in the future. Other nations have made this a top priority. The UK and the United States have their data privacy laws which are strictly interpreted and enforced. Nonetheless, in the past year alone, 18 bills have been filed in the US Congress to further enhance their laws against cybercrime and similar activities. Let us work with our legislators. I have no doubt that they are all eager to help us close this gap in our virtual borders, but they need to understand not just the jargon, but the threats we face and the consequences we can suffer. Guide them through the language and landmarks of cyberspace and I am confident that relevant and lasting legislation shall result.
Operationally, it is my hope that this forum shall give birth to both a cyber security roadmap, as well as a defined framework of collaboration between government agencies and the private sector so that a cyberspace coast watcher system can be established and implemented. In countries like Japan, inbound viruses and malware are treated like outbreaks. The path is monitored in real time, and through pre-established communications procedures, the propagation of the virus is arrested. Alerts are sent out not just to networks nationwide, but to competent government authorities from the source country and other nations in the region. Specialists are tasked to dissect the virus and formulate defenses which are rolled out to all networks in the country. We should be able to achieve such a system if we work hard enough. This may sound like a tall order, for we have yet to acquire the infrastructure sophistication of some of our neighbors. However, within this forum, provide clarity to the question of technical skills that we need to develop and foster in the long term, and how to best organize these skills. Let us explore avenues for government-to-government cooperation in terms of technology transfer with our friends in North America, Europe and Asia. While technologies change, the collaborative approach shall remain the cornerstone of a sound national security response.
  • 12.
    This battle in cyberspace comes to us swiftly and unceasingly. This forum is a positive step towards rallying our forces but it will take several steps for us to complete our task. Together, let us raise our virtual army and come to our nation’s defense. Thank you and good morning. # # #
  • 13.
    Highlights of the 1st Forum on Cyber Security Awareness and Collaboration

    Securing a Whole Wired World

    I. Executive Summary

    In celebration of the Cyber Security Month, the National Defense College of the Philippines (NDCP), in collaboration with the Office of the Vice President (OVP) and the NDCP Alumni Association, Inc (NDCPAAI), launched a series of fora on Cyber Security Awareness and Collaboration with the theme “Securing a Whole Wired World.” The event was held on 26 October 2011 at the NDCP Auditorium. The Philippines is never shielded from acts of cyber terrorism and cyber crimes. Thus, the objectives of the forum were: 1) to gather cyber security key players and stakeholders in the country; 2) to elevate awareness on what cyber crimes are to eventually control and conquer them; and 3) to explore prospects for cooperation among the government, private sector, academe, and the civil society. The forum was intended to provide a platform for discourse and collaboration among government agencies, private sector, academe, and the civil society. The activity commenced with the keynote address from Vice President Jejomar C Binay, followed by three lecture sessions by six experts tasked to tackle cyber security from theory to practice, and a summary from Mr Abraham Purugganan, MNSA. The Vice President’s keynote address, read by the DND Secretary Voltaire T. Gazmin, elaborated on the seeming paradox of cyber technology. It has made lives easier and, at the same time, harder. Cyber security was deemed an opportunity for interagency, intersectoral, and intergovernmental collaborations. Session One provided the current situation, challenges, and opportunities in the cyber space. It revealed the urgent need to boost cyber security awareness and capability in the Philippines.
    Session Two emphasized the importance of public-private partnership in enhancing the cyber resiliency of the Philippines. It also explored the nature of cyber war and provided foundations in crafting the rules of engagement in cyber warfare. Session Three gave a practical demonstration of how a computer virus can infiltrate industrial control systems and eventually impact the critical infrastructures of a country. The audience was also provided with practical tips in dealing with cyber attacks. Overall, the discussions centered on the ever-changing nature of national security as demonstrated by the dynamics in the cyber space. Through cyber technology, we saw how countries flourished to become powerful nations, but we also witnessed how they become victims of cyber crimes, cyber terrorism and cyber warfare. In the end, a collaborative approach remains one of the most effective ways of dealing with the evolving threats in the cyber world.
  • 14.
    II. Opening Ceremony

    Welcome Remarks by Fermin R de Leon Jr PhD, MNSA, President, NDCP

    Dr. de Leon declared that discourses on issues significant to society, such as cyber security, are always welcome in the NDCP. The College has always provided a venue for enlightenment and understanding in the furtherance of academic freedom. Cognizant of the importance of cyber security awareness in national security, he thanked the OVP and NDCPAAI for partnering with the NDCP in organizing the forum. He considered the forum a sterling contribution of the academe in seizing the opportunities and facing the challenges the Information Age presents. He reiterated that developing cyber resiliency is not a responsibility exclusive to the government nor the private sector. Rather it is a shared responsibility; everyone’s contribution matters.

    Keynote Address by Honorable Jejomar C Binay, MNSA, Vice President of the Republic of the Philippines and President & Chairman, NDCPAAI (Speech delivered by the DND Sec Voltaire T. Gazmin)

    Vice President Binay noted how the web has become an integral part of human life and an indispensable tool of governments, industries, and various sectors around the world. However, he also emphasized how the internet dissolved borders and how the breadth and depth of valuable information on the Web has reached critical mass, sending new breeds of criminals into a feeding frenzy. In 2010, South Korea sustained a cyber attack where 166,000 computers from 74 countries jammed the web sites of banks and government offices. In the same year, IT security experts unearthed a worm named Stuxnet. Unlike previous worms, Stuxnet did not prey on computers and networks. Instead, it compromised software that controls industrial machines and could wreak havoc on facilities like power and water plants.
    He also cited the 2011 Global Fraud Report of Kroll Associates, according to which the cost of electronic theft exceeded that of physical theft in 2010. The Vice President affirmed that while the world reaped unfathomed benefits from the heightened interconnectivity among nations and industries, the borderless nature of the cyber world also presents a daunting challenge to everybody as all work to exist safely in that realm. Currently, no single agency has the capability or mandate to match the scope of this threat and collaboration between public and private parties should remain one of the strongest mooring points. He highlighted the importance of the private sector as a partner in ensuring the cyber resiliency of the country. Many potential foreign investors in the IT field still have the genuine fear of suffering electronic threat offshore, without having legal recourse; the country’s e-Commerce law, being more than a decade old, is already outdated. He encouraged pertinent agencies to explore avenues for government-to-government cooperation in terms of technology transfer with friends from North America, Europe and Asia. While technologies change, the Vice President is positive that collaboration shall remain the cornerstone of a sound national security response.
  • 15.
    III. Plenary Sessions

    Session One: The Regional Cyber Security Landscape, Challenges, and Strategies

    Cyber Security and Governance by Atty Ivan John Enrile Uy, Former Chairman, Commission on Information and Communications Technology (CICT)

    Atty Uy offered the latest cyber security landscape. He shared that presently, there are 5 billion mobile phone users around the world, two billion of whom are internet users. Out of the 2 billion, approximately 1.2 billion come from developing countries around the world. He reported that online transactions have reached 10 trillion dollars worldwide. The amount of data processed or handled in the virtual realm reached 5 exabytes in 2001-2003. Today, the cyber world produces the same amount of data in a matter of days. Radio reached 50 million people in 38 years; television took 13 years. Meanwhile, the internet reached the same number of people in 4 years’ time; Facebook did it in 3 months. This is how rapidly the internet extends its footprint across the world. As people increasingly become aware of what technology can do, technology becomes a source of challenge and a matter of security concern for governments. Governments are now being obliged to match how the private sector, through information technology, efficiently delivers services to the people. This is very apparent, as many governments worldwide have begun to deliver e-governance and e-services to their citizens. However, as information technology becomes handier and more ubiquitous, more and more criminal minds would want to exploit it. Cyber security concerns have significantly increased over the past years. Recently, Sony’s PlayStation Network was hacked; 70 million accounts were put at risk. The very first cyber warfare may have happened in 2007 when Estonia’s information infrastructure was allegedly attacked by the Russian Government after Estonia decided to move the grave marker of a Soviet-Russian hero.
    These recent events have moved the United States to establish a cyber security command headed by a 4-star general in 2009; South Korea, Great Britain and China followed a year later. When one speaks of cyber security, one usually refers to common cyber crimes (e.g. fraud, gambling, child pornography). However, there are other arenas that require adequate attention, e.g., cyber terrorism, denial-of-service attacks, online espionage, and online warfare. Such attacks may come from outside or from within. Information technology has changed how people live and how they act. It has ousted governments that have underestimated its ability to influence the mindset of the people (e.g. EDSA II and the Arab Spring).

    Cybercrimes, Cyberterrorism, and Cyber Security Landscape by Atty Magtanggol B Gatdula, PhD, Director, National Bureau of Investigation (NBI)

    Atty Gatdula reported that the Philippines is now a haven of transnational organized crime syndicates due to the lack of capabilities and technical know-how of law enforcers in the country. Quoting Director Sammy Pagdilao of the Philippine National Police–Crime
  • 16.
    Investigation and Detection Group (PNP-CIDG), he shared that cyber crime mafias, mostly foreigners, have established bases of operations in the country. Cyber crime syndicates have taken advantage of the organizational and technical incapability of law enforcers to fight cyber crimes. Because of great feats in information and telecommunications technology, the public is lured into trading security for the convenience these tools offer. Being useful and user-friendly, smartphones have become a typical person’s confidant in daily living. However, due to the mass of personal data stored on these gadgets, most of which are sensitive, these seemingly useful tools may become a source of vulnerability to their users. Today, the world experiences a dramatic increase in malicious software. Smartphones serve as a window of opportunity for cyber criminals to access potential victims’ personal and bank details. With regard to cyber terrorism, Atty Gatdula believes that terrorism continues to survive because it takes different forms to match the changing times; this includes cyber terrorism. The information age has built a battle zone not only for good intentions but also for evil schemes. In the absence of a clear national policy for information security and internet structure stability, the Philippines is vulnerable to cyber attacks. The country currently lacks a well-defined strategy and clear national security policy to combat cyber terrorism. The Human Security Act of 2007 and the E-commerce Act of 2001 could no longer address the emerging and evolving challenges in information security. The vulnerabilities of developing countries continue to encourage terrorists to enhance their hacking skills. No matter how sophisticated the reporting systems of industries are, they would all be rendered useless if the country does not have the technical capability to promptly and effectively respond.
    Nevertheless, vulnerabilities come with counteractions, e.g., prevention, detection, and reaction. The task is mainly reaction; one cannot always be proactive when it comes to cyber terrorism. One is blind to the next mode of attack. Amidst different modes of cyber attacks such as Stuxnet [1], there is a need for both the Philippine Government and the businesses operating these industry control systems to assess and address the vulnerabilities of the country’s existing infrastructure control systems (e.g., MRT, LRT, traffic systems, dams, and wind mills).

    Session One Open Forum

    A participant asked the speakers to personally identify the most probable and plausible cyber terrorism attack on the Philippines. Atty Uy opined that the country currently has a lot of vulnerabilities in many areas which may all be potential targets of attack. He particularly identified government websites, which have recently become targets of hacking and defacement. He agreed with Atty. Gatdula on the possibility of local critical infrastructures being points of attack. Another participant shared his experiences on receiving e-mails from unidentified persons offering to launder money to the Philippines. He asked if the NBI has ever pursued

    [1] Stuxnet is a computer worm widely suspected to have been designed to target uranium enrichment infrastructure in Iran. IT experts concluded that the sophisticated attack could only have been launched with nation-state support.
  • 17.
    these scam authors. A former Chief of the NBI’s Computer Crimes Division said that the agency launched several information drives against such scams. He also shared that the origin of these emails can be traced mostly to Africa. Because of jurisdictional considerations, the NBI cannot launch full pursuit operations against these scammers. Atty Uy shared that the Philippines already has local versions of such scams.

    Session Two: Government and Private Sector Solutions

    Cyber War and Rules of Engagement

    Drexx Laggui, Principal Consultant, Laggui and Associates, Inc.

    The recent penetration tests initiated by the Land Bank showed how vulnerable the network systems of Megalink and BancNet members are. Hired computer experts were able to fully infiltrate their systems, allowing them to do fund transfers and hijack remittances. Recently, the information system of the International Monetary Fund was penetrated, compromising very sensitive data that could endanger the financial market. The hackers allegedly accessed the network system by targeting the Facebook account of an IMF employee. It is widely suspected that it was a government-sponsored assault. Cyber terrorists would break into online banking systems and steal credit card information in order to buy equipment that would carry out their terrorism plans. Through BSP Circular 542, which requires banks to undergo penetration testing yearly, the public is ensured that local online banking systems will survive in the event of cyber war. However, other industries are still vulnerable. The energy, utilities, and transport industries all use SCADA [2] in their infrastructure control systems. SCADA is the same system used by the Iran nuclear enrichment plants allegedly targeted by Stuxnet. Cyber war is state-sponsored sabotage or espionage done before soldiers set foot on the battleground. It is the “use of force” in the cyberspace that has repercussions in the physical world.
    It is not directed against the military but against the national economy, which may also have serious implications for national security. In cyber war the rules of engagement (ROE) must be carefully crafted to minimize ambiguities that would delay responses when use of force is already required. When a country is engaged in cyber war the criteria for success (or failure) must be defined. The scope and timeframe of the attack must be set. Targets that are far removed from military objectives (e.g. hospitals) must never be engaged. The impact of cyber weapons is unproven and unknown, which makes their employment, in the event of cyber war, a critical decision given to the Head of State. The health, welfare, and privacy of the public must not be compromised. The reports, records, and data generated from cyber operations must never be used for commercial gains. In crafting the ROE for cyber war, three challenges must be addressed: credibility, invocation scenarios, and attribution. The key to deterrence is to show that the nation has the capability to defend itself against attacks and, if necessary, to fight back (i.e., credibility). The Philippines should have a potential escalation framework, where some instances could invoke cyber war, as part of a planning activity (i.e., invocation scenarios). There is also a need to beef up capabilities that would aid law enforcers to identify the face (or nation) behind the keyboard (i.e., attribution).

    [2] SCADA (supervisory control and data acquisition) refers to industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes.
  • 18.
    The Philippines has a maturity level of 1 [3] when it comes to cyber war capabilities. The country has arcane laws, regulations, and ROE that hobble its capability to ensure its national security. Nevertheless, it has the potential capability to engage, sustain, and achieve objectives in cyberspace.

    Public-Private Partnership in Cyber Security

    Stephen Cutler, President and CEO, Official Global Control Corporation

    The world is facing the same transgressions as it did hundreds of years ago (e.g., fraud and theft); the only difference is the speed at which they are committed. The state and military security structures do not move quickly as policies change. Like any crimes committed in the real world, there is a need to differentiate the acts of crimes committed by a pathological criminal (which are felonious) and those committed by a pathological criminal but in charge of the state (e.g., Hitler and Stalin). It is critical to differentiate acts of war and crimes. Educational institutions such as the NDCP may shed light on this important issue. Some people in the military believe that the private sector should protect themselves; the armed forces should protect the shores of the nation. However, with the advent of the information age, one may rarely see physical assaults as extensive as they were during the Spanish colonial era. At present, the private sector holds most of a country’s national assets. It is, therefore, a responsibility of the military to protect them. One should take a holistic view of national security. There is a need for public-private partnership and dialogue. There is a need to gather stakeholders from the country and representatives from the international community as well. National assets (both public and private) must always be protected. It does not matter whether the country is faced with invasion in the physical or the cyber world; national assets will be lost.
    Both the private and the public sector must contribute their utmost responsibility and utmost capability in protecting their nation. Major General Jonathan Shaw of the British Cyber Command said that cyber attacks represent the greatest threat to national security. Cyber attacks affect everyone. Everyone therefore must contribute in the protection against the danger cyber attacks pose. 80% of the threats are the result of poor cyber hygiene (e.g., the lack of relevant laws). Every nation must utilize all multilateral and bilateral relations to ensure its cyber resiliency.

    Session Two Open Forum

    One of the participants asked Mr Laggui if the Monroe Doctrine [4] is a sufficient framework to defend a nation’s security especially in the cyberspace. He also asked if there is a need for further definition of cyber war to set it apart from cyber attacks. He wanted to know from Mr Cutler how flexible cyber security policies should be, considering that

    [3] According to Mr Laggui, countries with Level 1 Maturity (i.e., Ad Hoc Level) have key stakeholders as leaders championing a management system of IT security.

    [4] The Monroe Doctrine is a policy of the United States introduced on December 2, 1823. It stated that further efforts by European nations to colonize land or interfere with states in North or South America would be viewed as acts of aggression requiring U.S. intervention.
the Treaty of Westphalia [5] no longer holds and the dynamics in the cyber world are ever-changing. In response, Mr Laggui shared that the cyber version of the Monroe Doctrine [4] allowed the US to identify its critical infrastructures and build up cyber resources to defend these assets. Meanwhile, Mr Cutler said that the Treaty of Westphalia is one of the many agreements that set up diplomatic relations among countries, which led to the nature of the international community the world has today.

Another participant wanted to find out from Mr Cutler the level of international cooperation in cyber security the Philippines has today. Mr Cutler opined that the country’s progress is far from the state of cyber resiliency it needs to have. There is a lot of support from other countries (e.g., South Korea, Japan and the US). Other neighboring countries (e.g., Thailand, Malaysia, and Indonesia) are doing well in enhancing their cyber security. Meanwhile, Mr Laggui shared that the local financial industry has very mature IT governance. Most of the banks in the Philippines have Level 3 Maturity [6].

Session Three: Cyber Security in Practice

The Real Deal of Cyber Attack to National Critical Infrastructure
Chaiyakorn Apiwathanokul, CEO, S-Generation, LTD, Thailand

It is a general belief that linking industrial control systems to networks and the internet makes them more secure, as it allows authorities to manage and control them anytime and from anywhere on the planet. On the contrary, doing so only makes them harder to protect, as anyone may access them using the right tools. In 2002, a nuclear power plant was forced to temporarily shut down due to a computer virus. When an operator’s infected laptop was connected to the plant’s control system, the virus spread throughout the network, incapacitating the safety monitoring system of the plant. Operations had to be temporarily terminated; there were massive blackouts for days.
Industrial control systems are one of the most common targets of cyber attacks as they manage and control critical infrastructures in a country (e.g., plants, transport system, traffic system, and dams). Control systems will always have weak points that hackers can exploit. They develop computer viruses to exploit such vulnerabilities, one of the most recent and ill-famed of which is Stuxnet. The government tries to protect these critical infrastructures through rules, guidelines and regulations. Operators must comply with these laws.

_________
[5] The Peace of Westphalia was a series of peace treaties signed between May and October of 1648 in Osnabrück and Münster. These treaties ended the Thirty Years’ War (1618–1648) in the Holy Roman Empire, and the Eighty Years’ War (1568–1648) between Spain and the Dutch Republic, with Spain formally recognizing the independence of the Dutch Republic.
[6] According to Mr Laggui, Level 3 Maturity (i.e., Managed Level) implies a systematic process of handling IT security and governance.

Cyber Security: What to do in the event of Cyber Attack?
Nebuchadnezzar S Alejandrino, Chief, DND Information Management Office

There are three types of network system: 1) those that have already been attacked (e.g., the Vice President’s website); 2) those that are to be attacked (e.g., DND website); and
3) those that are currently under attack. The manifestations of cyber attack are very difficult to discern. Hacking a network is very easy given the right kind of tools. Some resources are available online; anyone can be a suspect. There are even alleged state-sponsored cyber crimes. Dir Alejandrino divided cyber attackers into two: non-state attackers and state actors. The former are individuals or organizations, including Anonymous [7].

When an information system is under cyber attack, it typically hangs, unfamiliar images appear on the computer screens and the system slows down. A network can be penetrated whether it is online or offline. When connected to the internet, a system may get compromised from media or documents downloaded from the web. When offline, a system can still be infected through manual transfers, e.g., using thumb drives. In the Department, classified documents are kept isolated and offline to ensure their safety.

In case of cyber attack, the most important thing to remember is to not panic. Go offline immediately and report the incident to the local IT office and to the top management. Fortifying your defenses by establishing a cyber security team proves to be useful. It is imperative to create a backup system for your network to ensure that operations will not be seriously disrupted.

Session Three Open Forum

A participant asked Dir Alejandrino’s opinion on the security of cloud computing. Dir Alejandrino opined that cloud computing is not absolutely secure since one does not know where the data is stored or who may have access to it. Meanwhile, Mr Laggui clarified the use of the term “security.” He said that in the business industry, being secure means that the level of risks is acceptable vis-à-vis the operational requirements. A lot of military officials in the armed forces are exchanging data online via Yahoo Mail or Gmail.
Mr Laggui does not recommend this as these data go to foreign computers. Security means trustworthiness. Trustworthiness means that one has the power to audit the system, verify the controls, and see a demonstration of its safety and capability.

Another participant emphasized the incidents reported in the presentations wherein states allegedly sponsored the conduct of certain cyber crimes. He then asked for Mr Apiwathanokul’s and Dir Alejandrino’s views on whether these states can be considered terrorists and, if so, what crimes can be charged against them. Dir Alejandrino said that it is very difficult to associate acts of cyber crime sponsored by the state with acts of terrorism, especially if a state had done so in the name of national security. Meanwhile, Mr Laggui clarified that alleged state-sponsored cyber crimes are not typically called state-sponsored terrorism but exercise of political will with cooperation from other countries.

_______________________
[1] Anonymous (used as a mass noun) is a group, spread through the Internet, initiating active civil disobedience, while attempting to maintain anonymity.

One of the participants asked the speakers’ opinion on the government using open source [8] software in their systems. Open source software can be audited to ensure that the software is free from tampering. With regard to software auditing, which allows users to examine the source code of software to ensure that it has not been tampered with, Mr Alejandrino informed the audience that the Philippines does not have an existing relevant law. Mr Laggui
added that software auditing is imperative as it ensures the safety and trustworthiness of software outsourced to handle the country’s critical infrastructure.

Summary and Way Ahead
Abraham A Purugganan, MNSA
Former Head, Task Force for the Security of Critical Infrastructures

Mr Purugganan considers cyberspace as the fifth battle space (in addition to land, air, sea, and space). It entails new rules, doctrines, and rules and regulations. We are becoming increasingly dependent on information systems. Since its beginning in the 1990s, the internet has come to reach 2 billion people worldwide. Online information and resources (both public and private) have become so lucrative that they have become inviting to criminal organizations as well as government and corporate organizations. The Information Age has empowered every citizen in the world; however, it has also enabled criminal elements to do evil things to an individual, an organization, even a nation. In response, countries are establishing both defensive and offensive cyber capabilities.

The Philippines has become a haven for cyber crime not only due to a lack of technical know-how and laws but also the lack of an organized national effort. The country has existing cyber capabilities. The easiest way to wage a war is to launch a cyber war. Traditional forms of war entail a lot of resources. Cyber war, on the other hand, only needs a computer, an internet connection, and a little programming knowledge. The Philippines has some of the brightest programmers but the country does not take advantage of this. The E-commerce law cannot bring hackers to justice. Local advocates have been lobbying for a cyber crime law for nearly a decade.

Critical infrastructure must always be protected. Once cyber terrorists get control of them, government operations and the national economy may get compromised. In cyber warfare, it is very hard to identify the enemy.
Consequently, it may take a long time to craft an international Cyber ROE. Organized cyber crimes, both terrorist-led and state-sponsored, are targeting defense industries because of useful information on weaponry and crucial military secrets.

Private-public partnership in the country has its challenges. For one, private industries are reluctant to report hacking incidents to law enforcers for fear of losing clients and investments. Nevertheless, the private sector holds most of the critical infrastructures in the country; partnership is imperative. It is also imperative for any information system to have standard countermeasures (e.g., procedures, protocols, and programs). In the National Cyber Security Plan, both the private and public sectors are encouraged to build their protective systems robustly. Industries must invest in security and backup systems to minimize disruptions in operation in the event of cyber attack.

In the coming years, all manual ways of doing things may get digitized. As the levels of interconnectivity and interoperability increase, vulnerability also increases. In enhancing the country’s cyber resiliency, there is no need to reinvent the wheel in cyber security. There are a lot of existing models and programs; all that is needed is implementation.
IV. Closing Ceremony

Concluding Remarks by Fermin R de Leon Jr PhD, MNSA, President, NDCP

Dr. de Leon expressed his gratitude to Vice President Jejomar C Binay and DND Secretary Voltaire T Gazmin for being ardent supporters of the College’s endeavor to engage various stakeholders in academic discourses on many issues and concerns that matter to the country, including cyber security. He also thanked the speakers for guiding the audience in traversing cyber security from theory to practice.

He shared that while listening to the presentations, his belief about the contemporary way of living was reinforced. Indeed, as information technology moves forward, people’s lives become easier but, at the same time, harder. Since access to cyber technology has become universal, it has empowered not only the citizens of the world but criminal minds as well; the evolution of technology brought an evolution of threats alongside it. He confirmed that cyber technology has its predicaments but he also affirmed that it presents opportunities, including inter-agency, inter-sectoral, and inter-state collaborations. He is optimistic that the activity was able to impart the knowledge, insights, and even skills and values which will equip the participants in confronting the enormous and overwhelming challenges of the 21st Century.

# # #
Second Forum on Cybersecurity Awareness and Collaboration
27 February 2012
NDCP Honor Hall, Camp Emilio Aguinaldo, Quezon City
“How Safe Is Your Money?: Rethinking Cybersecurity”
Keynote Address

Rethinking Cybersecurity
Honorable Jejomar C Binay, MNSA
Vice President of the Republic of the Philippines

Speech read by DND Secretary Voltaire Gazmin during the Forum on “How Safe Is Your Money?: Rethinking Cybersecurity” held on 27 February 2012, 9 am, at the NDCP Honor Hall, Camp Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________

Our topic this morning does not require all of us to be cyber experts. It merely requires us to be especially attentive to the new and ever-expanding security environment in cyberspace so as not to be left behind by fast-moving developments.

We do not enter an arcane and unknowable world when we attempt to grapple with the issues of cyberspace. But we need as much as possible to move at a pace equal to the speed at which scientific and technical innovation is taking place and the various cyberspace actors are creating new situations for us to deal with.

Security planners, as has been amply demonstrated elsewhere, have the burden of showing that cybersecurity does not have a military application alone. It has an equally extensive non-military application as well.

Much of what we read about cyber warfare has little to do with cyber crime. There is a tendency on the part of the experts to distinguish sharply between the military threat and the threat to law and order. The distinction is often so sharply made that different agencies are placed in charge of the one and the other, and they hardly relate to each other.

This approach is not always helpful. It tends to ignore the possibility, or the fact, that many of those involved in cyber wars are also first involved in cyber crime; they could in fact use cyber crime as their training ground for their eventual engagement in cyber wars. Some authors have established this link among many non-state hackers who were involved in the Georgian and Gaza cyber wars.
In cyber warfare, information weapons are used to attack state and military control systems, navigation and communication systems, and other crucial information facilities to create serious military and civil dysfunctions within a state.

In cyber crime, they are used to attack critically important financial services—banking and credit card transactions, insurance, trading, funds management, and other business and consumer activities that are delivered online to various parts of the economy. It generates untold profits for the cyber criminals with little or no risk at all.

Deterrence is always hard in both cyber war and cyber crime. It is easier to detect attacks in cyber war than it is in cyber crime, but correct attribution, after detection, may be a lot harder in cyber war than it is in cyber crime.
In cyber war, the target knows immediately when it has been attacked; in cyber crime, it sometimes takes a long time before a financial institution realizes that it has been attacked.

For instance, in 2009, the victim of one of the biggest data breaches in US history, involving 130 million accounts, did not know that hackers had uninterrupted access to its secure network until five months later.

This was but one of the many cases reported or unreported that year. In the past six years, according to one online report, US companies have reported 288 other data breaches, which compromised at least 83 million records of private individuals.

The cost to each individual usually runs high. Such cost is compounded when the sensitive nature of the victim’s business, like that of a bank, prevents it from reporting the breach to the appropriate authorities as soon as it is discovered, or if and when the attacked institution or the appropriate authorities do not have the legal means to swiftly and adequately respond to it.

In one famous case last year, a US senator demanded to know why Citibank took about a month to report a breach affecting his credit card account and that of some 360,000 others in North America.

The damage to the credit card holders was never disclosed, but the senator pointed out that the institution had a fiduciary and business responsibility to notify its customers about the breach, so they could protect themselves. This particular incident prompted calls for stronger legislation requiring breached businesses to notify their affected customers.

Thus far only 45 U.S. States have such breach notification laws. Nothing similar exists in the Philippines.

Of all transnational crimes, cyber attacks on financial institutions are said to be yielding the highest financial returns—higher than those from drugs and arms smuggling, kidnapping for ransom, human trafficking, and others.
And no one has been prosecuted for any of them. These high, risk-free returns are bound to encourage local criminals to exert a much larger influence on the cyberspace underground, just as they have done so in Russia, Japan, Hong Kong, the United States, among others.

This is where the real challenge lies. It is primarily a task for the law enforcers. There is an urgent need to intensify efforts at cyber crime prevention, detection and prosecution.

We need to have the correct and adequate laws to protect our financial systems and institutions and private individuals, but these have to be supported with the appropriate and adequate facilities and manpower. Precisely because modern technology has made the financial services so sensitive and vulnerable to every slight disturbance, we need the best laws and practices to ensure the most reliable means to guarantee public confidence in our monetary system.

The Cybercrime Prevention Act of 2012, which has passed the Senate, is a good start, but it barely scratches the surface and is just really a beginning. We need the most
comprehensive cyber security laws to put us ahead of the most determined elements who specialize in cyber crime. We also need to put good money into cybersecurity research, intelligence and analysis, and to collaborate with the private sector whenever government resources are lacking in order to undertake such research and put it into practice for better cybersecurity of the financial services sector.

This is vital to the interest of both the public and private sectors. For this reason, it could be a most suitable project for the public-private sector partnership program of the administration.

Working together, the public and private sectors have an easier way of advancing the state of the art in information technology and cybersecurity through innovations in mathematics, statistics and computer science, the development of measurements and standards for emerging information technologies, and the deployment of I.T. systems that are reliable, interoperable and secure. Together they also stand a better chance of protecting the physical and electronic infrastructure of the financial services sector.

These are just some of my thoughts on the subject. I hope to learn more from the experts at this meeting.

Thank you and good morning.

# # #
Highlights of the Second Forum on Cyber Security Awareness and Collaboration
How Safe Is Your Money?: Rethinking Cyber Security

I. Background

The Forum on “How Safe is Your Money?: Rethinking Cyber Security” was held at the National Defense College of the Philippines (NDCP) Honor Hall on 27 February 2012 in collaboration with the Office of the Vice President (OVP) and the NDCP Alumni Association, Inc (NDCPAAI). The forum provided a platform for information dissemination and awareness to participants from government agencies, the private sector, and the academe. Key persons were invited as speakers to expand security awareness and education as well as ways to improve cybersecurity as a means to protect national security.

The objectives of the forum were: 1) to promote awareness and advocacy campaign; 2) to mainstream cybersecurity concerns among various sectors; and 3) to discuss and share best practices in enhancing cybersecurity of various financial institutions. The forum is intended to serve as a platform to discuss and provide awareness and facilitate exchange of knowledge and ideas on the current status of cybersecurity in the Philippines and what can be done to address current exigencies that are emerging because of the advancement of technology.

In his opening remarks, Vice President Jejomar C Binay said that “there are new situations to deal with” because of the threat to cybersecurity where there is “cyber warfare that poses military risk and threat to law and order.” He emphasized that people who are involved in cyberwarfare must have first committed cybercrimes. He defined cyberwarfare as activities in the cyberworld that have the potential to cause civil and military dysfunction. Cybercrime, on the other hand, may include attacks (e.g., data breach, disclosure of trade secrets) against financial institutions to generate unlawful profits.
Moreover, he highlighted the need for an “accurate attribution to cyberwar and cybercrimes” because more often than not it “takes a long time to ascertain when an institution is attacked.” The lack of a related legal foundation in the country has to be addressed because currently there is no legal means to punish perpetrators, unlike in the USA where there is strong legislation for disclosure due to the fiduciary nature of business, especially in the financial sector. It is an issue of paramount importance because no one has been prosecuted yet though cybercrimes are committed every day. More importantly, cybersecurity encompasses a much larger influence because it is transnational.

Consequently, there is an urgent need to intensify reports on cyber violations and provide enabling laws and practices so that the public’s confidence in the monetary system may be regained. The issue of cybersecurity is of vital interest to both private and public sectors; partnership is then necessary to eradicate the cybersecurity threats.
Six experts discussed the current practices in the Philippines regarding cybersecurity, its current status, development of products, and technological advancements today. Session One of the programme focused on the private and public sector perspectives of cybersecurity and how they have coped with the dynamics in cyberspace. Meanwhile, Session Two focused more on security measures taken by the companies which provide information and communication technology. The summary of the proceedings was done by Attorney Ivan John Enrile Uy, Former Chairman of the Commission on Information and Communications Technology.

The forum generally focused on public, private, and public-private initiatives to strengthen cybersecurity with a particular focus on the financial sector. In addition, measures which can be taken by the public to protect themselves amidst the growing technological advances today were also discussed.

II. Opening Ceremony

Welcome Remarks by Honorable Voltaire T Gazmin
Secretary of National Defense
(Speech read by Undersecretary Honorio Escueta)

Sec. Gazmin focused on the expansion of cybersecurity awareness and education. He appealed to those present to contribute and do their part so that cybersecurity will be strengthened. He emphasized the need for initiatives to improve cybersecurity for protection of national interests and security.

Keynote Address by Honorable Jejomar C Binay, MNSA
Vice President, Republic of the Philippines and President & Chairman, NDCPAAI

Currently, there are no laws in the Philippines which deal with cyberwarfare and cybercrimes. The lack of pertinent laws poses a threat to peace and order. He emphasized that valuable information, which is disseminated with the use of technology, can possibly cripple civil, military, as well as private institutions involved in the business of banking, financing, and insurance.
Considering the dynamics of crimes committed in cyberspace, Vice President Binay urged the audience to work together to enhance security in cyberspace. Vice President Binay affirmed that the issue of cybersecurity is of great importance due to its transnational nature, and more so because perpetrators are not easy to pursue.

III. Plenary Sessions

Session One: Public and Private Sector Relationship and Cybersecurity

How Do Banks Secure Information Assets?
by Manuel Joey A Regala
VP, Information Security Dept, Universal Bank President and Member, ISACA Manila Chapter

Mr Regala reported how finance institutions set up security measures to protect their clients’ money. He stated that banks secure data, in digital form, which are valuable to the organization. He emphasized that assets are confidential. Banks have developed a formidable security module that recognizes that hackers now use improvised cameras that enable them to see a potential victim’s personal identification number (PIN) to cash out the
money from their clients. They also have improved their transaction receipts, which now have marked account numbers to protect their clients. Banks, he said, have improved their security by providing an in-depth defense mechanism in layers. This protects data and provides technical assurance that the risk of acquiring technological advancement with making banking easier will be managed. The mechanism includes physical, host and data security. He underlined that data security goes through the process of encryption, authentication and use of a password in every bank transaction.

Mr Regala also stated that check and balance is done by the banks in order to meet certain standards and audit requirements set by the internal and external auditors of the Central Bank of the Philippines. Banks have also established security measures that consist of a perimeter network, operating system, application layer and final core. He said that the inner core is the “holy ground” of the security system of banks and that the host hardens the operating system so that hackers won’t be able to penetrate the system and thus effectively prevents intrusion. The system also protects itself from viruses and has audit locks. This allows banks to ensure the safety of their clients’ money.

Moreover, Mr. Regala emphasized that authentication is vital and that they have encrypted one-time passwords, automatic timeout, digital certificates, and tokens to ensure that cyber banking is secure. His recommendation is to promote awareness for cybersecurity to enable human factors, interlinkages, culture, governance and support to come to fruition and strengthen cybersecurity.
Cybercrime and How It Affects National Security
Rear Admiral Vicente Agdamag, AFP (Ret)
Deputy Director General, National Security Council (NSC)

Admiral Agdamag’s presentation was about the role of the public sector with regard to cybercrime and the importance of cybersecurity as a national security issue. The first known incident that gave rise to the threat to national security in the Philippines is the “love bug” that damaged over 12 billion dollars worth of computers. There are also insurgences of cyberterrorism activities that attack computer networks and ultimately destroy infrastructures. He noticed that there is such a lack of training with regard to cybersecurity that national security is threatened. There is no information system on how such attacks can be dealt with. Moreover, there is no legal regime upon which cybersecurity measures can easily be distinguished and established. There are still questions on how to acquire jurisdiction and evidence. There is an urgent need to provide for laws that are apt to the current situation and threats to cybersecurity. There is even a development of HB 1246 Anti-cybercrime Act of 2011.

It is wise to remember that the policy of the state is to undertake steps towards the enhancement of the Filipino people. Their welfare, protection of sovereignty, and protection of national territory must be taken into consideration. The state must continue to pursue regional cooperation in cybersecurity. In fact, the state has mandated that there should be five (5) groupings, which are divided into a political group, diplomatic group, economic group, information group and military group. The political group will be led by the Department of Interior and Local Government; the diplomatic group, by the Department of Foreign Affairs; the economic group, by the National Economic Development Authority; the information group, by the Communications department by the Office of the President; and the military, by the Department of National Defense. He
stated that the way forward is through information exchange, emergency response, research activities, and continuing efforts to combat threats to cybersecurity.

Open Forum (facilitated by Atty. Ivan John Enrile Uy)

Mr. John Ruero, a member of ISACA, ISA, and the Philippine Society of IT Educators, commented that the academic sector was not represented in the presentation of the public sector. Admiral Agdamag said that there is an assessment card where they are pushing for manpower development and human resources. The factors that were taken into consideration were legislation, budget, infrastructure, and equipment.

Nathaniel Marquez of RC 46 asked if the government has come up with a national policy regarding information and the types of information that need protecting. Admiral Agdamag affirmed the need for this kind of policy, not only as data management but also to increase awareness, because information is now used as a weapon to destabilize national security. However, he said that as of now such policies are just being developed.

DOJ Response to the Challenge of Cybercrime
ASec Geronimo L. Sy, Planning and Management Service, Department of Justice

ASec Sy talked about the DOJ Response to the Challenge of Cybercrime. He talked about how cybersecurity is an encompassing concept of which cybercrime is only a part. He thought that Senate and House Bills should include criminal reforms on crimes committed in the virtual world and should not be left to the information and technology committee. He also talked about the legal and technical competency of members of the proposed committee to ensure that laws meet global requirements. Moreover, he tackled the issue of how laws should enumerate and distinguish each of the cybercrimes punishable under our law so that the DOJ can validly respond and propose a change in the Rules of Court to admit a procedure for cybersecurity violations.
Open Forum

Drexx Laggui, a computer forensic expert, posed the question as to when one should stop electronic discovery and what the existing guidelines and limitations are. ASec Sy answered that in Brussels, Belgium it takes 3-6 months for forensic investigation and at present, it is still a global problem that needs to be addressed. There have to be changes to the Rules of Court regarding procedure and, at the moment, the DOJ is training prosecutors ready to try cyber cases.

Ms. Cristina Exmundo, MNSA RC 47 student, said there are international laws that regulate war. She asked if it was also the case for cyberwarfare. ASec Sy shared that in the United States there is a scale that could amount to cyberwarfare. In the Philippines, the law is still in the development phase.

General Ozeta posed the question as to what the government policy on information is and who the manager of such information is. ASec Sy answered that the DICT bill intends to give focus on the information anchor. He also said that the government is generating information for knowledge and guidelines. Although the DBM has the power of the purse, there should still be check and balance with regard to the budget allocated for cybersecurity measures.

LtCol. Roxas of the Naval Plans Office asked whether the information warfare capability as a hacker and as a deception device can be
used in the military. ASec Sy answered that there is a multiple track approach and that there is no such policy yet because the focus is more on physical equipment for the military. He also said that information policy should be relative to the national security policy so that it could be used as input into national defense.

Dr. Lemuel Braña, UP Professor and advocate of information security, identified specific problems, which are coordination and management and lack of a standard to protect gateways or websites. ASec Sy agreed and said that the problem is human agency and there are vulnerabilities in the concept of cybersecurity which pose the question as to who is going to do it.

Dir. Nebuchadnezzar S. Alejandrino, Chief, DIMO, asked Mr Regala to rate the status of cybersecurity in the Philippines. Mr Regala said that he agreed with ASec Sy that we are at the low level. However, we are using “stealth technology,” which is in a defensive mode, and he considers this a great start for cybersecurity.

Dir. Alejandrino asked ASec. Sy as to his legal standpoint on the need for a homeland security agency. ASec. Sy answered both yes and no. He said yes because there is a need for coordination, but he also said no because we do not need another super agency. He said that what we need is a “web approach” which is resilient for technological problems. He was asked if there are plans for homeland security; he said there is no DICT yet.

Dir Alejandrino asked Vice President Binay for policies to address the issue of foreign countries training students to hack. The Vice President said there is no need to put up a special body to do a task like that; what needs to be addressed first is coordination to facilitate a collaborative, multi-agency effort. The coordinating officials must have moral ascendancy.
Lieutenant Feliciano shared that after the police are trained into highly technical experts, they are tempted with more lucrative jobs in the private sector. In this connection, he asked what the government's current retention plans are. ASec Sy answered that the qualification standards of the Civil Service Law should be abolished since they were promulgated in the 1960s and no longer cover jobs that involve technology. He said that there should be results-based governance.

Mr Dan Crisologo, a former head of Cybersecurity of the NBI and currently a member of the ICTO, shared that the government has allotted one (1) billion pesos for cybersecurity to implement Executive Order 47.

Session Two: Technical Specifications in Ensuring Cybersecurity in Gadgets and Operating Systems

iOS Security
John Andrew Lizardo, Training Supervisor and Professional Business Unit Apple (PowerMac Center)

Session Two focused more on the technicalities of how security measures have been undertaken by various companies to adapt to the concept of cybersecurity. The first presenter was Mr. Lizardo, who focused on the security features of the iPhone Operating System or iOS. The layered security of iOS covers device security, data security, networking security and application security. In device security, the operating system has passcodes, policies, and device restrictions. Passcode policies include: require passcode on device, allow simple value, require alphanumeric value, minimum passcode length, minimum number of complex characters and minimum passcode age.
Furthermore, 256-bit AES hardware protection is always on for all data. In data protection, there is five-level encryption covering mail and third-party applications. Network security covers encrypted network traffic, strong authentication, and end-to-end encryption in Messages and FaceTime. Application security includes mandatory application signing, sandboxed applications, an encrypted keychain, a security framework for development and managed applications via Mobile Device Management (MDM). The MDM capabilities are to install and remove configuration policies, query devices, manage applications, remotely wipe and lock, and clear the passcode. However, in order to utilize MDM, the user should be enrolled in it. If the user has already enrolled in MDM, he can perform authentication, certificate enrollment and device configuration.

IT Security Best Practices for Windows Platform
Freddy Tan, Cyber Security Strategist, Microsoft Asia

Mr. Tan’s presentation started by addressing the very important question of who holds the responsibility and accountability in cybersecurity. He said that Filipinos are adopting Information Technology (IT) and that this is a good sign. However, the country ranked 85 in 2010 and 86 in 2011 in Network Readiness. The ranking implies that the Philippines is not equipped in terms of networking. He mentioned that cyberwar, sabotage and political change are the threats in cyberspace. He also stated that a malware program like Stuxnet, a computer worm, is commonly used as a weapon to destroy the system. With respect to Microsoft security, he admitted that there are widespread operating system (OS), browser and application vulnerabilities and that Windows XP is the most infected OS. Therefore, if the user wants security, he should discontinue using XP and update the machine or the OS. He recommended that users buy Windows 7 64-bit if they want security.
He opined that a well-managed secure infrastructure is the key and that there should be a standard operating environment such as the US Air Force standard desktop. Microsoft has rights management services, which include BitLocker, network access protection, etc.

Android Security
Charo Nuguid, Java and Android Training and Development Consultant, Co-Founder, MobileMonday Manila

The presentation focused on the Android security model, user behavior vs. permissions, and best practices. The security features of Android are as follows: 1) security at the OS level through the Linux kernel; 2) a mandatory application sandbox for all applications; 3) secure interprocess communication; 4) application signing; and 5) application-defined and user-granted permissions. It was discussed that an Application Program Interface (API) may only be accessed by explicitly declaring permission. Based on a survey they conducted, 17% looked at permissions before installing and 56.7% do not install because of permissions. The survey wanted to show that application security still depends on the user. The best practices to secure the files are: 1) use the Android SDK instead of native code; 2) users should only ask for needed permission; 3) do not load code from outside the application; and 4) use authorization tokens instead of storing usernames and passwords.

Data storage was also discussed. Data storage is divided into internal storage and external storage. In internal storage, files created are only accessible by the application that created them, and local files may be encrypted as additional security for sensitive data. On the other hand, files created on external storage are globally accessible and readable. In addition, data storage by content providers provides a structured storage mechanism that can be limited to the application or exported to allow access by other applications; it is exported for use by other applications by default.

Open Forum

When asked whether providers are making any effort to make settings understandable to users, Mr Tan answered that there are two sides of the coin: if a person is not technical and experiences technical errors, they should look for people who have experienced the same error and let them fix it. If a person is technical, on the other hand, they do it themselves because they understand it and can configure it on their own. Mr Lizardo answered the question by saying that there is online support, i.e., www.apple.com, which is a knowledge base forum where all Apple users can find the best practices in configuring Apple devices. Ms Nuguid, on the other hand, said that everyone can access wifi and the network; these facts are known to the developer. However, there are still definitions or descriptions that are not for everyone to understand. What one can do is to tell their contacts at Google that everyone has a problem with this configuration and that there is an error. This error is the fault of the developer, and it is the obligation of users to let the developers know so that they can be conscientious enough to know what could happen and what the user could do.

Dir Alejandrino asked Ms Nuguid if she would recommend Android for military usage. Ms Nuguid answered that it is good enough for military usage and that security depends on the user, because the user should be conscientious enough to notice that there are applications which access data that they shouldn’t be accessing.
Security, ultimately, depends on the person holding the device. Dir. Alejandrino further asked if it could do telepresence (video conferencing). Ms Nuguid answered that it depends on whether the device you are using supports such applications. Usually, devices that support telepresence are ones that come with two cameras.

Dr. Diaz of MNSA Class 47 asked the speakers to expound on standardizing the operating system. Mr Tan answered that it is due to the Standardization of Global Policies or GPO. There is already a password, which is a form of configuration of the machine. It is also up to the user to install applications or to change firewall settings. The concept of standardization, which the US government is planning to publish, is being able to manage all types of desktop regardless of type.

Eugene Galang, ICTO, NDCP, asked if the companies they are representing ask for help from ethical hackers to test newly developed systems before launching them. Ms Nuguid said that ethical hackers are those who get into the system and tell the company what it should have done, but they do not get paid. Usually ethical hackers remain anonymous. Oracle, in contrast, employs really good hackers to test its system. Mr Lizardo said that in Mac they have a developer system, which functions as a community where they sample code for an operating system and then give feedback. They test out compatibility issues and try new applications. This minimizes attacks, in that no such hacking would be done so long as one registers as a developer with them. Mr Tan said that there was a time when Bill Gates sent his employees back to school so that there would be a security development project team. This enabled Microsoft to stay on top of its game.

One participant asked if the rival companies know each other's strengths and weaknesses and if they help each other to improve. Ms Nuguid confirmed this but clarified that it is in an indirect manner, because they get tips from the others through the latest platforms each one launches. Mr Lizardo said that Apple has provided others with tips. For example, in 2006 there were a lot of improvements such as permissions, and there were heads-ups from competitor companies. It has been Apple’s vision to have a peaceful co-relation with them. Mr Tan added that programs provide information to other technical communities and that there is an MSDR, which is research to disclose third-party software to other companies. A participant further commented that they all share the same information and the same vulnerabilities, and so everyone could address them.

Summary
Atty Ivan John Enrile Uy, Former Chairman, Commission on Information and Communications Technology (CICT)

Atty Uy said that there should be collaboration between the public and private sectors to ensure that national security through cyberspace is protected. As his parting words before he gave the floor to Dr De Leon for his closing remarks, he said that it is everybody’s duty to uphold and spread awareness of cybersecurity because we all share cyberspace as an information highway and therefore we all have a stake in keeping it safe.

IV. Closing Ceremony

Concluding Remarks
Fermin R de Leon Jr PhD, MNSA, President, NDCP

Dr De Leon thanked Vice President Jejomar C Binay for the unrelenting support for the growing concern regarding cybersecurity. It is indeed important to know how to keep our money safe because we have worked hard for it. It is our endeavor to disseminate information to ensure cybersecurity so that there would be no cyberwarfare and cybercrimes.
Everybody is involved in this because it is an issue that involves national security. Therefore, there should be cooperation and collaboration among the public and private sectors to ensure that the threats are addressed and, ultimately, that perpetrators are held accountable. Moreover, he said that cyberspace is common to everyone and affects everyone because there is already a holistic view on national security; therefore, the information and assets vital to the national interest must be protected. Dr De Leon hoped that the forum enabled the participants to gain new insight and knowledge that will allow them to disseminate information and awareness to confront the challenges posed by cybersecurity issues.

# # #
Seminar-Workshop on Cybersecurity
6-8, 11 June 2012
Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City

“Towards Information, Communication and Technology Development (ICTD) and Cybersecurity Enhancement”
Opening Remarks

ICT Development and Cybersecurity Enhancement
USec Benjamin E Martinez Jr.
Chief of Staff, Office of the Vice President

Remarks delivered during the Opening Ceremony of the Seminar-Workshop Towards Information and Communications Technology Development and Cybersecurity Enhancement held on 6-8, 11 June 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________

Dr. Fermin R De Leon, Jr, President of NDCP, RAdmiral Roberto Estioko, Executive Vice President of the NDCP Alumni Association, Inc., distinguished speakers, participants to this seminar-workshop, guests, participants, ladies and gentlemen, a pleasant good morning.

It is both an honor and a privilege to be with you today, as we open our “ICT development and Cyber security enhancement” workshop. For the next three days, Subject Matter Experts shall provide us a wide spectrum of the cyber infrastructure enhancement and threats, from global crimes, terrorism, forensics, to its implications to our office and country. I advise you to open your minds, solicit questions, proactively participate, and I assure you, you will gain enough, if not exceedingly.

This venue, I believe, is most apt for us, as stakeholders, to come together and address the enduring problem we face. As our country continues to rely on technology, we have become no stranger to cyber crimes and cyber activism. We must recognize that our infrastructures and processes are now heavily dependent on Information, Communication Technology (ICT), specifically the internet; hence, we are vulnerable to threats as well.

In our region, just April this year, during the height of the Scarborough Shoal standoff between the Philippines and China, the University of the Philippines’ portal was defaced which left a map of China on the main page.
In retaliation, some suspected Filipino hackers struck back by also defacing Chinese websites. In the end, the incident left little room for prompt, amicable, and diplomatic agreement and eventually only intensified the tension between the two states. The borderless arena of innovation has become a key player in developing multilateral ties and diplomatic relations among nations.

In the business sector, with the high growth of the business process outsourcing (BPO) industry and its gross economic contribution to the country, securing the ICT infrastructure is most crucial. Potential cyber attacks are rendered detrimental to the business continuity of BPO operations. Our BPO establishments’ resilience to cyber attacks, or lack thereof, shall project what image our customers and competitors in the global market will see.

Also, let us not forget our ethical and moral standards against cyber prostitution. Though millions or billions of dollars may be lost through cyber attacks and denial-of-service attacks, the emotional and psychological damage cyber prostitution can have on people far exceeds such monetary damages. The internet and the cyberspace must always be treated with utmost care and diligence; we must protect it to protect our people.

It is with this that collaboration and cooperation between private and government stakeholders in reinforcing our cyber security threshold becomes our prime goal. There may still be much work cut out for us to become a technological powerhouse. Yes, we may be constrained by financial adequacies. But more than that, we need to answer questions like: what should be our National Vision on ICT and Cybersecurity? Where we are now on ICT development and Cybersecurity? What can be done now or what are the necessary first steps to be done?

I don’t have all the answers to these few questions. But the fact remains that for as long as we are here today and for the next few days, our adaptability and love for technology compel us to contribute to this national and global effort in fighting cybercrimes, strengthening cybersecurity, and enhancing our information and communication technology. We can only effectively push forward and strengthen our cyber environment through coordination and collaboration among all stakeholders. Rest assured, our efforts will bring us far.

Maraming salamat at mabuhay!

# # #
Highlights of the Seminar-Workshop on Cyber Security

Towards Information, Communication and Technology (ICT) Development and Cybersecurity Enhancement
_______________________________________________________________________________

I. Background

The National Defense College of the Philippines (NDCP), in partnership with the Office of the Vice President (OVP) and the NDCP Alumni Association Inc (NDCPAAI), conducted a seminar-workshop entitled “Seminar Towards Information and Communications Technology (ICT) Development and Cybersecurity Enhancement” on 6-8 and 11 June 2012, 8:00AM-5:00PM, at the NDCP Honor Hall, Camp Gen Emilio Aguinaldo, Quezon City.

The four-day seminar, designed for executives and senior managers in the government and private sector, and senior military and police officers, aims to provide participants with a comprehensive understanding of cybersecurity from the management to the technology aspect. Intended for 60 participants, the seminar is rigorous, dynamic and interactive, utilizing a combination of classroom-based lectures and learning events.

Leading experts and practitioners from the industry were invited to speak, including Dr Stephen Cutler of the Official Global Control Corporation, Mr Angel Averia and Mr Alberto Dela Cruz of the Philippine Computer Emergency Response Team (PhCERT), Dr Lorenzo Clavejo of the National Security Council, Mr Simoun Ung of the Philippine Veterans Bank (PVB) Card Corp, SI-III Joey Narciso of the National Bureau of Investigation (NBI), Dir Raymond Estioko of the Bangko Sentral ng Pilipinas (BSP), Mr John Abraham Ruero of the Information System Security Association (ISSA) – Manila Chapter, Ms Janette Toral of the Philippine Internet Commerce Society and PCInsp Felizardo Eubra of the Philippine National Police (PNP).
A total of 65 participants from various government agencies and private companies participated in the said seminar. The agencies represented include the Armed Forces of the Philippines (AFP), Philippine National Police (PNP), Commission on Elections (COMELEC), Department of Environment and Natural Resources (DENR), Senate of the Philippines, National Security Council, Department of Health (DOH), Metro Manila Development Authority (MMDA), Department of Science and Technology (DOST), Department of Tourism (DOT), Department of Trade and Industry (DTI), Office of the President (OP), Department of Interior and Local Government (DILG), Bangko Sentral ng Pilipinas (BSP), Office of the Vice President (OVP), Philippine Public Safety College (PPSC), Department of Energy (DOE) and the Department of National Defense (DND). Furthermore, the private companies and international organizations represented include De La Salle University (DLSU), International Organization of Migration (IOM), Zperia and Asian Institute of Management (AIM).
II. Plenary Sessions

Day 1: June 6, 2012

Session One: Cyber War and Cyber Terrorism
Stephen P. Cutler PhD

Cyberspace, as defined by the speaker, is a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. Today, our nation faces an evolving array of cyber-based threats arising from a variety of sources. These threats can be classified as intentional and unintentional. Intentional threats are those attacks which come from different sources such as hackers, criminal groups, and terrorists. Unintentional threats, however, are those caused inadvertently by system disruptions such as defective equipment and system upgrades. Thus, securing one’s nation against these evolving cyber-based threats depends entirely on the enhancement of national security and national defense strategy.

The growing trend of cybersecurity is leading towards the increase of diverse criminal elements. These include spamming, identity theft, dispersal of viruses/worms, several types of fraud schemes, attacks on servers/systems and the like. Hence, the speaker clearly emphasized the use of cyberspace as a tool to commit crimes. This kind of threat continues to emerge and is rapidly changing.

Given the situation occurring now, the nation should double its efforts in combating the continuous transmission of malevolent attacks in cyberspace. In order for a nation to succeed and prevent the disaster that cybersecurity imposes, the speaker proposes that it should begin with a competitive plan for recovery, clear policies, a strong foundation of leadership, diplomatic and economic efforts, and strong and solid alliances and cooperation among the government, military and the private sector.

Session Two: Philippine Cybersecurity: General Situation
Angel Averia Jr.
Cyberspace and the internet are interrelated. The speaker showed a conceptual view of the cyberspace ecosystem divided into 5 categories: geographical location, people/users, internet identities, IP addresses, and networks. Business relations and social interaction increase rapidly with the use of the internet as a tool to communicate. This new trend in cyberspace leads us to a new global culture which, on the other hand, brings harm and an increase in the volume and sophistication of malevolent attacks.

At present, the Philippine ICT is continuously enhancing its cybersecurity defense. It has adopted several transformations such as migration to cloud services, increase in the use of social networks, rise of mobile devices and active internet exchanges operated by Telcos. But alongside these changes, the country is vulnerable to cyber-attacks, as discussed by Mr. Averia. He presented several recorded incidents of identity theft, hacking, scamming, harassment, estafa/fraud, extortion, pornography and web defacement attacks from 2011 up to the present. Furthermore, he also discussed the recent cyber-attacks on Philippine government websites.
The methods of cyber-attack have grown over the years. They have become more organized, aggressive, well-resourced and extremely sophisticated. The Advanced Persistent Threat (APT) is a long-term pattern of targeted attacks aimed at disrupting the information systems of the government, financial and industrial institutions, information security agencies, and research firms. The adversaries, on the other hand, are nation-states, terrorist groups, criminals, hackers, and individuals or groups with the intention of compromising the entire system.

The speaker also presented a risk assessment of the national security of the Philippines towards ICTD and cybersecurity. He therefore suggests that the Philippines must have a central authority that will attend solely to the issues of cybersecurity. The nation should also have comprehensive programs and preventive measures as well as an effective framework to fully address possible cyber-related threats and attacks in the future. Lastly, the speaker suggests making cybersecurity a “national security” concern.

Session Three: Cyber Crime: How it Affects National Security
Lorenzo Clavejo, DPA

The Philippine cyberspace, as discussed by the speaker, is composed of cyber infrastructure such as transportation, information and communication, administration, banking and finance, education and distribution. These elements are indeed vital to the growth of the nation but are also vulnerable to threats. He cited the importance of banking and finance, as it is highly dependent on cyberspace. Threats to the financial systems will have dire consequences for a nation’s ability to operate effectively and efficiently. The transportation system is likewise important. The vast majority of it is managed by networked computer systems. Terrorists and/or criminals normally commit crimes using a transportation system or in areas where people can collectively be diminished.

Dr. Clavejo also discussed the different cyber-related incidents in the Philippines and focused on Oplan Bojinka, which was successfully terminated by the Philippine National Police. Oplan Bojinka was a plan of Al-Qaeda in 1995 to simultaneously destroy 11 passenger aircraft over the Pacific Ocean. The Al-Qaeda group used a laptop computer which contained encrypted messages that could not be read by the police or intelligence officials. In the said incident, the use of computer forensics and computer investigation was indeed critical and vital.

The cyber world evolves swiftly; as we are introduced to new technology, we should also have preventive measures for possible outbursts of threats and cyber-attacks. Furthermore, the speaker suggests that the government should pursue bilateral and regional cooperation to combat cybercrimes.

Session Four: Introduction to Cyber Crime Investigation
PC Insp. Felizardo Eubra, PNP

As reported by the Philippine National Police, the Philippines is now a haven for transnational cyber-crime. This type of crime includes cyber pornography, illegal online gambling, credit card fraud and identity theft. Due to the absence of a comprehensive cyber-crime law, there is difficulty in establishing offenses against perpetrators and violators. Likewise, it is evident that the prosecutors and judicial body are unfamiliar with and incapable of combating cybercrimes. At present, the Philippine Department of Justice, together with the United States Department of Justice, conducts region-wide training for prosecutors to improve their knowledge and technical skills in investigating cybercrime. Also, the CIDG, in partnership with the National Bureau of Investigation, is tasked to provide the resource persons that facilitate cybercrime trainings.

Today, the growing trend of cybercrime is intensified by the use of sophisticated technology. The PNP, particularly the Criminal Investigation and Detection Group (CIDG), is lagging behind in terms of training and equipment. The speaker mentioned that most of the equipment used for investigating cybercrimes came from the United States as a donation.

With cyber threats rapidly increasing in the country, the PNP-CIDG is continuously enhancing its organizational and technical skills by undergoing several capacity and capability trainings. PC Insp. Eubra mentioned that the PNP-CIDG had received a total of 23 trainings from the U.S. Department of State, Anti-Terrorism Assistance Program, ICE, FBI and Secret Service in the fields of cybercrime, white collar / financial fraud investigation and digital forensic examination, while other trainings were sponsored by INTERPOL and other police counterparts globally.

Session Five: Introduction to Computer Forensics
Joey Narciso

Computer forensics, as defined by the speaker, is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is acceptable in legal proceedings. It is a procedure, combining law and computer science and accepted by both, that gathers evidence and analyzes data from the computer system. Furthermore, it is an in-depth procedure that delineates and examines the evidence presented for a cybercrime.
The speaker discussed five steps in conducting and examining computer forensics: policy and procedure development, evidence assessment, evidence acquisition (chain of custody), evidence examination (analysis of digital evidence), and documenting and reporting.

As to cybercrime investigation, the speaker believes that the country can somehow administer it. However, in terms of computer forensics, he believes that we are still incapable, as we lack tools and computer forensic experts. Most of our equipment is only donated by the US FBI and each tool costs an enormous amount of money. Moreover, comprehensive training and certification are needed in using these tools for computer forensics.

Evidence should be thoroughly assessed with respect to the scope of the case to determine the correct course of action. This is done through a thorough assessment that reviews the search warrant or other legal authorization, case detail, nature of hardware and software, potential evidence sought and the circumstances surrounding the acquisition of the evidence to be examined.

Session Six: Cyber-security: Perspectives on Attacks
John Peter Abraham Q. Ruero, PhD-Candidate, MSIM, ECE
VP, Information Systems Security Association (ISSA) Philippine Chapter

A lot has been said about cyber attacks, from simple website defacement to actual malicious activities like hacking, phishing, malware infection, and social engineering.
There are a multitude of ways to gain access to computer systems without the approval or knowledge of systems and network administrators. These malicious hackers, known in the cybersecurity world as black hats, use their technical skills for financial gain, recognition, bragging rights, entertainment, and, more recently, to use the Internet to promote a particular political, religious, social or scientific cause or ideology.

Per the 2010-2011 Computer Crime and Security Survey Report, malware (i.e., malicious software) continued to be the most commonly seen attack, with 67.1% of respondents reporting it. Meanwhile, the Symantec Internet Security Threat Report Trends revealed that Brazil ranked third behind the US and China in malicious activity in 2009. The US, Indonesia, the Slovak Republic, Malaysia, and Poland had the highest numbers of cyber attack victims. Most of the targeted attacks were focused on enterprises. The top Web-based attacks primarily targeted vulnerabilities in Internet Explorer and applications that process PDF files.

Though cyber attacks may come from all fronts at any time, there are some methods that can be employed to secure one’s computer, one of which is the PDAD approach. The PDAD approach uses a three-step process to fortify a computer system’s defense against attacks: 1) protection of critical information and technology infrastructure through the use of tools and software; 2) use of security analytics software, forensics, and deep analysis down to the packet level to track down malicious code; and 3) Active Defense, intelligence tools and techniques to anticipate attacks.

There should be an exchange of IT and security best practices. IT security must be the core of awareness campaigns, training, and curricular reforms. Laws, policies, and regulations concerning cybersecurity need to be evaluated for their influence on how people use or misuse electronic information.
Security ultimately is everybody’s business.

Computer forensics has three major phases: the acquisition phase, the analysis phase and the presentation phase. The acquisition phase deals with acquiring all the physical evidence, such as the computer and other materials related to the crime. This undergoes a rigorous verification of files in order to extract all digital evidence for analysis. The analysis phase, on the other hand, deals with the physical and logical extraction of the digital evidence. It is then followed by a deeper analysis of the extracted data, including timeframe analysis, data hiding analysis, application and file analysis, and ownership and possession. Lastly, the reporting phase is when all evidence has been analyzed and examined. The examiner must submit an accurate report of his findings, as this will be the basis of the digital evidence for the criminal case.

Day 2: June 7, 2012

Session Seven: Business Continuity and Disaster Recovery Program
Dir. Raymond Estioko, Bangko Sentral ng Pilipinas (BSP)

Director Estioko presented a business management cycle being used by the Bangko Sentral ng Pilipinas (BSP) to prevent disaster and possible cyber threat attacks. The BSP aims to minimize the disruption of its basic financial services caused by intentional cyber threats such as hackers, fraud activities, criminals and terrorists. The BSP also aims to resume critical operations within the shortest possible time whenever a cyber-attack occurs. Minimizing financial losses, upholding consumer protection and avoiding systemic impact within the financial services industry are the other targets of the bank.
The ultimate goal of the BSP is to prevent the risk and impact that the cyber threat brings. As a countermeasure, it is redefining and strengthening its risk assessment and business continuity plan. It is also continuously enhancing its IT infrastructure and its information system-focused plan, which is designed to restore operability of systems, applications, or computer facility infrastructure at an alternate site after an emergency.

Session Eight: Social Media and Mobility
by Ms. Janette Toral

In the early 1990s, the use of the internet by Filipinos was very minimal and was solely based on searching. Ten years later, however, there was an immense shift in internet usage, and it is now the primary source of information and a great tool for communication. In 2010-2011, the rise of social media and social networks was unstoppable. People now see these two things as an important aspect of living.

As social networks and social media rise, the speaker sees this as a new threat to cybersecurity. The present generation, more so the youth, can easily express their thoughts on every issue around the globe. In addition, the sharing of information via social networks and social media cannot be easily controlled or halted. Thus, it is vulnerable to cyber threats and malevolent attacks.

The trend of social media now is based on influence. It is indeed the name of the game, according to the speaker. People are easily fuelled by what they see or search for on the internet. Moreover, the image of a person is based on how others have influenced them. This is also one of the reasons why e-commerce in the Philippines is enormous and popular. Ms. Toral presented summary statistics on the usage of e-commerce in the Philippines. Hotel booking remains the highest, followed by airline bookings and reservations.

Session Nine: Information Security Management Practice
by Simoun Ung

Mr. Ung presented his topic on managing information security from a business perspective. According to him, cybersecurity evolves and strengthens as people continuously develop their knowledge and technical skills. Cyber-attacks are no longer being done by hackers and/or criminals. They are now participated in and sponsored by nation-states as a way to commence conflict. As of 2007, approximately 120 countries have been developing ways to use the internet as their weapon. The targets, on the other hand, have also changed from the personal level to high-value levels such as nation-states or institutions like financial institutions, research facilities, information agencies, and critical infrastructures like power, transportation, communications and other significant facilities. Similarly, the methods of attack have evolved from simple hacking to advanced and highly custom-designed attacks. Hackers today use complex methods such as rootkits, malware, custom-made cyber weapons and cyberespionage.

Mr. Ung expounded on several case studies, including the security breach at Global Payments which affected 10 million cards. It vastly affected stock trades and the businesses of major card brands. He also discussed Flame as the most sophisticated malware to date. It can directly target and attack one's computer by taking screenshots and recording audio conversations and keystrokes. It can be deployed simply by the use of a USB thumb drive. It is indeed one of the most terrifying pieces of malware in existence, and it is suspected that the US and Israel created it. It is believed that it was used in a
previous collaboration of the two countries and that they created the Stuxnet malware, which targeted Iran's nuclear facilities.

Mr. Ung also presented OODA: Cybersecurity decision making. The decision life cycle is composed of four distinct phases: Observation, Orientation, Decision and Action. He further illustrated the cycle by discussing each phase at the tactical, operational and strategic levels.

In conclusion, enhancing cybersecurity should be set as a global standard. It should be strengthened by enacting a law that will combat breaches in every institution. Nations should work hand in hand to fully develop their defenses in cybersecurity. The speaker therefore suggests focusing on the protection of infrastructure by securing all endpoints, including the growing number of mobile devices, along with messaging and web environments. Moreover, information should be highly protected regardless of its level of confidentiality.

Day 3: June 8, 2012

III. Seminar-Workshop on ICTD and Cyber Security Enhancement

Cybersecurity Workshop Guide Questions

1. What is the ICT and Cybersecurity situation in the country?
   Sub-questions:
   a) Would cyber attacks harm national interest?
   b) What immediate action/s should the government take in addressing the issue of cybersecurity problems?
2. Is ICT important?
3. Is cybersecurity important? Why?
   Sub-questions:
   a) Do you think the government is taking the issue of cybersecurity seriously?
   b) On a scale of 1-10, rate the Philippines in terms of readiness in cyber security defense (1 being the poorest and 10 the highest).
4. How can the government or the country make cyberspace a domain for public good?
   Sub-question:
   a) What mechanism or approach do you know of that the government has undertaken to address the issue of cyber security in this country?
5. How can the government or the country ensure public safety in the cyberspace domain?
   Sub-questions:
   a) Does the Philippines have sufficient available defense mechanisms to halt any possible cyber attack of great magnitude?
   b) Do you think we have enough laws and other mechanisms in place which would par up to the kind of defense needed to halt any form of cyber attack?
6. Do you believe that ICT development and cybersecurity are twin programs and are National Security concerns therefore needing urgent and serious attention by the government?
   Sub-questions:
   a) Do you think there is a need for the government to invest in ICT development? Why?
   b) Do we have enough ICT programs in place as would secure cyberspace?
7. To pump-prime ICT Development and cyber security and integrate national effort (convergence of government, private sector, civil society, people efforts), do you think there is a need for the creation of an integrating body above departmental level? What kind of a body would this be?
   Sub-questions:
   a) Do you think we have sufficient laws and policies in place that address ICT development and cyber security?
   b) Rate the level of awareness of the following on how the threat on cyber security is readily apparent, from 0-5:
      0 - not aware at all
      1 - little awareness
      2 - is aware but could not care less
      3 - has knowledge of cyber security but poorly informed of the nature and size of the threat
      4 - is aware and has fair knowledge of the threat
      5 - very aware and ready to face the threat
      _____ The government
      _____ Our policy makers
      _____ Our law enforcers (PNP, NBI, etc.)
      _____ People in general
8. These concerns (ICTD and cyber security) require continuing studies and researches, especially as National Security factors; do you think there is a need to establish a "cybersecurity Institute", which shall also be the center for training education on both concerns in correlation to National security?
   Sub-question:
   a) In an ICT emerging country like the Philippines, is there a need to establish a government entity to manage the cyber security problem, like a Computer Emergency Response Team (CERT) or a National Cyber Security Council?
Suggested Guide Questions for Cybersecurity Workshop Group Report and Presentation

I. Introduction
II. What should be our National Vision on ICT and Cybersecurity?
III. Where are we now on ICT development and Cybersecurity?
IV. What can be done now or what are the necessary first steps to be done?

Day 4: June 11, 2012

IV. Presentation of the Workshop Outputs

Closing Remarks
by Vice President Jejomar B Binay MNSA
Chairman of the Board and President of NDCPAAI

VP Binay acknowledged the fact that we are now faced with a new battlefront, a battlefront considered unimaginable in the past, one which created a borderless world. As it is, he encouraged everyone to be unified and to continue strengthening collaboration not only with the private sector but also with global counterparts, gearing towards improved resilience to cyber incidents and proactively reducing cyber threats. He also stated that through shared principles we shall build not only our stance as credible gatekeepers of cybersecurity but also as valuable guardians of national security.

# # #
Third Forum on Cybersecurity Awareness and Collaboration
12 October 2012
Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City
“Cybercrime Law and Its Implications to National Security”
Highlights of the Third Forum on Cyber Security Awareness and Collaboration
Cybercrime Law and Its Implications to National Security
_______________________________________________________________________________

I. Background

The Office of the Vice President (OVP), in partnership with the National Defense College of the Philippines (NDCP) and the NDCP Alumni Association Inc (NDCPAAI), conducted a forum entitled “Cybercrime Law and Its Implications to National Security” on 12 October 2012 at the NDCP Honor Hall. The forum was organized for the stakeholders of Republic Act Number 10175, or the Cybercrime Prevention Act of 2012. It aimed to present a comprehensive overview of the law, which includes its rationale and provisions; provide a platform for discussion on how to effectively implement its provisions; and identify the rights, responsibilities and possible contribution of each stakeholder.

A total of one hundred (100) participants representing various stakeholders, including the Department of National Defense (DND), Armed Forces of the Philippines (AFP), Department of Justice (DOJ), Department of Science and Technology (DOST), National Bureau of Investigation (NBI), National Security Council (NSC) and other relevant members of the private sector, attended the event.

Experts from the government, the private sector, and the academe were invited to talk about issues, concerns, rights, and responsibilities concerning the law, which was confronted by an unwelcoming reaction from the public, particularly the country’s cyber citizens. Finally, Atty Ivan John Uy, Former Commissioner, Commission on Information and Communications Technology (CICT), provided a synthesis and way ahead of the activity.

II. Plenary Sessions

Welcome Remarks
by Fermin R De Leon Jr, PhD, MNSA
President, NDCP

On 12 September 2012, President Benigno Aquino signed RA 10175 (Cybercrime Prevention Act). The law states that the state recognizes the vital role of the information and communication industries. It declares the law’s intention to create a cyber environment
which is free and secure from malicious and injurious intent which may cause havoc in the cyberworld. However, there are provisions of the law which caused public uproar; among them was libel through computer or other similar means. The ratification of the law has caused defacement of government websites by the so-called hacktivists, one of which is identified as Anonymous. Academics, media, civil society organizations, and netizens have aired reservations about the new law. There were cries of the flagrant reversal of the efforts to promote fundamental rights and freedom. The disdain for the law, whether in full or in part, has sparked an intense debate which involved the private and the public sectors alike.

Amidst the challenges of the 21st century to national security, cyber space has truly become a host to public and political discussions and national security concerns and phenomena; it has become the 5th domain. Amidst the ongoing issue on the West Philippine Sea, there were attacks to defile both Philippine and Chinese websites.

Given the expanding implications of cybersecurity in the political milieu, the OVP, the NDCP, and the NDCPAAI decided together to conduct this Forum on the Cybercrime Law and its Implications to National Security. It seeks to contribute to the active and lively debate on the cybercrime law. As a society with many cyber security concerns, it is imperative to take a serious look at how this law will affect us. This forum seeks to float serious matters that may spring right in our faces later on, if we let them pass without healthy and friendly debate.

On behalf of the organizers, I hope that this forum would gather all of our efforts and contributions to ensuring cyber security, upholding our national security, and protecting the fundamental rights and liberties of our citizens. Benevolent cyber citizens, cyber activists, cyber ranges, and cyber defenders, we are all in this together.

An Overview of the Rationale and Provisions of RA 10175
Hon Sigfrido R Tinga, Member of the House of Representatives

When people talk about the Cybercrime Prevention Law, they usually fail to mention two words: context and change. What is the context which brought such a law, and what is happening in the world today? A decade ago, probably no one had heard about Twitter or Facebook. After a decade, our system of storage evolved from the floppy drive to the Cloud. We experienced drastic changes in the span of a decade. The world would change even faster. That is change for you and that is the context for me.

Throughout history, we will have continual change and continual challenges. If you think the last 10 years were fast in terms of change, the next 5-10 years will shock you. Students will not be studying in school; people will not be working from offices; business models for the media will change; people will no longer use banks for their transactions; the telecommunications industry will have to find new streams of revenue. We will be outsourced; all will be stored in the cloud. If you are losing x amount of pesos in real-world crime, you will end up losing a multiple of that online. Resistance to change, being comfortable with the status quo, and being safe and risk-averse are a surefire recipe for extinction.

Like any law made by man, the cybercrime prevention law is not perfect; nevertheless, the challenges of time require us to have one. If one would look at the House version of the law, it is not too bad. However, we come together in a compromise in coming up with a legitimate document that would
represent what we think is the best for the people. Arguments, debates, and concessions have led to the cybercrime prevention law as it is today. The uproar the ratification of the law brought about signaled the need for transparency in the law-making process. Had the law been scrutinized prior to its approval, there would have been no public clamor in the first place.

If an act is illegal in the real world, it should be illegal online. This logic floats ridiculous laws we have and makes them appear more ridiculous. For instance, the Retail Act prohibits foreign retailers from operating in the country. With the cybercrime prevention law, can the Department of Justice (DOJ) shut down Amazon and eBay? The current times present a borderless world; a progressing world presents a challenge but, at the same time, an opportunity.

Open Forum

During the discussion, a participant asked whether the 120-day temporary restraining order issued by the Supreme Court provides enough time to correct the mentioned imperfections of the law. As discussed, there are multiple ways of curing these, one of which is through the Implementing Rules and Regulations (IRR). Through the IRR, some of the issues and concerns can be clarified. One need not strike down the law entirely. It would not be the last cybercrime law; amendments will surely follow.

There were also questions on the provision on online libel and whether it can be considered one of the imperfections of the law. The question was answered based on the essence of the cybercrime law: to criminalize the online commission of acts which are considered prohibited in the real world. That means all the acts identified under the Penal Code, including libel. If one wanted online libel to be decriminalized, the act should also be decriminalized in the real world.

With regard to the President’s support for the libel provision, there was a question on how Congress would balance this with many legislators’ plans to revise the said provision. In this case, there was a recommendation to wait for the arguments in the Supreme Court. If the Supreme Court decided to return the law to Congress, then it should be amended as decided.

Towards a Comprehensive and Effective IRR of the Cybercrime Prevention Law
by Director Philip Barilla, Information and Communications Technology Office, Department of Science and Technology (DOST-ICTO)

The DOST, the DOJ, and the Department of Interior and Local Government (DILG) are tasked to craft the IRR for the cybercrime law. The cybercrime prevention law, in summary, provides definitions of cybercrimes, the measures related to the prevention, investigation and suspension of such crimes, and the imposition of penalties.

The salient features of the law cover punishable acts and enumerate different cybercrime offenses. It groups offenses into three categories: offenses against the confidentiality, integrity, and availability of computer data; computer-related offenses; and content-related offenses. The first category includes illegal access, which experienced a drastic increase worldwide; illegal interception, which includes intrusion without right, interception of any
private transmission of data, and data interference or intentional alteration or damaging of computer data (e.g., website defacement); system interference or denial of service attacks; misuse of devices (to use, produce, sell, procure, import, distribute, or make them available to commit cybercrimes); and cyber squatting, or acquisition of a domain name similar to a trademark or name of a person. Computer-related offenses, the second category, enumerate fraud, forgery, and identity theft. Phishing is one of the prevalent crimes in the Philippines. Credit card fraud and online fraud scams through email and other means are also increasing. Lastly, content-related crimes include cybersex, child pornography, unsolicited commercial communications (spam) and libel.

There was a discussion earlier about clarifying some provisions in the IRR. The IRR can further clarify and clearly define acts which constitute cybercrime offenses. The DOST shall coordinate this with the committee chairs of both houses. We will formulate the IRR in consultation with the different committee secretariats of both chambers.

The law provides a punishment one degree higher for libel using ICT. Greater authority is granted to law enforcement agencies such as the National Bureau of Investigation (NBI) and the Philippine National Police (PNP). It mandates them to systematically provide reports for pre- and post-operations. The Regional Trial Court has jurisdiction given that the offense is committed in the country; it was committed using a computer system physically located in the country; it caused damage to a natural or juridical entity while in the Philippines. The law also provides general principles for international coordination and cooperation, which are hinged on international agreements on the basis of uniform or reciprocal legislation.

The DOST-ICTO was made part of the Cybercrime Investigation and Coordinating Center (CICC), which is supposed to be under the administrative supervision of the Office of the President (OP). It is tasked with policy coordination and formulation on implementation of the Cybersecurity Plan. The CICC is mandated to craft the National Cybersecurity Plan and prevent real-time commission of cyber offenses through ASSERT, a computer emergency response team. It is also mandated to coordinate and prepare measures to prevent and suppress cybercrime activities through a consultation and coordination team. The CICC is also tasked to monitor cyber cases and facilitate international coordination, not just on cybercrime monitoring but also on awareness campaigns and capability building, among others. It is also supposed to coordinate the support of local government units, the private sector, and civil society organizations. The CICC can also recommend the enactment of new laws related to cybercrime, and call upon the support of any government agency.

Cybersecurity refers to the collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. This definition is in line with the definition of the international community. Cybersecurity aims to secure properties of an organization and user’s assets against threats posed in the cyber environment. Cybercrime is the offense, and its prevention is part of promoting cybersecurity. The use of risk management approaches, which include assessing threat, vulnerability, and consequence, identifying controls and mitigations, implementing controls, and measuring effectiveness, will help us strengthen our cybersecurity practices.
There are a lot of best practices that we can adopt. The International Telecoms Union and other governments publish their reports online and we can use them. One critical activity in promoting cybersecurity is building partnership between the public and private sectors. It is also necessary to secure our critical information infrastructure; promote awareness in different sectors of society; build our capability; and establish systems in every agency and connect all of them seamlessly. Ultimately, we need to develop a culture of cybersecurity.

Open Forum

A participant inquired about how Congress arrived at fifty (50) million pesos for setting up defense against cybercrime and about the corresponding plan of action, given the said amount. As gathered from the discussion, the Senate is said to have introduced the amount during the bicameral conference committee. Further, adequate consultation in arriving on mentioned amount. If one will put up a cybersecurity center, fifty million is not enough; one can only conduct a vulnerability assessment with the amount.

A participant commented that government agencies typically do not perfectly cooperate and queried about the law drafters’ reasons for assigning the crafting of the National Cybersecurity Plan (NCP) to DOST, DOJ, and DILG. The reason for having a coordinating center, as mentioned, is to have the three agencies work together under one roof. It would be easier for these agencies to coordinate and collaborate if they work under one roof.

A basic premise of the law is that whatever act is punishable in the first 4 domains should also be punishable in the 5th domain, the cyber world. However, the draft IRR states that the penalties for offenses committed online are a degree higher compared to those committed in the real world. A participant opined that this seems to be discrimination against netizens. On the part of DOST, the speaker said that there are activities online which have greater impact and therefore need greater deterrents.

Given the case that one wrote a libelous statement on paper, scanned it, and posted it online, there was a question on whether he will be charged under the Penal Code libel, the Cybercrime Prevention Law libel, or both. The speaker presented his personal interpretation of the law. The moment you post that libelous statement online, you are charged as provided by the cybercrime law. It may also depend on the one who is suing you, whether he would sue you under the Penal Code or the new cybercrime law, or on the judgment of the court based on the evidence and merits of the case.

With regard to the second query, the speaker opined that cybersecurity is a bigger concept than cybercrime. Nevertheless, the cybercrime law also secures our cyber environment. In line with this thinking, a participant suggested establishing a Cyber Command to protect the 5th domain as a nation protects its land, sea, air, and space. It can be included in the Cybersecurity Plan.

A participant commented that RA 10175 incorporated two entirely different concepts (i.e., cyber crime and cyber security) into one document. As the PNP and NBI are the only law enforcement agencies authorized to secure data from the ISPs, they are also involved in cyber security. He reminded the authorities to be careful in crafting the IRR, as it provides the measures and guidance in implementing the law. In clarifying issues, some provisions may require amendments through legislation; Congress can also file an amendatory bill; issues can also be clarified through the IRR.
A participant requested the timetable for finishing the IRR. He also inquired about what will happen in the period between the cybercrime law and the IRR. On the timetable, the law defines a period in which the three departments can work on the IRR. Individually, the three agencies will come up with inputs to the IRR, and this coming November we will meet to discuss the inputs. With regard to the second question, it will not be retroactive; without the IRR, it is as if we do not have any law.

A participant inquired if the law protects those who teach hacking to companies and government agencies to protect their systems. As confirmed by another participant, teachers are not liable; they are protected by RA 10173. If the organization allowed you to hack their system for academic purposes, you will not be charged. There is another provision in the law that makes the possession of tools, programs, devices, etc. used for hacking punishable by law. Ethical hackers and professionals use the tools hackers use to simulate an actual attack on a company’s system. With regard to minors who commit offenses as provided by the law, the court may file civil cases against the parents.

Section 6 of the law covers both cybercrime and cybersecurity. It covers all violations covered by the RTC and/or other special laws committed through ICT. However, it may not be very effective in terms of addressing cyber warfare and cyber terrorism. The law, like any other law, is reactive. In the case of hacking, websites are defaced. However, in the case of cyber warfare, your critical infrastructures are attacked. In terms of making another accountable, it is very difficult because a country, for instance China, can use a proxy country, for instance Singapore, to attack the Philippines. Singapore is hardly liable for such an offense. Cyber warfare is an act of a nation-state and so far, there has been no proof of cyber warfare in history.

A representative from the uniformed forces inquired about their responsibilities vis-à-vis the cybersecurity law. The speaker opined that government agencies should defend their own systems. Establishing your own CERT is a good start. It is up to any agency to establish its own CERT. It is also necessary for agencies to closely coordinate and facilitate a free flow of information to create the future of cybersecurity.

A participant inquired about the differences between the National Cybersecurity Plan and the National Security Strategy Plan drafted by the National Security Council. The speaker responded that while the National Cybersecurity Plan is being drafted, there will be close coordination with the NSC.

It was mentioned that online libel may be punishable under both the Cybercrime Law and the Penal Code. A participant asked whether this is considered double jeopardy. According to the speaker, the DOJ will decide which law applies; it will not be double jeopardy.

National Security Implications of the Cybercrime Law: The Defense Perspective
by Director Nebuchadnezzar Alejandrino, DND Information Management Office

In the international scene, the 2001 Budapest Protocol was supposedly the gold standard in cybercrime legislation. It was followed by the London Conference in 2011 and again the Budapest Convention, which was conducted a week ago. From the 2012 Budapest Convention, it was discussed that the US was mostly concerned with the privacy of cyberspace, i.e., human rights. In relation to this, the Europeans want an open cyberspace for business purposes. In the Philippines, we are too preoccupied with crimes and I am not so sure if it is a good or a bad thing. The country’s cybersecurity
plan is the cornerstone of its cybersecurity policies. The Philippines may be ahead of the crowd in terms of cyberspace awareness and legislation. The strategy of the Philippines in terms of promoting cybersecurity is said to be area-focused in the sense that it addresses the issue, through legislation, per category. For instance, currently we are focused on addressing our cybercrime issues. Cybercrime should be under the purview of the DOJ; cybersecurity, on the other hand, should be the mandate of DOST.

Threats in cyberspace can be grouped into two categories: threats brought by non-state actors and those brought by a state. Non-state actors are typically motivated by self-interest. On the other hand, state actors are those engaged in cyber warfare in the sense that they train people by the thousands. The cybercrime law empowers the law enforcement agencies in pursuing attackers whether they are state or non-state actors. The clamor brought by the provision for online libel is a blessing in disguise since it brought the reality of cyberspace and its threat to the general public. In the prosecution of cybercrime offenses, there is a problem of attribution or identification. You can determine the IP address but it is nearly impossible to determine who the actual person is.

The implications of RA 10175 have not reached a national-level security concern yet. The local hacktivists, before they become so, are Filipinos first; they will never jeopardize the government. There is also a difference between national interest and national agenda. In the national agenda, the public participates in the debate. In national security, there is a sort of focus; the government is involved.

Cybersecurity as the 5th domain and the new arena levels the battlefield in favor of those with limited economic resources such as the Philippines. Asymmetrical warfare in this context becomes the de facto major strategy. In this new reality, it is critical to raise the public awareness in ensuing relevant policies of the state in the context of promoting cybersecurity. The cybersecurity law is a demonstration that the country is preparing to grab the opportunity the emergence of the cyber arena presents. The passage of the law ushered in the era where cyberspace becomes not only a second nature but also a defense of our economic, social, political and national security interests. The Defense Department welcomes the passage of the law as it will fast-track the awareness level of our leaders and the public on the criticality of the 5th domain and the technology available to us in dealing with a more powerful adversary.

Open Forum

A participant asked when one considers protest a threat to national security. According to the speaker, a protest becomes a threat to national security when freedom of expression ceases to exist; when there is disruption of the people’s daily activities; when there is denial of basic services (e.g., food, electricity, water, transportation).

A participant shared that hacktivism is not a new concept. In fact, in the late 1990s, websites were already being defaced. People were already sending emails to system administrators informing them about loopholes in their web systems. They did not get satisfactory responses from system administrators, so they resorted to actually defacing the websites to prove their point. In early 2000, some of these hacktivists joined criminal groups,
using their intelligence to gain illicitly. Now we witness our youth counterattacking China’s alleged attack on Philippine websites. If we would tolerate them, they may suffer the same fate as their predecessors did. The government can actually tap their intelligence so their actions are regulated and authorized.

One of the participants presented a hypothetical question: in the instance when China attacked the Philippines using an ICT platform in Manila, can we pinpoint if the attack came from China and not from within? Can we establish that China is the enemy? The speaker responded that though it is highly unlikely that China will launch a cyber attack against the Philippines, in the event that it did and it did so using a platform in the country, the authorities can detect the IP address and its location, and launch a pursuit operation in a matter of hours.

With regard to the speaker’s statement that the country has the capability to trace attacks and attackers, participants raised comments. The recent actions of local hacktivists seem to signal the contrary. Based on the series of website defacements they inflicted on the government, they seem to be more than 100 percent sure that they cannot be traced.

The Role of the Private Sector in the Effective Implementation of the Cybercrime Prevention Law
by Angel T. Redoble, President and CEO, ARMCI Solutions & Consultancy

The presentation revolved around three concepts—Communication, Cooperation, and Coordination (or Collaboration).

Communication is a very big problem even in real world crimes. We do not usually report cybercrimes. Being part of the private sector, we have to report cybercrimes and criminals. In the real world, we are hesitant to report crimes because of the fear of retaliation from criminals. In the cyber world, the criminals cannot harm us physically. We have to call the experts.
Amidst recent hacking incidents, affected parties did not complain; they did not give access to investigators. If the private sector will do the same, we cannot fully implement the law.

After communicating, we have to cooperate. However, companies do not trust law enforcement agencies. They do not allow access to law enforcers for investigation; there is conflict of confidentiality. Law enforcement agencies are the only parties mandated to conduct investigation. If we fail to remove this barrier, there will be more cybercrime incidents. Once trust is established, we can provide full assistance to forensic examiners and investigators, i.e., cooperation. However, even affected government agencies are not open to investigators, which sends a wrong message to the private sector.

We have to avoid the do-it-yourself initiatives. IT professionals are not security experts; they are not fully knowledgeable of computer forensics. It is important to call security experts because litigating a cyber criminal involves digital forensics and a process to follow. Any person can gather information from a computer, but the forensic element means it has to be gathered in a manner that makes it reliable to a court or other body and the information has to become evidence. One must follow the procedures of acquisition, identification analysis, reporting, and court presentation or else one will never have a successful litigation.

Focusing on acquisition and identification, these are processes involving physically or remotely taking possession of computer data and network mapping from the external and physical storage. With the right acquisition procedures, one may proceed with identification wherein retrievable data
are identified and actually retrieved using forensic tools and software. There is a need for a law that will oblige companies to save log files, implement security measures, and have a risk management process to facilitate easy gathering of evidence and presentation to court.

There is a need to collaborate, i.e., public-private partnership. We need to exchange knowledge and expertise. There are a lot of patriots willing to help and assist. The lack of skills must be recognized. Where there are lapses, the private sector can patch them up.

Open Forum

One of the huge issues in the cyber world is botnet attacks. Critical infrastructures (e.g., power, financial, communication) are susceptible to such attacks. A speaker asked how one finds a botnet attack so that in launching a retaliatory attack, the right people are targeted. A botnet is not a one-on-one issue. One can use a single computer in launching thousands of botnet attacks. One may also use hundreds of computers to launch a botnet attack. One may trace back up to an IP address but it is not 100 percent accurate. There is no such thing as absolute security but there is such a thing as proactive security. This is where policies and standards come in.

The presentation appears to propose that the government must issue guidelines or standards on the use of ICT, much like zoning laws and building codes. At present, there is a problem of accountability. In instances where a hacker intrudes in an organization’s system using another organization’s network, the latter may easily get away because there are no existing laws that promote accountability. The Philippine National Police (PNP) has an information policy in place, which is why the PNP websites have never been hacked. We have issue-specific and in-depth defense strategies.
The speaker added that it is not enough to have policies; there is a need for a manual or authority which will validate the effectivity of existing policies.

The military is currently lacking experts. It may afford the most expensive software or vendor, but still it lacks human resources. Those that we train are easily attracted by the lucrative opportunities offered by private practice.

Academic Perspective
by Atty Harry Roque, Professor, UP College of Law

According to the United Nations (UN), criminal libel is contrary to freedom of expression. Nevertheless, in the Philippines, libel is still criminalized under the Revised Penal Code. The Cybercrime Prevention Act not only maintains this principle but also raises the penalties to a higher degree.

On double jeopardy, Section 7 states that conviction under this law is without prejudice to conviction under the Revised Penal Code. Indeed there are many special laws that state the same. However, one may have multiple convictions if there are multiple elements in the crime the person committed. The elements of online libel as provided by the law are exactly the same as those of real world libel under the Revised Penal Code, except that the former was published online.

One of the most controversial sections of the law is perhaps Section 19 which prohibits the court from invalidating individual provisions of the law; one may apply the
separability clause. The DOJ has the unilateral power to block websites motu proprio based on prima facie evidence of violation of any provision of the law. This runs contrary to the principle of separation of powers as this makes the Secretary of Justice an enforcement agent in charge of investigation; prosecutor arm in charge of prosecution; and judicial because he or she may decide when to exercise the power. Jurisprudence demands that while you have these minimum provisions, you cannot invalidate parts of the law; you need to disregard the law as entirely unconstitutional.

Child pornography is one of the content-based restrictions of the law. The offense is also defined under the Child Pornography Act of 2009. As with online libel, the cybercrime law provides punishment of a higher degree against child pornography. We patterned this provision after an American law which also sought to prohibit child pornography on the internet. However, this law was already declared unconstitutional in the US. Though child pornography is one of the exceptions to freedom of speech along with hate speech and speeches that may cause actual danger, the US Courts decided that regulating online contents based on child pornography presents a burden of restricting contents which adults, as provided by their constitution, may read or address to each other.

Because this law prima facie infringes on freedom of expression, the law is presumed unconstitutional. This somehow is confirmed by the issuance of the temporary restraining order (TRO). A TRO is issued when there is possible injustice and irreparable damage to the petitioner.

There are other provisions that, while not involving the constitution, may present problems in implementation. For one, the law demands that computer data be stored for six months. According to the UP Computer Center, this is going to be expensive.
If this is to be done, the government should increase their budget by at least three times.

While the law attempts to insulate computer use from criminal intent, let us remember that the internet was invented to manifest the free-market place. In prohibiting the criminals, we should not forget the intent of the internet in the first place.

Open Forum

In cases when a country decriminalized libel, a participant asked how one protects himself from politically motivated demolition jobs. For one, the UN Human Rights Committee stated civil libel as an alternative. Second, if one is a broadcast company owner, the possibility of going bankrupt because of a humongous civil claim will prompt him to exercise more control over what your writers write and your broadcasters say.

If the libel provision will not be included in the law, a participant inquired whether the aiding and abetting sections of the law will also be put into question. The speaker recommended reexamining the provision stating that all prohibited acts under the Penal Code are punishable under the Cybercrime Law if committed electronically. Each crime is unique and conditions may alter once we shift from the real to the virtual world.

Way Ahead
by Atty Ivan John Uy

The intention of the Cybercrime Law was to target the cybercrime aspect; it barely touched on the cybersecurity aspect. Nevertheless, as the presentations demonstrated, the two can be interrelated concepts.
The forum highlighted the struggle between governmental power and the rights of the citizens. When governmental power is increased, the exercise of the citizen’s rights tends to decrease. Election is coming up and we must be extra sensitive and vigilant in selecting intelligent officials who can espouse our ideals, aspirations, and the principles we stand by.

Indeed we need to pursue cybercriminals who, for the longest time, have remained unaccountable. These criminals act as if they are anonymous though the tools to trace them are available.

The challenge for the government is to hone and keep the talents that we have. Experts tend to leave government service because of the lucrative opportunities in private practice.

There is a need for cooperation not just among the government agencies and private sector within the country but also with international organizations.

We are all here because we share a common need for accountability on the part of those who resort to illicit means for private gain. But we must also remember that in our zealousness, we also have rights to be considered and protected. There is always room for compromise wherein we both protect our infrastructure and the citizens’ basic human rights. All of the debates that we had are a reflection of the healthy democracy that we have.

With respect to the uniformed services’ sentiments on the lack of ability, we have friends from different embassies and countries whom we can engage in the exchange of experiences, practices, and expertise in enhancing our cybersecurity.

Closing Remarks
by Shirley Marie Pelaez-Plaza, MNSA
Secretary-General, NDCP Alumni Association, Inc

The past several weeks arguably have been the most challenging and most politically charged moment of the Philippine Cyberspace.
Upon the reenactment of RA 10175, sentiments against the law came rushing in like a tsunami that has swept away the executive and the legislative branches of the government and even the private sector. Yet if we are to conduct ourselves in an intelligent and civilized manner, everyone who has a stake in this issue should see through the fog and cut through the noises of knee-jerk reactions.

This forum on RA 10175 organized by the OVP, NDCP, and NDCPAAI is our humble contribution to further encourage sober but intelligent but perceptive public discussion on the issue that has swept away our cyber citizens.

There are three cardinal principles which must be observed at all times regardless of the ferocity of public debates and pressures:

1) Freedom of expression is a core element in a vibrant democracy. When an individual is allowed to speak about any issue without undue malice, public policy is well-informed. Feedback mechanisms brought about by this basic freedom provide pressure to government officials, both elected and appointed, to ensure that a healthy and vibrant democracy lives on.

2) Vagueness on the provisions of the law opens legal gates for malevolent interpretation of the law. Amidst the vagueness of some of its provisions and the bothersome
implications of law enforcement, the online and offline public felt a great measure of anxiety. Those who expressed reservations to the law called its crafters and urged them to be more precise on the parameters and standards contemplated by the law. We should take the view that the undefined and unrefined provisions of the law constitute the black hole that zapped the law of most if not all of its credibility.

3) No amount of public disgust can ever justify the cowardly acts of online vandalism and hacktivism. The public must be strongly discouraged from admiring those who deface government websites to express opposition against an unpopular law. Apparently, unscrupulous hackers take advantage of the widespread contempt against certain provisions of the law in order to push for the total abandonment of the law which in the future will track them down. All opposition to this law or any other law for that matter must be expressed through proper means and channeled to the right forum.

This cybercrime prevention act is a start manifestation of a work in progress. It should be seen as a sum total of our desire to protect not just the individual citizen but also the nation.

# # #
Papers on ICT Development and Cyber security
WORKSHOP OUTPUT

Prioritizing ICT Development and Cybersecurity: A Matter of National Security Policy

A consolidated report of the participants during the Seminar Towards Information and Communications Technology Development and Cybersecurity Enhancement held on 6-8, 11 June 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.

Outline
I. Introduction
II. National Vision on ICT and Cybersecurity
III. State of ICT development and Cybersecurity
IV. Proposed Actions

I. Introduction

Information and Communications Technology (ICT) is a well-developed management tool and is widely used by government, private sector and individuals to communicate easier and faster in real time. The modes of communication have evolved from wired to wireless to cloud computing.

ICT development is not just about the technology but also involves the human dimension of using these media. This can be a cybersecurity concern. Those with ill intentions can use the same technology to harm a person in particular, and the country in general.

However, cybersecurity is in early stages of development. Cybersecurity management processes are ad hoc at best and stove-piped. There are enthusiastic groups handling cyber security, but problems overtake solutions and situations occur ahead of legislations. ICTD is focused too much on websites and not on the interconnectivity. Presence of agencies on the internet is good but it is not yet transactional because of the need for more security features and procedures. Transparency and efficiency of services of government agencies are demanded through e-governance.

The Philippines lags in ICT and cybersecurity compared to other developing countries in the region. The existing ICT systems are fragmented, i.e. each bureau has its own system.
There is a lack of an integrated ICT development effort by the government and of a common communications culture among stakeholders. There is a need to enact a comprehensive law on cybercrime and cybersecurity, as well as a need to enhance the capacity of stakeholders on ICT access, use and skills, and literacy levels. There is also a need to improve systems of interconnectivity and interoperability, and the harnessing of private resources and efforts is minimal.
Nonetheless, the Government is taking the issue of cyber-security seriously. No less than the Vice President himself is personally interested in the ICT governance and is committed to resolve the challenges such as the absence of national direction towards cybersecurity and fragmented Government efforts.

As such, there is an urgent call to elevate ICT development and cybersecurity as a national agenda through formulation of national policies. There is a need to promote ICT development and cybersecurity as a matter of URGENT national security policy and a priority of the President.

II. A National Vision on Information and Communications Technology (ICT) and Cybersecurity

The following are the participants’ visions on ICT and cybersecurity:

“A digitally empowered, innovative, and globally competitive nation where ICT and Cyber Security work harmoniously to deliver reliable, affordable and secure information access in the Philippines. A government that leads and practices accountability and excellence in providing responsive and efficient online citizen-centered services.”

“An ICT that establishes an efficient, integrated, interoperable and secure information environment that enables national productivity and competitiveness and promotes Filipino values and human security.”

“A nation with a fully developed ICT and Cybersecurity that support a viable and sustainable national development and national security”

“A secure, friendly, reliable and effective ICT environment and cyber space for all citizens, residents and, business establishments in the Philippines; thus facilitating growth, safety, security and an enriching life for the people”

“A relevant and effective ICT and cybersecurity capabilities, which harness public and private partnership for the national interest and the common good by 2022.”

“Internet enabled, digitally empowered, innovative, globally competitive and prosperous society where everyone has reliable, affordable and secure information access and adequate protection of their constitutionally-guaranteed privacy and human rights. A government that practices accountability and excellence to provide responsive online citizen-centric services. A thriving knowledge economy through public-private partnership.”
III. State of ICT development and Cybersecurity

There is an increasing number of Filipinos using the cyberspace. The average age of internet users ranges between 22-24 years old. There are six international internet gateways which have bandwidth limitation and are disjointed.

Because there are no significant coordination efforts across various segments to address cyber security issues, cybercrime incidents in the country are increasing with the possibility of cyber-terrorism. There is an apparent lack of adequate resources and technology, and solutions often fall short of expectations.

The Philippines may be regarded as an “ICT neo-colony.” Filipinos are mere IT-consumers and not producers. There are no Filipino-developed or owned cyber security implements. There is no real “Philippine ICT-industry.”

The level of awareness and readiness is deemed average for the Government (3) and even lower for the People (2) (1 lowest, 5 highest). The Government is still incapable of detecting threats embedded in available IT and very weak in interdiction. Pirated software still proliferates in many government offices.

Visioning and long-term planning is lacking. Implementation is weak, not cohesive, and lacks “continuity.” There is no authority on strategic ICT concerns or a “Cyber Command.”

Concern for cyber security has yet to cascade to the grassroots. Yet, Filipino youth are increasingly cyber literate or are at least interested in science.

IV. Proposed Actions

Listed below are the proposals for actions categorized according to strategy, structure, legislation, system, staff and skills.

1. Strategy
a) Include in the Government’s policy that cybersecurity is a matter of national security priority.
b) Do not reinvent the wheel. Develop past initiatives i.e. Where to ICTO? The “Philippine Digital Strategy 2010-2016”? and the “National Cybersecurity Plan 2009”
c) Develop a national policy on information as a resource
d) Elevate Cybersecurity and ICT development as a national agenda through formulation of national policies
e) Develop National ICT Development and Cybersecurity strategic Plans
f) Plan for and hold a national Cybersecurity Summit
g) Maximize use of locally available ICT resources
h) Advocate for the enactment of policies/laws on ICT and Cybercrimes to include Cybersecurity
i) Cybersecurity awareness program for various sectors
j) Encourage local and international ICT industry support and cooperation
k) Improve citizen rights and strengthen laws to penalize use of cyberspace in criminal activities
l) Cyber world is a “commodified experience.” Review pertinent franchises and the main resource itself
m) Government should have its own gateway/cables
2. Structure
a) To pump-prime ICT Development and Cybersecurity and integrate national effort (convergence of government, private sector, civil society, people efforts), an executive authority within the Government at the appropriate level may be designated as responsible for directing ICTD and Cyber security initiatives at the National level.
b) The designated authority may be supported by an ICTD and Cyber Security advisory board comprising members from Government Departments, Academic, Defense, Law Enforcement and Industry segments that support national critical infrastructure
c) Create an inter-agency task force group to make an inventory of what we have, what the challenges are, and come up with a solution/s for implementation across the whole government. It will be headed by the cybersecurity czar.
d) Establish the following positions and organizations:
— National Chief Information Officer (CIO) – Information governance
— Secretary DICT – information management
e) DICT agencies – component administration (automation, networking, communication, etc)
f) Creation of a multi-sectoral Technical Working Group (TWG) and a Cabinet Level Committee
g) Establishment/creation of a cabinet-level committee to recommend national cybersecurity initiatives
h) Create a lead agency, a National Coordinating Center, to oversee the implementation of ICTD policies, plans and programs (DICT Bill)
i) Initiatives to protect Philippine cyberspace by PhCERT and law enforcement agencies (PNP/NBI)

3. Legislation
a) Prioritize pending legislation related to cybersecurity
b) Pass the Department of Information, Communication Technology (ICT) bill
c) Formulate a concrete and long term Policy/legislation focusing on Cyber Security Concerns (Cybersecurity Bill)
d) Expedite passage of needed laws, craft implementing rules e.g. the Anti-Cybercrime Prevention Act of 2012

4. System
a) Creating a government cyberspace infrastructure with its own Internet exchange connecting to the AP Region. Data and information in government are confidential in nature and thus it needs to be protected and monitored solely by the government.
b) Establish a government intranet which will be used as network infrastructure for e-government applications
c) Impose minimum standards and mandatory procedures for all agencies to follow
d) Employ knowledge management to develop automated applications
e) Set up Incident Response Teams (IRTs) in all government agencies under the supervision of G-CSIRT
f) Periodic vulnerability assessment of government cyber-infrastructure and websites
g) Consider creating a government-owned cloud facility to house sensitive government data
h) Support the establishment of local internet exchange points
i) Governance, Risk and Compliance management may be embedded into government ICT systems and services
j) Regulate import and entry of dual purpose technologies and systems into the country
k) Implement government controls on the access pathways to cyberspace (Register all internet connections, all SIM cards, all Satellite phones and Satellite terminals etc.)
l) Ability to monitor and control contents delivery through cyber space to enforce mutual respects for civil liberties and national interests
m) Acquire a communication Satellite or dedicated satellite transponders for engineering secure encrypted communication links for sensitive military and government communications to augment current commercial channels

5. Staff (Personnel)
a) Create a top-caliber technical working group to pursue these initiatives and related concerns
b) Create more ICT-savvy positions and plantilla
c) Create a pool of ICT professionals
d) Make salary and compensation of government ICT workers commensurate with the commerce and industry

6. Skill
a) Implement continuing educational programs / capacity building
b) Establish national level scholarships in ICT with service obligation (similar with DOST scholarship)
c) Establish linkage with international educational organizations (i.e., Colombo plan, JICA, KOICA, etc) for ICT scholarship
d) Adopt PPP approach for ICT education (IT companies will sponsor local IT schools)
e) Education/awareness on the vital role of ICTD and Cyber Security targeting the Decision Makers as the priority.
f) Disseminate pertinent information to the general public. Conduct an advocacy program
g) Identify strategic capability building needs, develop training programs— Set up a Cybersecurity institute
h) Improve IT and science education — a scientifically literate citizenry is the best defense against cyber attacks
i) Create a protocol – Who is in charge of ICTD and cyber security? i.e. “Who should we report to once a cyber threat is detected?”

V. Conclusion

The Philippine national security and national defense must take a “whole of nation” approach. It cannot be any longer the sole domain of those who wear uniforms, or serve in government. ICT networks are not the sole domain of the government. An attack that destroys the network owned by the power grid can break a nation’s will more quickly than a bombing sortie by an air force.
Uniformed services, such as the military and police, play a vital role in this defense of the nation, due to their ability to train and focus resources on issues. But other government offices play a role as well, through their regulatory, enforcement and licensing powers. Private industry is an equal partner due to its ownership of targets, but also because of its expertise and willingness to protect its trade.

This new dimension of national security and national defense requires an evolution of thinking. As one former FBI agent recounts— The “old” threats are still present. But the “new threats” require that the national security administrators and professionals adapt to the new field. But it has to start from the precept that ICT development and cybersecurity is a matter of URGENT national security policy and a priority of the President.

The nation must prepare for the new terrain. The nation’s security depends on it.

# # #
Understanding Cyber Security from Global and Regional Perspective

Stephen P. Cutler, PhD
President, FSC Holdings (FBI Ret)

Paper presented during the Seminar Towards Information and Communications Technology Development and Cybersecurity Enhancement on 6 June 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.

The World of Today

The words “cyber security” often intimidate or discourage people who are not yet familiar with computers and networks, or “e-commerce” and databases. It often carries emotional implications that it may be beyond their understanding, and they are incapable of accomplishing anything of value in the “cyber security” arena. This paper seeks to not only overcome that individual mind-set, but to demonstrate that national security depends on the involvement of all members of this nation, and those to which it is connected, in securing its networks, grids and even individual computers and users.

The “traditional” physical world concepts and ideas with which national security professionals are quite comfortable are easily adapted to and explained in the cyber context. Unlike the 1992 Disney song from the film Aladdin, this is decidedly not “A Whole New World.” Now, twenty years later and in a new century, the cyber and physical worlds are inter-mingled to a great degree. This mingling greatly affects the ability to secure nations, and requires an adaptation to the current global and regional perspectives to the concept of “national security.”

Before beginning a discussion of cyber security, it is of great value to give thought to some basic ideas. These touch points of understanding are often assumed to exist among those who discuss cyber security, but are just as often lacking in one party or the other.
Thus, a common ground for the discussion, and for decision making based on solid sharing of information and commonality, is missing. For example, give serious thought to the very basic ideas below.

o Are you able to describe a “botnet” to someone who is unfamiliar with computers? Are you able to describe in even a cursory and “plain English” manner how it works? Are you able to describe how a computer becomes a “zombie?”
o Are you able to define “phishing” so that a person without a security background can understand the concept? Are you able to give an example of how phishing might be used to compromise data?
o Are you able to explain “malware” in a way that beginner level computer users are able to understand the idea, and its danger to individual computers and networks?
o Are you able to express the concept of “social engineering” in a way that novices will understand the dangers of answering probing questions asked by unauthorized personnel?
o Are you able to convey the value, but also the dangers, associated with a “USB” to networks and data storage?
o Are you able to articulate, in a way that even non-engineers and non-security focused personnel can understand, the dangers of an “insider attack” to grids and networks?

If pressed, and given time to formulate our thoughts, most of us will be able to describe these important concepts in a way that those who are quite comfortable with physical security will be able to understand. This is an important accomplishment, because it brings to bear many good minds and thinkers who are currently restricting their work to the physical world, but who have valid ideas to bring to bear on the cyber world.

The Old Testament book of Ecclesiastes, chapter 1:9, says “So, there is nothing new under the sun.” This ancient piece of wisdom is valuable to remember in the cyber security context. This is true as far as it goes. Many of the concepts, ideas and viewpoints of security are those many practitioners have practiced for many years, but applied to a different operating environment. However, the speed at which events happen in the cyber world, and the ability of people, or “actors,” to reach around the globe and cause events to happen, requires national security professionals to adapt and grow in skills and knowledge, and to make decisions, in unprecedented ways.
In the physical world, a typical bullet fired from a .45 caliber pistol travels at perhaps 950 feet per second. A typical round fired from the cannon of an M1A2 Abrams tank travels perhaps 3,500 feet per second. Most current national security professionals are quite comfortable in discussing these parameters and their impact on security. In the cyber world, a byte of information or instruction from one computer to another travels at perhaps 186,000 miles per second. Thus, our operational and decision making cycles must adapt to this “speed limit.” The ability to detect, deter, disrupt and dismantle groups, or the efforts of an individual, who intend to do us harm remains critically important to national security, but it must occur at a much faster pace than in the physical world. Trusted and trustworthy information sharing with allies and team members must be included in this growth area. The time-proven concepts of national sovereignty, territorial integrity and equality of nation states, and resulting mechanisms of treaty compliance, diplomatic notes and other means of information sharing, developed under ideas first embodied in the Treaty of Westphalia in 1648 are still valid. But they must be adapted to an environment that ties
nations together in unprecedented ways, an environment that allows virtually instantaneous communications between entities in various parts of the globe in ways not yet fully explored, and an environment that truly equalizes nations in ways that are also not yet fully understood.

The cyber world not only equalizes nations in ways not yet understood, but it also equalizes people in ways that are not yet fully understood, nor even fully identified. The ability to act in the cyber world empowers individuals in the remotest areas of a nation in many of the same ways as it empowers the richest of citizens in the hubs and corridors of power in the biggest cities of the world.

Threats

The nation faces an evolving array of cyber-based threats arising from a variety of sources. Most of these may, at first glance, seem to affect only individual computers, or users, or even business networks. But all have an impact on national security since they impact the ability of the nation to participate reliably and safely in the world’s economy and trade schema. It is of value to broaden the definition and view of the term “national security” to include the entire range of activities within the nation that affect its ability to thrive and be competitive in the global economy. Thus, “national security” must account for much more than numbers of jets in the inventory of the Air Force, or ships at sea for the Navy, and soldiers and Marines who are ready to march to combat.

Unintentional threats to national security in the cyber field may arise from software upgrades that have been applied without systemic planning and coordination.
Software, the programming that commands computers to act in certain ways, may contain instructions that conflict with other software already installed on the machine or network. These conflicts may cause system outages in the worst case, or simply cause inefficient and slow operations in other cases. In other instances, “defective” equipment may be used that inadvertently disrupts systems. Such equipment may be defective due to lack of maintenance or may develop defective operations due to actions or accidents from the environment in which the equipment is operated. Both software and hardware issues are often based upon or exacerbated by budget issues that inhibit proper planning and implementation of updates, and maintenance. Unintentional threats may also “set the stage” on which actors with intent to do harm to the nation may perform their acts.

Intentional threats are those that often come to mind, and more often make headlines. The nation is at risk of targeted and untargeted attacks from a variety of threat sources such as criminal groups, hackers, terrorists, organization insiders, and even foreign nations who conduct espionage and hostile acts in the cyber arena.

Trends/Emerging Threats

Threats to key critical infrastructure are of vital national security interest. Past thinking in the national security field often focused on uniformed military versus uniformed military, and it was often considered solely the domain of the uniformed services, or
entities closely aligned with those services. For the most part, this served nations well in the physical world, but may not serve so well in the cyber world. In the physical world, key critical infrastructure such as dams and bridges or armories and rail yards were, and still are, often government/publicly owned. Privately owned entities often suffered collateral damage, but were not usually the main targets of hostile acts.

In the cyber world, however, key critical infrastructures are often owned by private entities. Publicly, i.e. government, owned critical infrastructures are networked into electronic “relationships” with private networks in unprecedented ways. Even more, many of these are networked into a web that has no true owner at all: the internet, or “world wide web.”

Among the highest priority targets for intentional threats are “Supervisory Control and Data Acquisition,” more commonly referred to by the acronym “SCADA Systems.” These systems are used to oversee and direct complex systems that are not easily otherwise monitored and controlled. For example, manufacturing processes that have many variables may be more easily monitored and controlled by computer than by an engineer’s sight and senses. But SCADA systems may be vulnerable to attack. This may alter the ability of the system to correctly control the process. A well-reported example of such an attack was named the “STUXNET” virus. This attack stopped all activity at a nuclear plant in Iran. A search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering.

While the example given was operated by the Iranian government, other such systems are often under the control of private businesses, but affect the public. One example of this may be the dispatching and aircraft control systems operated by airlines.
The national air traffic control system is operated by the government, but each airline also operates its own internal systems. Should those systems be disrupted, there will be a strong negative impact on the public transport systems. Financial systems are similarly situated.

Greater use of cyberspace by the “bad guys” must be taken into account by national security planners and implementers. The term sounds simplistic and juvenile, but is chosen on purpose to refer to a wide variety of “actors” who intend to harm, in any number of ways, the well-being of the nation. This group may include state or non-state actors, including single individuals, who want to disrupt commerce, or communications or the ability of a group or state to act in a particular issue. These groups may work to compromise secure systems handling national security classified information, but a wide variety of publicly available reporting indicates that their efforts provide great returns in disruptions and compromise of sensitive but unclassified (SBU) networks over which the bulk of the work of government and private entities is done.

Use of this bandwidth to facilitate criminal activity is common according to public reporting. This may include traditional crimes such as extortion, thefts, stock manipulations, but may extend into non-traditional crimes such as national security espionage, commercial and trade secret espionage, and other such activity.

Swarm Theory: A Changing Paradigm

The national security apparatus is comfortable with dealing with threats. It may focus on an invasion by a foreign army, and strengthen beach defenses. It may focus on air assaults. It may focus on an insurgency, and bombings or ambushes conducted by irregular
forces. It may develop defenses that are employed during convoys and patrols. It may maintain information gathering efforts to learn of the capabilities of nations who may try to harm its own nation. It may deal with symmetric threats, which are those which have capabilities and thought processes substantially similar to its own. Or the national security apparatus may deal with “asymmetric” threats, whose constructs of “how the world works” differ substantially from its own.

In the cyber world, the paradigms must adapt. Whereas physical attacks that pose an existential threat to a nation must utilize thousands, if not hundreds of thousands of people, with vast resources and time to develop and marshal capabilities, that time and effort is not necessary in the cyber world. It has been clearly demonstrated, in Estonia and Georgia, that nations may be attacked through their electronic networks.

In the physical defense realm, its “players” may be able to focus on relatively tight areas and directions of attack. Armies and nation level decision makers are familiar and comfortable with speaking in terms of “fronts” and “rears”, as well as “obliques” and “defilades.” Those terms have little actual application in the cyber world.

In the cyber world, the national security apparatus must become familiar and comfortable with operating in a “swarm” environment in which attacks on the infrastructure and well-being of the nation come from many directions and in many forms virtually simultaneously. This requires a flexibility and rapidity of response that is difficult to master without practice and forethought.

One may picture this as being a child who has just disturbed a hornet’s nest, and is attacked by the hive. Thousands of hornets appear to act independently, flying in seemingly random and uncoordinated patterns to attack the target. And some get through the child’s swatting defenses to inflict painful stings on her.
That is a simplified, but visually effective, way to explain a botnet attack that is aimed at denying service of targeted computer networks. The term “botnet” is shortened from “robot network.”

A defense against this cyber attack requires an adaptability and speed that isn’t normally found in the physical world. For example, one of the reasons given in popular historical literature for the success of the Normandy invasion on 6 June 1944 is that the Nazi high command expected the actual invasion at Pas de Calais, miles away from Normandy. They heavily fortified that site, and refused to move those forces in a timely manner to reinforce Normandy. Thus, the Allies were able to gain control of the beachhead, and ultimately move inland. This lack of decisiveness and inability to respond to multiple attacks will result in much more rapid failure in the cyber world than in the physical world.

How does a “botnet” work?

In essence a hacker, or a group, will use computer code to infect other computers, and allow the hacker to take control of those computers. These computers may be used by their normal users, while still under the control of the hacker for other uses. The normal, authorized user may or may not notice some diminution of speed in the response of her computer. The hacker maintains control, and can use the computer to launch attacks against other computers. This intermediate computer becomes, simply, a “robot” on the hacker’s network of robot computers. Thus is born the term “botnet.” The “robot” computer is often referred to as a “zombie” since it has a “life” under the control of unauthorized users.

The hacker may be an individual actor, and may or may not be connected with a state. A state, or a criminal group, may or may not pay the hacker to conduct attacks. They
may simply acquiesce to the hacker’s work, realizing it achieves goals with which they are happy, but for which they bear no risk and responsibility.

The hacker is likely to “take over” hundreds, thousands, hundreds of thousands, or more computers. These computers are then instructed to “swarm” a target computer or network, and overwhelm its defenses so that it cannot operate as intended. This is known as a “distributed denial of service” attack, or “DDoS.” The DDoS attack was used to cripple both Estonia and Georgia in the last decade. The attack is still effective.

What else can we do?

A new paradigm of cooperation between the national security professionals and private industry must be developed. Law enforcement and military services, as well as other government entities such as the Department of Science and Technology, Department of Trade and Industry and others have a critical role to play. Many of the networks that are subject to attack are privately owned. In addition, botnet attacks may appear to originate in many different countries, from privately owned computers as well as those owned by governments.

It is difficult in the first critical stages of an attack to attribute it to the actual perpetrators with a great deal of certainty. The computers and the electronic signals of the attack do not wear uniforms, nor carry easily identified markings that one finds on enemy aircraft and warships. Without such certain attribution, it is difficult to launch offensive actions to disrupt the true source of the attack.
Thus, it is critical to have a solid and well-practiced “whole-of-society” response capability in these attacks, and develop attribution and counter-attacks as soon as feasible, but focus on defense and minimizing of damage at the initial stages. In this sense, the target system is not unlike a naval vessel under attack by numerous small and fast armed boats. Keeping afloat and undamaged is of paramount importance, while determining the “flag” of the boats will be done in time.

Mike McConnell, Director of the United States National Security Agency from 1992-1996, was quoted in the Washington Post in February 2010 as saying “No doubt, such arrangements will muddy the waters between the traditional roles of the government and the private sector. We must define the parameters of such interactions, but we should not dismiss them. Cyberspace knows no borders, and our defensive efforts must be similarly seamless.”

But these arrangements must be made within the nation, as well as regionally, and internationally. These arrangements must be practiced from time to time as well so that they may be used correctly and in a timely manner when needed.

The United States Congressional Research Service wrote, in its paper entitled “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress” issued in 2008 that “Ultimately, reducing the threat to national security from cybercrime
depends on a strong commitment by government and the private sector to follow best management practices that help improve computer security.” Although the statement focused on “cybercrime,” the ideas it propounds apply to all cyber threats and not just those typically referred to as “criminal.”

In summary, physical world differentiations and divisions of national security into military, criminal and commercial areas are counter-productive and crippling to protecting the nation’s interests in the cyber world. The total nation must work together to protect its networks and infrastructure. The nation must work with other nations to develop trusted and secure but quick ways to exchange information that conform to treaty requirements, and internationally accepted norms, while enabling appropriate responses to cyber emergencies. The nation’s security depends on it.

# # #

____________________
Steve is the President and Chief Executive Officer of FSC Holdings, a consultancy firm in Makati. He lectures frequently on technology, security, anti-money laundering and terrorism. He also has strong experience in data and physical security management, and disaster preparedness arenas. Mr. Cutler is retired from the U.S. Federal Bureau of Investigation.
Cyber War and Cyber Terrorism
Stephen P. Cutler, PhD
President, FSC Holdings (FBI Ret)

Paper presented during the Seminar Towards Information and Communications Technology Development and Cybersecurity Enhancement on 6 June 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
____________________

Cyber war. Cyber-terrorism. These are chilling words, and concepts that strike fear into our hearts. We have visions of dark cities, frozen bank accounts and financial ruin, airliners exhausting fuel supplies in mid-air because they can’t land without coordination and communications from ground based air traffic controllers, and power plants running amok. The terms call to mind certain images. These may both illustrate the nature and magnitude of potential problems, but they may restrict our thinking as well.

Attachment of a modifier to the word “war” puts that concept into an area that brings much emotional and subjective “baggage” with it. Visions of masses of uniformed troops, and weapons systems such as fighter or bomber jets, tanks and big ships with big guns come to mind. Death and devastation isn’t far behind. The words may work well in the physical world, but may not serve us well in the cyber world. They carry the implication that wars are carried out by certain organizations, and not others. Wars are conducted by armies, and navies, and air forces, but not by civilians and civil forces. Wars are generally conducted under guidelines and the “rules of war.” Uniforms clearly identify, even from a distance, who belongs to which side. These concepts, the development of which began hundreds of years ago in an agrarian age, work fairly well if imperfectly in the physical world. They are less effective in the cyber, or non-physical, world.
Just as Clausewitz wrote about the relationship between war and a nation’s interests and objectives, we must apply certain time-honored concepts to our policy development in the cyber arena. John B. Sheldon, a noted author in the field, writes “Cyber power does indeed have strategic purpose relevant to achieving policy objectives. This strategic purpose revolves around the ability in peace and war to manipulate perceptions of the strategic environment to one’s advantage while at the same time degrading the ability of an adversary to comprehend that same environment.”

Sheldon’s observations demonstrate that the development of national policy on cyber security must take place as part of the overall scheme of securing the nation’s interests, development and competitiveness in the international arena. In that way, it is part and parcel with the evolution of policy on physical security and defense issues, and economic security and defense issues. Many of the same principles with which we are very familiar in the physical world may translate into the cyber environment.

It is helpful to develop a common understanding of some terms that are frequently used. Sheldon’s views and explanations are, again, quite helpful. He sees “cyberspace” as “a
global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”

At first glance, this is quite a bit to understand. But upon reflection, the definition is quite simple. It emphasizes that the field of concern is global, and not necessarily restricted to the territory of a single nation or region. The field is networked, and not focused on discrete and separate parts. Thus, planning and responses, and the view or mind-set of national security professionals as they work in the field, must be much broader than what we find in the physical world.

Sheldon elaborates that “cyberspace operations include the employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace. Such operations include computer network operations and activities to operate and defend the Global Information Grid.” This carries the strong idea that a single nation, or entity within the nation, must defend itself, but it also bears a responsibility for defense of the entire grid. This is a very large step forward in thinking for many national security professionals, and demands a change in “world view.”

Sheldon describes a “computer network attack,” or CNA, as those “actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.” Unlike the physical world, the defense of the cyber world is focused on information and networks. These exist, but in forms that are not readily seen by the human eye. Thus, they carry with them some mystery and unfamiliarity.

It is easy to deal with the speed of a bullet, or an artillery shell. The bullet fired from a .45 pistol travels at about 950 feet per second.
The round fired from an M1A2 Abrams tank covers about 3,500 feet per second. Digital bytes of information, code and “orders” from one computer to another travel at about 186,000 feet per second, and are not restricted in impact to a single target. Multiple computers may receive the bytes at the same time, with no diminution of effect.

The main difference in the physical world security concepts and their application to the cyber world is the speed at which events may happen, and the distances between “trigger point” and “impact point.” National security professionals must understand and become comfortable with the ability of an actor on any part of the globe to attack any other part of the globe at the speed of light. While this understanding and comfort level is daunting, it is doable.

Sheldon further describes “computer network exploitation,” or CNE, as “enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.” This is a critical capability within the national security framework, so that a nation’s security apparatus may, so to speak, “play on the same field” as those who seek to harm the nation.

In the physical world, national defense was thought of in terms of tanks, ships, jets and rifles. Ownership of these tools was restricted to the nation state. In the cyber world, however, most of the networks in which operations are conducted are owned by private entities. This new paradigm will require a degree of integration of “private and public partnerships” into the national security framework that has not been seen before.

He writes of “computer network defense,” or CND, as “actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within the Department
of Defense information systems and computer networks.” This definition, written from a United States’ perspective, seems overly restrictive in a networked world, where the lines between “Department of Defense” and “other” systems are indistinct and immaterial.

Sheldon elaborates by defining “computer network operations,” or CNO, as being “comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.” This definition is not restricted to those networks belonging only to military and governments of nations. This is appropriate in the cyber world.

What is “Cyberspace”?

Some context is valuable. In the physical world, access to a given area, or even a nation, was normally provided through certain gates, or ports. These entry points were identified, and “advertised” in certain ways. Nations could defend these gateways. They could identify intruders. Doors could be closed. Guns could be trained on specific points.

The “New” Gates to nations are electronic, and carried by cable, but the concept is the same as in the physical world. Access to the Philippines, for example, from other nations is gained through one of six cables that connect the Philippines to the world. Should these cables be disrupted in some fashion, by the hands of man or nature, the Philippines will lose all connection to the rest of the world, and all but internal commerce and trade will stop. But the defense of these ports of entry is still feasible, and imperative. It simply must be done with the same tools and mindset of the attackers, adapting to the threats faced.

The threat constantly and rapidly changes

Philippine national security and national defense must take a “whole of society” mind set. It cannot any longer be the sole domain of those who wear uniforms, or serve in government.
The concept of “total war” in which civilian populations and civilian buildings were specifically targeted was clearly demonstrated in the American Civil War, as well as World War II. It finds application in the physical world today in the actions against terrorists, who kinetically target civilian populations to force governments to take certain actions.

The cyber arena is also one in which the idea of “total war” is played out. Networks are not the sole domain of the nation’s government. An attack that destroys the network owned by the power grid can break a nation’s will more quickly than a bombing sortie by an air force.

Uniformed services, such as the military and police, play a vital role in this defense of the nation, due to their ability to train and focus resources on issues. But other government offices play a role as well, through their regulatory, enforcement and licensing powers. Private industry is an equal partner due to its ownership of targets, but also because of its expertise and willingness to protect its trade.

This new dimension of national security and national defense requires an evolution of thinking. The “old” threats are still present. But the “new threats” require the national security professional to adapt to the new field. Together the nation must prepare for the new terrain. The nation’s security depends on it.

# # #
Philippine Cyber Security: General Situation
Angel S. Averia, Jr.

The paper is a post-write up of the presentation with the same title delivered at the seminar, “Towards ICTD and Cyber Security Enhancement”, held at the National Defense College of the Philippines on June 6-8 and 11, 2012.
____________________

What is Cyber Space?

Before we begin to gain an understanding and appreciation of the Philippine Cyber Security Situation, let us first try to gain an understanding of cyber space.

There is an abundance of literature that chronicles the development of the Internet that evolved into a platform host of what we know today as cyber space. In the earlier days of the Internet, the interconnectivity of independent networks allowed for the basic exchange and sharing of data/information between and among select groups of individuals. The development of packet switching, IP addressing, and domain name systems, among others, provided the building blocks of the Internet.

Advances in the development of applications like browsers, web-based applications, and search engines provided efficiencies in information sharing and independent search for information, ushering the transformation of the Internet into cyber space.

As electronic mail evolved in the Internet platform, groups or online communities started to develop and, with the development of enabling applications, transformed and expanded into what we now know as social networks. In the meantime, in parallel developments, online market places also started to evolve, triggering commercial and trading activities.

Cyber space has not been fully defined, but it exists. As a virtual domain, cyber space consists of physical, logical, and social components. [See: TRADOC Pamphlet 525-7-8, U.S. Army, Cyberspace Operations Concept Capability Plan 2016-2028 at www.fas.org/irp/doddir/army/pam525-7-8.pdf ]

The cyberspace components are:

1. Physical
   a. Geographic Locations – locations in the physical world where computers, electronic devices, networks, wired and wireless telecommunications facilities and infrastructure, people, communities, and organizations may be found.
   b. Networks – the interconnected information system networks and devices and telecommunications infrastructure that make up the internet and allow easy connectivity
2. Logical
   a. IP Address – the logical address of devices connected to the internet; such devices are used to access cyberspace
3. Social
   a. People and Juridical Entities – users in cyberspace
   b. Internet Identity – The identity of persons and organizations adopted by users in cyberspace, real or cloaked in anonymity

The illustration below presents a conceptual image of cyberspace:

Cyber space may be viewed as follows:
• a virtual domain where persons, natural or juridical, and communities operate,
• a venue for social interaction
• a new marketplace where products and services are traded
• the birthplace of a new global culture
• virtually reversed diaspora

Cyber Security Concerns

The internet is a vulnerable infrastructure. Its basic design goals are openness, ease of connectivity, physical resilience, and interoperability. Even as developers of devices and software adhere to security standards in designing new products, openness, ease of connectivity, and interoperability are paramount concepts that they have to meet. Security of devices, databases, and applications cannot be guaranteed a hundred percent.

As internet users became netizens taking advantage of the benefits that cyber space offered, the same virtual domain gave birth to a culture with malevolent designs. Over the last 2 decades we saw an increase in the volume, velocity, and sophistication of cyber attacks targeted at individuals, communities, and business and government organizations. At the extreme, some attacks are aimed at the destabilization of the state.

Status of the Philippine ICT Infrastructure

With the foregoing as background, we now look into the status of the Philippine ICT infrastructure.
There are presently 6 internet exchanges operated by telecommunications companies. These are not peered, so messages and data are routed globally before they reach the intended local destination.

Mobile devices and the use of the cloud infrastructure and social network sites have also been on the upswing.

Amid the positive developments in cyber space, malevolent activities have also been noted. In 2011 alone, 57 local cases of identity theft, hacking, scamming, harassment, estafa/fraud, pornography, and extortion were recorded. Many more have gone unreported.

Port 23/TCP scanning activities were also observed during the period December 1, 2011 to May 1, 2012. ICMP Port scan peaked at 14Mbps at 13:44 (GMT +8) on March 30, 2012. Port scanning is the precursor activity conducted by malevolent actors looking for vulnerabilities in networks prior to an attack.

Philippine TLD Among the Riskiest

In its Mapping the Mal Web Report, McAfee noted that the Philippine Top Level Domain (TLD) ranked 6th in 2009 among the riskiest TLDs in the world. In 2010, the Philippine TLD risk profile improved, ranking 25th.

Scarborough Shoal Territorial Dispute

As the dispute between the Philippines and China heated up, defacement activities between the two countries’ hacker groups were noted over the period April 20, 2012 to May 11, 2012, though attribution cannot be confirmed.

Hostage Incident

Rewinding to 2010, within two weeks following the hostage incident involving Hong Kong nationals at the Quirino Grandstand in Manila, defacements of national and local government websites were recorded.

More Web Defacements

The period 2011-2012 witnessed the defacement of a number of national and local government websites, including that of the Department of Transportation and Communication, Land Transportation Office, Vice President Binay’s website, and Bulacan government website.
On the weekend of June 2-3, 2012, the websites of the Department of Justice, the Philippine Drug Enforcement Agency, and the National Economic Development Authority were likewise defaced. The list also includes the following:
• Technical Education and Skills Development Authority
• Department of Health
• Department of Social Welfare and Development
• Bases Conversion and Development Authority
• Philippine Nuclear Research Institute
• Department of Trade and Industry
• Department of Interior and Local Government
• Philippine Information Agency
• Philippine Army, 4th Infantry Division in Mindanao
• Housing and Land Use Regulatory Board
• Office of the Ombudsman
• www.e.com.ph
• mandaluyong.gov.ph
• www.undp.org.ph
• www.bayan.ph/petition
• www.epa.org.ph
• www.philproperties.ph
• www.insurance.gov.ph
• www.popcom.gov.ph
• http://webgis.dost.gov.ph/mindanao

The Culprits

The perpetrators identified themselves as:
• PrivateX
• Philker
• iSKORPiTX - a Turkey based group of hackers
• China Hacktivist
• BatangMahiligMagbatibot
• Black AtTacKer
• MISTA Haxor
• Clienc0de bgh7 m3rcil3sS
• Freeman
• KuTaHYaLıBeLa
• team crimes linux -
• 1923Turk Grup
• Ha[c]kingFor[c]es
• Mr-CaCaRoTe
• Saudi Arabia Hackers
• Ma3sTr0-Dz

Phishing

Phishing, a type of social engineering attack, is designed to lure netizens to provide personal information. Phishers (as perpetrators of phishing attacks are referred to) masquerade by mimicking bank websites and request random targets to update their account information.

Three local universal/commercial banks were mimicked by phishers in 2011. Cost of damage is unreported as banks sought to protect their identities and reputation.
Spam

Spam is basically an unsolicited communication (email or text/SMS) sent to random targets, designed:
• To gather personally identifiable information and other sensitive data
• For commercial offers such as real estate, medicines (Viagra, Cialis, etc.), high end watches, and other products
• For fraudulent offers, like fake lottery

Cebu used to be the center of the commercial type of spam.

From snail mail to email, the Nigerian scam has also found its way into cyber space and has been translated into several languages. The Nigerian scam offers random targets access to large amounts of cash, which perpetrators claim to be funds provided by international funding agencies but which can no longer be returned to the donor. Random targets are asked to provide the perpetrators access to personal bank accounts where the funds can be remitted. To initiate the fund transfer, the perpetrators request the account owners to deposit a certain amount to fund the remittance fees.

Another kind of spam requests financial assistance from random targets using email addresses known to random targets. The sender reports that he is in a foreign country and has fallen victim to thieves and lost everything, including cash, credit and ATM cards, and passport.

Advanced Persistent Threats (APTs)

APTs are the most sophisticated type of attacks to date, reportedly sponsored by nation-states. APTs are targeted at governments, financial institutions, industrial concerns like power generators, nuclear facilities (e.g. Iran), research facilities (e.g. Oak Ridge National Laboratory), and information security companies (e.g. RSA), among others.

An example of an APT is Stuxnet. Analysts report that Stuxnet is a computer worm designed to target Siemens Industrial Software and Hardware. It reportedly includes a programmable logic controller rootkit, possibly a prelude to an artificial intelligence type of malware.
In the case of the Stuxnet attack in the Iranian nuclear refinement facility, the computer worm reportedly altered operational data to show normal operations when in fact operating conditions were altered. The attack was reportedly launched through social engineering. Since the facility is not connected to the telecommunications infrastructure, reports indicate that attackers used USB thumb drives as attack vectors. USB thumb drives with the payload were dropped in strategic places at or around the nuclear facility in the hope that facility workers would find them.

Flamer is reportedly a variant of Stuxnet.

Cyber Warfare, Cyber Terrorism

The 1st web war was launched against Estonia, the world’s most wired nation with unified services. The unified services that sit on Estonia’s ICT infrastructure put it at high risk of distributed denial of service attacks that crippled the nation’s integrated ICT infrastructure.
While the Philippines’s disjointed ICT infrastructure appears to be at low risk, it still faces the threat of a concerted DDoS attack.

National Security: Misuse, Abuse of ICT

ICT can be used as propaganda machinery and may be used to coordinate rebel activities. This has been demonstrated where mobile phones with unregistered prepaid SIM cards have been used to detonate improvised explosive devices.

Threats from Within

Global surveys have shown that internal users of information systems rank high in the vulnerability scale. Disgruntled workers may launch attacks on an organization’s information systems, abusing their access credentials/privilege. Information may also be accidentally disclosed. Information may be used for personal (financial) gain.

Readiness Assessment

As previously pointed out, the Philippines’s internet exchanges are not peered, exposing unencrypted data in transit to risks of pilfering as it traverses the global internet infrastructure.

Government agencies face risks as evidenced by defacement of websites – an indicator of weak information security practice.

Human capacity – skills and practice – needs to be enhanced.

Acquisition of technology resources is challenged by budgetary constraints. Government officials and workers use free email (Gmail and Yahoo, among others) to exchange data and messages.

Information Security Practice

To improve the country’s information security posture, government needs to look outside of its borders. Some countries have set out to develop and implement information security plans and programs through the creation of information security agencies mandated to address information security concerns.
Examples are:
• Korean Information Security Agency
• Cyber Security Malaysia
• Pakistan Information Security Agency

Solutions and Practices

The country needs to:
• establish and implement a well-defined set of information security policies and measures;
• develop and disseminate information security awareness programs;
• adopt and implement Information Security Management Systems in national and local government agencies, offices, and instrumentalities;
• use technology solutions such as intrusion detection and prevention systems, firewalls, and other security solutions, and consider other security measures to reduce and/or mitigate risks as migration to cloud services is considered; and
• adopt and institutionalize risk management practice

Where are we?

The Electronic Commerce Act or Republic Act No. 8792 was enacted in 2000. Section 33 of said law treats hacking or cracking as a criminal act:
• unauthorized access into a computer system/server
• unauthorized access into an information and communication system
• interference in a computer system/server
• interference in an information and communication system
• any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices
• the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic document

The law, however, does not provide definitions for:
• unauthorized access
• interference
• virus

A year after the enactment of RA 8792, the Supreme Court promulgated the Rules on Electronic Evidence. There is, however, a need to train judges and lawyers.

Proposed Legislation

A Cyber Crime Bill is under consideration in Congress. The bill provides the following features:
• Definition of illegal acts targeted at the integrity, confidentiality, and availability of information systems and data that reside in them:
  o Illegal Access
  o Illegal Interception
  o Data Interference
  o System Interference
  o Cyber Squatting
  o Misuse of Devices
• Definition of other illegal acts committed with the use of computers and the internet:
  o Computer-related Forgery
  o Computer-related Fraud
  o Cybersex
  o Child Pornography (in relation to RA 9775)
  o Unsolicited Commercial Communications
  o Libel (RPC Art. 355)
• Definition of other illegal acts:
  o Aiding or Abetting in the Commission of Cybercrime
  o Attempt in the Commission of Cybercrime

The proposed law also prescribes penalties for the illegal acts. Other features included are:
• Restricting or Blocking Access to Computer Data. – When a computer data is prima facie found to be in violation of the provisions of this Act, the DOJ shall issue an order to restrict or block access to such computer data.
• Creation of a Government Agency: Cybercrime Investigation and Coordinating Center (CICC), among the functions of which is:
  o To formulate a national cyber security plan and extend immediate assistance for the suppression of real-time commission of cybercrime offenses through a computer emergency response team (CERT);

Status of ICT Related Bills:
• Data Privacy – went through the Bi-Cameral Conference Committee on May 24, 2012
• Cybercrime Bill – went through Bi-Cameral Conference Committee on May 31, 2012
• Awaiting ratification of the Bicam Reports
• Will be endorsed to the President for promulgation into law after ratification

Capability Building

The Criminal Investigation and Detection Group of the Philippine National Police, over the last decade, has been building capacity and capability in addressing and investigating cyber crimes. It has established digital forensics laboratories in Cebu, Davao, Legaspi, Zamboanga, and in Quezon City.

The National Bureau of Investigation has also created its Cyber Crime Unit and is presently building digital forensics capability.

The Department of Justice has also launched a training program for prosecutors.

Cyber Space Needs

To recap, the country needs:
• A Central Authority that will address Cyber Security
• A cohesive Cyber Security Framework
• Cyber Security Plans and Programs
• Information Security Practice
• Response Capability
• Address cyberspace security as a national security issue
• Create and promote awareness among citizens
• Collaborate with local and international experts and organizations

_______________
The author is President, Philippine Computer Emergency Response Team (PhCERT), Business Continuity Planning and Senior Information Security Consultant, Rigeltech IT Consultancy. He is also a Resource person of the Supreme Court’s Subcommittee on e-Commerce and Resource person of the Technical Working Group, House of Representatives and Senate, that assisted in the drafting of ICT related bills.

About PhCERT

The Philippine Computer Emergency Response Team (PhCERT) is a volunteer group of information security professionals and practitioners, responding to information security incidents. As a member of the Asia-Pacific Computer Emergency Response Team (APCERT), it serves as the country’s point-of-contact, coordinating and collaborating with APCERT’s member economies and CERTs in other countries outside of the Asia-Pacific Region in addressing and resolving information security incidents. PhCERT also participates in policy development and legislation, conducts information security awareness programs, and provides consultative assistance in building incident response capabilities.
Historical Notes on Technology and Cyber Security Initiatives
Dr. Lorenzo A. Clavejo, DPA

Introduction

This is an article written not to present a technical exposition or an in-depth treatise on a very challenging subject matter – Cyber Security, but a thinking aloud process of an IT user, an inquiry of where we are heading to with our cyber security discourses and the multiplicity of institutional initiatives we have noted within and outside our country. This article, therefore, does not reflect any official perspective but that of the author’s personal reflection. It does, however, present some courses of action and institutional initiatives applicable to all netizens of the world.

Some Initiatives and Courses of Action

Four months ago, last August 7-8, 2012, the APEC Ministers tasked for the Telecommunications and Information Industry convened in St. Petersburg, Russia, and came up with the firm commitment with their declaration “Building Confidence and Security in the Use of ICT to Promote Economic Growth and Prosperity.” One of the highlights of this declaration was the collective realization that there is a need to elevate the level of cyber security awareness and collaborate in the efforts of enhancing this awareness through such recognition as the APEC Cyber Security Awareness Day.

Consequently, October 29, 2012 marked the third annual APEC Cyber Security Awareness Day with respective national efforts in upgrading the awareness level of the people on Cyber Security. Thus, the APEC Telecommunications and Information Working Group came up with the Cybersecurity Top Tips that highlighted the following:

A. Use Strong Passwords and Keep Them Secure: Use passwords that have at least eight characters and include both numbers and symbols.
   - Change your password regularly, at a minimum every 90 days.
   - Keep your password safe. Do not share it on the internet, over the phone, or over email.

B. Use Security Technology and Keep It Up to Date: Protect your computer and all devices that connect to the Internet by using firewalls, anti-virus, anti-spyware and anti-phishing technology.
   - Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
   - Ensure your system and these programs are regularly updated and patched to guard against known vulnerabilities.

C. Stay Safe Online: Think before you act; do not open attachments or open links sent by individuals who are unknown to you or that you were not expecting.
   - Do not provide unnecessary private personal information on the net.
   - Monitor your children’s internet activities.
   - When available, set the privacy and security settings on websites to your comfort level for information sharing.

D. Secure wireless networks: Minimize the risk on your wireless network by enabling encryption, changing the default password, changing the Service Set Identifier (SSID) name (which is the name of your network) and using the MAC filtering feature, which allows you to designate and restrict which computers can connect to your wireless network.

E. Be a Good Online Citizen: Safer for me, more secure for all: What you do online has the potential to affect everyone – at home, at work and around the world.
   - Practicing good online habits benefits the global digital community.

In addition to these top tips disseminated through various posters and national advisories by the APEC member countries, the various working groups of APEC likewise intensified their courses of action and initiatives. Such APEC working groups include the Security and Prosperity Steering Group, whose scope of work focuses, among others, on the following:
• Promoting security, trust and confidence in networks / infrastructure / services / technologies / applications / e-commerce;
• Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs);
• Spam/Spyware;
• Cybercrime prevention;
• Human resource development and capacity building on combating cybercrime and implementing effective cyber security awareness initiatives; and
• Business facilitation through discussions with the private sector on promoting security, trust and confidence in the use of ICT for business and trade.

And what is Cyber Security then, in the eyes of researchers, policy analysts, and planners who are IT users and consumers?
Thinking Aloud in the Market Place of Ideas

For the past several years, since I came across such contingency challenge of the IT Industry, with the much anticipated computer glitch on the cross over year of 2000, globally termed “Y2K”, IT practitioners and users have sustained that level of sophistication and technical expertise that somehow an ordinary computer literate person, like me, would stop and listen if only to learn some lessons on cyber security and its trajectory in the future. I have stopped being intimidated with terminologies such as URL, PDF, or getting into the superhighway with such esoteric concepts as protocol, lynx, mosaic, Mozilla’s Firefox, Safari and their related concepts. Over the years, my IT user’s instinct taught me to instead focus on what I could avail of in preparing reports, graphical illustrations and tabular presentations of studies and researches, and on knowing the basic difference between an open office system and the Windows and the Microsoft systems.
What has changed over the years in this perspective, as probably shared by the cohorts of good netizens, are the anxiety and apprehensions that real international cyber threats and cyber crimes, which affect not only individuals but strategic institutions and organizations anywhere and everywhere, are rushing in much faster than the concerted efforts of putting up firewalls, virus scans and other preventive measures to combat these real cyber threats. Raising the alarm and providing advisories have become the regular activities of many institutions, not only government agencies but also the business sector and private enterprises, ranging from food, water supply, medicines, power and energy supplies, banking and finance, and trading, among others.

In fact, in the Philippines, our Congress has just enacted the Law on Cyber Crimes. And faster than its application on the ground was the flurry of dissenting opinions and opposing views of how to apply the same. Thus, cyber defence in the context of those defined cyber crimes has now become the subject matter of the continuing discourses among policy makers, policy implementors, law enforcers and businessmen both in the urban setting as well as in the rural environment of the country.

Cyberspace is certainly expanding very fast to encompass the whole globe, from Asia to Africa, from the Americas to Europe, and from insular and littoral states to mainland and continental countries. Our ball park estimates would indicate that there are more than a billion netizens, with mobile Internet promising to double that number; data and processes moving to the cloud; an Internet of things, with email addresses created or invented; business and government agencies digitizing their core processes; and even online elections in some countries, to include the Philippines.
To better understand the future direction of cyber conflicts, from our own limited perspective and level of experience as ordinary IT users, as distinguished from those IT experts and specialists who are the sources of our information, advisories and courses of action, we must listen to them and follow their advisories, what with their wider glance and extensive experiences. On the other hand, the limited information being shared as well as the narrow perspective we developed could also be the source of our anxieties and apprehensions.

With the number of focused group discussions and conferences that have been convened over the past decades, the focus has been much on the technology and comparatively too little on the broader security issues and corollary implications. Looking back in the past, the industrialization in the 18th to 19th centuries started a process which led on the one hand to the West overtaking the Rest in wealth creation and ultimately in power and influence over the world’s resources. This was then the divide. Unfortunately, it also created the instruments and vehicles for the industrialization of death and destruction in World Wars I and II. Consequently, it would be naïve to think that technology enhances and facilitates wealth creation alone. For history has taught us some lessons that it also matters strategically, politically and morally.

We need to keep in mind the bigger picture and what is at stake when we discuss different civilizations and nations’ assumptions about the nature of technology such as now applied in the cyber space. These assumptions would define and describe that trajectory in terms of how the internet will be applied by some countries over other countries.

The physical and the cyber worlds are converging and boundaries between the "cyber" and the "real" world have started to disappear. This in turn implies a convergence between cyber security and overall global security. And whether we realize it earlier or later, we have entered into that age that does not anymore invent nor create “future shocks” in the words of Alvin Toffler, but in the paradigm shift of cyber security initiatives for a better world to live in. To many students of society, like us, perhaps understanding cyber space and information highway would be a good starting point. Perhaps, we can still say we trust in the goodness of man as a rational being, but we have to hastily add, however, that we must also realize that technology is very much neutral with its uses and applications, for the driving forces and assumptions in the cyber space are dictated by conflicting interests and opposing world views. Perhaps, this is just an afterthought of reading Samuel Huntington’s clash of civilizations. Thinking aloud also necessitates allowing other ideas to sink into one’s liberal mind if only to be rational and proactive in the cyberspace.

# # #

________________
Dr. Clavejo is connected with the National Security Council, as Director of Planning and Management Staff, Strategic Planning Office (PMS/SPO). His public service spanned more than thirty years starting as a tax researcher, provincial and regional manager in a government corporation before joining the security sector services. He earned post-graduate courses as fellow on development planning at the ITC, Enschede, the Netherlands in 1984; the advanced National Security Course in the 1990s at the National Security Bureau (NSB) in Taiwan and the Advanced Security Cooperation Course at the Asia Pacific Center for Security Studies (APCSS), Honolulu, Hawaii, in 2009. Director Clavejo holds a post graduate degree, Master of Science in Economics from Asian Social Institute, Manila and a doctoral degree, Doctor of Public Administration, from the National College of Public Administration and Governance, University of the Philippines, Diliman, Quezon City (2008).
Cyber security: Perspectives on Attacks
John Peter Abraham Q. Ruero, PhD-Candidate, MSIM, ECE
VP for Information Systems Security Association (ISSA) Phil Chapter

Paper presented during the Seminar Towards Information and Communications Technology Development and Cybersecurity Enhancement on 6 June 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
________________

A lot has been said about cyber attacks—from simple website defacement to actual malicious activities like hacking, phishing, malware infection, and social engineering, and there seems to be a multitude of ways to gain access into computer systems without the approval or knowledge of systems and network administrators. These malicious hackers, known in the cybersecurity world as black hats, have proliferated throughout the world using a variety of sophisticated tools, and applying methods and techniques to perpetrate their “dark agenda”—either for financial gain, recognition, bragging rights, entertainment, and, more recently, the use of the Internet to promote a particular political, religious, social or scientific cause or ideology.

Recently, in the 2010-2011 Computer Crime and Security Survey Report, one key finding was that malware (short for malicious software) continued to be the most commonly seen attack, with 67.1% of respondents reporting it. Malware includes viruses, trojans and the like, capable of propagating malicious code into unsuspecting victims (that is, computer systems), thereby compromising critical information technology (IT) infrastructure.

Further, in the Symantec Internet Security Threat Report Trends in 2009, there were interesting highlights on global trends on threats in information security. For instance, Brazil ranked third behind the US and China in malicious activity in 2009.
One of the attacks in Brazil resulted in a massive power grid blackout, while another one resulted in the exposure of valuable data and a USD 350,000 ransom request after a government website was compromised where more than 3,000 employees were unable to access the site for more than 24 hours. In 2009, India also accounted for 15% of all malicious activity in the Asia Pacific-Japan region, an increase from 10% in 2008, which consequently earned India its title of being the third highest country of spam origin globally.

In January 2012, attack patterns like SQL injection attacks, in particular the Mass SQLi automated attacks such as the lilupophilupop, had infected approximately 1.17M sites, with the Netherlands topping the list, followed closely by Russia, France, Germany and the UK. In the same year, the geographic distribution of attackers came from the US (1st), Korea (3rd), France, Germany and Poland in the 4th-6th place, with a 26% unknown source of attacks (2nd). Russia, Thailand, Hongkong and Taiwan completed the top 10 list. In contrast, the US, Indonesia, the Slovak Republic, Malaysia, and Poland were the top five in the geographic distribution of victims. Most victimized applications per top remote file include (RFI) attempts were Joomla and WordPress. These were additional application vulnerabilities discovered on victimized servers.
On recent cyber attacks, most of the targeted ones were focused on enterprises, with 75% of enterprises surveyed experiencing some form of cyber attack in 2009.
• Targeted attacks using advanced persistent threats (APT) that occurred in 2009 made headlines in early 2010. Most notable of these was the Hydraq Trojan (a.k.a. Aurora). In January 2010, reports emerged that dozens of large companies had been compromised by attackers using this Trojan.
• In 2009, 60 percent of identities exposed were compromised by hacking attacks, which are another form of targeted attack. The majority of these were the result of a successful hacking attack on a single credit card payment processor. The hackers gained access to the company’s payment processing network using an SQL-injection attack. The attackers then installed malicious code designed to gather sensitive information from the network, which allowed them to easily access the network at their convenience. The attacks resulted in the theft of approximately 130 million credit card numbers.

Despite their beliefs, industry data shows the number of organizations under attack is closer to 100% (Fallon, 2012). Some companies are fighting intrusions and spend USD 50,000—100,000 a week (Baker, 2012).

Web-based attacks take on all corners as well.
The top Web-based attacks observed in 2009 primarily targeted vulnerabilities in Internet Explorer and applications that process PDF files, namely:
• Microsoft Windows SMB2 ‘_Smb2ValidateProviderCallback()’ Remote Code Execution
• Adobe Reader and Flash Player Remote Code Execution
• Microsoft Internet Explorer 7 Uninitialized Memory Code Execution
• Microsoft Windows ‘MPEG2TuneRequest’ ActiveX Control Remote Code Execution
• Adobe Reader Collab ‘getIcon()’ JavaScript Method Remote Code Execution

Hackers are not only exploiting vulnerabilities of the operating systems, web browsers, and web applications by using sophisticated coding techniques. They also have at their disposal a toolkit that allows people to customize a piece of malicious code designed to steal data and other personal information. One such toolkit is called the Zeus crimeware kit, or simply Zeus kit. It can be purchased for as low as USD 700. Crimeware kits like Zeus make it easier for unskilled attackers to compromise computers and steal information, and also allow anyone who buys them to customize them based on the attackers’ own needs. In 2009, Symantec observed nearly 90,000 unique variants of the basic Zeus toolkit, and Zeus was the second most common new malicious code family observed in the Asia Pacific-Japan region.

The attacks keep going; the more recent ones include large commercial banks, government sites, social network sites, and, the biggest irony of it all, RSA was attacked.

An increasing number of services offered in the cybercrime underground allow miscreants to purchase access to hacked computers at specific organizations. For just a few dollars, these services offer the ability to buy your way inside of Fortune 500 company networks. (Wilson, cited in Krebsonsecurity, Oct 2012).
What do these attackers get from stealing information from compromised systems? The obvious reason is that the stolen information can be bought in the underground economy. It has become easier, even for neophytes, to operate in an online underground economy. The table below may give a “fairly good incentive” to these cybercriminals, as there is no financial crisis to think of.

Table 1: Goods and Services Advertised on Underground Economy Servers
(From Symantec Global Internet Security Threat Report Trends for 2009)

Security Goods and Services Advertised on Underground Economy Servers*

Overall Rank                                               Percentage
2009   2008   Item                                         2009   2008   Range of Prices
1      1      Credit card information                      19%    32%    $0.85–$30
2      2      Bank account credentials                     19%    19%    $15–$850
3      3      Email accounts                               7%     5%     $1–$20
4      4      Email addresses                              7%     5%     $1.70/MB–$15/MB
5      9      Shell scripts                                6%     3%     $2–$5
6      6      Full identities                              5%     4%     $0.70–$20
7      13     Credit card dumps                            5%     2%     $4–$150
8      7      Mailers                                      4%     3%     $4–$10
9      8      Cash-out services                            4%     3%     $0–$600 plus 50%–60%
10     12     Website administration credentials           4%     3%     $2–$30

What can be done?

As the attacks proliferate, what can be done to minimize, if not eliminate, attacks that come from all fronts? What options are available? There are some methods that may be considered, and one of the more effective ones is to follow the three levels of responses known as the PDAD approach.

a. Protect the critical information and technology infrastructure through the use of firewalls, intrusion detection and prevention systems, antivirus and anti-spam software utilities, monitoring tools, etc.

b. Detect malicious codes through the use of security analytics software, forensics, and deep analysis down to the packet level.

c. Active Defense, which is a “military-style” approach through the use of intelligence tools and techniques to anticipate attacks, as well as effectively stop and potentially identify attackers once discovered in the infrastructure. This revolves around the concept of self-defense as a necessity—in order to interrupt an in-progress cyber attack and mitigate immediate harm to the target system, especially to protect critical infrastructure.

Besides the PDAD approach, another effective method is to employ IT and security best practices in enterprises and community, including consumer best practices. Security technologies that rely on signatures should be complemented with heuristics, behavioral monitoring techniques, and reputation-based security.

Generating awareness, training, and curricular reforms should integrate IT security as a core, and the exposure and immersion of the business, government, and academic communities in security technologies. Laws, policies, and regulations concerning cybersecurity need to be evaluated for their influence on how people use or misuse electronic information. Political forces need to be marshaled to support and fund the many lines of research that will be needed to accomplish the complex task of protecting cyberspace from attack.

Attacks can come from all fronts. Although the forms, shape, technologies, and consequences may have changed dramatically, the motivations of the hackers and the hacking community still remain the same.

Remember that security is everybody’s business.

# # #

_____________________
John worked in IBM, Oracle, Misys, Accenture, and Macquarie Offshore Services holding positions of progressive responsibility, namely systems engineer, IT Manager, technical support, project manager, consultant, trainer, Associate Director, and others. He has taught in DLSU, ADMU, UAP, UIC and SISC. He is a PhD Candidate of Educational Leadership & Management in DLSU. He earned MS Information Management in ADMU, and BS ECE in DLSU. He is the VP of Information Systems Security Association (ISSA) Philippine chapter, and VP Externals of Philippine Society of IT Educators (PSITE). John has been involved in Information Security since 2005.
Cyberwar and Rules of Engagement
Drexx D. Laggui CISA, CISSP
_____________________

Definitions

CYBERWAR is generally defined as a hostile, state-sponsored operation to conduct sabotage, espionage, or subversion through information systems, the Internet, or other telecommunications media referred to as cyberspace. Another widely accepted definition of "cyberwar" is the use of the Internet and related technological means by one state against political, economic, technological and information sovereignty and independence of any other state[1].

The employment of the word "war" is derived from a description of a conflict between state or non-state peoples, declared or undeclared actions, and highly-organized, politically controlled wars as well as culturally evolved, ritualistic wars and guerilla uprisings, that appear to have no centrally controlling body and may perhaps be described as emerging spontaneously[2].

Further, when considered from a strategic point of view, war in this context is an actual, intentional and widespread conflict between political communities [3], with the less violent design[4] of:
- crippling economies,
- manipulating political views,
- undermining the authority of a state,
- disturbing a state's relationship among its allies,
- reducing a state's military efficiency if not their effectiveness in physical combat domains,
- equalizing the fighting capacity of richer nations to that of third-world nations, and
- denying access to a nation's critical infrastructure so they can be coerced to obey a dictated action.

Long-term threats

The conduct of cyberwar is an attractive option to a state because it is a relatively cheap activity with remarkable benefits, vis-à-vis very low short-term risks to the lives of its attacking combatants.
However, the "use of force" in cyberspace can have violent or crippling effects in the physical world of the state's targets. As an identifiable long-term threat against Philippine national security, it is often misunderstood and thus not managed correctly, simply because cyber warriors are typically anonymous, and because individual users of ICT (information and communications technology) assets believe that they are very familiar with technology and that ICT administrators can control cyber attacks in an ad hoc manner. The human mind reacts slowly to long-term risks, hence the unfortunate realization that many elderly statesmen view cyberwar as merely an abstraction restricted to the imagination of science fiction writers.

The paradigm behind cyberwar is not a concept born out of a vacuum. Recent developments reported in international news media bring to light the beginning, but dramatically improving, capabilities of state actors. Famous examples include:
- 2003 to 2006: Titan Rain was the designation given by the US government to a series of coordinated attacks on American computer systems by China [5].
- 2007: A three-week wave of massive cyber-attacks on Estonia by Russia, the first known incidence of such an assault on a state, caused alarm across the Western alliance, with NATO urgently examining the offensive and its implications [6].
- 2008: Weeks before bombs started falling, attacks against Georgia’s Internet infrastructure were conducted by Russians. The cyberwar had the effect of silencing the Georgian media and isolating the country from the global community. Furthermore, the Georgian population experienced a significant informational and psychological defeat, as they were unable to communicate what was happening to the outside world [7].
- 2009: GhostNet is the name given by the Information Warfare Monitor to a large-scale espionage operation by China. High-value targets included ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters [8].
- 2010: Stuxnet is a highly sophisticated computer worm, by Israel and the USA, that sabotaged the uranium enrichment equipment of the Natanz nuclear facility in Iran [9]. This operation was deemed a cheaper alternative to sending attack aircraft to bomb the nuclear facility.
- 2011 and 2012: Duqu was found in 2011 [10], and Flame in 2012 [11]. Both worms are related to Stuxnet.
- 2011: The Syrian Electronic Army used DDoS attacks, phishing scams, and other tricks to fight opposition activists where they're strongest, which is online[12]. Syrian President Bashar al-Assad's forces are currently in a state of civil war, and determined to defeat the protest movement that toppled fellow dictators in Egypt, Libya, and Tunisia.
- 2012: Here at home, a barrage of website vandalisms and e-mail intrusion attempts were experienced and are correlated with the diplomatic tensions between the Philippines and China arising from territorial disputes in the West Philippine Sea. The events are tracked and reported by local news media[13].
Known State Actors

Several nations have declared their respective government policies and military strategies on cyberwar. Basically, these nations have come up with their cyberwar doctrines and their rules of engagement, defined what can constitute an act of war, and established the proper measures to take in response.

The North Atlantic Treaty Organization (NATO) has established a strategic concept for the defense and security of their member states. On 19 November 2010, NATO stated that "We will ensure that NATO has the full range of capabilities necessary to deter and defend against any threat to the safety and security of our populations. Therefore, we will...develop further our ability to prevent, detect, defend against and recover from cyber-attacks, including by using the NATO planning process to enhance and coordinate national cyber-defence capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations[14]."

Also in the latter part of 2010, U.S. DoD Deputy Secretary William J. Lynn III said that "the Pentagon has formally recognized cyberspace as a new domain of warfare. Although cyberspace is a man-made domain, it has become just as critical to military operations as land, sea, air, and space. As such, the military must be able to defend and operate within it. To facilitate operations in cyberspace, the Defense Department needs an appropriate organizational structure." [15]

On May 21 of 2010, the U.S. Cyber Command (USCYBERCOM) achieved their initial operational capability, with General Keith Alexander as their commander [16]. USCYBERCOM is a sub-unified command subordinate to U.S. Strategic Command (USSTRATCOM). Their mission statement is "USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."

The work focus is that "USCYBERCOM will fuse the Department’s full spectrum of cyberspace operations and will plan, coordinate, integrate, synchronize, and conduct activities to: lead day-to-day defense and protection of DoD information networks; coordinate DoD operations providing support to military missions; direct the operations and defense of specified DoD information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations. The command is charged with pulling together existing cyberspace resources, creating synergy that does not currently exist and synchronizing war-fighting effects to defend the information security environment. USCYBERCOM will centralize command of cyberspace operations, strengthen DoD cyberspace capabilities, and integrate and bolster DoD’s cyber expertise. Consequently, USCYBERCOM will improve DoD’s capabilities to ensure resilient, reliable information and communication networks, counter cyberspace threats, and assure access to cyberspace. USCYBERCOM’s efforts will also support the Armed Services’ ability to confidently conduct high-tempo, effective operations as well as protect command and control systems and the cyberspace infrastructure supporting weapons system platforms from disruptions, intrusions and attacks."
In the United Kingdom, the UK Cyber Security Strategy [17], published in November 2011, called for the creation of a dedicated and integrated civilian and military capability within their MoD, and the setting up of the Defence Cyber Operations Group (DCOG)[18]. An interim DCOG is supposed to be in place by April 2012, and is expected to achieve full operational capability by April 2014. The DCOG "will include a Joint Cyber Unit hosted by GCHQ at Cheltenham whose role will be to develop new tactics, techniques and plans to deliver military effects." "A second Joint Cyber Unit embedded within the centre at Corsham will develop and use a range of new techniques, including proactive measures, to disrupt threats to (UK's) information security." Basically, DCOG is developing an offensive capability to respond to UK's enemies who are trying to launch attacks against their critical infrastructure, detect and disrupt espionage operations, or disable weapons of mass destruction through cyber attacks.

Many counter-terrorist operators in the world appreciated a taste of British humor when MI6's "Operation Cupcake" became public in June 2011 [19]. British intelligence penetrated an al-Qaeda online magazine and replaced bomb-making instructions with a recipe for cupcakes.

Australia's Cyber Security Operations Centre (CSOC), based within the Defence Signals Directorate (DSD), focuses on identifying and responding to cyber incidents of national significance[20]. It is interesting to note that the language used by CSOC is less aggressive than that of their American and British counterparts.

Unit 8200 is from Israel, and is known to be one of the most active and advanced groups of cyberwar operators in the world[21]. Although they are the largest unit in the Israel Defense Forces (IDF), and their alumni have started up many international high-tech companies like Check Point Software Technologies, there is not much information known about them. It is observed that their missions fit Israel's defense doctrine very well, including the conduct of pre-emptive strike operations, and that any combat should take place on enemy territory as much as possible.

In the South East Asian region, South Korea's Ministry of National Defense [22] launched a Cyber Command in January 2010, under the control of their Defense Security Command (DSC). They also added that with their 200 specialists, they have the capability to conduct both defensive and offensive cyber operations, under the direction of the defense minister.

Meanwhile, North Korea's Reconnaissance Bureau of the General Staff Department [23] is credited with capabilities trailing only those of the Americans and the Russians [24]. From April 28 until May 13 of 2012, GPS signals were jammed in S. Korea by the electronic combatants of N. Korea, causing difficulties in air and marine traffic controls.

Senior Colonel Geng Yansheng, spokesperson for China's Ministry of National Defense as well as director-general of the Information Office of the Ministry of National Defense, announced in May 2011 that their People's Liberation Army (PLA) established an "Online Blue Army" in order to enhance Chinese troops' network protection only [25]. Many observers worldwide, however, believe that this unit of at least 30 operators, organized under the Guangdong Military Command, is an essential part of the Chinese assets responsible for being the single largest source of cyber attacks [26].
Very recently however, Chinese telecom companies Huawei and ZTE have been tagged by the U.S. Congress as a security threat to the critical infrastructure of the United States, for providing equipment that is alleged to be capable of relaying American secrets back to China. In their intelligence report, the Americans state that "China has the means, opportunity and motive to use telecommunications companies for malicious purposes." "Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems," the report says [27].

Casus Belli

Article II, Section 2, of the 1987 Constitution of the Philippines states that our nation "renounces war as an instrument of national policy, adopts the generally accepted principles of international law as part of the law of the land and adheres to the policy of peace, equality, justice, freedom, cooperation, and amity with all nations" [28]. Article II, Section 7 also says that "The State shall pursue an independent foreign policy. In its relations with other states, the paramount consideration shall be national sovereignty, territorial integrity, national interest, and the right to self-determination."

The Philippines is a very peaceful nation, and throughout history, it has never even dreamt of occupying another nation-state. On the contrary, the Philippines has been occupied by other nation-states in its hundreds of years of existence as a nation.

The rejection of war as a national policy is consistent with the Charter of United Nations, which says in Chapter I, Article 1, that "All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations" [29].
However, the 1987 Constitution of the Philippines only disowns aggressive war, but not defensive war, which will only be for the preservation of national honor, integrity, and the security of the Filipino. The nation-state of the Philippines will not waive the fundamental right of self-preservation.

President Benigno S. Aquino III upholds the 1987 Constitution by documenting his statement of principles in his National Security Policy 2011-2016, saying that "The Philippines needs to develop a defensive capability against perceived or real external security threats" [30]. The National Security Policy intends to promote internal socio-political stability by: ensuring the effective delivery of basic services; helping to protect the nation's natural resources and reducing the risks of disasters; promoting economic reconstruction and ensuring sustainable development through increased investments in critical infrastructures; pursuing reforms in the security sector; strengthening institutions and internal mechanisms to safeguard public order and security; contributing in the strengthening of the rule of law throughout the country; promoting the peace process as the centerpiece of the Internal Security Program; and launching a holistic program to combat terrorism. The National Security Policy also wants the Philippines to develop a defense capability to protect its sovereignty and strategic maritime interests.

The term "critical infrastructure" was officially defined and recognized back on 24 September 2003 when the Cabinet Oversight Committee on Internal Security (COC-IS) created the Task Force for Security of Critical Infrastructures (TFSCI), headed by Undersecretary Abraham Purugganan [31]. Critical infrastructures are vital not only for economic growth and development, but also as necessary means for the conduct of each Filipino's daily life. Critical infrastructure includes assets or facilities for: energy generation, transmission and distribution; information and communications systems; transportation systems; public health facilities; financial services; government public safety and emergency services; agriculture and food production and distribution; strategic commercial centers; as well as religious and cultural centers. TFSCI, now defunct, then coordinated all government efforts to manage and mitigate any threats against the critical infrastructure, as those are deemed threats to the national security of the Philippines.

Any threat or attack conducted through cyberspace against the national security of the Philippines should be identified, assessed, and then mitigated, if not eliminated. These threats involve espionage, terrorism, sabotage, or subversive activities.

If an attack through the domain of cyberspace by another state yields death or physical injury of people, property damage, disruption of critical infrastructure, overthrow of the legitimate government of the Philippines, or hostile disclosure of state secrets, with an outcome equivalent to a conventional military attack, then that event should merit an appropriate military action. The amount of damage caused by the cyber attack, whether actual or implied, should be used as a metric as to what will justify proper retribution.

To add to previously mentioned real-world examples of cyberwar operations, other scenarios that could cause harm to the national security of the Philippines include, but are not limited to: opening of dams to intentionally drown entire communities; disruption of air traffic navigation controls to cause chaos in, or death from, the skies; suppression of TV or public radio infrastructure; theft of confidential e-mail containing state secrets regarding the diplomatic position of the Philippines versus China, in relation to disputes in economic trade as well as territories in the West Philippine seas; as well as hijacking of phone and Internet assets for espionage purposes.

The guidelines set by the National Security Policy of President Aquino may be interpreted to allow only the undertaking of defensive actions in a foreign state, or if within the Philippines, only if reliable intelligence reports indicate that there is a clear and present danger against national security that would have disastrous consequences like death or loss of critical infrastructure. This practically means that the Armed Forces of the Philippines may not be tasked to employ kinetic weapons against the aggressor, but instead employ cyberwar operations to stop the source of cyber attacks.

Rules of Engagement (ROE)

The directive that controls the use and degree of force, how and when, for what duration and what target, and that generally specifies the circumstances and limitations for engagement, is called the Rules Of Engagement. The complexity and technical aspect of a cyber attack operation, coupled with the fact that targets may appear or disappear in a matter of seconds, would require careful planning and development of the ROE.
Guidelines for crafting the ROE

ROE must take into consideration all applicable domestic and international law, operational concerns, and political considerations [32]. The recommended underlying doctrine for drafting the ROE should be Bellum Iustum, or the Just War theory. Part 3, Section 2, Chapter 2, Article 5, Paragraph 2309, from the Catechism of the Catholic Church [33], gives us the following "conditions that are subject to the prudential judgement of those who have responsibility for the common good."
- The damage inflicted by the aggressor on the nation or community of nations must be lasting, grave, and certain;
- All other means of putting an end to it must have been shown to be impractical or ineffective;
- There must be serious prospects of success;
- The use of arms must not produce evils and disorders graver than the evil to be eliminated.

In general peacetime conditions, which the Philippines expects to find itself in most of the time, the ROE is to be dictated by the principles of necessity and proportionality [34].

"Necessity" means that cyber operations conducted in self-defense require that a hostile act occur (i.e. acts of espionage, sabotage, or subversion), or that a force or terrorist unit exhibit hostile intent. An example would include a cyber attack on a positively identified target that has been qualified by reliable intelligence reports.

The "proportionality" principle states that the force used must be reasonable in intensity, duration, and magnitude, based on all facts known to the cyber commander at the time, to decisively counter the hostile act or hostile intent.

Components, other than hostile threat or hostile act, that affect the principles of necessity and proportionality may include:
- Threat sources and their identification, capabilities of the adversary, characteristics of adversary's intent, how the adversary analyzes their target, and range of effects for non-adversarial threat sources
- Threat event identification, and its relevance
- Vulnerabilities of Philippine critical infrastructure and other assets affecting national security, pervasiveness and severity of the said vulnerabilities
- Likelihood of the hostile threat to occur
- Impact or effects on critical infrastructure and other assets affecting national security

After the ROE has been analyzed, and permissions have been granted to the cyber combatant by the commander, the following steps may occur in the cyber attack:

Set Mission Objectives > Establish Baseline Condition of Targets > Recon: Research Target Information > Discover and Assess Vulnerabilities > Analyze Situation; Plan Attack > Execute War Plans; Exploit Vulnerabilities; Escalate System Privileges > Re-Engage Other Targets > Produce Analysis and Report > Re-Set Targets Information Systems to Original Condition (Optional)
Conclusion

Mary Ann Davidson, the Chief Security Officer of Oracle Corporation, testified on 10 March 2009 to the Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. She says that there are a few challenges when applying the Americans' Monroe Doctrine to cyberspace [35].
- Credibility: the deterrence strategy needs teeth to be credible.
- Invocation Scenarios: there should be an escalation framework, where some instances can invoke cyberwar.
- Attribution: Detecting attacks is hard enough already, and attributing them correctly is even harder, but not impossible.

Taking into consideration those technical and ethical challenges, the unsettled doctrine guiding cyberwar, and the unformulated jus ad bellum of cyberwar, while state and non-state actors in cyberspace build up their capacity for initiating threat events, the time to recognize cyberspace as a new combat domain is now.

The correct time to investigate the Philippine capacity to engage in cyberwar should be prior to the conduct of cyber operations, not during an emotional or desperate situation, or after being shamed on the international scene. The Philippines has all the pieces to put a Cyber Command in place, and can have it done right from the start, to engage, sustain, and achieve objectives in cyberspace.

# # #

Endnotes

[1] Alexander Merezhko; International Convention on Prohibition of Cyberwar in Internet; http://www.Politik.org.UA/vid/publcontent.php3?y=7&p=57
[2] Alexander Moseley; The Philosophy of War; http://www.IEP.UTM.edu/war/
[3] Brian Orend; War; http://Plato.Stanford.edu/entries/war/
[4] Sandro Gaycken; Cyberwar – Das Internet als Kriegsschauplatz; https://www.OpenSourcePress.DE/index.php?26&tt_products=313
[5] Nathan Thornburgh; The Invasion of the Chinese Cyberspies; http://www.Time.com/time/printout/0,8816,1098961,00.html
[6] Ian Traynor; Russia Accused Of Unleashing Cyberwar To Disable Estonia; http://www.Guardian.co.UK/world/2007/may/17/topstories3.russia
[7] Capt. P. Shakarian; The 2008 Russian Cyber Campaign Against Georgia; http://USACAC.Army.mil/CAC2/MilitaryReview/Archives/English/MilitaryReview_20111231_art013.pdf
[8] Information Warfare Monitor; Tracking GhostNet; http://www.InfoWar-Monitor.net/research/
[9] Nate Anderson; Confirmed: US And Israel Created Stuxnet, Lost Control Of It; http://Arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/
[10] Budapest University of Technology and Economics; Duqu: A Stuxnet-Like Malware Found In The Wild; http://www.CrySys.HU/publications/files/bencsathPBF11duqu.pdf
[11] Kim Zetter; Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers; http://www.Wired.com/threatlevel/2012/05/flame/
[12] Max Fisher & Jared Keller; Syria's Digital Counter-Revolutionaries; http://www.TheAtlantic.com/international/archive/2011/08/syrias-digital-counter-revolutionaries/244382/
[13] Chiara Zambrano; Chinese Hackers Have More Sinister Plans; http://rp1.ABS-CBNnews.com/nation/04/27/12/chinese-hackers-have-more-sinister-plans-experts-warn
[14] NATO; Active Engagement, Modern Defence; http://www.NATO.int/cps/en/natolive/official_texts_68580.htm
[15] William J. Lynn III; Defending a New Domain; http://www.Defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx
[16] https://www.CYBERCOM.mil (Access restricted.)
[17] The UK Cyber Security Strategy; http://www.CabinetOffice.gov.UK/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
[18] http://www.MoD.UK/DefenceInternet/AboutDefence/WhatWeDo/DoctrineOperationsandDiplomacy/JFC/
[19] http://www.Telegraph.co.UK/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html
[20] http://www.DSD.gov.AU/infosec/csoc.htm
[21] http://Dover.IDF.IL/IDF/English/News/today/2008n/09/0101.htm
[22] http://www.KoreaTimes.co.KR/www/news/nation/2009/12/205_56502.html
[23] http://www.GlobalSecurity.org/intell/world/dprk/rb.htm
[24] Choi He-Suk, The Korea Herald; N. Korea Has Third Most Powerful Cyberwar Capabilities; http://www.Stripes.com/news/pacific/n-korea-has-third-most-powerful-cyberwar-capabilities-1.179826
[25] http://English.People.com.CN/90001/90776/90786/7392182.html
[26] http://www.FoxNews.com/tech/2011/05/26/china-confirms-existence-blue-army-elite-cyber-warfare-outfit/
[27] U.S. House of Representatives; Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE; http://Intelligence.House.gov/sites/intelligence.house.gov/files/documents/Huawei-ZTE%20Investigative%20Report%20%28FINAL%29.pdf
[28] The 1987 Constitution Of The Republic Of The Philippines; http://www.Gov.PH/the-philippine-constitutions/the-1987-constitution-of-the-republic-of-the-philippines/the-1987-constitution-of-the-republic-of-the-philippines-article-ii/
[29] Charter of the United Nations; http://www.UN.org/en/documents/charter/chapter1.shtml
[30] National Security Policy 2011-2016: Securing the Gains of Democracy; http://www.Gov.PH/2011/08/18/national-security-policy-2011-2016/
[31] Rose Palacio; Task Force To Protect Critical Infrastructure; http://Archives.PIA.gov.PH/?m=12&sec=reader&rp=1&fi=p040916.htm&no=7&date=09/16/2004
[32] https://rdl.Train.Army.mil/catalog/view/100.ATSC/0EF89CA1-2680-4782-B103-D2F5DC941188-1274309335668/7-98-1/chap2l4.htm
[33] Catechism of the Catholic Church; http://www.Vatican.VA/archive/ENG0015/__P81.HTM
[34] Defining The Rules Of Engagement; http://www.GlobalSecurity.org/military/library/report/call/call_96-6_roesec2b.htm
[35] Mary Ann Davidson; The Monroe Doctrine in Cyberspace; http://www.WhiteHouse.gov/files/documents/cyber/Davidson%20MaryAnn%20-%20The%20Monroe%20Doctrine%20in%20Cyberspace.pdf
The Evolving Landscape on Information Security
Wilfred G. Tan, Carlos T. Tengkiat & Simoun S. Ung

Introduction

We all have a preconceived notion on information technology security; however, for a lot of organizations this value is subjective because there is an acceptability of risk. This is not to imply a particular organization is unaware of the value of security; it may simply be that the organization needs to consider the allocation of its resources for security relative to the value of the asset being protected.

A large number of organizations, as evidenced by strong growth and interest in security standards such as PCI-DSS [1], either depend on or follow guidelines set forth by government institutions and standards bodies. Conventional wisdom dictates that following guidelines is normally a good approach. As a security officer, planner or executive, one should always consider going beyond the existing standard and be reminded that the security standards are developed in response to already recorded and occurring incidents. Moreover, security standards take time for the standard setting bodies to create, review, approve and implement.

Security is a living practice and needs the proper attention, time and consideration. Laying out and maintaining a comprehensive cyber security plan not only requires expertise, but also involves careful thought, assessment, and constant refinement and adjustments. In addition, legal frameworks differ from country to country; therefore, best practices in one country are not directly portable to a different country, even within similar industries. Unlike more traditional crimes such as theft and robbery, the specific rules and regulations tend to be varied at best for cyber-security and cyber-crime related incidents.

Computer security related incidents have risen significantly over the past decade [2] and there is every indication that this trend will continue for the foreseeable future. The Global Security Report of Trustwave[3] presents the origin of cyber-attacks: Russia leads the statistics with 29.6% in the data[3]. However, because 32.5% of all attacks are of unknown origin, it can be as likely (or equally unlikely) that any one nation is the single source or culprit of all of the incidents. Pinpointing the location in a timely manner is very difficult, if not impossible, given that the technology today allows users to use anonymous proxies to connect to the Internet, which further compounds the problem.

This article is written for non-technical executives and policy makers, whose responsibilities require them to interact with information security professionals, as a primer on the current landscape of information security as well as its likely evolution. Security professionals and practitioners are already well-versed in the material contained herein. The paper examines the motivation behind cyber-attacks followed by a survey of common threats and attack variants. It then presents the popular defensive strategies followed by a discussion of future challenges and developments.
Motivation

Behind all threats and cyber security breaches are either individuals or organizations. Cyber security incidents do not occur in a vacuum. Generally, the motive behind a cyber-attack can be classified as follows: personal reasons, unlawful profiteering, corporate or national interests, and other purposes.

Personal Reasons

Personal reasons for conducting a cyber-attack include peer recognition, revenge, personal gain or satisfaction, and even curiosity. Some intruders derive a perverse sense of fun from conducting the attack and revel in the psychic income of being noted for notoriety.

Unlawful Profiteering

Perhaps the most common motivation for conducting a cyber-attack is financial gain. The primary goal of fraud is to gather information that can be used to access funds of other entities for illicit proceeds. Popular targets include savings accounts and payment (debit and credit) card data. Organized criminal syndicates are the primary perpetrators of these attacks. Inopportunely, the skill and savoir-faire developed are often adopted for use in cyber-terrorism and other cyber-attacks.

Although there is no data for the Philippines, a study conducted by eWEEK Europe in 2010 [4] on a simulated auction of stolen data determined that the relative value of data is primarily determined by the purchaser. The end goal remains the same: to obtain information through illegal and fraudulent means which can be used for financial gain. Information itself has become a commodity; it can be traded, bought and sold.

Corporate or National Interests

The strategic objectives for a corporation or nation-state are sometimes achieved by attacking others using cyber-warfare capabilities. The intent may be to disable a nuclear enrichment program or a more mundane purpose such as to spy on, steal or subvert a rival’s plans and secrets.

In mid-2010, Stuxnet was discovered. The singular target of this worm was to disable and destroy Siemens industrial equipment which was specifically used to control centrifuges that create nuclear material for a fissionable weapon. According to a study by Symantec in August 2010 [5], 60% of the computers infected by Stuxnet were in Iran, suggesting a highly ‘targeted’ operation. The worm’s sophistication and intelligence suggested a nation-state level of sponsorship; speculation was rife that the United States and Israeli forces were at least partially responsible for the development and deployment of the worm. [5]

Threat Evolution

Approaches to attacks have evolved over time, adapting to developments in technology. Tools for exploiting systems have evolved considerably; likewise, tools for testing and exploiting vulnerabilities are readily available in the market. There are even attack platforms freely available that ironically were intended to test the security of a system. Several of the more common threats are outlined below: physical, cyber-stalking, social engineering, phishing, distributed denial of service, network attacks and malware.

Physical

In the 1980s, the common practice was to actually go onto the premises of the target company or to harvest data from unprotected sources. Criminals would find ways to physically obtain storage media or hardcopies of data. Dumpster diving, or the sifting through garbage and trash to find bits and pieces of information, is still practiced today. The careless disposal of seemingly innocuous information such as an obsolete version of an information security plan, PIN mailers, passwords, social security numbers, et cetera can facilitate an attack via social engineering or phishing.

Today, practices have expanded to include tapping into data cabling that is accessible from unsecured areas and accessing unlocked, accessible computer servers and systems. It is still a common occurrence for unencrypted, sensitive data to be lost or stolen from physical media such as USB flash drives, laptops and cellular phones.

Cyber-Stalking

Cyber-stalkers assault their victims using electronic communication: email, instant messaging (IM) and/or posts to a website or discussion group. While most cyber-attacks target an organization, cyber-stalking tends to be of a more personal nature. Cyber-stalkers typically gather personal and private information about their target, then send them harassing or threatening messages.

Trolling is a form of cyber-stalking in which negative posts, comments or other defamatory statements are made which are injurious to the reputation or emotional health of the victims. When committed by more than one individual, trolling is also known as cyber-bullying. Sadly, there are cases involving teens which have resulted in the victims committing suicide.

Social Engineering

A social engineering cyber-attack involves the manipulation of people to perform certain actions that can compromise security; this requires a solid understanding of human responses and behaviour. Although physical contact is not necessary, some form of trickery to gain the confidence of the target is employed. A social engineering attack occurs in two phases: information gathering, then the pretext stage, in which a believable story is crafted in order to earn legitimacy and gain the trust of the target.

Social engineering is not strenuous on the attacker, thus it is normally employed in conjunction with other forms of cyber-attack. The insertion of malware into otherwise hardened, secure systems is a common combination with social engineering. Many enterprise systems are well protected and require significant time and effort to breach. However, if the attackers are able to use social engineering to insert physical media such as USB flash drives into the internal network, then all the external defences are immediately bypassed.

Based on a recently conducted social engineering study [6], companies with well-implemented security awareness protocols are more resistant to social engineering tactics. Participants in the oil industry fared better compared to less security-aware industries like retail. The study was designed with questions that would expose the security design and architecture of the respondent’s organization:

The study [6] revealed that certain data can be harvested from the internet itself. Researchers were able to utilize the data culled from the internet in their social engineering tasks to profile a target’s internal security implementation. The table below displays the details gathered from the questionnaire above in blue while the additive information garnered from the internet is shown in red:

Recently, face-to-face social engineering tactics have been increasing; this is disquieting since it may expose the targeted individual to physical danger.
Phishing

Phishing is an email-based fraud method using legitimate-looking email designed to gather personal and financial information from its targets. Attackers craft emails that blend a false premise with spoofed trustworthy websites, and victims are encouraged to click on links, send information and otherwise respond. The attackers then use social engineering techniques to extract personal and financial information. Since emails are generally from an external source, incorporating dangerous payloads in the message requires negligible effort.

There are several types of phishing techniques:

· Phishing – Emails are disguised so as to obtain usernames and passwords from the users via electronic communication.
· Spear Phishing – Targeted phishing of specific individuals; personal information on the target is gathered to increase the probability of success.
· Clone Phishing – A previously legitimate and delivered email is used as a template and cloned; the cloned email, with links and attachments modified, is resent to the victim. This method exploits the social trust between the parties that sent the email.
· Whaling – Phishing targeting high profile victims.

Phishing is not restricted to electronic information nor to electronic communication channels. Some phishing emails contain telephone numbers, purporting to be customer service; the unsuspecting victim is lured to call and unwittingly give personal information that can later be used by the attacker.

One of the best known phishing emails is the “Nigerian scam.” Although there are many variations, the content is essentially the same, with the sender pretending to have access to a large amount of funds and requiring the assistance of the victim to gain access to the said funds:

FROM: MR DAN PATRICK.
DEMOCRATIC REPUBLIC OF CONGO.
ALTERNATIVE EMAIL: (patrickdan@rediffmail.com).

Dear Sir,

SEEKING YOUR IMMEDIATE ASSISTANCE.

Please permit me to make your acquaintance in so informal a manner. This is necessitated by my urgent need to reach a dependable and trust wordy foreign partner. This request may seem strange and unsolicited but I will crave your indulgence and pray that you view it seriously. My name is. DAN PATRICK of the Democratic Republic of Congo and One of the close aides to the former President of the Democratic Republic of Congo LAURENT KABILA of blessed memory, may his soul rest in peace.

Due to the military campaign of LAURENT KABILA to force out the rebels in my country, I and some of my colleagues were instructed by Late President Kabila to go abroad to purchase arms and ammunition worth of Twenty Million, Five Hundred Thousand United States Dollars only (US$20,500,000.00) to fight the rebel group. But when President Kabila was killed in a bloody shoot-out by one of his aide a day before we were schedule to travel out of Congo, We immediately decided to divert the fund into a private security company here in Congo for safe keeping. The security of the said amount is presently being threatened here following the arrest and seizure of properties of Col. Rasheidi Karesava (One of the aides to Laurent Kabila) a tribesman, and some other Military Personnel from our same tribe, by the new President of the Democratic Republic of Congo, the son of late President Laurent Kabila, Joseph Kabila.

In view of this, we need a reliable and trustworthy foreign partner who can assist us to move this money out of my country as the beneficiary. WE have sufficient ‘’CONTACTS’’ to move the fund under Diplomatic Cover to a security company in the Europe in your name. This is to ensure that the Diplomatic Baggage is marked ‘’CONFIDENTIAL’’ and it will not pass through normal custom/airport screening and clearance.

Our inability to move this money out of Congo all This while lies on our lack of trust on our supposed good friends (western countries) who suddenly became hostile to those of us who worked with the late President Kabila, immediately after his son took office. Though we have neither seen nor met each other, the information we gathered from an associate who has worked in your country has encouraged and convinced us that with your sincere assistance, this transaction will be properly handled with modesty and honesty to a huge success within two weeks. The said money is a state fund and therefore requires a total confidentiality.

Thus, if you are willing to assist us move this fund out of Congo, you can contact me through my email address above with your telephone, fax number and personal information to enable us discuss the modalities and what will be your share (percentage) for assisting us.

I must use this opportunity and medium to implore You to exercise the utmost indulgence to keep this Matter extraordinarily confidential, Whatever your Decision, while I await your prompt response.

NOTE: FOR CONFIDENTIALITY, I WILL ADVISE YOU REPLY ME ON MY ALTERNATIVE EMAIL BOX (patrickdan@rediffmail.com). Thank you and God Bless.

Best Regards,
MR DAN PATRICK.
Distributed Denial of Service (DDOS)

DDOS is one of the older forms of attack that is still popular today. In a DDOS attack scenario, the victim typically finds their system slowed to a crawl or unable to respond at all. There are several variants that are commonly used, such as ICMP flooding, SYN flooding, Teardrop, and others. The defining aspect of DDOS attacks is the rendering of the target system crippled or inoperable, thereby denying service to the system’s legitimate users.

As recently as mid-2012, DDOS attacks against major financial institutions such as HSBC, Bank of America, and JP Morgan Chase were recorded. [7] The duration and severity of the attack is dependent on the number of zombies, or slave computers, used by the attacker, and the resiliency of the target computer(s) to withstand the attack.

A DDOS attack may be used in conjunction with other attacks to exploit vulnerabilities exposed while the DDOS attack is in progress; sometimes, a DDOS attack is a diversionary tactic to enhance the probability of success of other attack methods. Major disruptions to critical infrastructure like defense, utilities and banking will result not only in mere inconvenience due to loss of services but also in significant financial and economic losses.

Network attacks

The U.S. Department of Defense refers to network attacks as “actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.” [8] If an attacker successfully connects to the network of the target, innumerable opportunities to launch attacks are made available.

Common mistakes in network security are weak, default or non-existent administrator passwords. Moreover, ill-designed networks also allow easy access to database servers, the usual targets for data mining. Attackers can use SQL injection, in which direct SQL text is encoded as part of the attack stream, in an attempt to subversively access a back-end database system.

Malware

The current trend of cyber-attacks is predominantly associated with malware. Trustwave defines malware as “often purposefully designed to capture and extricate data, provide remote access, or automate compromised systems into a botnet — or to just cause general mayhem.” [9] Malware comes in a myriad of types and varieties. The common categories known today include computer viruses, worms, trojan horses, spyware, adware and root kits.

Entire software product suites and solutions have been created to combat malware. However, malware has evolved and continues to do so; it is constantly being updated to meet the challenges of exploiting new vulnerabilities and to avoid detection by the users and by third-party security products. This accounts for the discouraging statistics that show infections often go undetected.

The popularity of malware as an attack vector is evident in the fact that by 2007 the number of malware created in that one year alone was equivalent to the combined total of the previous twenty years. [10]
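Returning to the SQL injection weakness described under Network attacks above, the following added example (not part of the original paper) shows a query built by pasting request text into SQL beside the parameterized form that keeps the text as data. The table, account names, PINs and function names are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: names, PINs and balances are invented.
SAMPLE_ACCOUNTS = [
    ("alice", "4821", 1500),
    ("bob", "9035", 320),
    ("o'brien", "7710", 75),  # a legitimate name that happens to contain a quote
]


def make_db():
    """Create an in-memory back-end database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, pin TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_concatenated(conn, username, pin):
    """WEAK: request text becomes part of the SQL statement itself."""
    sql = (
        "SELECT username, balance FROM accounts "
        "WHERE username = '" + username + "' AND pin = '" + pin + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, pin):
    """HARDENED: the statement is fixed; the values are bound as data only."""
    sql = "SELECT username, balance FROM accounts WHERE username = ? AND pin = ?"
    return conn.execute(sql, (username, pin)).fetchall()


def compare(username, pin):
    """Run both lookups on a fresh database and return (weak, hardened) results."""
    conn = make_db()
    try:
        weak = lookup_concatenated(conn, username, pin)
    except sqlite3.Error as exc:
        # A stray quote breaks the concatenated statement; such database errors
        # in application logs are a common sign of this weakness.
        weak = "error: " + type(exc).__name__
    hardened = lookup_parameterized(conn, username, pin)
    conn.close()
    return weak, hardened


if __name__ == "__main__":
    cases = [
        ("alice", "4821"),          # correct credentials
        ("alice", "' OR '1'='1"),   # SQL text supplied where a PIN is expected
        ("o'brien", "7710"),        # honest input containing a quote
    ]
    for username, pin in cases:
        weak, hardened = compare(username, pin)
        print(repr(username), repr(pin))
        print("  concatenated :", weak)
        print("  parameterized:", hardened)
```

The second case returns every account from the concatenated query and nothing from the parameterized one; the third shows that the weak form also fails for honest users.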
Malware is used with great efficacy to achieve a beachhead in infiltrating systems. Some of the recent incidents involving malware are listed below:

Flame

Discovered by the Iranian National Computer Emergency Response Team (CERT), Kaspersky and CrySyS Lab, Flame is widely considered one of the most sophisticated malware ever created. [11] It spreads via local area network or USB. Infected computers act as Bluetooth beacons and attempt to harvest contact information from nearby Bluetooth-enabled devices. At twenty megabytes, Flame is uncharacteristically large for malware. Its capabilities include recording of audio, keystrokes, screenshots and Skype conversations; thus Flame is deemed a cyber-espionage tool.

RSA Breach

RSA experienced a security breach in 2011. [12] The attack vector was an email sent to an employee with an Excel attachment that contained malware. This malware exploited vulnerabilities in Adobe Flash and installed a variant of Poison Ivy, a common remote administration tool. The attackers then obtained critical information including the token seeds in SecurID and algorithm designs used by RSA; consequently, the RSA security tokens were rendered vulnerable to exploitation. This directly resulted in cyber-attacks against Lockheed Martin and L3 Communications, both US military contractors.

Malware has proven to be a very effective and potent tool for cyber-attacks, and its continued use will foster further evolution in sophistication and complexity. Organizations should take steps to detect and eradicate malware; depending solely on the hardening of perimeter defense to prevent malware from infiltrating an organization is a common fallacy.

Common Defensive Strategies

Information security personnel and teams tend to use several common defensive strategies. Unfortunately, there is no perfect defensive strategy; therefore, to be effective, a defensive strategy must be continuously upgraded and assessed against the constantly evolving cyber-attack mechanisms and methodologies.

Physical

There are numerous physical defensive strategies; the most common are the following:

1. Deployment of access systems secured by biometric, ID card, PIN and/or a combination thereof;
2. Closed circuit TV (CCTV) security cameras; and
3. Doors, cages, locks and man-traps.

One of the simplest and most cost-effective strategies is to locate critical servers and systems in a secure facility; failing that, the servers and systems should be locked in a cage to prevent unauthorized tampering and access.
Education, Awareness and Security Policies

One of the most effective tools to implement or improve security is education and awareness. Increasing awareness among the staff, peers, management and other employees is crucial in building support towards implementation of an effective defensive strategy. Unfortunately, countless executives fail to appreciate the value of security; security seems to be an afterthought at best, rather than being a critical factor designed into systems and procedures.

Part of the education and awareness process involves formulating, disseminating and implementing security policies. This is one of the most effective shields against social engineering attempts, because it reduces the chances of an employee being fooled into divulging crucial information.

The value of information security is not apparent until after an intrusion or breach occurs. Once such an event occurs, organizations suffer at the minimum reputational damage. Oftentimes, banks and other financial institutions prefer to pay off the perpetrators in order to preserve their image, since the loss of confidence in their security could cost them their entire client base.

Prevention

The old adage, “an ounce of prevention is better than a pound of cure”, is certainly applicable to information security. Pro-active measures implemented to prevent a cyber-attack are more cost-effective than reactive security patches and hardware upgrades in response to a security incident.

In recent months, several Philippine government websites have been defaced. Most agencies repaired the damage within several hours, then simply moved on. Popular sentiment was that since there is no physical harm done, such acts, while not condoned, should be tolerated as a form of expression. On the other hand, the U.S. Congress has enacted laws that consider any form of computer attack on any level against any U.S. government website as an act of war against the United States. Although defacing a website does not necessarily compromise any data, the economic cost and reputational damage that such attacks cause should be considered and an appropriate, measured response executed.

Anti-Virus / Anti-Malware

Anti-virus and anti-malware software packages are basic tools of the defensive trade. A properly updated program helps secure the systems and protects users when they inadvertently browse or visit pages with malicious content. Most popular packages now include features and functionality to help protect a web browser.

Patch Management

There is no perfect software. As such, the software industry relies heavily on patches or upgrades to address flaws in the design, implementation, or performance of the software. Malware exploits known flaws in the installed software to subvert and ultimately gain control over a machine. Therefore, as a defensive strategy, applying patches on the operating systems, anti-virus, anti-malware, and other applications helps safeguard computer systems by fixing the known flaws and vulnerabilities.

Beyond the issue of intellectual property rights, this is the most important, self-serving incentive to procure properly licensed software, as it guarantees that there will be support and maintenance. With open-source software, it is critical to implement a maintenance cycle to ensure that any bugs or vulnerabilities in the software are patched quickly and consistently.

Firewalls

Firewalls are network devices that filter traffic; they attempt to segregate public or open traffic that exists beyond the organization’s network perimeter. Firewalls range from the basic that protect your home network, costing a few thousand pesos, to the enterprise versions costing several millions. There are many brands of firewalls from manufacturers: Cisco, Juniper, Checkpoint, Fortinet, Huawei, ZTE among others. Of special interest lately is the position of the Congress of the United States that Huawei and ZTE pose a security threat. [13]

A properly configured and maintained firewall defends against many threats. It is a key component in many security strategies implemented today. Ensuring that the firewall is properly patched is another important key to having a good defensive strategy.

Regular Testing and Backups

Regular tests of information security systems are crucial in maintaining readiness. Internal and external penetration tests, scans, and verification procedures all contribute towards ensuring that systems are configured properly.

Regular backups are akin to buying insurance. Failures are an unavoidable part of the human experience and information systems are not exempt. Having a ready backup is no longer a luxury but a necessity.

Intrusion Detection Systems/Intrusion Prevention Systems

Intrusion detection and intrusion prevention systems (IDPS) are a class of devices that came to the forefront of the defensive arsenal about a decade ago. Such devices are capable of detecting incidents by monitoring events or inspecting packets and, at the start of an incident, triggering some automated response including reconfiguration of firewalls, sending out alerts by SMS or email, locking down ports, et cetera.

Most systems in the market today involve the deployment of hardware appliances; few are software-based. They are usually installed in-line, either behind or adjacent to the firewall(s) in an organization’s network. The NIST [14] lists four types of technologies available today:

1. Network based: examination and detection based on network segments, or network and application protocol.
2. Wireless: examination of wireless network traffic.
3. Network behaviour analysis: examination of system-wide behaviour including the sudden rise of packets, policy violations, et cetera.
4. Host-based: limited to single host examination and events linked to the single host.
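To make the third category concrete, here is an added sketch (not from the original paper or from NIST) of how network behaviour analysis can flag a sudden rise of packets against a learned baseline. The host names, per-minute packet counts, window size and sensitivity constants are all constructed assumptions.

```python
from collections import defaultdict, deque
from statistics import median

WINDOW = 6             # past intervals that form the baseline (assumed value)
K = 5.0                # spreads above the median that count as a surge (assumed)
MIN_REL_SPREAD = 0.05  # floor on the spread, as a fraction of the median (assumed)


def surge_threshold(history):
    """Packet count above which an interval is treated as abnormal."""
    med = median(history)
    # Median absolute deviation: a spread measure that outliers barely move.
    mad = median(abs(x - med) for x in history)
    spread = max(mad, MIN_REL_SPREAD * med, 1.0)
    return med + K * spread


def detect_surges(records):
    """records: iterable of (interval, host, packets). Returns a list of alerts."""
    history = defaultdict(lambda: deque(maxlen=WINDOW))
    alerts = []
    for interval, host, packets in records:
        past = history[host]
        if len(past) == WINDOW:          # only judge once a baseline exists
            limit = surge_threshold(past)
            if packets > limit:
                alerts.append({"host": host, "interval": interval,
                               "packets": packets, "threshold": limit})
                # Do not learn from flagged intervals, so a sustained flood
                # cannot gradually become the new "normal".
                continue
        past.append(packets)
    return alerts


def sample_records():
    """Constructed per-minute packet counts for two hypothetical hosts."""
    web01 = [980, 1010, 995, 1020, 1005, 990, 1015, 1000,
             9800, 14200, 13900, 1010, 990]   # flood in minutes 8 to 10
    db01 = [200, 210, 190, 205, 195, 200, 198, 202,
            207, 199, 201, 204, 196]          # steady traffic
    records = []
    for minute in range(len(web01)):
        records.append((minute, "web01", web01[minute]))
        records.append((minute, "db01", db01[minute]))
    return records


if __name__ == "__main__":
    for alert in detect_surges(sample_records()):
        print("ALERT host=%(host)s minute=%(interval)d "
              "packets=%(packets)d threshold=%(threshold).0f" % alert)
```

In a deployed IDPS each alert would feed the automated responses the text lists, such as an SMS or email notification; here the alerts are only returned.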
IDPS are useful in detecting and identifying potential incidents. Therefore, they are an indispensable tool in the defensive toolkit of many information security managers. An IDPS provides intrinsic value by adding automated detection, logging, recording, and monitoring capabilities to an organization, when configured and maintained properly.

Outsourcing of information security

Within the Philippine context, many organizations, including government agencies, do not have the budget, expertise or capability internally to properly secure their information systems. Accordingly, to properly prepare for a cyber-attack, organizations may resort to outsourcing, analogous to the deployment of private security guards for the protection of physical assets.

There is a prevailing misconception regarding the role of law enforcement in information security. By definition, law enforcement agencies provide post-incident investigation, apprehension and filing of charges against suspected perpetrators. Their responsibilities do not include ensuring an organization’s systems are safe and secure. Typically, a Computer Security Incident Response Team (CSIRT) or a Computer Emergency Response Team (CERT) is engaged to assist an organization to prepare, simulate cyber-attacks and conduct post-assessments of information security systems.

Future Developments and Challenges

Current technological trends are likely to continue in the foreseeable future. With the rapid and accelerating pace of change in technology, a discussion of the pervasive technologies and their prospective impact on information security is warranted.

Mobile technology

Today’s smart phones are truly mobile computers; some have greater processing power than desktops from less than a decade ago. Penetration rates in more advanced countries have exceeded 50% and have reached 78% in the United States. [15] This trend will rapidly be replicated in emerging markets like the Philippines, particularly with the commonplace availability of smart phones retailing for less than one hundred US dollars.

With the advent of mobile commerce and the Philippine propensity for rapid adoption of mobile phones, there will be a host of new, unforeseen security challenges. This will be accelerated by the deployment of LTE, empowering mobile broadband, by the local telecommunication carriers. Compounding the security challenges with mobile is the lack of a legal framework and the non-existent registry of mobile SIM cards: attackers utilizing a mobile platform will enjoy even greater anonymity.

Initial malware on the mobile platform was largely limited by the fragmented, proprietary operating systems that ran the previous generation of phones. The industry has already consolidated to four major mobile platforms: Apple’s iOS, Google’s Android, Windows Mobile and BlackBerry. With this convergence, the mobile platform presents a tantalizing target for cyber-attackers. There have been numerous incidents involving social engineering with deceptive messages sent to victims asking them to send money to process their contest winnings or to help a friend or relative in a supposed emergency situation.
    115ICT Development andCyber Security Reader Video/Voice Over IP (VOIP) Skypeℱ was one of the pioneers that allowed people to make voice calls, later adding video calls, for free utilizing IP technology. Nowadays, multi-party video conferencing is already commonplace. The National Telecommunication Commission has issued VOIP licenses for several years already. From an implementation and technology angle, VOIP is terrific: provision of clear communications enabled by constantly improving compression technology. Commercialized form of 3-D hologram communication may soon be achievable. Cyber-attackers recognize that networks carrying voice and video data as an attractive target. A Brazilian CERT noticed an upsurge in scanning for VOIP traffic in their honey pot network. [16] Intruders that gain access to a VOIP system would potentially be able to monitor, access and even reroute all communications made through it. Outsourcing cyber-attacks Insofar as protecting information security systems are being outsourced to trusted professionals, cyber-attackers have also begun to resort to outsourcing. The Russian underground market in cybercrime is vibrant. The inexpensive cost for outsourcing of various methods of cyber-attacks is alarming; a sampling of the available services and its prices is listed below: [17] Service Price in US dollars Hiring a DDOS attack $30 to $70 per day Email spam $10 per million emails Bots for a botnet $200 for 2,000 bots ZeuS source code $200 to $500 Hacking a Facebook or Twitter acct $130 Hacking a Gmail account $162 Scans of legitimate passports $5 each Traffic $7 to $15 per 1,000 visitors from US & EU As cyber-attacks continue to grow in sophistication, this development of outsourcing cyber-attacks will not only continue unabated, but likely escalate geometrically. Conclusion The notion of information security tends to be organization-specific. In the Philippine context, there is a relatively high tolerance for risk. 
Even within the defence establishment, some of the prevailing attitudes are best characterized by the tongue-in- cheek responses gathered in a series of interviews: “Our approach is security through obsolescence” and “It’s only 1’s and 0’s anyways, who can read it?” With the pervasiveness of the internet and technology in human society today and the resultant diminishing barriers of distance and geopolitical borders, information security must be everyone’s problem and responsibility. The Information and Communications Technology Office under the Department of Science and Technology has already set policy that information and communications
  • 116.
    116 ICT Developmentand Cyber Security Reader technology must be governed due to its pervasive and essential nature in today’s society. [18] The recent attacks to deface government websites should serve as a clarion call for imperative action. Perhaps due to the technical or the rapidly evolving nature, some of the national leadership still do not recognize the gravity of the situation, or lamentably, simply choose to believe it will go away. For some context within the Philippine environment, consider the IT-BPO industry, a sunshine and rapidly growing sector of the Philippine economy:[19] 2011 2012 2013 Industry revenues (USD) $11 Billion $13.6 Billion $16 Billion Full-time employees 638,000 772,000 926,000 How much loss, potential or otherwise, must be suffered by the Philippine economy for information security to be considered a matter of national security? What is the impact to this single sector of a single or a series of cyber-attacks or data breaches exacerbated by inadequate response from government? Government and the private sector must work together to secure our national interest. This article presented an overview of the current landscape of information security. From the motivational aspects behind cyber-attacks to a review of current common threats and attack variants to a presentation of the popular defensive strategies ending with a forward look to future challenges and developments. Although technology and methodologies continue to evolve, the human factor, not rapid technological advancement, continues to be the biggest source of vulnerability: · Many continue to blindly follow security standards set by governments and standards bodies without proper evaluation of their suitability for their own situation. · Lax stewardship is the leading cause of security breaches in established organizations. · Social engineering is still the most prevalent cause of data compromises. 
· Senior leadership, especially at the national level, typically fail to recognize the critical nature of information security to their organizations until after a breach or other incident has occurred. If the Philippines were to experience a cyber-attack today, there is no single office of primary responsibility within government to mount a coordinated response. At best, the country can only rely on the Philippine Computer Emergency Response Team (PHCERT), “
 a non-profit aggrupation of Information Security Professionals providing Technical and Policy Advisory Services Pro Bono Publico.”[20] The National Computer Center recognizes the limited programs and projects that PHCERT can support: “PHCERT ONLY accepts security incident reports from its members. Technical advice may be provided depending on volunteer availability. Forwarding and coordination to the appropriate law enforcement agency can also be done if the situation warrants or member organization desires to do
so.”[21]

On the legal front, although the Philippines recently enacted the Cybercrime Prevention Act of 2012, Republic Act 10175, to empower law enforcement to better combat cybercrime, the Supreme Court issued a Temporary Restraining Order delaying its implementation by 120 days in response to questions about the constitutionality of certain provisions.

Information security is so pervasive that even a superpower like the United States and advanced societies like Japan with relatively unlimited budgets find it difficult to cope with the immense challenges. Government and the private sector must cooperate to make significant progress in this regard.

Forging ahead, given the current landscape of information security and its likely progression, the Philippines must take two foundational steps to improve its information security:

1. Government must designate a single office of primary responsibility to prepare, mitigate, and coordinate a response to cyber-attacks; and
2. Government and the private sector must work together and establish a pro-active, independent, fully-functional Computer Emergency Response Team (CERT) and/or Computer Security Incident Response Team (CSIRT).

# # #

References

This article relied extensively on the collective knowledge-base and experience of the authors as well as sources from both the internet and printed material. Similar references were grouped together for brevity.

1 http://blog.elementps.com/element_payment_solutions/2011/11/visa-releases-pci-compliance-level-stats.html
2 http://www.pcworld.com/article/79303/article.html
3 http://2011.appsecusa.org/p/gsr.pdf
4 http://www.techweekeurope.co.uk/news/experts-admit-motivation-for-cyber-attacks-overlooked-6696
5 http://www.symantec.com/connect/blogs/hackers-behind-stuxnet; http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-industrial-control-systems; http://www.airdemon.net/stuxnet.html; http://www.reuters.com/article/2010/09/24/security-cyber-iran-idUSLDE68N1OI20100924
6 http://www.social-engineer.org/social-engineering-ctf-battle-of-the-sexes/
7 http://arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/; http://nakedsecurity.sophos.com/2012/09/27/banks-targeted-ddos-attacks/; http://www.bloomberg.com/news/2012-09-28/cyber-attacks-on-u-s-banks-expose-computer-vulnerability.html; http://threatpost.com/en_us/blogs/historic-ddos-attacks-against-major-us-banks-continue-092712
8 U.S. Department of Defense, Joint Publication 1–02: DOD Dictionary of Military and Associated Terms (November 8, 2010, as amended through May 15, 2011).
9 http://www.iseprograms.com/lib/Trustwave_2012GlobalSecurityReport.pdf
10 http://web.archive.org/web/20071207173837/http://www.f-secure.com/2007/2/
11 http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east; http://www.crysys.hu/skywiper/skywiper.pdf
12 Cyber-warfare – The new battlefront for Defence Forces by Dr. Peter Holliday
13 http://www.forbes.com/sites/simonmontlake/2012/10/08/u-s-congress-flags-chinas-huawei-zte-as-security-threats/; http://online.wsj.com/article/SB10000872396390443615804578041931689859530.html; http://www.reuters.com/article/2012/10/08/us-usa-china-huawei-zte-idUSBRE8960NH20121008
14 Guide to Intrusion Detection and Prevention Systems - http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
15 http://www.wired.com/beyond_the_beyond/2011/12/42-major-countries-ranked-by-smartphone-penetration-rates/; http://www.thinkwithgoogle.com/mobileplanet/en/
16 CyberSecurity Challenges in Developing Nations – Dissertation by Adam C. Tagert 12/1/2010, Carnegie Mellon University
17 “Russian Underground 101” by Max Goncharov, Trend Micro Incorporated Research Paper 2012 - http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf
18 “2012 Programs” Presentation of the Undersecretary Louis Casambre, Executive Director of the Information & Communications Technology Office of the Department of Science and Technology on 21 June 2012 at the Chancery Hall of the US Embassy Manila.
19 IT-BPO Road Map 2011-2016 Business Processing Association of the Philippines www.bpap.org/publications/breakthroughs?download
20 http://www.phcert.org/
21 http://www.ncc.gov.ph/default.php?a1=2&a2=5&a3=1&a4=PQRS&a5=114

___________________

Simoun is the current Vice Chairman of the Overseas Security Advisory Council of the U.S. Embassy Manila, a federal advisory committee under the State Department. He also serves as the Chairman of the Security Disaster Resource Group of the American Chamber of Commerce of the Philippines. He was a Consultant to the Office of International Policy and Special Concerns of the Department of National Defense and an Advisor to the Supreme Court. He was formerly with the Philippine Coast Guard Auxiliary 101st Squadron, where his last rank was Commander prior to retirement. He holds a Master of Business Administration from the Ivey School of Business, University of Western Ontario, Canada, and a Bachelor of Arts degree in Psychology and Economics from the University of British Columbia. He is currently the CEO and President of PVB Card Corporation, and the Vice Chairman of Bastion Payment Systems in the Philippines, and serves on the boards of several listed firms, both in the Philippines and United States. Simoun has also been tapped as the speaker and lecturer for many engagements, including the Federal Bureau of Investigation and the National Defence College of the Philippines.

Wilfred is the founding CEO and President of Bastion Payment Systems. He formerly worked at Unisys for over a decade, where he was involved deeply as a senior systems architect on several notable IT projects of the Philippine government including the National Statistics Office Census Registry System (CRS-ITP), Land Transportation Office, Philippine Ports Authority, and others. Beyond this, Wilfred also worked on many international, government and financial sector projects in the United States, China, Singapore, Hong Kong, Sri Lanka, Vietnam and Australia. Wilfred holds a Master of Science in Computer Science degree from De La Salle University, Manila (with high distinction), and a Bachelor of Science in Computer Science from the same school. He is a Certified Rational Unified Process Consultant.

Carlos is the current Chief Security and Operating Officer of Bastion Payment Systems. He was formerly the assistant director at the Computer Center of the University of Santo Tomas, where he continues today as a senior instructor for computer science. Carlos holds a Bachelor of Science in Computer Science from Chiang Kai Shek College Philippines and master’s degree units from De La Salle University. He is a certified Cisco Networking Academy Instructor, and a Microsoft Certified Professional.
The Need to Secure Our Cyber Space

Angel T. Redoble
President and CEO, ARMCI Solutions & Consultancy

A paper presented during the Cybercrime Law and its Implication to National Security on 6 October 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________

The recent passing of RA 10175 has shifted netizens’ (Cyber Citizens) anxiety and wrath from the RH Bill to cybercrime. While the “Cybercrime Prevention Act of 2012” aims to protect the same people who are now protesting, various opinions are now arising and questioning whether the law is constitutional and necessary to begin with.

I have been an IT and Cyber security practitioner for 16 years, and I have been pushing in my personal capacity this agenda (Cyber space protection) for over a decade now. Witnessing how cyber attacks have become dramatically sophisticated, I have foreseen the possible catastrophic impact should these malicious hackers launch an attack against our critical infrastructures. So if you will ask me whether we need this cybercrime law or not, then my answer is YES, we definitely need the law. In fact we needed it 10 years ago. I believe, however, that the law was incorporated with some provisions that deviated from its original objective, and that is to prosecute cyber criminals. But then again, the definition of what constitutes a cyber crime is very crucial in the implementation of the law.

From a cyber perspective, a cyber crime includes (but is not limited to) the following: identity theft, compromise of confidentiality and integrity of information, distribution of worms and Trojans, disruption of online services (DOS/DDOS), systems intrusions, unauthorized modification of data and other online information, information theft and installation and distribution of unlicensed software.

As we all know, the libel provision in RA 10175 pushed our netizens to all the more commit cyber crime by attacking websites owned by the different government agencies. While I do not agree with the way these perpetrators have aired their opposition to the said law, I, on the other hand, also agree that libel shouldn’t be considered as cyber crime and that those who commit libel with the aid of ICT cannot and shouldn’t be branded as cyber criminals.

The Cybercrime law is obviously not a perfect law, but then again, nothing is perfect in this world of ours, such as life, and such as the cybercrime law. It still needs to be perfected. The libel clause has caused widespread pandemonium with netizens and has been used as an excuse for the recent activities, or rather ‘hack-tivities’. This flagrant demonstration of disagreement by vandalizing government websites is exactly what the Cybercrime Law aims to prosecute. These ‘hack-tivities’ not only were counter-productive, but also showed to the whole world how vulnerable our systems are and how easy it is to disrupt online services in the Philippines. This is sufficient enough to conclude that the Cybercrime Law is indeed necessary and must be implemented as soon as possible.

But above Cybercrime, what worries me more is the bigger threat to our cyber space, the threat of cyber war. The main actors in cyber war have evolved from script kiddies and hacktivists to cyber terrorists and nation-state sponsored hackers whose objective is no longer
to merely deface websites and steal Facebook accounts, but to disrupt and compromise the economic security of our country. By definition, one of the pillars of National Security is Economic Security. And in cyber war, the enemy can successfully take down the economy of a nation or state, by merely pressing the enter button. A cyber terrorist can cause havoc without necessarily blowing himself up. A nation spy can steal and gather vital information about a specific country without being physically present in the target country. In this modern and technology-driven world, the war has shifted from guns and bombs to bits and bytes. And it has been perceived that a war using cyber space can be won without firing a single bullet.

Goods and Services Advertised on Underground Economy Servers*

Overall Rank                                      Percentage
2009  2008  Item                                  2009  2008  Range of Prices
1     1     Credit card information               19%   32%   $0.85–$30
2     2     Bank account credentials              19%   19%   $15–$850
3     3     Email accounts                        7%    5%    $1–$20
4     4     Email addresses                       7%    5%    $1.70/MB–$15/MB
5     9     Shell scripts                         6%    3%    $2–$5
6     6     Full identities                       5%    4%    $0.70–$20
7     13    Credit card dumps                     5%    2%    $4–$150
8     7     Mailers                               4%    3%    $4–$10
9     8     Cash-out services                     4%    3%    $0–$600 plus 50%–60%
10    12    Website administration credentials    4%    3%    $2–$30

On the other hand, the Cybercrime law, while necessary, is also limited in terms of proactively protecting our cyber space. It is by nature reactive. And much like our other laws, ‘No crime, no use’. In addition, there is also the issue of attribution, ‘Who has done it?’ While others claim that it is easy and possible to trace the real source of an attack and identify the real perpetrator, I have to disagree in the strongest possible terms. Having been exposed to the defensive and offensive areas of cyber security, I can categorically say that it is very difficult and almost impossible to trace the real source of an attack, much more identify the real identity of the perpetrators. Using various hacking tools, hackers may launch cyber attacks while sitting in an internet café or a coffee shop in Manila, Philippines, yet make it appear like the attack is coming from other cities or countries. I believe that this is exactly the reason why the hackers responsible for the recent cyber attacks are so defiantly aggressive: the fact that they are certain that they cannot be traced or that they know that the government is not equipped enough to trace and identify them. Make no mistake, Cyberspace is a borderless world and the internet provides a perfect cover and refuge to everyone, and these hackers have almost perfected the skills of anonymity.

I never failed to mention in all of my speaking engagements that there is a growing need to protect the Philippine cyberspace from all potential external threats. Cybercrime deals with internal/local threats, while Cyber security, on the other hand, is more aligned with National Security. Paired together, you become secure both from internal and external cyber threats.

As a private company, we can always deploy all policies and security mitigations to protect our organization, but who will protect our communication once it exits our organization’s area of network responsibility? What will happen to the Philippine economy if our telecommunication providers are taken down by a massive and organized Denial of Service attack coming from both internal and external threats? Given the fact that our BPO businesses are heavily dependent on these telecommunication companies, there is a possibility of losing the more than 10 billion pesos revenue and more or less the 900,000 jobs provided by the BPO industry. What will happen to our country if cyber terrorists and nation-state sponsored hackers attack our power grids and distribution companies, knowing for a fact that these companies have SCADA (Supervisory Control and Data Acquisition) systems deployed and are using the internet as a means of connectivity?
Considering the recent surveys conducted by different entities, the number and financial impacts of cyber attacks have increased at a rate faster than ever, even though cyber security measures are improving and becoming more sophisticated. This could only mean one thing, that the people behind these attacks are always one step ahead of those who develop cyber security measures. The imminent danger posed by cyber terrorists, cyber criminals and hostile countries, to launch attacks that could cause grave damage, potentially leading to economic failure in our country, must be considered as a basis for why there is a need to implement an effective cyber security policy and address the broader issue of cyber warfare.

There is no middle ground in cyber warfare; you can either be a victim or a pawn used to hide identities or to be used as a strike point to attack other nations. The increasing complexity of cyber weapons and cyber warfare issues makes it more difficult to deter cyber security threats. These facts make it all the more important for our country to address cyber threats from an international perspective down to the national level.

As focus grows on cyber security all over the world, nations are now seriously considering the cyber security threat as a national security issue. A threat that if realized could possibly affect a nation’s very reason of existence. A threat that could easily be exploited by cyber criminals, cyber terrorists and rogue nations who are continuously seeking to take down other nations considered to be an adversary. Compromising the critical infrastructure’s network system of our country could provide a catastrophic effect on our capability to function economically and socially.

The focus now should no longer be directed to ‘whether the Cybercrime law was necessary’ but rather to calling both private and government entities to actively respond to the call for Cyber security. A strong relationship, cooperation and coordination between all government agencies together with the private sector would be a key factor in the success of deterring cyber threats. Cyber war cannot be won by merely calling in the military. While integrating cyber security issues to the military doctrine is a good idea, as well as formulating cooperation and coordination strategy internationally, the involvement of the private sector is still an integral part to effectively defend our cyber space.

# # #

_________________

Angel is the President and CEO of ARMCI Solutions & Consultancy. He is a holder of an MA degree in Information Security Management from UPSAM-ASIMILEC in Madrid, Spain. Angel is a Certified Ethical Hacker and Computer Hacking Forensic Investigator with over 16 years of local and international experience in consultancy related to cyber security. His extensive experience includes vulnerability assessment, penetration testing, cyber warfare, enterprise security risk assessment with focus on information security threats and vulnerabilities. A Certified Lead Auditor of ISO 27001 Information Security Management System who completed the Cyber Warfare: Weaponry and Strategies of Digital Conflict program from Technolytics Institute (USA), he is a founding board member and Director for International Society of Cyber Security Professionals focusing on Cyber Warfare Research and Capability and is a member of the Association of Certified Fraud Examiners (ACFE).
National Security Implications of R.A. 10175: A Defense Perspective

Director Nebuchadnezzar S. Alejandrino I
Chief, Information Management Office, DND
________________________________________________________________________

5th Domain

Cyberspace is the 5th Domain; the other four are Land, Air, Water, and Space. It is now fast becoming a reality that no modern army in the world can defend its territory and people without strengthening and securing her cyberspace, on which government, commerce, and industry are highly dependent.

Asymmetrical Warfare

The Philippines, having lesser economic resources and military assets at her command to contend against an external enemy equipped with modern arsenals, is left without a choice but to bring the future battle to a manageable and winnable chance based on what she has. And that manageable and winnable chance is offered in the battle for control of the 5th Domain. Asymmetrical warfare, in this context, not only becomes an attractive proposition but also becomes a de facto major strategy.

Cybercrime Law: First Logical Step

Thus it follows that the country whose winnable chance in defending itself against a formidable foe is in cyberspace must begin to educate its leaders in this new reality and prepare the minds of the public in the ensuing strategies and policies of the state. And that strategy is seen in the passage of RA 10175. It is an understatement that the country’s passing of this law is not only the first important step, but the first, logical, and critical step in building her defense and assuring her people that the government is on top of the situation. For the government will be remiss not to use all the options available in defending her territory and people.

Cyber Patriots

If one perceived and/or imagined enemy has been reported to be training 28,000 cyber warriors, then preparing the Filipino patriots to defend the country in any way they can is not too much to ask in technology’s untried and untested times. The passage of the cybercrime law ushered in that era where cyberspace becomes not only a byword and a second nature to all, but also an active defense to social, economic, political, and national security threats.
National Security Implications

The implications of RA 10175 in national security are simple and obvious. We need it to open our eyes to the technology available to us and the strategy it offers. We have to wake up to the sad fact that we have inferior defense against a modern adversary. We need to convince all the leaders to get their acts together. The cybercrime law is not only a law to punish criminals and civil offenders, but also a law that places everybody on notice that WE have to ACT, and to act NOW, to confront first the criminal elements, then the emergent enemies of the state.

Revolution In Military Affairs

The Department of National Defense, the government agency constitutionally mandated to defend our territory, the state, and her people, welcomes RA 10175. For it will not only fast track the awareness level of our leaders and people on the criticality of the 5th Domain and the technology available to us in dealing with a more powerful adversary, but it will also prod the people to learn to engage this new technology in constructive ways and in conflict. Hence, we need to be inventive and creative in confronting national security challenges both in real mode and virtual mode in cyberspace. The recognition of this new paradigm and the AFP’s revolution in military affairs (RMA) that the ‘cyberspace awareness’ may consequently bring to the fore is an important, logical, and critical step towards staking our claim to independent nationhood.

Incipient Issue

There is a developing incipient concern that is doubtful. That concern is the cry of alarmists that the prevalence of critiques and objections to the cybercrime law will mushroom into a situation that may eventually affect national security. The contrary opinion on this issue, however, assumes that it is in the interest of the State to allow the healthy debate not only as a release valve but because, in a democratic country like ours, every voice must be heard. I believe that the noise that the Cyber Crime Prevention Act of 2012 generated will neither flourish in the shorter term nor in the longer term. The Filipino culture, our respect for authority, and the majority of the 100 million Filipinos, will serve as the enemy of our future enemies.

# # #
Fighting the Crime of the Future: Responding to the Challenges of Cybercrimes

Assistant Secretary Geronimo L. Sy
Department of Justice
_______________________________________________________________________________

ICT Impact on Crime and Security

Countries and states around the world today experience the endless challenges of the use and abuse of modern technology. Technology provides ease and comfort and the benefit of applying science to problems. It can also be used to harm humans and society. Our need for technology is evident in almost every aspect of our lives: health, education, economy, and governance and law enforcement. Leveraging technology for justice is a most novel and pressing need today.

As civilization influences, inspires, and forces the global population to upgrade and transcend the current state and quality of life, the Philippine government is now faced with the current challenge of coping with the strained capacity to provide protection to lives and justice for the people. Indeed, the internet is a promising zone for advanced communications and near limitless space for information and data sharing which authorities must engage, harness and optimize. When crimes or criminal behavior extend to cyberspace, the hand of the law must extend and operate to ensure the same level of protection and safety.

Cybercrime: The Crime of the Future

Cybercrimes are committed with or through the use of ICTs such as television, radio, cellular phone, computer and computer network, and other communication devices or applications. Cybercrimes are punishable under special cybercrime laws and subject to distinct law enforcement provisions. This much is acknowledged from a global perspective.

When compared to counterpart crimes committed in the physical world, multiple unlawful acts can be executed or performed by a single cybercriminal within a very short period of time, potentially affecting a vast number of users. In particular, for example in cases of child pornography, the spread of the illegal criminal material can easily reach a wider and more perverted audience. Culprits can hide themselves, their locations and identities because of the cloak of anonymity that is the internet. The impression that cyberspace is a zone of impunity that is beyond the law or regulation is not misplaced.
There are various types and kinds of cybercrimes, based on the strictness and scope of categorization. The International Convention on Cybercrime (CoC),1 the first international treaty that seeks to address computer and internet crimes through international cooperation, categorizes cybercrime offenses into four: (1) offenses against the confidentiality, integrity and availability of computer data and systems; (2) computer-related offenses; (3) content-related offenses; and (4) offences related to infringements of copyright and related rights.2

Cybercrimes in the Philippines

In a 2010 report of the security software firm Symantec, 87% of Filipino internet users were identified as victims of crimes and malicious activities committed online. These activities were: (1) malware (virus and Trojan) invasion; (2) online or phishing scams; (3) sexual predation; and (4) services in social networking sites like Facebook and Twitter.

Since its creation in 2003, the Anti-Transnational Cyber Crimes Division of the Criminal Investigation and Detection Group (ATCCD-CIDG) in the Philippine National Police (PNP) has already investigated 2,778 cybercrime cases.3

ATCCD-CIDG Cyber Crime Cases Investigated Statistics, CY 2003-2012

Year          2003  2004  2005  2006  2007  2008  2009  2010  2011  2012
No. of Cases  30    50    155   523   171   300   268   286   433   562

Cybercrime Convictions

The first case of ‘cybercrime’ in the Philippines in recent times was in 2000 with the onset of the “I Love You” virus. The case filed against De Guzman was dismissed at the first stage because there was no law punishing the deed as of that time in May 2000, in the Philippines.4

On 14 June 2000, Republic Act 8792 or the Electronic Commerce Act was signed into law. The E-Commerce Act positioned the Philippines as the third country to enact an e-commerce law, next to Singapore and Malaysia. It placed the Philippines on the list of countries which penalize cybercrime.

The first cybercrime conviction was in September of 2005, in a case which was filed by the PNP-CIDG. The accused was convicted for hacking of the government portal “gov.ph” and other government websites.5 A case investigated by the National Bureau of Investigation (NBI) led to the second cybercrime conviction in 2006. The accused was employed in a business process outsourcing (BPO) provider in the country and illegally secured credit card information from the company’s sister firm. The said cases were the only cybercrime convictions in the Philippines which were secured under the provisions of the E-Commerce Law.6
Presently, cybercrime cases are still dealt with using existing cybercrime-related laws. These laws are as follows: RA 10173 or the Data Privacy Act of 2012; RA 9995 or the Anti-Photo and Voyeurism Act of 2009; RA 9775 or the Anti-Child Pornography Act of 2009; RA 9208 or the Anti-Trafficking in Persons Act of 2003; RA 8792 or the E-Commerce Act of 2000; RA 8484 or Access Devices Regulation Act of 1998; and RA 4200 or Anti-Wiretapping Law.

Cybercrime Prevention Act of 2012

President Benigno Aquino III signed into law RA 10175 or the Cybercrime Prevention Law on 12 September 2012, which adopted the basic approach of the CoC. It took effect on 3 October 2012 and was immediately challenged by 15 petitions which questioned the constitutionality of some of the law’s specific provisions, among others the sections on: cybercrime offenses (Sec. 4); inclusion of RPC and special laws-defined and penalized crimes and imposing higher penalty when these are committed through or with the use of ICTs (Sec. 6); real-time collection of traffic data (Sec. 12); restricting or blocking access to computer data (Sec. 19); and the provision on noncompliance (Sec. 20).

The Supreme Court subsequently issued a temporary restraining order (TRO) on the law on 9 October 2012. The TRO is set to last for a period of 120 days, ending on 6 February 2013, while oral argumentations are scheduled on 15 January 2013.

On the same date when the High Court issued a TRO, the Department of Justice (DOJ), in partnership with the Information and Communications Office of the Department of Science and Technology (ICTO-DOST), held the first ever cybercrime forum that was live-streamed on the internet. The forum was attended by different organizations and institutions from the government, private sector, media, academe, non-government organizations and civil society clubs.7 The forum sought to clarify misgivings about the law, and muster the support of various sectors and transform it into a multidisciplinary coalition that will help craft the implementing rules and regulations (IRR) of RA 10175.

International Cooperation

The Cybercrime Prevention Act is not a Filipino invention. Elsewhere in the world, like the United States, Japan, and European Union, there are existing policy models and template laws that are of great standard, and are endorsed for emulation and adoption. In our case, RA 10175 was largely based on the provisions of the CoC of the Council of Europe (COE).

The Philippines was invited to accede to the CoC in 2008. A cybercrime law like RA 10175 that is compliant with the provisions of the convention is primarily needed for the country to be a signatory to it.8 It is constructive for the country to be part of this very first International CoC because of the transnational support and cooperation that will be established and strengthened among the nations party to it.

The Justice Department is set to cooperate with the US Department of Justice (US DOJ), International Criminal Police Organization (INTERPOL), and European Police Office (EUROPOL), for mutual legal assistance and to work on extradition cases involving cross-border crimes.
    127ICT Development andCyber Security Reader The government must support the participation of our national law enforcement units in the Cybercrime Technology Information Network System along with 9 other cybercrime enforcement units in Asia namely China, Hong Kong S.A.R., India, Indonesia, Korea, Malaysia, Singapore, Thailand, and Japan.9 This further improves our linkages to fight cybercrimes. Discussion The Need for an Effective Anti-Cybercrime Law The policy aim of Cybercrime Prevention Act of 2012 is to establish and protect an ICT environment that would lead to a safe participation in the modern systems of exchange and provision of data and knowledge. It also aims to safeguard the integrity of the systems and networks of computers and communications, and databases, and protect the integrity, confidentiality, and availability of information and data stored within from abuse and misuse. Furthermore, it aims to strengthen the cooperation of Philippine anti-cybercrime authorities and bodies with their counterparts in other countries. The law also provides empowerment and mandate, to the LEAs such as the NBI and PNP with regard to the collection, recording, preservation, disclosure, search and seizure, custody, and destruction of electronic information or data. The law also states as a requirement the cooperation and assistance that service providers10 should give to LEAs in relation to the said enforcement and implementation functions. AlthoughtheoriginalintentofRA10175istofocusonpunishingthecorecybercrime offenses like cyberterrorism, hacking, phishing, child pornography and cybersex, our own legislative process resulted to the creation of a law that has a mixed up structure and imprecise phraseology, where the focus is held in disarray and distanced from its genuine intent. The enacted law has a provision that punishes online libel with a heavier penalty. 
This archaic provision of the law runs contrary to the growing international trend of decriminalization of libel that is in line with the Philippine government’s mandate to protect and promote the civil and political rights of its people.11 The law also has a provision on cyber-squatting that should not be part of a major penal legislation on cybercrime but of another piece of statute or public-private partnership efforts. The legislation also confuses cybercrime with cybersecurity, even though the two are different concepts and have a lot of separate areas of concern. Cybercrime is a penal legislation while cybersecurity is an information technology (IT) policy framework.12 It would have been better if the Congress had passed separate bills on cybercrime and cybersecurity to give clearer focus on the importance of each of the major ICT concerns. The provision on cybersex13 makes prostitutes and sexually exploited and trafficked women liable to the law. This provision, among other provisions discussed in this paper, needs to be clarified in the IRR once the suspension of the law’s implementation is lifted.
Furthermore, RA 10175 also punishes all crimes under the Revised Penal Code (RPC) and other special laws which are committed through and with the use of ICTs with penalties one degree higher than those provided for by those laws.14 The philosophy of the law15 of meting out heavier punishment for people who use modern technology for crimes is already out-of-date, for even the government itself can have the advanced technological capability to seize law violators and combat State enemies. Moreover, that provision does not recognize the Philippine society’s rapid and radical transformation in the direction of the digital era.

The law must not deviate from its original purpose. A cybercrime prevention law should punish ICT crimes which were not covered and anticipated by the RPC and other special laws.16

[Figure: The timeline of cybercrime legislation, with markers at 1932, 1960s, 2000 (E-Commerce Act) and 2012, and the labels Revised Penal Code, Special Penal Laws and Cybercrime.]

A cybercrime prevention law should be used against transnational organized crimes and national criminal syndicates, and not against the principled media, not against the exploited and abused victims, and not against the law-abiding everyman who exercises his right to free speech and expression.17

DOJ’s Comprehensive Implementation Plan18

Substantially formulated between 2006 and 2007, and finalized after the first International Cybercrime Conference (ICC), a consolidated cybercrime bill was produced after weaving and harmonizing the provisions of numerous versions of the bill. The government then created the ICT legislation strategy which aims to adopt a three-pronged approach in crafting ICT-related laws to highlight priority areas with a consideration of the dynamics of passing ICT-related bills. The three domains are data privacy, cybercrime and cybersecurity.
[Figure: The three-pronged approach of ICT legislation strategy. Labels: Int’l Cybercrime Conference (2007); Data Privacy, Cybercrime, Cybersecurity.]

The DOJ participated in the crafting of the Data Privacy Act, which the President signed into law on 15 August 2012. What followed was the enactment of RA 10175 but not without challenges and difficulties as explained previously. RA 10175 designates DOJ as the central authority for the implementation of the law that entails international mutual assistance and cooperation in prevention and investigation of cybercrimes which naturally cut across borders.19

Once fully operational, the DOJ Office of Cybercrime20 shall achieve the following tasks and steps:

1. Creation of a Joint Investigation Manual for Law Enforcement and Prosecutors
2. Creation of a Question-and-Answer Guide on Cybercrime
3. Issuance of a DOJ Guide on Electronic Evidence including a directory of specialized forms
4. Accession to the CoC of the COE.
5. Building of a network of investigators, prosecutors and state counsels nationwide for timely response to cybercrime incidents.

Due to the nature of cybercrime and the growing threat it poses to the institutions of society and to the aspects of nation-building, a united front composed of various sectors coming from different community levels is an ideal formation against cybercrimes. Local task forces and anti-cybercrime report and monitoring centers are envisioned to be created through the partnership of civil society and our police forces. Information, education and communication (IEC) campaigns for cybercrime awareness and prevention are to be held by businesses, schools and media for their own constituents, and conducted with resource support from the anti-cybercrime experts from the government and IT professionals’ organizations. There shall also be clear guidelines and rules for cooperation between service providers and LEAs in order to develop mutual and beneficial relationships between the parties.

World without Crime or Cybercrime?

There is no such thing as a perfect crime, and likewise no perfect cybercrime. These crimes will surely leave traces and details which will inevitably lead cybercrime investigators, police forces, and courts of our justice system to pursuing, prosecuting, and convicting cybercriminals.
Equally, there is no such thing as a perfect law that can absolutely annihilate and prevent cybercrimes. Laws are as good as their implementers. Effective laws shape themselves in the enforcement process; and a good system of laws and lawmaking is the one which accommodates changes and overhauls imperfections and deficiencies of existing laws based on evidence-based inputs and feedback from the enforcers of the law.

The optimum solution to combatting cybercrime and foiling its threats to society would be to embrace a proactive approach in the application of the law. There is a need for stepping up of community efforts and forging stronger cooperation between the LEAs and the society at large. Only then can we effectively secure ourselves from the abuse and misuse of ICTs. Only then could we aspire for a cybercrime-free society – a world that is future perfect.

# # #

Endnotes

1 Because the CoC was opened for signature on November 23, 2011 in Budapest, Hungary, it is also called the Budapest Convention on Cybercrime.
2 The categories of crimes specified are titles of cybercrime offenses stated in the text of the Budapest Convention on Cybercrime.
3 See Accomplishment Report of PNP Anti-Transnational and Cybercrime Division (ATCCD-CIDG) Provision of the E-Commerce Law.
4 See ATCCD-CIDG Chief Col. Gilbert C Sosa’s Country Report on Cybercrime.
5 Ibid.
6 The writer was responsible for the two cybercrime convictions as a young prosecutor in the Justice Department.
7 See news article “DOJ sets forum on cybercrime,” posted on DOJ website on 5 October 2012.
8 See Cybercrime legislation – country profile: Philippines, Council of Europe Project on Cybercrime.
9 See Accomplishment Report of PNP Anti-Transnational and Cybercrime Division (ATCCD-CIDG) Provision of the E-Commerce Law.
10 RA 10175 defines service providers as (1) “any public or private entity that provides to users of its service the ability to communicate by means of a computer system”; and (2) “any other entity that processes or stores computer data on behalf of such communication service or users of such service.”
11 See news article “Sec. De Lima welcomes Presidents’ stance on the possible decriminalization of libel and passage by Congress of the Anti-Enforced Disappearance Bill,” posted on the DOJ website on 18 October 2012.
12 See the presentation of the writer titled “Fighting Cybercrime, Fighting for Integrity in Cyberspace” during the 9 October 2012 Forum on Cybercrime Prevention Act that was hosted by the DOJ and the Department of Science and Technology.
13 RA 10175 refers to cybersex as “The willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for favor or consideration.”
14 See Section 6 of RA 10175.
15 See Article 14(20) of Chapter 4, Book 1 of the Revised Penal Code of the Philippines.
16 See statement of Justice Secretary Leila de Lima on the Cybercrime Prevention Act, posted on the DOJ website on 1 October 2012.
17 Ibid.
18 This subsection was part of a memorandum submitted by the writer to the Justice Secretary regarding the comprehensive plan of action of the DOJ Office of Cybercrime.
19 See Section 23 of RA 10175.
20 The writer was officially designated by the Justice Secretary as the Assistant Secretary-in-Charge for the Office of Cybercrime effective 01 October 2012 as per Department Order No. 816.

Sources

1. ASEAN-EU Programme for Regional Integration Support – Phase II (APRIS II)
2. Council of Europe, European Treaty Series – No. 185: Budapest Convention on Cybercrime
3. Department Order No. 816: Designation of Personnel for the Office of Cybercrime
4. DOJ sets forum on cybercrime, http://doj.gov.ph/news.html?title=DOJ%20sets%20forum%20on%20cybercrime&newsid=130
5. DOJ Statement on the Cybercrime Prevention Act, http://doj.gov.ph/news.html?title=DOJ%20Statement%20on%20the%20Cybercrime%20Prevention%20Act&newsid=129
6. Full Transcript of the Forum on Cybercrime Prevention Act of 2012, 9 October 2012
7. Memorandum for the Justice Secretary: Comprehensive Plan of Action for the DOJ – Office of Cybercrime
8. Norton Cybercrime Report for 2011, http://www.symantec.com/content/en/us/home_homeoffice/html/ncr/
9. Philippine National Police, Accomplishment Report of Anti-Transnational and Cyber Crimes Division (ATCCD-CIDG) on the Enforcement of Cybercrime Protection of the E-Commerce Law
10. Republic Act No. 10173: Data Privacy Act of 2012
11. Republic Act No. 10175: Cybercrime Prevention Act of 2012
12. Revised Penal Code of the Philippines
13. Sec. De Lima welcomes Presidents’ stance on the possible decriminalization of libel and passage by Congress of the Anti-Enforced Disappearance Bill, http://www.doj.gov.ph/news.html?title=Sec.%20De%20Lima%20welcomes%20Presidents’%20stance%20on%20the%20possible%20decriminalization%20of%20libel%20and%20passage%20by%20Congress%20of%20the%20Anti-Enforced%20Disappearance%20Bill&newsid=134
14. Sosa, Gilbert C., Country Report on Cybercrime: The Philippines (Paper)
15. Sy, Geronimo L., Fighting Cybercrime, Fighting for Integrity in Cyberspace (Lecture)
Key Structuring Principles in the Cybercrime Law Discourse

Ms Shirley Pelaez-Plaza, MNSA
Secretary General, NDCP Alumni Association, Inc.

Closing Remarks presented during the Cybercrime Act and its Implication to National Security on 6 October 2012 at the Honor Hall, NDCP, Camp General Emilio Aguinaldo, Quezon City.
_______________________________________________________________________________

The weeks that followed the promulgation into law of Republic Act 10175, also known as the “Cybercrime Prevention Act of 2012,” had been the most challenging and politically charged in the history of Philippine cyberspace. Upon the enactment of the controversial law, sentiments against it, or some of its provisions, came rushing in like a powerful tsunami that has swept both the executive and the legislative branches of government. Commentators, journalists, activists, members of the press, and a huge volume of netizens here and abroad expressed utter disgust toward the new law and toward those who have contributed to its eventual enactment.

If only to invite prodigious amount of attention to the complexities of cyberspace vis-à-vis the day-to-day workings of our people and nation, this Cybercrime Law really made great headway. Suddenly, Filipinos have become intensely interested in having a deeper appreciation of the nexus between and among the elements and influences of cyberspace, cybersecurity, criminality, constitutional rights, and politics. Netizens here in the Philippines and elsewhere have been closely following developments on this issue, indicative of the wide awareness on how such legislative handiwork will impact directly on their offline and online activities. Indeed, if there is any consolation to this massive uproar against Cybercrime Law, it must be the heightening of public attention on matters of public policy, national interest and security.
If we are to conduct ourselves in a very civilized and intelligent manner, everyone who has a stake in this issue should be able to clear out the fog and cut through the noise of knee-jerk reactions. We need to step back a little as we appreciate the bigger picture by looking both at the upsides and downsides of the Cybercrime Prevention Act relative to the basic tenets of our democracy, as well as the multitude of threats and opportunities that exist in cyberspace. In order to structure and further focus existing efforts to merge and reconcile conflicting viewpoints on the Cybercrime Prevention Act, there are three cardinal principles that must be observed at all times regardless of the ferocity of public debates and pressures. First, freedom of expression is a core element in a vibrant democracy. Our Constitution is a monumental testament to how this nation suffered from and reacted to a regime that had suppressed a long list of inalienable rights for a very long time. The framers
of the 1987 Constitution, guided by the spirit of that time, placed great emphasis on the nation’s desire to preserve elemental rights and freedoms, including freedom of expression. There can be no debate about the fact that freedom of expression is one of the basic foundations upon which our democracy flourishes. When one is free to express his or her opinion on just about anything without undue malice, public policies and governance are effectively enriched and well informed. Feedback mechanisms brought about by this basic freedom put pressure on government officials, both elected and appointed, to ensure that a healthy and vibrant Philippine democracy lives on. To take away such basic freedom is a regrettable betrayal of the sacrifices of those who worked and died for it, and a step backwards in our collective and continuous effort to nurture our relatively young democracy.

Second, vagueness in the law opens the legal gate for malevolent interpretations. Since the news of the enactment of RA 10175 broke out, much of public indignation centered on its shadowy provisions whose potential to wreak havoc on our constitutionally guaranteed rights sends a chilling effect especially on those whose professions, passions, and interests find safe refuge in cyberspace. Because of the perceived vagueness of some of its provisions and the bothersome implications to law enforcement, the online and offline public felt a great measure of anxiety, most especially on how the executive branch will interpret, substantiate, and execute the law. Such palpable confusion in the minds of the educated public sits at the very heart of the debate. Those who have expressed reservations to this law rightly called the attention of its crafters, urging them to be more precise in the parameters and standards contemplated by RA 10175.
These undefined and unrefined provisions constitute the “black holes” that had sapped the law of most, if not all, of its credibility. Should policy-makers fail to plug these holes, the public will really find it extremely difficult to appreciate its other good and well-intentioned provisions.

Third, no amount of public disgust can ever justify the cowardly acts of online vandalism and hacktivism. The public must be strongly discouraged against the temptation to admire those who deface government websites as a way to express opposition to a very unpopular law. Although it is commendable that the public is very much engaged in this issue, it also must be ensured that they are equally informed about the nuances and merits of the law they so despise. RA 10175 also seeks to go after those cyber predators that thrive in child pornography, identity theft, cyber-squatting, hacking, and other unpleasant acts. Apparently, unscrupulous hackers take advantage of widespread contempt against certain provisions of the law in order to push for the wholesale scrapping of RA 10175, which, for sure, will track them down someday. It is indeed mortifying that hackers, amidst the fury over the RA 10175 and under the banner of fighting for freedom, victimized government websites whose functions are very crucial in the day-to-day workings of our economy and the delivery of basic
services. What is even more bothersome is that some, if not many, of our netizens seem to have even come to the defense of these wrongdoers. It must be emphasized that the passion to defend basic rights should never eclipse fair and intelligent discussion of the issues. All opposition to this law, or any other law for that matter, must be expressed through proper means and channeled to the right forum. Dastardly acts of hacking and defacement cannot blur the unmistakable boundary between intelligent discourse and barbaric saber-rattling.

These important principles must be taken to heart by those who genuinely intend to take part in fruitful and civilized public debates.

The controversy about the Cybercrime Prevention Act presents another channel by which the people can influence policies with direct impact on national security. The security landscape has significantly evolved to include a wide array of issues that defy the traditional notion of security. As the influences of cyberspace percolate through all of the aspects of our individual lives and national security, it is therefore imperative to make sure that this gift of modern technology and human ingenuity will always serve to protect the people’s collective interests, societal values, and national security.

It should not be mistaken that there are those who really seek to sow destruction and chaos in cyberspace, for they know that much of our day-to-day workings depend on it. These dangerous elements are not a figment of anyone’s imagination; they really do exist. Thus, the country cannot afford to let cyberspace fall into the hands of those who seek to pursue malicious and pernicious ends vis-à-vis national security.

This Cybercrime Prevention Act is a stark manifestation of a work in progress – a work that should be seen as a sum total of our desire to protect not just the individual citizen, but also the nation. As relevant stakeholders continue to debate on the matter, it should never escape our consciousness that ours is a free and democratic country, faced with a slew of cyber threats. Everyone should be hopeful that the nation can arrive at something way better – something that is more responsive to cyber threats and more observant of our democratic credentials.

# # #
New Frontiers In CyberSecurity: Its Adverse Impacts in the Philippines and ASEAN Region

Prof Chester B Cabalza MNSA
Module Director (NSA 204), NDCP
_______________________________________________________________________________

The second decade of the 21st century has beckoned rapid and massive importance of the information age. The boom of the internet, social media, wireless and “4G” technologies, or the new media, and other forms of Information and Communications Technology (ICT), have indeed inescapably transformed today and tomorrow’s pace of living. The birth of the “dotcom” era likewise decongests and shrinks the world into a global village. In effect, cybercriminals vis-à-vis cyber terrorists have learned and acquired sophisticated technology, and exploit it as a new weapon of mass destruction. Furthermore, cyber security1, inclusive of cybercrime and cyberterrorism, forms part of the human-induced disasters in the crisis management discourse.2

As information and communication technology continue to invade and pervade human life, the risks for cybersecurity, without doubt, will continue to grow. Certainly, the use of technology by cybercriminals and cyberterrorists in attacks is plausible. Our very global way of life depends on the secure and safe operations of critical systems that depend on the cyberspace. Precisely, ensuring cybersecurity requires a high degree of competency and technical expertise from both government and private sectors and other concerned agencies.3

Cognizant of the imminent dangers caused by the emergence of cybersecurity as one of the security concerns that the ASEAN region must address and confront, the nature of top security issues in Southeast Asia are more or less transnational, encompassing more than one country.
It is also a crisis management4 dilemma which may involve plans and institutional arrangements to engage and guide the efforts of government, non-government, voluntary and private agencies, in comprehensive and coordinated ways to respond to the spectrum of crisis needs.

However, much of this does not mean that Southeast Asia’s resurgence can be attributed to a relatively stable regional security situation which set the stage for continued integration of the region’s economies. Nevertheless, this does not mean that the ASEAN region does not face significant security challenges. Being part of the larger regional security complex of the Asia-Pacific, it also faces a wide range of traditional, non-traditional, and transnational challenges. One of these, obviously, is the complexity of cybersecurity. The challenges, both old and new, affect the security interests of all nation-states in the region, and because of the increasing economic significance of Asia, that of
nations around the world. The transnational nature of cybersecurity underscores the need for transborder cooperation and dialogue since this threat cannot be solved by any one nation.

The Power of Social Media in Southeast Asia

Southeast Asia is ably considered as one of the promising techno hubs for young and gadget-oriented consumers in the world. With a population of over half a billion hip, young and dynamic people and a growing economy, it is only fitting to admit that this region will have tremendous contributions and adaptations to the interactive and high-tech world of social media. Expectedly, there are also dangers caused by the phenomenal success of social networks in the region’s cybersecurity infrastructures.

Social Media is defined as a group of new kinds of online media, which shares most or all of the following characteristics: it [1] encourages participation, [2] is open to feedback, [3] is a two-way conversation, [4] forms communities, and [5] thrives on connectedness (Mayfield, 2008). Henceforth, social media has created, mobilized, and demonstrated waves of consciousness and action that reach much more people than traditional industrial media. As much as social media has the ability to draw together mass involvement in a personalized way, it also does so in an unsupervised manner, thus crafting it as a potential threat to human security. Consequently, this formulates social media to be a tool that both augments and degrades human security (Romero, 2009) with leveled off boons and banes of cybersecurity landscapes in the current deterritorialized playing field.

A 2012 report released by Nielsen revealed that social media receives a strong trust rating among consumers in the ASEAN region particularly in Vietnam, Thailand, the Philippines, and Indonesia.
Accordingly, although television still reigns (9 out of 10 people in Southeast Asia watch “Free to Air TV”), online has grown rapidly in reach and influence in the last decade.5 Others would believe that there are benefits of social media marketing that include the following: [1] it generates exposure for the products/business, [2] it improves web traffic and the opportunity to build new partnerships, and [3] it generates qualified leads.

In the sphere of social media to date, Twitter, a popular microblogging service that was launched in July 2006, claims popularity based on userbase in the world, topping all other social networking services. A report by the social media monitor Semiocast revealed that in the “Twitterverse” two Southeast Asian countries, namely Indonesia, which ranks in 5th spot, and the Philippines, which places in 10th spot, are hooked to Twitter’s ever growing 517 million users based on the worldwide rankings (Montecillo, 2012).

Initially, it was Facebook that held the most popular spot among the social networking sites around the world, having 835,525,280 users as of 31 March 2012. The Wall Street, which purports to offer analysis and commentary for investors, proclaimed the Philippines as the “Social Networking Capital of the World” (Hamlin, 2011). Furthermore, in a 2008 study conducted by McCann Universal, Filipino netizens ranked: first in social networking, first in sharing photos, first in viewing videos, second to South Korea in reading blogs, second to Brazil in sharing videos, fourth in writing blogs,
fourth in downloading podcasts, and sixth in using RSS/feeds. Accordingly, email (63%), instant messaging (63%), and search (58%) are the most common online activities for Filipino internet users with social network site usage at (51%).6

Reasonably, the Philippines is leading other member-countries of ASEAN in examining conscientiously many pivotal issues of cybersecurity threats in the region. Having recently achieved the newly-industrialized country status, our country is now becoming a hot player and emerging powerhouse in the global village’s playing field when it comes to ICTs. It is now ranked as the global topnotch for Business Process Outsourcing (BPO) in the voice sector; still considered as the “texting” or SMS capital and one of the active hot players in social networking around the world. Previously, the Philippines was cited in 2002 by Global New Economy Index of the Meta Group for its “excellent availability” of skilled IT workers with compliment for the Filipinos’ technical and business skills, such as in mainframes, minicomputers, and microcomputers, and for their technical and business skills in ICT projects.7

Thus with the expanding sphere of influence of social media worldwide, it has led many governments to acknowledge the power of social media to engage its citizens to participate in state-sponsored activities such as elections and policy-making. Now individuals with well-known reputations such as journalists have a well-established readership. Other individuals have emerged as “stars” within the political blogosphere, developing an established network of contacts and readers. Popularity is driven by group identity be it race, ethnicity, gender or sexual orientation. These blogs draw readers that are untapped by traditional media. Thus, blogs facilitate the creation of a network of like-minded individuals (Pole, 2010).
However, there are various social media governance issues that must be addressed, as pointed out by experts and practitioners, such as the following: [1] how should organizations regulate and manage the use of social media by their staff during work hours? [2] what sort of risks do organizations face, in terms of potential data loss, unregulated communication of confidential information and work time? [3] should social media sites be blocked or disallowed in government institutions and private firms as a whole? [4] how should the government address the use and abuse of social media in its campaign for transparency, fair and open exchange of information, and reducing corruption to ensure wise use of resources? and [5] how to define and adopt a social media policy, including roles and responsibilities, communications and training, and metrics and monitoring? (Malacaman, 2010).

New Forms of Cybercrimes

The cyberspace has led some government and private experts to conclude that cybercriminals are at the threshold of using the internet as a direct instrument of heinous crimes and bloodshed. The new threat bears little resemblance to familiar financial disruptions by hackers for viruses and worms (Cabalza, 2011).

The United States’ Federal Bureau of Investigation (FBI) recently estimated that the “lovebug”8 made by a Filipino student in 2000 has caused worldwide damage amounting to approximately USD$12 billion. Hence, threats to the financial systems will have dire consequences for nations’ ability to operate effectively and efficiently.9
Criminals look for easy prey. But states can combine the criminal hacker’s tricks, such as spear-phishing, with the intelligence apparatus to reconnoiter a target, the computing power to break codes and passwords, and the patience to probe a system until it finds a weakness. Computer bugs can bring down military email systems, oil refineries and metro trains derail, financial data are scrambled, and electrical grid goes down. As a matter of fact, cyber-espionage is the biggest intelligence disaster since the loss of the nuclear secrets.10

The Economist report divulged that about nine-tenths of the 140 billion e-mails sent daily are spam; of these about 16% contain money-making scams, including “phishing” attacks that seek to dupe recipients into giving out passwords or bank details. The amount of information now available online about individuals makes it even easier to attack a computer by crafting a personalized e-mail that is more likely to be trusted and opened; and this is known as “spear-phishing”.11

The Philippines’ National Bureau of Investigation (NBI) had handled 30 various cybercrime cases as of 2005. These would include the following: computer fraud, internet pornography, hacking, computer emails, violation of the E-commerce law, and verification.12

Partly a primary cause of alarm is the reality that cybercrimes are new forms and tools of destruction and explosives or other deadly weapons. It can violate one’s freedom to life, liberty, property, and security. Furthermore, the resources to launch cyber attacks are very easy to access and one may not even know the attack has taken place until only sometime after it was launched.
In April 2012, a two-man Philippine contingent, including the author himself, had proposed the inclusion of cybersecurity as one of the top security threats in Southeast Asia, after which he drafted the Chairman’s Report on the adoption of cybersecurity in the Fifth Meeting of ASEAN Defence and Security Institutions (NADI) at Siem Reap in the Kingdom of Cambodia.

In the said 5th NADI Chairman’s Report,13 participants made a consensus pronouncement on the issue of cyber security to call for a collective action to look at the problem of jurisdiction and lack of harmonization of laws related to cybersecurity in ASEAN countries. The presence of such harmonization would enable effective prosecution of cyber criminals. ASEAN needs to build cooperation and networks for intelligence reports, on a voluntary basis, among member-countries, including governments and private sector cooperation. This is to increase intensive research on the security of the region’s cyber infrastructures to minimize duplication of efforts.

But legally speaking, what happens when enacted laws on cybercrimes become disharmonized? A case in point is the Philippines’ Republic Act No. 10175, otherwise known as The Cybercrime Prevention Act of 2012, which has been labeled as one of the highly controversial cybercrime laws enacted in Southeast Asia on a wider scale related to cybercrimes that was recently implemented but currently withheld. The hyperbole of calling it as the “Digital Martial Law” recalls many of its flawed provisions that may threaten fundamental rights and freedoms with its repressive perspective and regressive view of technology.
The brawling debates over the new statute centered on cyberspace becoming a platform for the best and worst things that people can come up with when they are online. While it might be considered a hotbed of game-changing ideas and artistic expression, it has also turned into a breeding ground for trolls and cyberthugs engaged in various felonies.

Cyberterrorism as the Other Face of Cybersecurity

Cyber terrorism is any premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against non-combatant targets by sub-national groups or clandestine agents.14

However, my initial theoretical framework as a social scientist on terrorism, with cyberterrorism as one of its domains, rests on the premise that Anderson’s (1983) historical examination of the concoction of nationalism seems to have merit. In his analysis, he leaves open the idea that “imagined communities” is an ongoing and dynamic process. His framework lays the foundation for future examinations of “imagined communities” in new forms, which could be transformed into a virtual reality now that the incursion of ICT via the borders of cyberspace is being felt.15

In Southeast Asia alone, audio-visual and print media, and especially the internet, have now emerged as the principal medium to disseminate subversive ideologies. Intelligence reports suggest that this capability is used for communicating with terrorist cells in selected countries in the region as well as throughout the world, for gathering and mining intelligence targets, spreading propaganda, and for recruitment. The weapons of terrorism are no longer simply the guns and bombs that they always have been, but now include the mini-cam and videotape, editing suites and attendant production facilities, professionally produced and mass-marketed CD-ROMs and DVDs.
And most critically, the laptop and desktop computers, CD burners and email accounts, internet and worldwide Web access that have defined the information revolution today (Hoffman, 2006).

The appalling side of new media is the quiet emergence of hundreds of uncensored websites and social network sites that cling to rampant disinformation that may entice millions of netizens. Given that the information superhighway may trespass on a country’s sovereignty, and given that there is little regulation on the internet, hackers mete out wide-scale reparations and malicious, damaging software that can ultimately create havoc without fear of prosecution.16

Thus, the conjunction of 21st century internet and 21st century fanaticism has turned the world into a tinderbox. Virtually every terrorist group in the world today has its own internet web site and, in many instances, maintains multiple sites in different languages with different messages tailored to specific audiences (Brown, 2005).

The fluidity of cyberspace absorbed by the virtual regional or global community could succumb to further tension and deepen international debate caused by escalating schisms or differences among conflicting groups. This will also create a new online forum for worldwide information warfare and a novel force in transforming today’s virtual geopolitics in a fast deterritorializing world. Without much ado, cyberterrorists will grab every opportunity to foster their own ideals in the netscape’s increasing bastion of freedom of expression, which will resonate effectively with their supporters.
In addition, it would not be surprising if official government websites, usually hosted by sloppy private-industry Internet Service Providers (ISPs), invited increased espionage by cyberterrorists and massive electronic attacks due to the lack of security mechanisms on computer systems. Violations occur when an unauthorized user illegally accesses networked computers that he or she is forbidden to access. Recently, alien or foreign hackers and cyber attackers infiltrated some Philippine government sites.17 Thus, studies would show that there is leeway for them to scythe through even critical and vital military, commercial, or monetary institutions from remote locations to disrupt the free world’s defense and communications systems.

Possibly, attackers could hack into computer systems for information gathering or data altering, sabotage, and installing malicious codes. These malicious codes may take the form of Trojans, worms, and viruses. There are also deadly Distributed Denial of Service (DDoS) attacks, which employ “zombie” machines that are controlled by a master server and are more or less able to take down entire networks. Cyberterrorists could also apply information hiding by means of steganography, where one simply takes one piece of information and hides it within another picture or document. This well-planned strategy could cripple infrastructures and bog down key government sites and services.18

They have the clout to destroy and disrupt critical infrastructures in split seconds. With just a keystroke, one can deliver a fatal blow while sitting in an armchair thousands of miles away. That could pose greater threats across a wider gamut of annihilation, from a mere nuisance to a larger national security problem.
Jurisdictional Problems And Lack Of Laws On Cybersecurity

I still hold to my advocacy for collective action to look at the problem of jurisdiction and the lack of laws related to cybersecurity in Southeast Asia and other regional blocs in the world, which may impede investigations of cyber crimes and cyber terrorism. The task of enforcing laws would legitimize the prosecution and extradition of cyber criminals in a globalizing world and across transnational borders.

I am optimistic that cyber terrorism is now being fought at the international level; recently the UN Counter Terrorism Committee (UNCTC) is responsible for coordinating cyberterrorism-related response and information exchange. Meanwhile, legal and security practitioners must keep abreast of this emerging non-traditional security threat and must be trained conscientiously in the fast-changing fads of technology and the many surprises of the internet.

I would still suggest the same mechanisms I addressed in 2007 for the ASEAN member-countries to achieve a more responsive policy in a volatile and gullible security environment of cybersecurity. Southeast Asia, which has tremendously experienced different facets and prisms of terrorism, is now experiencing the effects of cybercrimes and cyberterrorism. Therefore, I propose that ASEAN countries should forge realistic agreements based on the following recommendations: [1] to build cooperation and networks for intelligence reports among ASEAN countries; [2] to engage in government and private cooperation. To undertake collaborative collection and analysis of cybersecurity
related information; [3] to increase intensive research on the security of the region’s cyber structures and minimize duplication of efforts; [4] to organize fora/forums for stakeholders (e.g. enforcers, prosecutors, and cyber users); and [5] to forge cooperation and international treaties initiated by governments and private cyber industries in the region, which are necessary mainly because cybercrime and cyberterrorism are multi-jurisdictional and cut across borders. Hence, there is a need to increase and ignite a high level of awareness on cybersecurity.

Conclusion

The regional security outlook in Southeast Asia is indeed faced with a wide range and/or combination of traditional, non-traditional, transnational, and crisis management challenges. The weight of cybersecurity, which I proposed and which was adopted as one of the top five security issues in the region19 during the Fifth Network of ASEAN Defense and Security Institutes (NADI), is an affirmation that cyber infrastructures apparently affect regional and worldwide security. Future norms on this emerging security threat in the region must be further enhanced now to lessen the burden of destruction of life, liberty, property, and security of individuals and nation-states.

Cybersecurity is a new battlefront considered unimaginable in the past, one which created a borderless world. Cyber attacks on a national scale can make or break a nation’s political and economic position. Nations with differences in policy and particular matters of state interest will look beyond the traditional means of solving disputes and resort to these cyber attacks. However, he still encouraged everyone to be unified and continue to strengthen collaboration not only with the private sector but also with global counterparts in gearing towards an improved resilience to cyber incidents and to proactively reduce cyber threats.
Through shared principles, countries in the region as well will build not only their stance as credible gatekeepers of cybersecurity but also as valuable guardians of national security (Binay, 2012).

In the end, the proper handling of related information through the use of various cyber investigative techniques is very significant in helping to eliminate or reduce such threats. Sustaining institutionalized cybersecurity programs in the Southeast Asia region will help to continuously develop and improve the competency and skills of leaders and law enforcers in confronting this international security threat.

Endnotes

1. Cybersecurity is the protection of data and systems in networks that are connected to the internet. See information security, as defined in http://www.newswithviews.com/Trinckes/john100.htm.
2. Cited from Chester Cabalza’s blog article on “Cyberterrorism and Its Implications on Global-Local Discourse in Southeast Asia,” uploaded in October 2009 at http://cbclawmatters.blogspot.com/2009/10/cyberterrorism-and-its-implications-on.html.
Originally presented in the 2nd Graduate Forum on Southeast Asia Studies, Asia Research Institute (ARI), National University of Singapore (NUS), July 26-27, 2007.
3. Ibid. The same texts are also quoted from the paper of the same author, presented in the 5th Meeting of the Network of ASEAN Defense and Security Institutes (NADI), entitled “Strengthening Institutionalized Security Cooperation Stemming from Transnational and Crisis Management Issues in the ASEAN Region,” page 9, held on April 1-4, 2012 in Siem Reap, Kingdom of Cambodia.
4. The working definition of Crisis Management is quoted from the glossary of the National Crisis Management Draft Manual of the Philippines’ National Security Council (NSC), page 12, in collaboration with the Development Academy of the Philippines (DAP) and the National Defense College of the Philippines (NDCP), 2012.
5. In Nielsen Holdings’ The Asia Media Landscape is Turning Digital, accessed from http://www.nielsen.com/content/dam/corporate/au/en/reports/2012/changing-asian-media-landscape.
6. In Tonyo Cruz’s The Philippines’ Social Media and Mobile Statistics, accessed from http://tonyocruz.com/?p=22866.
7. Cited in http://cbclawmatters.blogspot.com/2010/02/hot-cyberparks-in-philippines.html.
8. In 2000, a solitary cyber law pertaining to the internet and electronic communications was implemented in the Philippines, called Republic Act 8792 and known as the Electronic Commerce Act or E-Commerce Act, which was signed into law in June of that same year after the I Love You worm proliferated in the United Kingdom (UK) from the Philippines. At that time, there was no law yet to penalize an offender for such perpetration.
9. In the PowerPoint presentation of Rear Admiral Vicente Agdamag (Ret) on Cybercrime: How it Affects National Security, template number 9, in the Cybersecurity Forum at NDCP, February 26, 2012.
10. Ibid. A case in point is the fiasco on the global Wikileaks.
11.
The Economist, Cyberwar: War in Fifth Domain at http://www.economist.com/node/16478792.
12. Because of the evolving domains of cybersecurity, Senator Santiago in 2009 passed a bill in the Senate called Cybernet Peeking, after the sexual videos of popular celebrities in the country went viral. If passed into law, it would punish violators (uploaders) for two crimes: (1) capturing photos and/or videos of the sexual act without the partner’s consent, and (2) broadcasting these publicly without the consent of the aggrieved party (even if s/he consented to recording the act for private viewing). Three years after, the Cybercrime Prevention Act of 2012 is now a newly enacted statute after the bicameral conference committee approved the consolidated versions of the measure from the Senate and the House of Representatives, using the Senate version of the bill as its working draft. This covers offenses such as hacking, identity theft, cyber-squatting, cyber-bullying, illegal access, child pornography, defamation and other internet-related crimes and seeks to establish a legal framework
for the investigation, apprehension, and prosecution of cyber criminals (Cybercrime Act Consolidated Versions Okayed, Manila Bulletin, dated June 8, 2012, http://www.mb.com.ph/articles/361474/cybercrime-act-consolidated-versions-okayed).
13. The full text of the Chairman’s Report of the 5th Meeting of Track II Network of ASEAN Defence and Security Institutions (NADI) can be downloaded at http://www.rsis.edu.sg/nadi/pdfs/nadi5/Final%205th%20NADI%20of%20chairman’s%20report.pdf.
14. Definition presented by the Federal Bureau of Investigation (FBI), available at http://www.crime-research.org/articles/putting_cyberterrorism.
15. Cited from Chester Cabalza’s paper on Deconstructing Human Security in the Philippines, which won the SMI-IFSSO Prize for Social Science Award (an international recognition) from the International Federation of Social Science Organizations in 2011 for his legal propositions to amend the anti-terrorism law in the Philippines.
16. In Chester Cabalza’s blog article on Cyberterrorism and Its Implications on Global-Local Discourse in Southeast Asia.
17. With the escalation of conflict on the contested Scarborough Shoal between China and the Philippines, Chinese and Filipino “hacktivists” recently engaged in a raging battle online, rendering Philippine government sites inaccessible for some time.
18. In reference to the examples cited from the training manual entitled Investigating Cyberterrorism by the US Department of State.
19. The top five security issues identified in the 5th NADI Meeting, which is an annual meeting of member-countries in the ASEAN, are the following: Water and Food Security, Maritime Security, Disaster Relief and Management, Terrorism and other Transnational Crimes, and Cybersecurity.

References

A. Books / Academic Articles / Training Manual

Anderson, B., (1983). Imagined Communities: Reflections on the Origin and Spread of Nationalism, London: Verso.
Cabalza, C., (2011).
Deconstructing Human Security in the Philippines, page 3, International Federation of Social Science Organizations (IFSSO).
Cabalza, C., (2011). Luwaran.com: Mouthpiece of the Bangsamoro in Southern Philippines, page 154, Asian Politics and Policy, Volume 3, Number 1, Wiley-Blackwell.
National Security Council, (2012). National Crisis Management Manual (Draft), page 12, in collaboration with the Development Academy of the Philippines (DAP) and National Defense College of the Philippines (NDCP).
Pole, A., (2010). Blogging the Political, page 8, New York: Routledge.
Romero, S., (2009). Social Media and Human Security, page 35, National Defense College of the Philippines, Quezon City.
US Department of State and US Embassy Manila, (2006). Investigating Cyberterrorism (A Training Manual), in cooperation with NDCP, Quezon City.

B. Speeches / PowerPoint

Agdamag, V., (2012). Cybercrime: How it Affects National Security, powerpoint template numbers 4 and 9, Cybersecurity Forum, National Defense College of the Philippines, Quezon City.
Binay, J., (2011). Speech at the seminar-workshop entitled Seminar Towards Information and Communications Technology Development (ICTD) and Cybersecurity Enhancement, National Defense College of the Philippines, Quezon City.
Hoffman, B., (2012). The Use of the Internet by Islamic Extremists, Testimony before the Permanent Select Committee on Intelligence, U.S. House of Representatives.
Malacaman, J., (2010). Social Media in Information Security: Lessons and Issues, powerpoint template numbers 7-10, National Defense College of the Philippines, Quezon City.

C. News Articles / Blogs / Websites

Brown, T., (2010). Death by Error. The Washington Post. Retrieved November 19, 2010 from http://ics.leeds.ac.uk/papers/vpo1.cfm?outfit=pmt&requesttimeout=500&folder=891&paper=2368.
Cabalza, C., (2009). Cyberterrorism and its Implications on Global-Local (Glocal) Discourse in Southeast Asia, http://cbclawmatters.blogspot.com/2009/10/cyberterrorism-and-its-implications-on.html
Cabalza, C. (2010). Cyberparks in the Philippines, http://cbclawmatters.blogspot.com/2010/02/hot-cyberparks-in-philippines.html.
Federal Bureau of Investigation (2007), Cyberterrorism, http://www.crime-research.org/articles/putting_cyberterrorism/
Hamlin, M.A. (2011).
The Philippines: Now the World’s BPO and Social Networking Capital, The Manila Bulletin, 18 May 2011, accessed from http://www.mb.com.ph/articles/318677/the-philippines-now-world-s-bpo-and-socialnetworking-capital.
Mayfield, A., (2008). What is Social Media? E-book from iCrossing, accessed from http://www.icrossing.co.uk/fileadmin/uploads/eBooks/What-is-Social-Media-iCrossing-ebookk.pdf.
Montecillo, P. (2012). Philippines has 9.5M Twitter Users, Ranks 10th, Philippine Daily Inquirer, accessed from http://technology.inquirer.net/15189/philippines-has-9-5m-twitter-users-ranks-10th.
Torregoza, H., (2012). Cybercrime Act Consolidated Versions Okayed, Manila Bulletin, dated June 8, 2012, http://www.mb.com.ph/articles/361474/cybercrime-act-consolidated-versions-okayed.

_____________________

Professor Cabalza is the Module Director for the Socio-Cultural Dimension of National Security at the NDCP, and concurrently works as the Supervisor of the Academic Support Section. He obtained his BA Anthropology (2001) and MA Asian Studies (2008) from the University of the Philippines and at the same time works part-time as a Senior Lecturer in the graduate and undergraduate programs of the Department of Anthropology in UP Diliman. He became a Fellow of the PLA National Defense University in Beijing, China (2011). He also sits as a member of the Board of Trustees and Chairman of Research and Special Projects of the Ibanag Heritage Foundation, Inc (IHFI). He maintains a blog aptly called “Law and Society” at http://cbclawmatters.blogspot.com/. His blog follows the principle of lex et societies and contains research papers, commentaries, case digests, laws and jurisprudence, virtual ethnography, and essays on domestic and foreign issues. As a scholar, he has presented his papers in various international and local academic fora and published scholarly articles in peer-reviewed domestic and foreign journals. He was a recipient of the Angara Scholarship Award in UP Diliman (2006-2008) and the Southeast Asian Regional Exchange Program (SEASREP) by the Japan Foundation (2000). In 2011, he won the SMI-IFSSO Prize for the Social Sciences Award (an international recognition) for his legal propositions to amend the anti-terrorism law in the Philippines.
Prof Cabalza also wrote the Political Dimension of National Security (International) Module for the e-distance learning of the MNSA.
References
S. No. 2796
H. No. 5808

Republic of the Philippines
Congress of the Philippines
Metro Manila

Fifteenth Congress
Second Regular Session

Begun and held in Metro Manila, on Monday the Twenty-fifth day of July two thousand eleven.

[Republic Act No. 10175]

AN ACT DEFINING CYBERCRIME, PROVIDING FOR THE PREVENTION, INVESTIGATION, SUPPRESSION AND THE IMPOSITION OF PENALTIES THEREFOR AND FOR OTHER PURPOSES

Be it enacted by the Senate and House of Representatives of the Philippines in Congress assembled:

CHAPTER I
PRELIMINARY PROVISIONS

SECTION 1. Title. — This Act shall be known as the “Cybercrime Prevention Act of 2012”.

SEC. 2. Declaration of Policy. — The State recognizes the vital role of information and communications industries such as content production, telecommunications, broadcasting electronic commerce, and data processing, in the nation’s overall social and economic development. The State also recognizes the importance of providing an environment conducive to the development, acceleration, and rational application and exploitation of information and communications technology (ICT) to attain free, easy, and intelligible access to exchange and/or delivery of information; and the need to protect and safeguard the integrity of computer, computer and communications systems, networks,
and databases, and the confidentiality, integrity, and availability of information and data stored therein, from all forms of misuse, abuse, and illegal access by making punishable under the law such conduct or conducts. In this light, the State shall adopt sufficient powers to effectively prevent and combat such offenses by facilitating their detection, investigation, and prosecution at both the domestic and international levels, and by providing arrangements for fast and reliable international cooperation.

SEC. 3. Definition of Terms. — For purposes of this Act, the following terms are hereby defined as follows:

(a) Access refers to the instruction, communication with, storing data in, retrieving data from, or otherwise making use of any resources of a computer system or communication network.

(b) Alteration refers to the modification or change, in form or substance, of an existing computer data or program.

(c) Communication refers to the transmission of information through ICT media, including voice, video and other forms of data.

(d) Computer refers to an electronic, magnetic, optical, electrochemical, or other data processing or communications device, or grouping of such devices, capable of performing logical, arithmetic, routing, or storage functions and which includes any storage facility or equipment or communications facility or equipment directly related to or operating in conjunction with such device. It covers any type of computer device including devices with data processing capabilities like mobile phones, smart phones, computer networks and other devices connected to the internet.

(e) Computer data refers to any representation of facts, information, or concepts in a form suitable for processing in a computer system including a program suitable to cause a computer system to perform a function and includes electronic documents and/or electronic data messages whether stored in local computer systems or online.

(f) Computer program refers to a set of instructions executed by the computer to achieve intended results.

(g) Computer system refers to any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automated processing of data. It covers any type of device with data processing capabilities including, but not limited to, computers and mobile phones. The device consisting of hardware and software may include input, output and storage components which may stand alone or be connected in a network or other similar devices. It also includes computer data
storage devices or media.

(h) Without right refers to either: (i) conduct undertaken without or in excess of authority; or (ii) conduct not covered by established legal defenses, excuses, court orders, justifications, or relevant principles under the law.

(i) Cyber refers to a computer or a computer network, the electronic medium in which online communication takes place.

(j) Critical infrastructure refers to the computer systems, and/or networks, whether physical or virtual, and/or the computer programs, computer data and/or traffic data so vital to this country that the incapacity or destruction of or interference with such system and assets would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of those matters.

(k) Cybersecurity refers to the collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.

(l) Database refers to a representation of information, knowledge, facts, concepts, or instructions which are being prepared, processed or stored or have been prepared, processed or stored in a formalized manner and which are intended for use in a computer system.

(m) Interception refers to listening to, recording, monitoring or surveillance of the content of communications, including procuring of the content of data, either directly, through access and use of a computer system or indirectly, through the use of electronic eavesdropping or tapping devices, at the same time that the communication is occurring.

(n) Service provider refers to:

(1) Any public or private entity that provides to users of its service the ability to communicate by means of a computer system; and

(2) Any other entity that processes or stores computer data on behalf of such communication service or users of such service.

(o) Subscriber’s information refers to any information contained in the form of computer data or any other form that is held by a service provider, relating to subscribers of its services other than traffic or content data and by which identity can be established:

(1) The type of communication service used, the technical provisions taken thereto and the period of service;

(2) The subscriber’s identity, postal or geographic address, telephone and other access numbers, any assigned network address, billing and payment information, available on the basis of the service agreement or arrangement; and

(3) Any other available information on the site of the installation of communication equipment, available on the basis of the service agreement or arrangement.

(p) Traffic data or non-content data refers to any computer data other than the content of the communication including, but not limited to, the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.

CHAPTER II
PUNISHABLE ACTS

SEC. 4. Cybercrime Offenses. — The following acts constitute the offense of cybercrime punishable under this Act:

(a) Offenses against the confidentiality, integrity and availability of computer data and systems:

(1) Illegal Access. – The access to the whole or any part of a computer system without right.

(2) Illegal Interception. – The interception made by technical means without right of any non-public transmission of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data.

(3) Data Interference. — The intentional or reckless alteration, damaging, deletion or deterioration of computer data, electronic document, or electronic data message, without right, including the introduction or transmission of viruses.

(4) System Interference.
— The intentional alteration or reckless hindering or interference with the functioning of a computer or computer network by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data or program, electronic document, or electronic data message, without right or authority, including the introduction or transmission of viruses.

(5) Misuse of Devices.

(i) The use, production, sale, procurement, importation, distribution, or otherwise making available, without right, of:

(aa) A device, including a computer program, designed or adapted primarily for the purpose of committing any of the offenses under this Act; or

(bb) A computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed with intent that it be used for the purpose of committing any of the offenses under this Act.

(ii) The possession of an item referred to in paragraphs 5(i)(aa) or (bb) above with intent to use said devices for the purpose of committing any of the offenses under this section.

(6) Cyber-squatting. – The acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation, and deprive others from registering the same, if such a domain name is:

(i) Similar, identical, or confusingly similar to an existing trademark registered with the appropriate government agency at the time of the domain name registration:

(ii) Identical or in any way similar with the name of a person other than the registrant, in case of a personal name; and

(iii) Acquired without right or with intellectual property interests in it.

(b) Computer-related Offenses:

(1) Computer-related Forgery. —

(i) The input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible; or

(ii) The act of knowingly using computer data which is the product of computer-related forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest design.

(2) Computer-related Fraud. — The unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system,
causing damage thereby with fraudulent intent: Provided, That if no damage has yet been caused, the penalty imposable shall be one (1) degree lower.

(3) Computer-related Identity Theft. – The intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right: Provided, That if no damage has yet been caused, the penalty imposable shall be one (1) degree lower.

(c) Content-related Offenses:

(1) Cybersex. — The willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system, for favor or consideration.

(2) Child Pornography. — The unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a computer system: Provided, That the penalty to be imposed shall be (1) one degree higher than that provided for in Republic Act No. 9775.

(3) Unsolicited Commercial Communications. — The transmission of commercial electronic communication with the use of computer system which seek to advertise, sell, or offer for sale products and services are prohibited unless:

(i) There is prior affirmative consent from the recipient; or

(ii) The primary intent of the communication is for service and/or administrative announcements from the sender to its existing users, subscribers or customers; or

(iii) The following conditions are present:

(aa) The commercial electronic communication contains a simple, valid, and reliable way for the recipient to reject
receipt of further commercial electronic messages (opt-out) from the same source;

(bb) The commercial electronic communication does not purposely disguise the source of the electronic message; and

(cc) The commercial electronic communication does not purposely include misleading information in any part of the message in order to induce the recipients to read the message.

(4) Libel. — The unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as amended, committed through a computer system or any other similar means which may be devised in the future.

SEC. 5. Other Offenses. — The following acts shall also constitute an offense:

(a) Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets or aids in the commission of any of the offenses enumerated in this Act shall be held liable.
(b) Attempt in the Commission of Cybercrime. — Any person who willfully attempts to commit any of the offenses enumerated in this Act shall be held liable.

SEC. 6. All crimes defined and penalized by the Revised Penal Code, as amended, and special laws, if committed by, through and with the use of information and communications technologies shall be covered by the relevant provisions of this Act: Provided, That the penalty to be imposed shall be one (1) degree higher than that provided for by the Revised Penal Code, as amended, and special laws, as the case may be.

SEC. 7. Liability under Other Laws. — A prosecution under this Act shall be without prejudice to any liability for violation of any provision of the Revised Penal Code, as amended, or special laws.

CHAPTER III
PENALTIES

SEC. 8. Penalties. — Any person found guilty of any of the punishable acts enumerated in Sections 4(a) and 4(b) of this Act shall be punished with imprisonment of prision mayor or a fine of at least Two hundred thousand pesos (PhP200,000.00) up to a maximum amount commensurate to the damage incurred or both.

Any person found guilty of the punishable act under Section 4(a)(5) shall be punished with imprisonment of prision mayor or a fine of not more than Five hundred thousand pesos (PhP500,000.00) or both.

If punishable acts in Section 4(a) are committed against critical infrastructure, the penalty of reclusion temporal or a fine of at least Five hundred thousand pesos (PhP500,000.00) up to maximum amount commensurate to the damage incurred or both, shall be imposed.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(1) of this Act shall be punished with imprisonment of prision mayor or a fine of at least Two hundred thousand pesos (PhP200,000.00) but not exceeding One million pesos (PhP1,000,000.00) or both.
Any person found guilty of any of the punishable acts enumerated in Section 4(c)(2) of this Act shall be punished with the penalties as enumerated in Republic Act No. 9775 or the “Anti-Child Pornography Act of 2009”: Provided, That the penalty to be imposed shall be one (1) degree higher than that provided for in Republic Act No.
9775, if committed through a computer system.

Any person found guilty of any of the punishable acts enumerated in Section 4(c)(3) shall be punished with imprisonment of arresto mayor or a fine of at least Fifty thousand pesos (PhP50,000.00) but not exceeding Two hundred fifty thousand pesos (PhP250,000.00) or both.

Any person found guilty of any of the punishable acts enumerated in Section 5 shall be punished with imprisonment one (1) degree lower than that of the prescribed penalty for the offense or a fine of at least One hundred thousand pesos (PhP100,000.00) but not exceeding Five hundred thousand pesos (PhP500,000.00) or both.

SEC. 9. Corporate Liability. — When any of the punishable acts herein defined are knowingly committed on behalf of or for the benefit of a juridical person, by a natural person acting either individually or as part of an organ of the juridical person, who has a leading position within, based on: (a) a power of representation of the juridical person provided the act committed falls within the scope of such authority; (b) an authority to take decisions on behalf of the juridical person: Provided, That the act committed falls within the scope of such authority; or (c) an authority to exercise control within the juridical person, the juridical person shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of Ten million pesos (PhP10,000,000.00).

If the commission of any of the punishable acts herein defined was made possible due to the lack of supervision or control by a natural person referred to and described in the preceding paragraph, for the benefit of that juridical person by a natural person acting under its authority, the juridical person shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of Five million pesos (PhP5,000,000.00).
The liability imposed on the juridical person shall be without prejudice to the criminal liability of the natural person who has committed the offense.

CHAPTER IV
ENFORCEMENT AND IMPLEMENTATION

SEC. 10. Law Enforcement Authorities. — The National Bureau of Investigation (NBI) and the Philippine National Police (PNP) shall be responsible for the efficient and effective law enforcement of the provisions of this Act. The NBI and the PNP shall organize a cybercrime unit or center manned by special investigators to exclusively
handle cases involving violations of this Act.

SEC. 11. Duties of Law Enforcement Authorities. — To ensure that the technical nature of cybercrime and its prevention is given focus and considering the procedures involved for international cooperation, law enforcement authorities specifically the computer or technology crime divisions or units responsible for the investigation of cybercrimes are required to submit timely and regular reports including pre-operation, post-operation and investigation results and such other documents as may be required to the Department of Justice (DOJ) for review and monitoring.

SEC. 12. Real-Time Collection of Traffic Data. — Law enforcement authorities, with due cause, shall be authorized to collect or record by technical or electronic means traffic data in real-time associated with specified communications transmitted by means of a computer system.

Traffic data refer only to the communication’s origin, destination, route, time, date, size, duration, or type of underlying service, but not content, nor identities.

All other data to be collected or seized or disclosed will require a court warrant.

Service providers are required to cooperate and assist law enforcement authorities in the collection or recording of the above-stated information.
The court warrant required under this section shall only be issued or granted upon written application and the examination under oath or affirmation of the applicant and the witnesses he may produce and the showing: (1) that there are reasonable grounds to believe that any of the crimes enumerated hereinabove has been committed, or is being committed, or is about to be committed: (2) that there are reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes; and (3) that there are no other means readily available for obtaining such evidence.

SEC. 13. Preservation of Computer Data. — The integrity of traffic data and subscriber information relating to communication services provided by a service provider shall be preserved for a minimum period of six (6) months from the date of the transaction. Content data shall be similarly preserved for six (6) months from the date of receipt of the order from law enforcement authorities requiring its preservation.

Law enforcement authorities may order a one-time extension for another six (6) months: Provided, That once computer data preserved, transmitted or stored by a service provider is used as evidence in a case, the mere furnishing to such service provider of
the transmittal document to the Office of the Prosecutor shall be deemed a notification to preserve the computer data until the termination of the case.

The service provider ordered to preserve computer data shall keep confidential the order and its compliance.

SEC. 14. Disclosure of Computer Data. — Law enforcement authorities, upon securing a court warrant, shall issue an order requiring any person or service provider to disclose or submit subscriber’s information, traffic data or relevant data in his/its possession or control within seventy-two (72) hours from receipt of the order in relation to a valid complaint officially docketed and assigned for investigation and the disclosure is necessary and relevant for the purpose of investigation.

SEC. 15. Search, Seizure and Examination of Computer Data. — Where a search and seizure warrant is properly issued, the law enforcement authorities shall likewise have the following powers and duties.

Within the time period specified in the warrant, to conduct interception, as defined in this Act, and:

(a) To secure a computer system or a computer data storage medium;

(b) To make and retain a copy of those computer data secured;

(c) To maintain the integrity of the relevant stored computer data;

(d) To conduct forensic analysis or examination of the computer data storage medium; and

(e) To render inaccessible or remove those computer data in the accessed computer or computer and communications network.

Pursuant thereof, the law enforcement authorities may order any person who has knowledge about the functioning of the computer system and the measures to protect and preserve the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the search, seizure and examination.
Law enforcement authorities may request for an extension of time to complete the examination of the computer data storage medium and to make a return thereon but in no case for a period longer than thirty (30) days from date of approval by the court.

SEC. 16. Custody of Computer Data. — All computer data, including content and traffic data, examined under a proper warrant shall, within forty-eight (48) hours after the expiration of the period fixed therein, be deposited with the court in a sealed package, and shall be accompanied by an affidavit of the law enforcement authority
executing it stating the dates and times covered by the examination, and the law enforcement authority who may access the deposit, among other relevant data. The law enforcement authority shall also certify that no duplicates or copies of the whole or any part thereof have been made, or if made, that all such duplicates or copies are included in the package deposited with the court. The package so deposited shall not be opened, or the recordings replayed, or used in evidence, or their contents revealed, except upon order of the court, which shall not be granted except upon motion, with due notice and opportunity to be heard to the person or persons whose conversation or communications have been recorded.

SEC. 17. Destruction of Computer Data. — Upon expiration of the periods as provided in Sections 13 and 15, service providers and law enforcement authorities, as the case may be, shall immediately and completely destroy the computer data subject of a preservation and examination.

SEC. 18. Exclusionary Rule. — Any evidence procured without a valid warrant or beyond the authority of the same shall be inadmissible for any proceeding before any court or tribunal.

SEC. 19. Restricting or Blocking Access to Computer Data. — When a computer data is prima facie found to be in violation of the provisions of this Act, the DOJ shall issue an order to restrict or block access to such computer data.

SEC. 20. Noncompliance. — Failure to comply with the provisions of Chapter IV hereof specifically the orders from law enforcement authorities shall be punished as a violation of Presidential Decree No. 1829 with imprisonment of prision correctional in its maximum period or a fine of One hundred thousand pesos (Php100,000.00) or both, for each and every noncompliance with an order issued by law enforcement authorities.

CHAPTER V
JURISDICTION

SEC. 21. Jurisdiction.
— The Regional Trial Court shall have jurisdiction over any violation of the provisions of this Act, including any violation committed by a Filipino national regardless of the place of commission. Jurisdiction shall lie if any of the elements was committed within the Philippines or committed with the use of any computer system wholly or partly situated in the country, or when by such commission any damage is caused to a natural or juridical person who, at the time the offense was committed, was in the Philippines.
There shall be designated special cybercrime courts manned by specially trained judges to handle cybercrime cases.

CHAPTER VI
INTERNATIONAL COOPERATION

SEC. 22. General Principles Relating to International Cooperation. — All relevant international instruments on international cooperation in criminal matters, arrangements agreed on the basis of uniform or reciprocal legislation, and domestic laws, to the widest extent possible for the purposes of investigations or proceedings concerning criminal offenses related to computer systems and data, or for the collection of evidence in electronic form of a criminal offense, shall be given full force and effect.

CHAPTER VII
COMPETENT AUTHORITIES

SEC. 23. Department of Justice (DOJ). — There is hereby created an Office of Cybercrime within the DOJ designated as the central authority in all matters related to international mutual assistance and extradition.

SEC. 24. Cybercrime Investigation and Coordinating Center. — There is hereby created, within thirty (30) days from the effectivity of this Act, an inter-agency body to be known as the Cybercrime Investigation and Coordinating Center (CICC), under the administrative supervision of the Office of the President, for policy coordination among concerned agencies and for the formulation and enforcement of the national cybersecurity plan.

SEC. 25. Composition. — The CICC shall be headed by the Executive Director of the Information and Communications Technology Office under the Department of Science and Technology (ICTO-DOST) as Chairperson with the Director of the NBI as Vice Chairperson; the Chief of the PNP; Head of the DOJ Office of Cybercrime; and one (1) representative from the private sector and academe, as members. The CICC shall be manned by a secretariat of selected existing personnel and representatives from the
different participating agencies.

SEC. 26. Powers and Functions. — The CICC shall have the following powers and functions:

(a) To formulate a national cybersecurity plan and extend immediate assistance for the suppression of real-time commission of cybercrime offenses through a computer emergency response team (CERT);

(b) To coordinate the preparation of appropriate and effective measures to prevent and suppress cybercrime activities as provided for in this Act;

(c) To monitor cybercrime cases being bandied by participating law enforcement and prosecution agencies;

(d) To facilitate international cooperation on intelligence, investigations, training and capacity building related to cybercrime prevention, suppression and prosecution;

(e) To coordinate the support and participation of the business sector, local government units and nongovernment organizations in cybercrime prevention programs and other related projects;

(f) To recommend the enactment of appropriate laws, issuances, measures and policies;

(g) To call upon any government agency to render assistance in the accomplishment of the CICC’s mandated tasks and functions; and

(h) To perform all other matters related to cybercrime prevention and suppression, including capacity building and such other functions and duties as may be necessary for the proper implementation of this Act.

CHAPTER VIII
FINAL PROVISIONS

SEC. 27. Appropriations. — The amount of Fifty million pesos (PhP50,000,000.00) shall be appropriated annually for the implementation of this Act.

SEC. 28. Implementing Rules and Regulations. — The ICTO-DOST, the DOJ and the Department of the Interior and Local Government (DILG) shall jointly formulate the necessary rules and regulations within ninety (90) days from approval of this Act, for its effective implementation.
SEC. 29. Separability Clause. — If any provision of this Act is held invalid, the other provisions not affected shall remain in full force and effect.

SEC. 30. Repealing Clause. — All laws, decrees or rules inconsistent with this Act are hereby repealed or modified accordingly. Section 33(a) of Republic Act No. 8792 or the “Electronic Commerce Act” is hereby modified accordingly.

SEC. 31. Effectivity. — This Act shall take effect fifteen (15) days after the completion of its publication in the Official Gazette or in at least two (2) newspapers of general circulation.

Approved,

(Sgd.) FELICIANO BELMONTE JR.
Speaker of the House of Representatives

(Sgd.) JUAN PONCE ENRILE
President of the Senate

This Act which is a consolidation of Senate Bill No. 2796 and House Bill No. 5808 was finally passed by the Senate and the House of Representatives on June 5, 2012 and June 4, 2012, respectively.

(Sgd.) MARILYN B. BARUA-YAP
Secretary General, House of Representatives

(Sgd.) EMMA LIRIO-REYES
Secretary of the Senate

Approved: SEP 12 2012

(Sgd.) BENIGNO S. AQUINO III
President of the Philippines
Types of Cybercrime

• Hacking
• Denial of Service Attack
• Virus Dissemination
• Software Piracy
• Pornography
• IRC Crime
• Credit Card Fraud
• Phishing
• Spoofing
• Cyber Stalking
• Cyber Defamation
• Threatening
• Salami Attack
• Net Extortion

HACKING
The act of gaining unauthorized access to a computer system or network and, in some cases, making unauthorized use of this access. Hacking is also the act by which other forms of cybercrime (e.g., fraud, terrorism, etc.) are committed. Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.

DENIAL OF SERVICE ATTACK
This is an act by a criminal who floods the bandwidth of the victim’s network or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide.

VIRUS DISSEMINATION
Malicious software that attaches itself to other software. (Viruses, worms, Trojan horses, time bombs, logic bombs, Rabbit and Bacterium are examples of malicious software.)

SOFTWARE PIRACY
Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original. Retail revenue losses worldwide are ever increasing due to this crime. It can be done in various ways, such as end-user copying, hard disk loading, counterfeiting, illegal downloads from the Internet, etc.

PORNOGRAPHY
Pornography is the first consistently successful e-commerce product. Deceptive marketing tactics and mouse-trapping technologies are used to encourage customers to access pornography websites. Anybody, including children, can log on to the Internet and access websites with pornographic content with a click of a mouse.

IRC CRIME
Internet Relay Chat (IRC) servers have chat rooms in which people from anywhere in the world can come together and chat with each other. Criminals use it for meeting coconspirators.
Hackers use it for discussing their exploits and sharing techniques. Paedophiles use chat rooms to lure small children.
CREDIT CARD FRAUD
You simply have to type the credit card number into the vendor’s web page for an online transaction. If electronic transactions are not secured, the credit card numbers can be stolen by hackers, who can misuse the card by impersonating the credit card owner.

NET EXTORTION
Copying a company’s confidential data in order to extort a huge amount from said company.

PHISHING
It is a technique of pulling out confidential information from bank/financial institution account holders by deceptive means.

SPOOFING
Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.

CYBER STALKING
The criminal follows the victim by sending emails and entering the chat rooms frequently.

CYBER DEFAMATION
The criminal sends emails containing defamatory matter to all concerned with the victim or posts the defamatory matter on a website. (A disgruntled employee may do this against a boss, an ex-boyfriend against a girl, a divorced husband against a wife, etc.)

THREATENING
The criminal sends threatening email or comes in contact with the victim in chat rooms. (Anyone disgruntled may do this against a boss, friend or official.)

SALAMI ATTACK
In such a crime, the criminal makes insignificant changes in such a manner that the changes go unnoticed. The criminal writes a program that deducts a small amount, like 2.50 per month, from the accounts of all the customers of the bank and deposits it in his own account. In this case no account holder will approach the bank over such a small amount, but the criminal gains a huge amount.

________________________
Source: http://cybercrimes09.blogspot.com/2009/10/types-of-cybercrime.html
Cybercrime

Cybercrime is one of the fastest growing areas of crime. More and more criminals are exploiting the speed, convenience and anonymity that modern technologies offer in order to commit a diverse range of criminal activities. These include attacks against computer data and systems, identity theft, the distribution of child sexual abuse images, internet auction fraud, the penetration of online financial services, as well as the deployment of viruses, botnets, and various email scams such as phishing.

The global nature of the Internet has allowed criminals to commit almost any illegal activity anywhere in the world, making it essential for all countries to adapt their domestic offline controls to cover crimes carried out in cyberspace. The use of the Internet by terrorists, particularly for recruitment and the incitement of radicalization, poses a serious threat to national and international security.

In addition, the threat of terrorism forces authorities to address security vulnerabilities related to information technology infrastructure such as power plants, electrical grids, information systems and the computer systems of government and major companies.

The changing nature of cybercrime

In the past, cybercrime has been committed by individuals or small groups of individuals. However, we are now seeing an emerging trend with traditional organized crime syndicates and criminally minded technology professionals working together and pooling their resources and expertise.

This approach has been very effective for the criminals involved. In 2007 and 2008 the cost of cybercrime worldwide was estimated at approximately USD 8 billion. As for corporate cyber espionage, cyber criminals have stolen intellectual property from businesses worldwide worth up to USD 1 trillion.

INTERPOL’s role

INTERPOL’s cybercrime programme is built around training and operations and works to keep up with emerging threats.
It aims to:
- Promote the exchange of information among member countries through regional working parties and conferences;
- Deliver training courses to build and maintain professional standards;
- Coordinate and assist international operations;
- Establish a global list of contact officers available around the clock for cybercrime investigations (the list contained 131 contacts at the end of 2011);
- Assist member countries in the event of cyber-attacks or cybercrime investigations through investigative and database services;
- Develop strategic partnerships with other international organizations and private sector bodies;
- Identify emerging threats and share this intelligence with member countries;
- Provide a secure web portal for accessing operational information and documents.

Source: http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
MNSA Thesis Abstracts
MNSA Thesis (Abridged)

Cybersecurity Capability of the Armed Forces of the Philippines in the Midst of Computer Threats

Col Arturo A Larin PN(M), MNSA Regular Class 46

Abstract

The research problem of this study is to assess the AFP personnel capability development program for cybersecurity. The researcher first reviewed applicable laws, military doctrines, standard operating procedures and letter directives to understand AFP guidelines/policies on cybersecurity. Then, data on IT-related training courses and seminars conducted by CEISS units and attended by AFP personnel were gathered and collated. The courses/training were then tabulated as to basic, standard and advanced skill ratings as per ISO 27001 standards. This personnel capability in terms of skills/training was then compared to ISO 27001 standards. A proposed AFP unit which is ISO 27001 compliant was then staffed with the AFP personnel who had undergone IT training to know if the AFP has enough personnel to man it. Subject matter experts were also interviewed to get their opinion on what still needs to be done by the AFP to achieve cyber security. The results of the study are: a) the Philippines lacks laws to fight cyber crimes and it needs to formulate its own doctrine on cybersecurity operations; b) the AFP CEISS training program in relation to cybersecurity preparedness consists mostly of basic training/seminars; c) the AFP personnel cybersecurity preparedness capability failed the ISO 27001 standards test due to lack of qualified personnel with advanced training; d) if an AFP unit for cybersecurity will be created and manned in accordance with ISO 27001 in terms of skill, a few positions requiring advanced training will be left vacant; and e) the subject matter experts’ opinion validated the documents research and the results of the survey.
Introduction

The fast development in technology that lowered the cost of computers and the availability of the Internet spurred the widespread use of computers both in government and private sectors. Computers and wireless electronic devices that can connect to the World Wide Web are today routinely used in homes, schools, financial services, energy, communications, manufacturing, health care, transportation, emergency services and military establishments. The Internet made communication and exchange of information very fast and easy. With different countries connected by a single worldwide network, companies can hold teleconferences with their personnel in their branches in other countries as if they are all inside one conference room. People can withdraw money without going to their banks by using Automated Teller Machines (ATMs) and their ATM cards. Sending money even to other countries is easier and faster; in fact, banks transact millions through the Internet. Buying goods is also a lot easier by using credit cards or through e-commerce on the Internet.
The widespread use of computers also caused the proliferation of educational institutions that train the personnel required to man or operate the systems mentioned above. With more men trained in information technology come more experts whose expertise can be channeled into wrong or criminal acts given the incentive of financial gain or other personal motive – both good and bad. The use of computers with links to the Internet makes them vulnerable to penetration by persons, groups or organizations, criminals and terrorists and even nation-states. Hackers and crackers who penetrate networks and deface websites abound, with some stealing data and corrupting the contents. Terrorists can use cyberspace to conduct cyber terrorism and asymmetrical war against governments. Spying is made much easier using cyberspace, with the victim unaware of it occurring and with gigabytes of information transferred per second at the flick of a finger. It is estimated that losses per year in cybercrimes amount to billions of dollars.

Incidents of Cyber Attacks

International

One of the most recent cases involving computer security is the WikiLeaks case. WikiLeaks is an international new media non-profit organization that publishes submissions of otherwise unavailable documents from anonymous news sources and leaks. Within a year of its launch, the site claimed a database that had grown to more than 1.2 million documents. WikiLeaks has won a number of awards, including the 2008 Economist magazine New Media Award. In June 2009, WikiLeaks and Julian Assange won Amnesty International’s UK Media Award (in the category “New Media”) for the 2008 publication of “Kenya: The Cry of Blood – Extra Judicial Killings and Disappearances”, a report by the Kenya National Commission on Human Rights about police killings in Kenya. In April 2010, WikiLeaks posted video from a 2007 incident in which Iraqi civilians and journalists were killed by U.S.
forces, on a website called Collateral Murder. In July of the same year, WikiLeaks released Afghan War Diary, a compilation of more than 76,900 documents about the War in Afghanistan not previously available for public review. In October, the group released a package of almost 400,000 documents called the Iraq War Logs in coordination with major commercial media organisations. In November 2010, WikiLeaks began releasing U.S. State department diplomatic cables. The site is available on multiple online servers and different domain names following a number of denial-of-service attacks and its severance from different Domain Name System (DNS) providers (Wikipedia 2010). Stuxnet is a Windows-specific computer worm first discovered in July 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems, the first to include a programmable logic controller (PLC) rootkit, and the first to target critical industrial infrastructure. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the PLCs and hide its changes. The worm’s probable target is said to have been high value infrastructures in Iran using Siemens control systems. According to news reports the infestation by this worm
might have damaged Iran’s nuclear facilities in Natanz and eventually delayed the start-up of Iran’s Bushehr Nuclear Power Plant. Although Siemens has stated that the worm has not caused any damage, on November 29, Iran confirmed that its nuclear program had indeed been damaged by Stuxnet. Russian digital security company Kaspersky Labs released a statement that described Stuxnet as “a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.” Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60% of the infected computers worldwide were in Iran, suggesting its industrial plants were the target. Kaspersky Labs concluded that the attacks could only have been conducted “with nation-state support”, making Iran the first target of real cyberwarfare (Saade 2010).

On April 1, 2001, an American EP-3E Aries II reconnaissance plane collided with a Chinese F-8 fighter about 70 miles off the coast of China. The American plane made an emergency landing at a Chinese airfield on Hainan Island while the Chinese jet and its pilot were lost at sea. Tech-savvy Americans, angry over the detention of the EP-3 crew, expressed their outrage by defacing or vandalizing at least sixty-five Chinese websites. In response, a group calling itself Hackers Union of China declared war on their American counterparts and took credit for shutting down or altering multiple government websites. The hackers ended their war after claiming to have hacked a thousand American websites (Creekman 2003).

Most prolific worms are suspected of being created in response to political events. If maximum destruction is a hostile adversary’s goal, worms are a cost-effective way to disrupt information infrastructures. Cyber attacks cause financial losses, theft of proprietary information, vandalism, and loss of services, consumer confidence, and reputation.
An appropriate response is to increase research and development investment in information assurance as well as in engineering practices and protocols that limit damage from distributed attacks. International cooperation and collaboration are critical.

In February 2000, some of the Internet’s most reliable sites were rendered nearly unreachable by DDoS attacks. Yahoo took the first hit on February 7, 2000. In the next few days, Buy.com, eBay, CNN, Amazon.com, ZDNet.com, E*Trade, and Excite were taken down by DDoS attacks. Though damage estimates vary widely, the FBI estimates that the companies suffered $1.7 billion in lost business and other damages. These intrusions are of great concern to businesses and government. The theft of money, credit card numbers, proprietary information, or sensitive government information can have devastating consequences.

In 2001, a series of actions originating in Russia, collectively known as Moonlight Maze, intruded into US government systems over a period of several years. The first attacks were detected in March 1998, and hundreds of unclassified networks in the Pentagon, Department of Energy, National Aeronautics and Space Administration (NASA) and other defense contractors were compromised. Cyber attackers can employ sophisticated attack tools and techniques to disrupt or compromise critical infrastructure systems in response to a US and allied military strike during the war on terrorism (Cortes 2004).
In 1998, in order for the US and NATO to bomb Serbian targets successfully in Kosovo, the USA needed to hack into the Serbian air defense system and trick the Serbian Air Traffic Controllers. The US accomplished its goal so well that there was concern about continuing or escalating the attacks: the US did not want to hack into any further Serbian targets for fear of damaging civilian targets.

In 2007, the United States government suffered “an espionage Pearl Harbor” in which an “unknown foreign power broke into all of the high tech agencies, all of the military agencies, and downloaded terabytes of information.”

On May 17, 2007, Estonia came under cyber attack. The Estonian parliament, banks, ministries, and media were targeted. The attackers went after their financial systems.

On March 28, 2009, a cyber spy network dubbed GhostNet, using servers mainly based in China, tapped into high-value political and economic classified documents from government and private organizations in 103 countries. Computer systems belonging to embassies, foreign ministries and other government offices, including the computers of Tibetan exiles, were compromised, but China denies the allegations.

In July 2009, there was a series of coordinated cyber attacks against major government, news media, and financial websites in South Korea and the United States. In December 2009, a cyber attack dubbed Operation Aurora was launched from China against Google and over 20 other companies.

Domestic

In his study, Andolong (2009) stated that the Armed Forces of the Philippines had experienced cyber attacks several times in the past. The Philippine Army website was hacked and defaced in 2001 to embarrass the Army. Sometime in 2002, the computer of the Intelligence Division of the Philippine Marine Corps was penetrated and data was stolen.
Again in 2009, certain computers at the Headquarters Philippine Navy were also attacked, and data was stolen and corrupted. Due to the high level of secrecy in these cases, the type and nature of the data stolen were not made public. All in all, the PN website was hacked seven times. Then on May 18, 2009, the Philippine Air Force website was hacked and defaced. On December 07, 2010, the official website of the Philippine Army’s 4th Infantry Division in Mindanao was hacked. The 4th Infantry Division website is one of nine that can be found at the official website of the Philippine Army at http://www.army.mil.ph.

A computer virus dubbed the “Love Bug” forced email servers to shut down in Europe and the US. The virus originated in an email entitled “I love you.” Once the attachment is launched, the virus sends copies of the same email to everybody listed in the user’s address book. Anti-virus firm Symantec released an update to its software to combat the virus, but warned computer users not to open any “I love you” messages. The email said the company had reports from over 20 countries. The “Love Bug” epidemic exceeded other viruses in both speed and destructiveness. The virus originated in the Philippines and has been nicknamed the “Killer from Manila”. The culprit, Onel de Guzman, was found but could not be prosecuted because the Philippines did not have laws against cyber crime. This incident prompted the Philippines to change its laws (Cortes 2004).

In a September 2010 report, NICA stated the following:
1. From 2004 to 2006, the Philippine government website www.gov.ph was defaced at least 4 times and the National Transmission Corporation (TransCo) was penetrated using a rootkit. In March 2009, the Department of Foreign Affairs was attacked and hacked by the China-based cyber spy network called Ghostnet.
2. In the following years, more government websites were defaced. The recent attacks victimized the following government agencies: Department of Health (DOH), Technical Education and Skills Development Authority (TESDA), Philippine Regulatory Commission (PRC), etc.

The NICA report further said that, based on the list of hacked domains, except for some local talents, the attackers came from different countries (SYRIAN-HACKER, Persian Boys Hacking Team, 1923 Turk, etc). This means only one thing: international hackers have already become very interested in probing our cyberspace and testing our cybersecurity capability. We may feel confident that these attacks were purely web defacement and did not harm any of our critical infrastructures. Bear in mind, however, that these are only the reported attacks. What about more sophisticated attacks? What if the attacker did not want to be known and wanted to stay invisible so he could access the system anytime he wants in the future? What if our critical infrastructures are already compromised, and a backdoor has already been planted or an electronic time bomb has already been installed that can easily be activated by the attacker when an all-out cyberwar erupts?

Military establishments also use computers for their command and control, weapon systems and a variety of other uses. Military aircraft, ships, satellites, tanks and missiles use computers. These make military websites and/or networks natural targets for hackers, terrorists and intelligence services of other nations to penetrate and steal data.
The Armed Forces of the Philippines (AFP), even if not considered highly technologically advanced, is not spared from this threat. With the Philippines facing two insurgencies, the Communists and the Southern Philippines Secessionists Groups (SPSGs), and its alliance with the much-targeted United States of America (USA), the threat of cyber attack or cyberterrorism against the AFP is not remote. With so much at stake, network security poses complex problems that reach into new areas for national security and public policy. It is in this context that the AFP must be prepared to prevent these cyber attacks and ensure the development of adequate capability for its information security.

Statement of the Problem

The purpose of this study is to determine the current capability of the AFP against cyber attacks and to recommend such measures as may be necessary to cope with the threat of cyberwarfare. So far, the AFP personnel capability development for cybersecurity has not yet been determined.

Objectives

General Objective: To assess the capability of the AFP to defend against cyber attacks
by looking at its personnel development/training program for cyber warfare.

Specific objectives:

1. To determine the existing laws, military doctrines, and other AFP policies related to cyber security.
2. To determine the existing Communications, Electronics and Information Systems Service Armed Forces of the Philippines (CEISSAFP) training program in relation to cyber security preparedness.
3. To determine the AFP personnel cybersecurity preparedness capability versus ISO 27001 standards.
4. To propose an AFP unit for cybersecurity in accordance with ISO 27001 in terms of skill manning, which is the current best practice in the private sector.
5. To determine, from the Subject Matter Experts’ perspective, what still needs to be done by the AFP to achieve cyber security preparedness.

Significance of the Study

The significance of the study will be:

1. By assessing the skills, training and capabilities of personnel vis-a-vis their duration in the CEIS units, profiling can be done. Gaps in the required skills can be addressed by training, which can be included in planning.
2. Likewise, the right skill/knowledge mix in every unit will be identified.
3. Recruitment or return to unit (RTU) of personnel to their mother unit/major services by GHQ AFP will be based on skills; likewise, retention of personnel in the major services will also be based on the required skills.
4. The study will enhance personnel management. The importance of correct planning for training and for rotation/retention of personnel in GHQ/major services will be highlighted.
5. The study intends to enhance existing AFP plans and projects for cyberterrorism preparedness by submitting the result of the study to the Department of National Defense for possible policy making.
Scope and Limitations

The study focused on personnel in GHQ AFP and CEIS units specifically assigned as computer encoders or to computer maintenance, because the information in these units is highly classified compared to that in subordinate units and requires higher security clearance. Their skills and knowledge were assessed using ISO 27001 as the standard, and their skills at entry level were determined.
The study focused on the skills/training of the organic personnel of CEISSAFP (GHQ), Army Signal Regiment (PA), NCEISC (PN) and 950th CEISS (PAF), the AFP units involved in cyber security, and on AFP personnel who took Information Technology (IT) related courses/training conducted by these units in the last three (3) years (2008-2011).

Due to the security and sensitivity of some of the data and the necessity of expert views, data collection will be done through surveys and interviews and through secondary data from offices and units of the AFP involved in Information Technology security and also from private IT practitioners.

Data analysis will be done using percentages and proportions of personnel with skills and knowledge based on the types of training/courses undertaken. Likewise, the same was applied to the proportion of personnel by unit assignment in relation to their training and skills on cyber security preparedness.

Summary, Conclusions and Recommendations

Summary

The study focused on the AFP CEISS personnel capability for cybersecurity preparedness. The study started by reviewing RA 8792, also known as the E-Commerce Act, which is the only law enacted by the Congress of the Philippines related to cybersecurity. It is always important to have a legal mandate for every AFP action. The study also looked into the AFP regulations, SOPs and letter directives to see if the AFP is giving proper guidance to its personnel pertaining to the cybersecurity of its internet network and facilities.

The study then gathered data on the skills/training of AFP personnel assigned in CEISS units, from CEISSAFP down to the major services. Data on AFP personnel who had undergone IT related training/seminars from CEISS units and outside institutions for the last three years (2008–2011) were also gathered. These were tabulated to form a database of AFP IT trained/skilled personnel.
These skills, or AFP personnel capability for cybersecurity, were then compared to ISO 27001 standards, which are the best minimum practice of private IT corporations, to establish whether the AFP personnel skills/training were at par with the ISO 27001 standards. Then an ISO 27000 compliant AFP unit dedicated to cyberwarfare/security was proposed. The skills/training required by each position were then matched with the inventory of AFP personnel with IT training to get a better perspective of the status of training being acquired by AFP personnel compared to the requirements as per ISO 27000 standards.

Finally, Subject Matter Experts’ opinions from both the AFP and the private sector were taken to better understand the stakeholders’ idea of what is still to be done by the AFP to attain respectable cybersecurity preparedness.

Conclusions

The following are the conclusions of the study:
1. The Philippines lacks laws relating to cybercrimes. Only one (1) law related to cybersecurity was found in the conduct of the study. RA 8792, better known as the E-Commerce Law, is the only enacted law relating to cybercrimes. It legally recognizes the use of electronic documents in both public and private transactions. Although it penalizes electronic fraud, hacking, cracking/defacing, piracy and internet pornography, it is really more concerned with banking transactions using the internet. RA 8792 has no provisions for cyberespionage, cyberterrorism and other serious cybercrimes. The AFP needs to formulate its own doctrine for cybersecurity preparedness. Although the AFP has released regulations, SOPs and letter directives giving guidance to its personnel on cybersecurity, a doctrine will consolidate all these guidelines into one manual for easy reference by the AFP CEISS personnel.
2. The AFP CEISS training programs in relation to cybersecurity preparedness are mostly basic training/seminars. These trainings are tailored for ordinary office work like encoding, preparation of briefings and making databases. Standard training is rarely held and advanced training is not available at CEISS units. AFP CEISS personnel have to enroll in colleges, universities and other learning institutions for advanced training/courses.
3. The AFP personnel cybersecurity preparedness capability failed the ISO 27001 standards test due to a lack of qualified personnel with advanced training. The training being offered by CEISS units to AFP personnel is not attuned to the fast-paced development in IT. Since ISO 27001 is the best minimum requirement for IT corporations, the AFP must pass the said standard. The aim is not only to qualify for ISO compliance but, more importantly, to fill the AFP’s own requirement for IT skilled personnel.
4. If an AFP unit for cybersecurity is created and manned in accordance with ISO 27001 in terms of skill, a few positions requiring advanced training will be left vacant. Although all the officers’ positions will be filled and the EP/civilian positions will be 93% filled, the few vacant positions requiring advanced training are critical to the smooth and proper operation of the unit.
5. The Subject Matter Experts’ opinion on what the AFP still needs to do to achieve cybersecurity validated the documents research and the results of the survey. The points raised by the experts are the following: a) enactment of laws covering cybercrimes and crafting of an AFP doctrine on cybersecurity operations, b) the need for a continuous program of advanced training of its IT personnel to keep abreast of the fast development in this field, and c) creation of an AFP cyber warfare unit.

Recommendations

1. The AFP must work together with other government agencies, private IT companies and other stakeholders to support the enactment of stricter laws to prevent and curb cybercrimes such as cyber terrorism and cyber espionage. There will be no crime committed if there is no law against cyber espionage and cyber terrorism. Nobody can arrest and prosecute hackers and other cyber criminals. The AFP must also craft its own cybersecurity doctrine to guide its CEISS personnel in its cybersecurity operations. Although there are other AFP policies which
give guidelines in cybersecurity preparedness, the creation of a doctrine will integrate all these guidelines into a single paper for easy reference during cybersecurity operations.
2. More standard and advanced training must be programmed and offered to CEISS personnel. Training and the experience required to become an IT specialist will mean investment in terms of money, time and personnel. The AFP must start now to develop its own personnel in terms of the advanced courses and skills required for the positions needed in the creation of a cybersecurity unit of the AFP.
3. All CEISS units of the AFP must study and implement solutions, renovations and improvements to their training programs in order to comply with personnel capability development which is compliant with ISO 27001. Adherence to ISO 27001 standards will give uniformity to all the CEISS operations, thereby ensuring a smooth working inter-relationship between GHQ and the major services.
4. Creation of a Cybersecurity Command under GHQ, AFP with the personnel positions as shown in Tables 24 - 27 (Manning Diagram). The lack of current personnel with advanced training can be remedied by:
a. Call to Active Duty (CAD) of IT expert practitioners from the private sector.
b. Use of affiliated reserve units from telecom companies and other IT related private business firms for the development of cybersecurity preparedness of the AFP. A strict security clearance process must, however, be observed.
c. Recruiting personnel who are graduates of BSEE, BSCEE, BS Computer Science, BSIT and other IT related courses and sending these young personnel for further studies in IT fields for future manning of cybersecurity units and offices of the AFP and the Department of Defense.
d. Considering the establishment of a Cyber Center for the Department of National Defense, possibly as an added capability of the NDCP.
5. Support the creation of a national body that will serve as the focal point of all activities/initiatives by stakeholders to achieve cybersecurity. A national cybersecurity committee must take charge of all activities/initiatives on cybersecurity to avoid duplication and to have better cooperation among all the stakeholders. It will also ensure prompt action during cyber attacks and fast dissemination of warnings and/or solutions to all stakeholders regarding such attacks.

# # #

BIBLIOGRAPHY

Aldrich, Richard W. Cyberterrorism and Computer Crimes: Issues Surrounding the Establishment of an International Legal Regime. April 2000. Retrieved on October 29, 2010. http://www.au.af.mil/au/awc/awcgate/usafa/ocp32.pdf
Andolong, Arsenio R. An Exploratory Study of the AFP Cyber Warfare Experience: Initial Lessons Learned. August 2009. National Defense College of the Philippines.
Ashley, Bradley K. Anatomy of Cyberterrorism: Is America Vulnerable? A Research Paper. February 27, 2003. Retrieved on October 29, 2010 from http://www.au.af.mil/au/
awc/awcgate/awc/ashley.pdf
Berner, Sam. Cyber-Terrorism: Reality or Paranoia? March 2003. Retrieved on October 29, 2010. http://www.samberner.com/documents/KM/cyber.pdf
Botnets, Cybercrime and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. CRS Report. January 29, 2008. Retrieved on October 29, 2010 from http://www.fas.org/sgp/crs/terror/RL32114.pdf
Bosch, Olivia. Cyber Terrorism and Private Sector Efforts for Information Infrastructure Protection. May 2, 2002. Retrieved on November 6, 2010 from https://www.itu.int/osg/spu/ni/security/workshop/presentations/cniBosch%20paper.pdf
Chu, Hai-Cheng, Deng, Der-Jiunn, Chao, Han-Chieh and Huang, Yueh-Min. Next Generation of Terrorism: Ubiquitous Cyber Terrorism with the Accumulation of all Intangible Fears. June 25, 2009. Retrieved on October 29, 2010. http://www.jucs.org/jucs_15_12/next_generation_of_terrorism/jucs_15_12_2373_2386_chu.pdf
Clem, A., Galwankar, Sagar and Buck, George. Health Implications of Cyber-Terrorism: Special Report. March 15, 2004. Retrieved on October 29, 2010. http://pdm.medicine.wisc.edu/Volume_18/issue_3/clem.pdf
Colarik, Andrew Michael. Managerial Guide for Handling Cyber-Terrorism and Information Warfare. Common Law Copyright. 2005. Retrieved on October 29, 2010. http://www.andrewcolarik.com/docs/ManagerialBookQuestions.pdf
Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. CRS Report. April 1, 2005. Retrieved on October 29, 2010. http://www.ait.org.tw/infousa/enus/government/overview/docs/RL32114.pdf
Conway, Maura. Cyberterrorism: Media Myth or Clear and Present Danger? 2004. Retrieved on October 29, 2010. http://doras.dcu.ie/505/1/media_myth_2004.pdf
Conway, Maura. Reality Bytes: Cyberterrorism and Terrorist “Use” of the Internet. 2002. Retrieved on October 29, 2010. http://doras.dcu.ie/498/1/first_mon_7_11_2002.pdf
Creekman, Daniel M. A Helpless America? An Examination of the Legal Options Available to the United States in Response to Varying Types of Cyber-Attacks from China. 2003. Retrieved on October 29, 2010 from http://www.auilr.org/pdf/17/17-3-4.pdf
Cyber Operations and Cyber Terrorism. DCSINT Handbook No.1. A Guide to Terrorism in the 21st Century. US Army TRADOC 2005 Version 3.0. August 15, 2005. Retrieved on November 6, 2010 from http://www.hitechcj.com/sitebuildercontent/sitebuilderfiles/us.army.guide.supp.two.pdf
Denning, Dorothy E. Chapter 8: Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy. Dec 10, 1999. Retrieved on October 29, 2010 from http://www.rand.org/pubs/monograph_reports/MR1382/MR1382.ch8.pdf
Denning, Dorothy E. A View of Cyberterrorism Five Years Later. 2007. Retrieved on October 29, 2010 from http://www.symantec.com/avcenter/reference/cyberterrorism.pdf
Denning, Dorothy E. Cyberterrorism Testimony Before the Special Oversight Panel on Terrorism Committee on Armed Services US House of Representatives. May 23, 2000. Retrieved on October 29, 2010. http://www.stealth-iss.com/documents/pdf/CYBERTERRORISM.pdf
Dyson, Jay D. The Myth of Cyber-Terrorism. Retrieved on October 29, 2010. http://www.treachery.net/articles_papers/tutorials/the_myth_of_cyber-terrorism/The_Myth_of_Cyber-Terrorism.pdf
Fiore, Frank and Francois, Jean. Cyberterrorism Prevention List. Retrieved on October 29, 2010. http://ptgmedia.pearsoncmg.com/images/art_fiore-francois1_doz/elementLinks/dozenlst.pdf
GHQ, DND. AFP Regulations G 200-014. Security of Classified Matter. September 14, 2010.
IBM Center for the Business of Government. Cybersecurity Management in the States: The Emerging Role of Chief Information Security Officers. 2010.
Gordon, Sarah and Ford, Richard. Cyberterrorism? Retrieved on October 29, 2010 from http://www.symantec.com/avcenter/reference/cyberterrorism.pdf
Gordon, Sarah. Cyberterrorism and the Home User. A White Paper. Retrieved on October 29, 2010 from http://www.symantec.com/avcenter/reference/cyberterrorism.and.home.user.pdf
Hardman, Jason S. Cyber-Terrorism. April 24, 2006. Retrieved on October 29, 2010. http://flatline.darkwynter.com/compSci/CyberTerrorism1.pdf
Hoffman, Dr. Bruce. Use of the Internet by the Islamic Extremists. 2006. Retrieved on October 29, 2010 from http://www.rand.org/pubs/testimonies/2006/RAND_CT262-1.pdf
Jachowicz, Lucasz. How to Prevent and Fight International and Domestic Cyberterrorism and Cyberhooliganism. January 2003. Retrieved on October 29, 2010. http://honey.7thguard.net/essays/cyberterrorism-policy.pdf
ISO/IEC 27000-series. http://standards.iso.org/ittf/licence.html. Retrieved on July 25, 2011.
Jacinto, Al. Official Website ng Army Na-hacked. December 07, 2010. Retrieved on December 08, 2010. http://abante.com.ph/issue/dec0710/vismin02.htm
Jahangiri, Ali. Cyberspace, Cyberterrorism and Information Warfare: A Perfect Recipe for Confusion. Retrieved on October 29, 2010. http://www.alijahangiri.org/publication/Cyberspace-Cyberterrorism-and-Information-Warfare-A-Perfect-Recipe-for-Confusion.pdf
Jain, Gaurav. Cyber Terrorism: A Clear and Present to Civilized Society? August 12, 2005. Retrieved on November 6, 2010 from http://isedj.org/3/44/ISEDJ.3%2844%29.Jain.pdf
Janczewski, Lech J. and Colarik, Andrew M. Cyber Warfare and Cyber Terrorism. Retrieved on October 29, 2010. http://storage.worldispnetwork.com/books/Cyber.Warfare.and.Terrorism.pdf
Kim, Jong-Tae and Hyun, Tchanghee. Status and Requirements of Counter-Cyberterrorism. 2005. Retrieved on October 29, 2010. http://www.waset.org/journals/waset/v6/v6-6.pdf
Lewis, James A. Assessing the Risk of Cyber Terrorism, Cyber War and other Cyber Threats. December 2002. Retrieved on October 29, 2010 from http://www.steptoe.com/publications/231a.pdf
Libicki, Martin C. Cyberdeterrence and Cyber War. 2009. Retrieved on October 29, 2010 from http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf
McGregor, Pat. CyberTerrorism: A Bloodless War? Oct 3, 2001. Retrieved on October 29, 2010. http://www.witsa.org/presentations/McGregor-CyberTerrorism.pdf
Mitliaga, Varvara. Cyber-Terrorism - A Call for Governmental Action? April 2001. Retrieved on October 29, 2010. http://www.bileta.ac.uk/document%20library/1/cyber-terrorism%20-%20a%20call%20for%20governmental%20action.pdf
Mussington, David. Concepts for Enhancing Critical Infrastructure Protection. 2005. Retrieved on October 29, 2010 from http://www.rand.org/pubs/monograph_reports/2005/MR1259.pdf
Nagpal, Rohas. Cyber Terrorism in the Context of Globalization. September 2002. Retrieved on October 29, 2010. http://www.ieid.org/congreso/ponencias/Nagpal,%20Rohas.pdf
National Strategy for the Protection of Critical Cyber Infrastructure: Strengthening Cyber Security Through Public-Private Partnership. Republic of the Philippines Cabinet Oversight Committee on Internal Security (COC-IS) and Task Force for the Security of the Critical Infrastructures (TFSCI) Report. June 2004.
NICA Report. Cyberwarfare. September 2010.
OJ6. AFP CEIS Letter Nr. 2009-05. October 16, 2009.
OJ6/OTAG. Standard Operating Procedure Nr. 4. July 30, 2010.
Okichich, Aron. Cyber-Terrorism Fact or Fiction? Retrieved on October 29, 2010. http://cit-dept.calumet.purdue.edu/liless/media/Okichich-Cyber-Terrorism.pdf
Okichich, Aron. 2005. Running Head: Cyber-Terrorism. Retrieved on October 29, 2010 from http://cit-dept.calumet.purdue.edu/liless/media/Okichich-Cyber-Terrorism.pdf
Prichard, Janet J. and MacDonald, Laurie E. Cyber Terrorism: A Study of the Extent of Coverage in Computer Security Textbooks. Journal of Information Technology Education. Volume 3. 2004. Retrieved on October 29, 2010. http://jite.org/documents/Vol3/v3p279-289-150.pdf
Puruganan, Abraham A., Maj PA. Protecting the Philippine Cyberspace: Design Elements for a National Security Plan. 2001.
Republic of the Philippines Eleventh Congress. RA 8792. Electronic Commerce Act. June 14, 2000.
Saade, Tareq. The Stuxnet Sting. Microsoft Malware Protection Center. Dec. 3, 2011. Retrieved on December 5, 2010. http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx
Volino, Linda and Robinson, Stephen R. Principles and Practice of Information Security. Retrieved on October 29, 2010 from http://elib.tu-darmstadt.de/tocs/114615195.pdf
Walker, Clive. Cyber-Terrorism: Legal Principle and Law in the United Kingdom. July 7, 2006. Retrieved on October 29, 2010. http://www.court21.ac.uk/docs/penn07d.pdf
Weimann, Gabriel. Cyberterrorism: How Serious is the Threat. Special Report. US Institute of Peace. December 2004. Retrieved on October 29, 2010. http://www.agentura.ru/press/about/jointprojects/bigpolitics/cyberterrorism/cyberterror.pdf
Wikipedia. WikiLeaks. Retrieved on Dec. 7, 2010. http://en.wikipedia.org/wiki/Wikileaks
Wilson, Clay. Botnets, Cybercrime and Cyberterrorism: Vulnerability and Policy Issues for Congress. January 29, 2009. Retrieved on October 29, 2010 from http://www.fas.org/sgp/crs/terror/RL32114.pdf
Wilson, Clay. Computer Attack and Cyberterrorism: Vulnerability and Policy Issues for Congress. CRS Report. April 1, 2005. Retrieved on October 29, 2010. http://www.iwar.org.uk/cyberterror/resources/crs/45184.pdf
Wilson, Peter A. Cyberwarfare and Cyberterrorism: Implications for Defense and R&D. May 3, 2001. Retrieved on October 29, 2010. http://www.aaas.org/spp/yearbook/2002/ch17.pdf
Yunos, Zahri. Putting Cyber Terrorism Into Context. February 24, 2009. Retrieved on October 29, 2010. http://www.cybersecurity.my/data/content_files/13/526.pdf?.diff=1236049372
Yu, Peter K. What Businesses Should Know About Cyberterrorism. October 2001. Retrieved on October 29, 2010. http://www.peteryu.com/gigalaw1001.pdf
MNSA Thesis (Abridged)

The Effects of the Internet Age on National Identity and National Security

Nathaniel Ordasa Marquez, MNSA Regular Class 46

Abstract

This study, which is exploratory and descriptive in nature, aimed to bring into focus the effect of the Internet age on national identity and its implication for national security. It answers the research hypothesis: “Does the Internet Age affect the development of the National Identity of a country?” The research seeks to answer the following questions: Who are the Filipino users today? Who are the users of the Internet and what are they doing on the Internet? What are the levels of maturity and advancement of their usage? How are they using the Internet? What are the Internet drivers that affect National Identity? What are the social structures and cultural values of Filipinos that are affected by the Internet? How can the government participate in the race for information and drive the national interest to the citizenry through this medium? And what are the implications of an Internet-influenced Identity for National Security? The answer on Filipino user demographics was focused on the exploratory data of the trendsetter group, the Knowledge and Social users of the Internet. Among the recommendations derived from this study was to establish an inter-agency committee with multi-sectoral participation tasked to create the Philippine Strategic Information Management Campaign Plan, to be led by the Department of Science and Technology under the newly reorganized Office of the Information Communication Technology in coordination with the National Commission for Culture and the Arts.

Background

Information pervades our daily life. We don’t even mind if the information we take in is for good or not.
The exposure of the citizenry to Quad Media, from the traditional television, radio and print to the now dominant and fastest growing medium that is the Internet, presents a lot of questions and challenges that we must face in this Age of Information, where “the one who holds, controls and keeps the information is king.” He who controls information and captures the mindshare of the greater populace, now with a very thin line separating global, regional and national information, can directly affect and influence an individual’s identity and how he contributes to a nation’s sovereignty. Studies and even earlier philosophical statements about the Information Age have held that the one who controls information is the one who wields the power.

Globalization has forced countries to adopt information technology (IT) to enable and strengthen governance, public service, defense and security, as well as the financial mover - commerce and economic trade - in order to address the demands and interests of their stakeholders. As we embrace the latest technology, we enjoy the benefits innovation
brings. However, in the process of using it, we sometimes ignore one fact: that we are exposing ourselves to new and unforeseen threats, possible abuse and exploitation. If we simply ignore these threats, the impact of technology on the citizenry can have an effect on the nation’s sense of nationalism, therefore compromising the socio-cultural sovereignty of an independent state. As countries jump into the “Global Village” created by the Internet, physical boundaries are no longer a hindrance to the communication and collaboration of virtual societies. Internet technologies are therefore enablers for humanity to embrace and join the global community.

In his book Understanding Media (1964), Marshall McLuhan stated: “Today, after more than a century of electric technology, we have extended our central nervous system itself in a global embrace, abolishing both space and time as far as our planet is concerned.” He emphasized that with the enhanced speed of communication online and the ability of people to read about, spread, and react to global news very rapidly, the Internet forces us to become more involved with one another across countries around the world and to be more aware of our global responsibilities.

Access to global information is already available at the fingertips of almost everybody; the growth of pervasive devices that can connect to the Internet is exponential; and communication technology, whether wired or wireless, is reaching out to the farthest ends of the archipelago and has become affordable to the masses. Pretty soon the whole country will be interconnected, and there is no stopping this phenomenon from happening. We are all moving to an Information Network Society, forming new sociological structures within the context of culture.
Information Age versus the Internet Age

The industrial revolution took place during the 18th and 19th centuries, when industries such as manufacturing and distribution, transportation and mining, as well as modern agriculture, started booming. It started in the first world countries, which were competing with each other industrially or responding to the demands of the outbreak of war. After the era of industrialization came the age of information. The information age is also known as the digital age, the computer age, or the information era. This era is the time when machines are no longer used just as simple automation tools or equipment. These simple industrial tools have evolved into machines called computers, with the primary purpose of storing, processing and manipulating information and harnessing knowledge so that people can communicate information or data faster and more efficiently. It is a radical shift from the industrial revolution to the concept of digital information in the modern economy.

The information era can be divided into two phases of evolution: the Information Age and the Internet Age. The early part of the information era was dominated by proprietary technologies from different providers, and different network protocols were still being used. The Information Age was all about traditional servers and host-centric, stand-alone computing systems, mostly used by top corporations and large government establishments during that era. The new phenomenon started with the entry of a global interconnectivity protocol – the Internet. The Internet was originally conceived as a fail-proof interconnectivity protocol for defense and education purposes. It was designed similar to the concept of the spider web,
where the system links information in a web-like fashion and where, if one strand were cut, the rest of the web on the network would continue to support the system. That is why they refer to the Internet as the World Wide Web, where the availability of information is persistent. The Defense Advanced Research Projects Agency (DARPA), an agency of the United States Department of Defense and the inventor of the Internet, has been using the initial applications of mail and file exchange on the system since 1969. But it was when British scientist Tim Berners-Lee invented the World Wide Web (WWW) in 1991 that the Internet became the global protocol and the Internet Age phenomenon began. (“A brief history of Cyberspace” – www.zdnet.com/products/vrmluser/perspectives/mp.history.html)

The Global Protocol – TCP/IP (Transmission Control Protocol/Internet Protocol) is a model of computer network communication standards that describes a set of general design guidelines and implementations of specific networking protocols, or what they call a “Common Language,” to enable computers to communicate over a single network, however big or small. (www.wikipedia.org)

With the coming of a global protocol and a global language, the phenomenon accelerated and evolved at tremendous speed. From 16 million users in December of 1995 to 458 million in March of 2001 to a tremendous 1.5 billion Internet users worldwide in January of 2009, its expansion is even faster than human population growth. In his presentation on Oct. 4 – 7, 2010, Richard C. (Dick) Schaeffer, Jr. of Riverbank Associates, LLC, supported by W.D. Sincoskie of Telcordia Technologies, predicted that the number of Internet hosts would definitely exceed the human population. The estimated number of Internet hosts will be more than 10 billion by 2015. Dr.
Virginia Watson, PhD, from the Asia-Pacific Center for Security Studies, also supported this statement during her roundtable discussion at the National Defense College of the Philippines, where she stated that, “By the year 2012 to 2015 timeframe – ‘Cities of Information’ will out-populate ‘Cities of People.’ Wherein the new problem setting is now at the time of network convergence, which defines cyberspace as an era, which promises economic prosperity but however presents a great threat in the concern on privacy and civil liberties, public safety and law enforcement and the greater concern on national security of the country vis-a-vis the world.”

In the Philippines, according to the National Telecommunications Commission, Internet Service Providers (ISPs) reported only a conservative 4.3 million users in 2010, but this figure can easily be disputed because of the absence of a true subscriber record system, especially in the prepaid market. However, if you take the number of mobile phones that already have Internet access via mobile Internet or wireless hotspots, the total can be doubled or tripled. The Internet today has evolved from a simple means of information connectivity to become the largest form of media. It has even surpassed the capability of traditional information channels and is now the new battleground for information dominance.

Statement of the Problem

This research seeks to understand the trends and possible scenarios in the Internet Age, and to define the variables of the use of the Internet, its effects on an individual’s state of mind, and its effect on the overall state of National Identity and the potential impact on a country’s sovereignty.
a. Who are the Filipino users today?
   · Who are the users of the Internet and what are they doing on the Internet?
   · What are the levels of maturity and advancement of their usage?
   · How are they using the Internet?
b. What are the Internet drivers that affect National Identity?
c. What are the social structures and cultural values of Filipinos that are affected by the Internet?
d. How can the government participate in the race for information and drive the national interest to the citizenry through this medium?
e. What are the implications of an Internet-influenced Identity for National Security?

Objectives

1. To determine the socio-demographic characteristics of Filipinos exposed to the use of the Internet
2. To determine the level of use of Filipinos and the types of application and information they access on the Internet
3. To compare the Filipino Identity in the different eras and how it has changed in the era of the Internet Age
4. To explore the different Filipino socio-cultural traits that will be affected by the Internet
5. To define National Identity in the Internet Age and determine the level of awareness of its effects on National Security.

Scope and Delimitation of the Study

This study focuses only on the Internet as the convergent and most diversified source of information. With the developments in information technology, all media of information, whether television, radio, movies and videos, telephony or even social networks, are now available on the Internet. As much as I would like to expound on the realm of Information Operation as the new theater in the Information Age and on various threats in Cyberspace, this study primarily focused on social trends and phenomena in the areas of knowledge management and primarily on social capital in the interest of national security. Strategic Information Operation in the Internet Age is proposed for future studies.
Due to the limited time provided, this study focuses only on the knowledge workers and social users of the National Capital Region, the trendsetting and fastest growing users in the Philippines because of their pervasive access to Internet connectivity and online information, and whose line of work is related to the use of information technology.
Significance of the Study

This study is relevant and significant because it serves to create awareness that in the Age of the Internet, where a country’s national identity is at risk because of the humongous amount of information that can invade the minds of its citizenry, the state should not take this phenomenon sitting down. This study presents the current trends in social networking and their effect on society’s culture and traditions. This research forms part of my research on the impact of the Internet Age on global society and how it can directly affect the country’s identity and national security. This research is presented as a reference for policy formulation on national information management as well as for national information security policies, capitalizing on the power and potential of the Internet to advance the interests of the country.

Assumptions

This research assumed that Internet trends in the next five years will not deviate much, that no disruptive technology will emerge, and that the current trends in social networking will still be the major driver for information campaigns on the Internet regardless of whatever communication channels or technology are made available in the market.

Summary, Conclusions and Recommendations

Summary

In this study, the delineation between the Information Age and the Internet Age was defined. The Information Age is the era after the industrial revolution, which started around 1970 and is highlighted by the abundant publication, consumption and manipulation of information brought about by tri-media, especially when it was sped up by industrial machinery, first-generation proprietary computing platforms and islands of computer networks.
The Internet Age is the umbrella term for the 21st century, marked from the time TCP/IP became the global protocol for interconnectivity, which paved the way for information to travel around the world and be made available to more countries than ever before. It is also characterized by high-speed communications and the convergence of computers and consumer electronics such as wireless devices.

Surveys were conducted among knowledge workers and social users of the Internet in the National Capital Region – the pioneering region in Internet adoption. Two social classes were determined to simulate the scenario of advanced and casual users, so we can map out their different perceptions and opinions on whether the drivers on the Internet indeed affect their individual identities. Internet users in the NCR are mostly in the age bracket of 15 – 45 years old and have pervasive access to the Internet via wireless/wired broadband and Wi-Fi, from home and office, and even from public areas via Internet cafés or mobile phone Internet access. They go online daily and will not let the week pass without checking in online. Some users even have the connected syndrome, which means they want to be online all the time so they can receive real-time updates from social network posts and blogs. Filipino Internet users today go online to communicate and collaborate with family, friends and colleagues. They
also perform research on personal interests, employment opportunities and school/work-related information. They also find news and current events from websites, social networks and blogs that they deem credible. They also go online for entertainment, games and shopping as part of their regular social life. When collaborating online, Filipino Internet users prefer using free email and collaboration services such as Google, Skype and Yahoo’s free email, chat, search engine, video and voice services. The Internet has become the primary connecting and communication medium of the Global Filipino – our new heroes, the OFWs. Filipino Internet users who are looking for entertainment online prefer playing single-player games and Massive Multiplayer Online Role Playing Games (MMORPG), and still enjoy online music, videos and sports-related information.

The average Filipino Internet user has three to four online identities, such as email addresses, online accounts and memberships in social networks. Surprisingly, some users claim to have only two to three true identities, leaving some accounts as fictitious or private aliases. From a target audience perspective, the online community population can actually be bloated, because some of the users may have one to two accounts per social network. This is similar to the demographics of mobile phone subscribers in the Philippines, most of whom already have two to three phone numbers simply to avoid the high cost of interconnectivity. Some of the top social networking sites used by Filipino Internet users are Facebook, Friendster, Twitter, Linked-In and Multiply. The products and services that Filipinos prefer to buy online are airfare, hotel accommodation, technology products and personal accessories.

The Internet poses threats to national security when it is used as an instrument for information propaganda. In this day and age, the war is already in the battle of the minds and not in conventional warfare.
All stakeholders on the Internet are after pushing forward their interests, which can have an impact on all aspects of national security. A typical scenario is the political situation of the Arab countries fighting for liberty and democracy; social media were able to indirectly influence their citizens, thus sparking the series of revolts in their aspiration to adopt democracy. Therefore, for the state, the Internet is a critical driver and issue for governance, since it cannot be regulated or monitored, nor can access to information even be controlled. The best way to address this is for politicians to use the Internet to their advantage, whether in governance or propaganda, so they can manage their constituents toward a common goal.

The majority of Filipino Internet users believe that there is a developing social culture in online communities on the Internet. In fact, when asked if the Internet has affected their social and personal identities, the majority said yes. To put this answer to the test, several perception indexes were asked in the survey. Filipinos nowadays are conforming to global time, or what they call Internet time, rather than the usual Filipino time. They have never lost the character of being helpful even online; the concept of “Bayanihan” is alive and kicking on online websites. However, social media is taking over our character of “Delicadeza,” or taste in manners, and has also made our self-esteem stronger. The Filipino character of “Carinoso” lives on even with the adoption of the global language and with ease of access to information publication within anybody’s reach. Filipinos mostly use emoticons and “Jejemons” to put some tone of feeling into their online communication.
All of these characteristics, which Filipinos exercise on various social networks in connecting with their family, friends and colleagues, form part of the Filipinos’ social life despite the absence of physical interaction.

Although the Internet is a great driver for socio-cultural, economic and political developments, it also implies threats and problems in these national security dimensions. Among these is the management of human resources and capital. When the country decided to jump on the bandwagon of globalization, with it began the unending cycle of searching for competitive knowledge and skills training in order to compete in a global market. Filipinos need to find their niche in the global workforce requirement pool; that is why eServices will be the best way for the country to capitalize on the wide knowledge capital it has. Economic threats are still in the area of IT security operation. There is a need for technology to support development in industries and to create the spark that will kick-start stakeholders to become competitive players in the global market. These trends are clearly happening and are shown through the global shift of knowledge-based services such as business process outsourcing. A more dynamic, transparent and accountable political leadership will definitely be the key to all of this strategy. eGovernance is the best way forward in order to seamlessly manage the complex bureaucracy; this strategy is the integration factor for both private and public stakeholders, so we can align to a common goal, serving the national interest at all times.

In summary, the drivers and variables presented in this study’s conceptual framework will affect the development of the Filipino Identity and have great implications for National Security. Socio-cultural cohesion is the key to bonding together a country that is now borderless in the sphere of the Internet.
The Filipino family values should be enhanced and protected with the use of social media. Moral and spiritual molding and “mind-formatting” strategies should be more effective in creative marketing, since you are competing with a tremendous amount of information on the web. Education should be enhanced with creative learning styles by using new forms of media sources available online. Increasing the penetration of Internet access is not enough. The educational system should change from standard fixed-curriculum-based programs to education formatting – filtering information from scholarly and SME sources and allowing students to explore and expound more in creating knowledge out of this online-information-guided education format. The government should capitalize on the economic potential of the Internet by promoting online entrepreneurship attuned to both local and global culture. The government should increase the adoption of technology to provide online transparency in governance to foster accountability in the political leadership. All of these factors will affect all aspects of National Security; thus, increased adoption is recommended, yet all safeguards to protect our National Identity should be in place.

Conclusions

a. The National Capital Region is actively using the Internet in collaboration, commerce, social and economic activities, as well as in politics and education. The demand for real-time information is increasing and will drive the development of the services, commerce and infrastructure of the country. There
are threats and benefits in the socio-cultural, techno-scientific, economic, political and security dimensions of the nation.
b. Though the positive potential and wide acceptance of the Internet seem to outweigh the threats presented, Internet users still need to be aware of the operational risks and security threats of getting on the Internet. Users need to remain vigilant and should actively challenge the information they receive because, on a greater scale, it is hard to have a country whose citizens have questionable allegiance because their minds are Internet-influenced.
c. The Filipino core characters have been resilient to radical change throughout time. Filipinos have survived and have adapted to change in different eras of our history. Along the way, the Filipino picks up and develops new characteristics, culture, language and beliefs. The greatest challenge now is the preservation and passing on of the positive characteristics, particularly in the era of the Internet, where interpersonal relations are replaced with virtual interactions.
d. There is still a continuous threat of personal identification theft, violation of the right to privacy, as well as other online criminal activities. This also includes operational threats such as viruses, phishing, hacking and cyber attacks. The greater risk is the risk from unknown propaganda and manipulated information, or what is sometimes called psychological warfare.
e. Based on a review of related literature and laws, the bureaucracy is not aligned or ready to implement a full nationwide information and communication management and technology enablement plan. Different charters are scattered around the bureaucracy, and the missions of these government agencies have already been outgrown over time. They need to be attuned to the new Age of the Internet and should be Globalization Ready.
f.
There is a need to change the view of the Filipino on how to value information and communication management. Strategic information is vital in making strategic decisions and therefore should be the alter ego of the political leadership. Policies need to be aligned and the bureaucracy streamlined and reorganized, and once properly planned and aligned to a strategic direction, that strategy should become the beacon that our political leadership and the rest of the country should follow.

Recommendations

1. Creation of an inter-agency committee with multi-sectoral participation tasked to create the Philippine Strategic Information Management Campaign Plan, to be led by the Department of Science and Technology under the newly reorganized Office of the Information Communication Technology in coordination with the National Commission for Culture and the Arts. The Philippine Strategic Information Management Campaign Plan will include but not be limited to the following objectives:
a) a more thorough and in-depth study of the anthropological history of the Filipino Identity and its current cultural definition in modern times;
b) a visioning exercise that will determine where we want to drive the mindset of our people in the Internet Age by capitalizing on the power of social media and tri-media, which have a perfect cultural fit;
c) an operational plan that will orchestrate and align the programs of the bureaucracy in developing the drivers that affect national identity, such as technology-enabled education, cultural integration and cohesion, moral and spiritual values, transparent political governance and stronger family relations. Through this campaign plan, a strategic direction will be derived that will help rationalize overlapping functions of the bureaucracy towards the achievement of a common goal.
2. Stakeholders from the legislative and the executive, together with the private and other multi-sectoral groups, should work on a policy that will promote the use of information management as a strategy enabler for the clear definition of the Filipino National Identity, attuned to the times, with a clear vision of where we want to go as a people, that will form the backbone of our national development efforts. Safeguards should also be in place for the protection of identity and privacy, proactive information management, responsible social communication in social media, and the adoption of industry-standard security practices and policies for the promotion of security consciousness, awareness and self-protection.
3. The NDCP may consider including in its Masters in National Security Administration curriculum a separate module or sub-module under the Techno-Scientific Dimension – “Strategic Information Management.” Another module name can be Information and Communication Management. This module will include an executive overview of the use of Information Management, Information and Communication Technology, Strategic Communication and Executive Decision Making.

# # #

Bibliography

Books

Abinales, Patricio N. (2005). State and Society in the Philippines. Manila: Anvil Publishing.
Clavell, James. (1983). The Art of War: Sun Tzu. Concord, CA: Delta Books.
Constantino, Renato. (2000). Identity and Consciousness: The Philippine Experience. New York: Monthly Review Press. (Original work published in 1975)
Cross, R. & Israelit, S. (2000). Strategic Learning in a Knowledge Economy: Individual, Collective and Organizational Learning Process. Boston, USA: Butterworth – Heinemann.
Disini Jr., J.M. (2000). The Electronic Commerce Act – The Rules on Electronic Evidence. Manila: Philippine Exporters Confederation, Inc.
Friedman, T. (2005). The World is Flat. Farrar, Straus & Giroux.
Gladwell, M. (2000). The Tipping Point: How Little Things Can Make a Big Difference. New York: Little Brown Publishing.
Jocano, F.L. (1998). Filipino Social Organization – Traditional Kinship and Family Organization. Series - Anthropology of the Filipino People III. Metro Manila, Philippines: Punlad Research House.
Jocano, F.L. (1998). Towards Developing a Filipino Corporate Culture. Metro Manila, Philippines: Punlad Research House.
Lesser, E. L. (2000). Knowledge and Social Capital – Foundations and Applications. Boston, USA: Butterworth – Heinemann.
McLuhan, M. (1964). Understanding Media. Corte Madera, CA: Gingko Press.
Price, M. E. (1995). Television, The Public Sphere and National Identity. Oxford: Clarendon Press.
Romana-Cruz, N. S. (1997). You know you’re a Filipino if
: A pinoy primer. Metro Manila: Tahanan Books.
Toffler, A. & Toffler, H. (1995). War and Anti-War. New York: Warner Books.

Thesis

Andalong, A. R. (2009). An Exploratory Study of the AFP Cyber Warfare Experience: Initial Lessons Learned. Unpublished Master’s Thesis. National Defense College of the Philippines.
Cantos III, A. G. (2008). Improving Employability of Information Technology Workers in Metro Manila. Unpublished Master’s Thesis. National Defense College of the Philippines.
Purugganan, A. A. (2001). Protecting the Philippine Cyberspace, Design Elements for a National Security Plan. Unpublished Master’s Thesis. National Defense College of the Philippines.
Torresyap, S. P. (2000). An Assessment of the Internet Use in Metro Manila and its Implications for National Security. Unpublished Master’s Thesis. National Defense College of the Philippines.
Veloso-Zapanta, A. E. (2007). The Role of Television News Media in the Conflict Between the Government of the Republic of the Philippines and The CPP/NPA/NDF. Unpublished Master’s Thesis. National Defense College of the Philippines.
Wee, D. G. (2008). A Comparative Study of the DND and CPP Website: Internet-Based Communication As a Tool To Enhance National Security. Unpublished Master’s Thesis. National Defense College of the Philippines.
Presentations

Watson, V. (2010, November 17). Science, Technology and Security. Lecture presented in NDCP Roundtable, CGEA, Quezon City.
Schaeffer, R. Jr. (2010, October 4-7). The Interface of Science, Technology and Security by Riverbank Associates, LLC.
Ojeda, N. Jr. (2010, June 15). DND Information Management Concepts, DND, CGEA, Quezon City.
Ojeda, N. Jr. (2010, July 7). Securing Cyberspace: Issues and Challenges. Nanyang Technology University, Singapore.
Estrada-Claudio, S. (2011, February 4). Filipino Identity, Personality and Relationships: A Gender Analysis. Lecture presented to Regular Class 46 of Masters in National Security Administration, National Defense College of Philippines, Camp Aguinaldo, Quezon City.

Online Journals

Jolly, R. and Ray, D. B. (2006). The Human Security Framework and National Human Development Reports. United Nations Development Programme. Retrieved on 8 July 2011. http://hdr.undp.org/docs/nhdr/thematic_reviews/Human_Security_Guidance_Note.pdf
Cameron, K. (2005). The Laws of Identity. Washington: Microsoft Corporation. Retrieved on 10 July 2011. http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf
McKay, D. (2010). On the Face of Facebook: Historical Images and Personhood in Filipino Social Networking. History and Anthropology, Vol 21, No. 4, December 2010, pp 479 – 498. Retrieved on 22 January 2011. http://dx.doi.org/10.1080/02757206.2010.522311

Legal References

Office of the President of the Philippines. (2011). Executive Order No. 47 - Reorganizing, renaming and transferring the Commission on Information and Communications Technology and its attached agencies to the Department of Science and Technology. Manila: Malacañang Palace.
Office of the President of the Philippines. (2004). Executive Order No.
334 – Abolishing the Information Technology and Electronic Commerce Council and transferring its budget, assets, personnel, programs and projects to the Commission on Information and Communication Technology. Manila: Malacañang Palace.
Office of the President of the Philippines. (2004). Executive Order No. 268 – Creating the Commission on Information and Communications Technology. Manila: Malacañang Palace.
Office of the President of the Philippines. (1992). Republic Act No. 7356 – An act creating the National Commission for Culture and the Arts, establishing a National Endowment Fund for Culture and the Arts, and for other purposes. Manila: Malacañang Palace.
MNSA Thesis (Abridged)

Electronics Security System of Universal Banks in the Philippines: An Assessment

Engr. Rodrigo I. Espina, Jr. MNSA Regular Class 46

Abstract

This study determines the current and emerging cyber crimes affecting the universal banks in the Philippines and the preparedness of the banking system in addressing the frauds and threats. Primarily, the following questions were asked: What are the current and emerging crimes experienced by universal banks in the Philippines? How prepared are universal banks for these evolving threats? What are the best practices in electronic banking by universal banks in the Philippines and the specific strategies and solutions they employ to fight fraud? What is the extent of the universal banking sector’s compliance with the regulations of the Bangko Sentral ng Pilipinas (BSP)? In answering the aforementioned problems, the study employed a mixed method of analysis, which includes a survey among the current universal banks in the country, interviews of key informants and document validations. The study concludes that the biggest hindrance to properly addressing cyber threats and frauds is attributable not primarily to the absence of banking regulations and/or policies but more to the hesitance of the banks to cooperate with the proper authorities, especially in reporting cybercrime incidents, because of reputational risks. Considering the dramatic developments in information technologies, the study underscored an urgent need for the Philippine legislature to create laws that would address the new and difficult challenges presented by such developments, particularly to prohibit computer crimes and outline appropriate punishments for those crimes. Any lapses in electronics security management will greatly expose the banks to risks and vulnerabilities, which can lead to the collapse of the banking sector, a huge setback to the already struggling economy of the nation.
The Problem Many banks have established presence on the Internet using web technologies by providing customers with the opportunity of performing interactive retail banking transactions (Aladwani, 2001), round-the-clock availability, ease of transactions, and avoidance of queues and restrictive branch operating hours (Khalfan et al., 2006; Almogbil, 2005). Overall customer satisfaction in this type of banking through electronic channels, sometimes referred to as “e-banking,” or virtual bank without visiting a building (International Business Management, 2010) or a brick and mortar institution (Jimenez and Roman, 2006), has resulted to an upsurge of online bankers worldwide, increasing by 39 percent in the Philippines for the period January 2010 to January 2011 from 377,000 to 525,000 (comScore, 2011). Along with the rapid diffusion of the internet and the convenience it brought to the banking and financial services industry, however, came various schemes on bank frauds committed through identity theft, hacking of bank information and defacing of large
banking corporation websites. CyberCrimesPhilippines.org in 2009 announced that 47 “gov.ph” websites of local government units in the Philippines were defaced by Arabian hackers.

With the number of cyber crimes constantly rising worldwide and breaching national borders, banking institutions dash to combat attendant problems. Ironically, though, the established banking institutions are the most vulnerable, considering that they are the ones who have made huge investments in security management systems and technology that are now rendered almost useless as they are very quickly outmoded. Tens of millions of dollars are being stolen from corporate bank accounts every month by cyber criminals, but the victims are largely reluctant to acknowledge the scope of the problem (InformationWeek, 2009).

Global crime in cyberspace is going up and the overall number of attacks is growing substantially. According to Symantec, in 2008 there were almost 1.7 million new malicious code threats, 2-3 times more than in 2007 and almost 12 times more than in 2006. Businesses have now moved to a world of international criminal networks. The threat has been increasing, and the financial and national security implications are increasingly serious. In May 2009, a survey by Actimize found that 81% of financial services organizations expect an increase over the next year in ATM/debit card fraud. A Verizon study found that computer hackers stole more sensitive records in 2009 than in the previous four years combined, with ATM cards and PIN information growing in popularity. Organized criminal groups orchestrated nine in 10 of the most successful attacks, with 93% of the records exposed coming from the financial sector. Symantec, McAfee, and Trend Micro are the world leaders in providing the highest levels of security to business customers.

Zeus and Clampi botnets, which steal online account credentials with a focus on bank accounts, have gained in size and strength in recent months. Cheap ($700) and easy-to-use toolkits that hackers can purchase to control botnets are widely available online (http://www.actimize.com/index.aspx?page=news196). In 2008 alone, industry estimates of loss from intellectual property data theft range as high as $1 trillion (http://www.verizonbusinFess.com/about/news/displaynews.xml?newsid=25282&mode=vzlong). McAfee reports nearly one-third of companies it surveyed suffered large scale distributed-denial-of-service attacks multiple times each month, and nearly two-thirds of those said such attacks impacted operations (“Annual Security Report,” Cisco, 2009). The number of crimes is steadily increasing by the year; in fact, 2010 has been dubbed the “Year of Fraud.”

In the Philippines, crimes and losses of banking institutions are reported only by the resources that had been lost, valued in pesos or in US dollars. These countless instances of bank fraud in the Philippine banking industry remain unreported, the reasons for which are attributed by McConnell International (2000) to the banking institutions’ fear of exposing vulnerabilities, the potential for copycat crimes, and the loss of public confidence.

While the Basel Committee on Banking Supervision (Bank for International Settlements) believes that “it is incumbent upon the Boards of Directors and banks’ senior management” to take prudent “steps to ensure that their institutions have reviewed and modified where necessary their existing risk management policies and processes to cover their current or planned e-banking activities” (Basel, 2003), the BSP, as early as 2000 upon the enactment of the Electronic Commerce Act, has issued various implementing circulars for electronic banking, specifically Circulars 240 and 269, to mitigate and ensure proper control of operational risks that are inherent to the technology.
Objective of the Study and Statement of the Problem

The primary objective of this study is to determine the current and emerging cyber crimes in the Philippines and the preparedness of the banking system in addressing the frauds and threats. Specifically, the study sought to answer the following questions:

1. What are the current and emerging crimes experienced by universal banks in the Philippines?
2. How prepared are universal banks for these evolving threats?
3. What are the best practices in electronic banking by universal banks in the Philippines and the specific strategies and solutions they employ to fight fraud?
4. What is the extent of the universal banking sector’s compliance with the regulations of the BSP?

To answer these problems, questions in an Information Systems Survey were formulated under the following key themes: 1) Top Threats and Frauds in the Banking Sector; 2) Resources Used by Organizations to Combat Cyber Threats and Frauds; 3) Need for Awareness and New Tools Against Cybercrimes.

Significance of the Study

There is a need for government to establish tools, methods or approaches for identifying current and emerging cyber threats and vulnerabilities, and for responding to entities that jeopardize the operations of the banking system. Some threats and risks are so complex that they expose the banks to vulnerabilities and operational losses, with tremendous impact on the banking sector and, inevitably, on national security.

This study will be useful to the following:

1. Policymakers, particularly the BSP, so that they can put the findings into a public policy context, with implications for actions, particularly in combating cyber crimes affecting the banking sector;
2. The banking sector and regulatory bodies, so that they would improve their information security capabilities;
3. Researchers and scholars, so that they could replicate this study and enhance the literature on information security of the banking systems.

Scope and Delimitations of the Study

For the purposes of this study, the researcher limited the study of information security systems to the universal banks in the Philippines, with a focus on computer-related frauds. The sample is considered sufficient as the universal banks account for almost 85% - 90% of the national financial infrastructure systems in the country.
Review of Related Literature

The customer is the focus of the banking business and the safety of his funds cannot be compromised at any cost (Gillis, 2010). Given the present knowledge-based, global and competitive environment, particularly the speed of the evolution of banking technology systems, the demand of stakeholders for convenience and continuous upgrade of banking facilities, and their attendant risks, has correspondingly become greater.

Technology, though, cannot alone keep the customer satisfied. Following the series of scandals, frauds, financial scams, irregularities, and misconducts committed by both corporate entities and individual fraudsters anywhere and everywhere in the world, “the need for good corporate governance and application of ethical values and principles in the conduct of business operations at every level of a corporate organization right from top level is felt more relevant now than before to serve the varied needs, aspirations and expectations of different segments of stakeholders who have a stake in the healthy functioning of a corporate entity as a socially responsible member of the civil society. Business ethics, professionalism and corporate governance are the important imperatives for survival and growth of a modern business organization confronted with multiple challenges. In addition to full disclosure of the workings of the company, a professional and good management has to identify and quantify the risk being undertaken by various stakeholders.” (U.S. Department of Commerce, 2004). Indeed, good risk management can help mitigate the impact of negative outcomes and help companies take advantage of positive ones (Brodeur and Gunnar, 2008).

Policy, Legal and Regulatory Framework for Electronic Banking in the Philippines

The 1987 Philippine Constitution recognizes “the vital role of communications and information in nation-building” (Art. II, Sec. 24). This role can be best contextualized by considering how the country is composed of over 7,000 islands, has millions of overseas Filipino workers and is one of the world’s major players in the call center/business process outsourcing industry. Information and communication technologies (ICTs), as such, play a crucial role in linking Filipinos across the archipelago, linking their families around the world, and providing crucial support services to companies from different nations (Mendes, et al., 2007).

The Bangko Sentral ng Pilipinas was established on July 3, 1993 pursuant to the provisions of the 1987 Philippine Constitution and the New Central Bank Act of 1993. The BSP took over from the Central Bank of the Philippines, established on January 3, 1949, as the country’s central monetary authority. The BSP enjoys fiscal and administrative autonomy from the National Government in the pursuit of its mandated responsibilities.

The Philippines is largely dependent on Information and Communication Technology (ICT) operations. Almost all sectors of the government depend on ICT, and the banking sector is very much dependent on information and communications. In the Philippines the whole sector of the government largely depends on third party providers for its ICT needs. This means that all data and electronic contents of every transaction pass through the channels of an external environment. Thus, exposure to different threats and vulnerabilities is high. In 2000, the Philippines was classified by
McConnell International, a UK based cybercrime analyst, as one of the ten countries in the world with outstanding cybercrime laws. However, as cybercrimes continue to proliferate, there is a need to amend such laws.

Executive Order (EO) 269 created the Commission on Information and Communication Technology (CICT), which shall be the primary policy, planning, coordinating, implementing, regulating, and administrative entity of the executive branch of Government that will promote, develop, and regulate integrated and strategic ICT systems and reliable and cost-efficient communication facilities and services.

Strict adherence of the banking sector to all policies and regulations is vital to the success of the banking industry. Both internal and external operations of the bank shall be prudently monitored.

As mandated by the Electronic Commerce Act of 2000, the BSP has issued two general Circulars for electronic banking, specifically Circulars 240 and 269, Series of 2000. These Circulars set the basic and general rules and regulations for electronic banking services in the banking sector. For instance, banks wishing to provide and/or enhance existing electronic banking services shall submit to the BSP an application describing the services to be offered/enhanced and how they fit the bank’s overall strategy. This shall be accompanied by a certification signed by its President or any officer of equivalent rank and function to the effect that the bank has complied with the following minimum pre-conditions (www.bsp.gov.ph/downloads/Regulations/MORB.pdf):

a. An adequate risk management process is in place to assess, control, monitor and respond to potential risks arising from the proposed electronic banking activities;
b. A manual on corporate security policy and procedures exists that shall address all security issues affecting its electronic banking system, particularly the following:
   i. Authentication – establishes the identity of both the sender and the receiver; uses trusted third parties that verify identities in cyberspace;
   ii. Non-repudiation – ensures that transactions cannot be repudiated or presents undeniable proof of participation by both the sender and the receiver in a transaction;
   iii. Authorization – establishes and enforces the access rights of entities (both persons and/or devices) to specified computing resources and application functions; also locks out unauthorized entities from physical and logical access to the secured systems;
   iv. Integrity – assures that the data has not been altered;
   v. Confidentiality – ensures that no one except the sender and the receiver of the data can actually understand the data.
c. The system had been tested prior to its implementation and the test results are satisfactory. As a minimum standard, appropriate systems testing and user acceptance testing should have been conducted; and
d. A business continuity planning process and manual have been adopted, which should include a section on electronic banking channels and systems.

The Electronic Commerce Act of 2000 (Republic Act No. 8792) has laid down the basic legal and regulatory framework for electronic commerce in general, which includes aspects of electronic banking. Similarly, the General Banking Law of 2000 (Republic Act 8791) mandated the BSP to regulate electronic banking activities. In response, the BSP issued
Circulars 240 and 269 Series of 2000, which provided the basic and general rules and regulations for electronic banking services in the Philippine banking sector. It also built up its capacity to respond to the needs of the electronic banking environment through the creation of a Core Information Technology Specialist Group (CITSG) within BSP as the central group to address electronic banking issues (Encinas, 2009).

Subsequently, the BSP issued Circular 471 in 2005 for the mandatory registration of RAs/MCs for AML Compliance, Circular 511 in 2006 on Technology Risk Management to focus on operational, compliance, reputation and strategic risks associated with tech-related products, and Circular 542, also in 2006, on Consumer Protection for E-banking, to focus on board oversight and internal controls on security, authentication, customer origination/verification, monitoring and reporting, disclosure and complaint resolution.

The BSP’s Guidelines on Technology Risk Management ensure that banks have the knowledge and skills necessary to understand and effectively manage technology-related risks. They contain the following: 1) an outline of primary risks related to use of technology; and 2) a description of the risk management process to manage the risks (www.bsp.gov.ph/downloads/Regulations/attachments/2006/c511.pd).

On the other hand, the Consumer Protection for Electronic Banking governs the implementation of e-banking activities of banks to comply with the requirements to: 1) safeguard customer information; 2) prevent money laundering and terrorist financing; 3) reduce fraud and theft of sensitive customer information; and 4) promote legal enforceability of banks’ electronic agreements and transactions. Erring banks and/or their officers shall be subject to monetary penalties and/or suspension of electronic banking activities for failure to seek prior BSP approval and for failure to submit required information/documents within the prescribed deadline. Likewise, in January 2009, the BSP issued Circular 649 regulating the issuance of electronic money.

The aforementioned BSP initiatives resulted in an increase in electronic banking activities (and ATMs) in the banking system. For example, as of December 2005, there were no rural banks with electronic banking services. As of December 2006, there were already 36 rural banks with electronic banking services out of the 80 banks with electronic banking service. Most of the e-banking functions of these 36 rural banks are related to mobile phone banking (Encinas, 2009).

The BSP has the authority to conduct inspections and determine compliance with the said provisions. Also, BSP is legally bound to impose penalties on banks that violate and circumvent the regulations. The following BSP guidelines on bank protection mandate all banks to adopt an adequate security program commensurate to their operation, taking into consideration the size, location, number of offices, and business operations (www.bsp.gov.ph/downloads/Regulations/MORB.pdf).

Also, as stipulated, the regulations are primarily designed to:

a. promote maximum protection of life and property against crimes (e.g. robbery, hold-up, theft, etc.) and other destructive causes;
b. prevent and discourage perpetration of crimes against banks; and
c. assist law enforcement agencies in the identification, apprehension, and prosecution of the perpetrators of crimes committed against banks.

The guidelines also mandate the manner of designating a security officer of the
bank. They emphasize the importance of assuring the competencies of security officers, who directly report to the president of the bank. Aside from minimum security measures such as adequate physical security (personnel), banks are also mandated to establish a security program defining measures and procedures for detecting and preventing the commission of bank crimes, as well as providing contingency plans in case of calamities, terrorist attacks, and other emergency situations.

As a matter of procedure, banks are required to submit to the BSP reports regarding the conduct of reviews and self-assessment of their security programs. Updated security programs shall also be submitted to BSP for further analysis and feedback. Also, data regarding the crimes and losses incurred by the bank shall be reported to BSP for documentation. BSP circulars, however, have not gone to the extent of proposing risk management solutions but have allowed banks to design their own programs to mitigate risks.

Findings Based on Industry Studies

Bank Frauds and Cyber Crimes

According to the National Cybersecurity Coordinating Office, incidences of cyber crimes in the country have steadily increased from 2003 to 2011, penetrating all sectors of society and posing imminent danger to all technologically-driven sectors. The usual types of cyber attacks are shown in Table 1.

More recent schemes on bank frauds committed through identity theft are the “Over the shoulder looking” scheme (involves the offender observing his potential victim making financial transactions and recording the personal information used in the transaction); the “Phishing” scheme (perhaps the oldest form of identity theft, stemming from the two words “password” and “fishing,” that entails sending email scams and mail supposedly from the consumer’s bank as a way to obtain the consumer’s personal information, social insurance number, and in this case their online banking username and password); and the “Trojan Horse”
scheme (when malicious software (malware) embeds itself in a consumer’s computer without the consumer being aware of it, through links or attachments from unknown email senders, and the records, username and password are transmitted to the offender when the account holder accesses online banking sites).

In an advisory released in January 2011, computer security vendor Trend Micro (Pinaroc, 2011) confirmed several phishing attacks had occurred in the Philippines, mainly against major banks and credit card companies, particularly the United Coconut Planters Bank (UCPB), when security experts retrieved e-mail messages from the UCPB which were found to be suspicious and contained warnings of “unauthorized attempts” to log into its customers’ online accounts. The security company said the messages contained information on a supposed partnership between the bank and a foreign outsourcing services provider, but the links contained in the e-mail “aimed to collect banking credentials from unwitting users.” Trend Micro reported that similar phishing cases have been reported by the Bank of the Philippine Islands and Banco de Oro in February 2011 but noted that due to the Philippines’ comparatively small credit card user base, the problem is not as widespread as in other countries.

Types of Attacks

Among the other effects of cyber crimes, web defacement of any sector of the government has the highest percentage of occurrence. The effect of this on the banking sector is perceived to be costly and would even mean loss of profit and bankruptcy.

Banking Industry’s Preparedness

The BSP issued guidelines and memoranda on the conduct of electronic banking in the Philippines.

1. Circular No. 240 dated 5 May 2000, which prescribes prior clearance of the BSP before banks can provide electronic banking services. Circular No. 240 elaborated all the requirements for banks prior to engaging in electronic banking. This is to ensure that the banks have enough resources, adequate risk management, infrastructure and a safe and secure medium to handle electronic banking.
2. Memorandum to All Banks dated 19 June 2000 reiterated the provisions of Circular No. 240 and reminded the banks of compliance with such provisions.
3. Circular Letter dated 8 August 2000 clarified that there are some exemptions to the provisions of Circular 240. Among these are electronic banking services that are purely informational in nature.
4. Circular No. 269 dated 21 December 2000 is the amendment of Circular No. 240. It strengthened the provisions on electronic banking, requiring more safety and security procedures in handling electronic banking.

Online Banking Best Practices

The Bank of San Antonio in Texas, USA, despite its sophisticated IT systems, recognizes that cyber criminals are likewise becoming extremely sophisticated, and that criminal hackers move very, very quickly and the stolen funds are typically not recovered. It believes that the key to fighting this type of fraud and crime for a company is to take action to strengthen internal procedures and online banking procedures before becoming the victim of such an attack. It then suggests the following procedures and tools to help prevent criminals from accessing company accounts:

a. Strict monitoring of all accounts.
b. Implement a system of dual control and approval. Prior approval dual control means one employee originates/initiates the transaction or batch, and a second employee must authorize the transaction or batch prior to the Bank processing it. Dual control for initiation does not occur when one person can initiate and approve the transaction themselves, and a second employee receives the confirmation after the money has been sent.
c. Never share User IDs, passwords, PIN numbers, dynamic tokens, etc., with anyone, and do not leave any such information or items in an area that is not locked/secured. Do not use the login or password for your financial institution on any other website or software.
d. Obtain and install antivirus, anti-malware and anti-spyware software, and consider installation of a firewall. Make sure it is active and automatically updated by the vendor (or take necessary steps to keep it updated). This measure will help protect against known viruses, malware and adware, but many viruses, malware and adware are undetectable by such data security programs, so this step is one of several security protection measures that should be followed.
e. Limit or eliminate unnecessary web-surfing and/or email activity, including personal activity, on computers used for online banking. Many hacking attacks use social networking sites (such as Facebook) to transmit computer viruses. Criminal hackers even use information on such social networking sites to “spear phish,” or target specific individuals, such as a company’s chief treasury management person or chief financial officer.
f. Consider a dedicated computer for online banking that is never used for e-mail or general internet browsing/surfing.
g. Educate all personnel on good cyber security practices, clearing the internet browser’s cache before visiting the financial institution’s website, and how to avoid having malware installed on a computer. For example, if a media player needs to be updated, go to the official media player website to install the update. Clicking on a fake update installation link could just mask a criminal hacker downloading malware onto the computer.
h. Verify use of a secure session (“https://” and not “http://”), and avoid saving passwords to a computer.
i. Never leave a computer unattended when using any online banking or financial services, and always lock the computer when logging off such sites and leaving it unattended.
j. Change, revise and re-visit the IT employees who have “keys to the kingdom” access for user approval, access rights and deleting/adding new users. While many attacks occur from outside hacking, insider hacking does occur, and dividing or rotating “keys to the kingdom” IT authority can cut down on opportunities for insider fraud.
k. Never access the financial institution’s website for online banking (or any privileged or sensitive computer system) from a public computer at a hotel/motel, library or public wireless access point.
l. Understand and carefully control the authorized users and permissions granted to any of the bank’s employees who are approved for online banking use and are issued unique User IDs, passwords (and tokens, if applicable).
m. Immediately report any suspicious activity in the bank’s accounts to Bank personnel; there is a limited recovery window and a rapid response may prevent additional losses.
n. Do not click on a link in any e-mail purported to be sent from Bank; Bank official e-mails will always instruct the user to log in to online banking for updates, instructions, notifications, account statements, etc.
o. Be suspicious of e-mails purporting to be from other financial institutions, federal, state or local government departments or agencies, or taxing authorities that request account information, account verification or banking access credentials such as User IDs, passwords, PIN codes and similar information. Opening attachments, or clicking on links in such suspicious e-mails, can also expose your computer to malicious code or malware that will be installed on your computer. Remember, legal process, subpoenas, and information from government agencies still generally come as regular snail-mail.

Bank’s online banking website is only scheduled for downtime for regular maintenance at certain times late in the evening/early morning, and never during prime business hours. If you log into online banking and receive a message such as “please wait for website update, which will take approximately 15-20 minutes,” immediately contact Bank personnel to determine if it is a legitimate delay in online banking services caused by the Bank.
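The prior-approval dual control described in item b can be enforced in software rather than left to procedure. The following is an added example, not code from the thesis or from any bank: the class names, user names and batch ID are constructed for illustration. It shows the two failure modes the item warns about, one person initiating and approving, and money moving before a second employee has authorized it.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    PENDING = "pending"    # initiated, awaiting a second employee
    APPROVED = "approved"  # authorized by someone other than the initiator
    RELEASED = "released"  # handed to the bank for processing


class DualControlError(Exception):
    """An action would bypass the two-person rule."""


@dataclass
class Batch:
    batch_id: str
    amount_centavos: int
    initiator: str
    state: State = State.PENDING
    approver: Optional[str] = None


@dataclass
class PaymentDesk:
    initiators: set  # users allowed to originate batches
    approvers: set   # users allowed to authorize batches
    batches: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # every attempt, allowed or not

    def _log(self, user, action, batch_id, outcome):
        self.audit.append((user, action, batch_id, outcome))

    def _deny(self, user, action, batch_id, reason):
        self._log(user, action, batch_id, "DENIED: " + reason)
        raise DualControlError(reason)

    def initiate(self, user, batch_id, amount_centavos):
        if user not in self.initiators:
            self._deny(user, "initiate", batch_id, "user may not initiate")
        if batch_id in self.batches:
            self._deny(user, "initiate", batch_id, "duplicate batch id")
        if amount_centavos <= 0:
            self._deny(user, "initiate", batch_id, "amount must be positive")
        self.batches[batch_id] = Batch(batch_id, amount_centavos, user)
        self._log(user, "initiate", batch_id, "ok")

    def approve(self, user, batch_id):
        batch = self.batches.get(batch_id)
        if batch is None or batch.state is not State.PENDING:
            self._deny(user, "approve", batch_id, "batch is not pending")
        if user not in self.approvers:
            self._deny(user, "approve", batch_id, "user may not approve")
        # Core rule: holding both roles never lets one person do both steps.
        if user == batch.initiator:
            self._deny(user, "approve", batch_id,
                       "initiator cannot approve own batch")
        batch.approver, batch.state = user, State.APPROVED
        self._log(user, "approve", batch_id, "ok")

    def release(self, batch_id):
        """Processing step: money moves only after a second person approved."""
        batch = self.batches.get(batch_id)
        if batch is None or batch.state is not State.APPROVED:
            self._deny("system", "release", batch_id,
                       "not approved by a second employee")
        batch.state = State.RELEASED
        self._log("system", "release", batch_id, "ok")
        return batch


def attempt(action, *args):
    """Run one action and return 'ok' or the denial reason."""
    try:
        action(*args)
        return "ok"
    except DualControlError as exc:
        return str(exc)


def demo():
    # Constructed users: 'ana' holds both roles, 'ben' can only approve.
    desk = PaymentDesk(initiators={"ana"}, approvers={"ana", "ben"})
    results = [
        attempt(desk.initiate, "ana", "B-001", 250_000_00),
        attempt(desk.release, "B-001"),         # release before any approval
        attempt(desk.approve, "ana", "B-001"),  # self-approval
        attempt(desk.approve, "ben", "B-001"),  # a second employee
        attempt(desk.release, "B-001"),
    ]
    return results, desk


if __name__ == "__main__":
    outcomes, desk = demo()
    for entry in desk.audit:
        print(entry)
```

The audit list records denied attempts as well as successful ones, which is what the account monitoring in item a would review.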
On the other hand, the Nordics continue to be one step ahead of the other European countries in terms of Internet banking penetration. The estimate is that 43.0 per cent of banking customers in the Nordic region bank online, with Germany having the highest number of customers banking online (Business Wire, 2007).

Egg Banking is a British internet bank owned by Citigroup, with headquarters in Derby and London, England. Egg was born out of Prudential’s initial banking arm (Prudential Banking plc) that had been established in 1996. Egg itself was launched in 1998 and is now the world’s largest internet bank in that it is only possible to operate an Egg account over the internet, or via their call centre. Egg specializes in savings, credit cards and general insurance but no longer offers loans or mortgage products (Egg.com).

Fineco is an Italian online bank and brokerage. It is the largest online brokerage firm in Italy with over 800,000 customer accounts. It was founded in 1999 and then integrated with Capitalia. It is now part of the Unicredit Group after its acquisition of Capitalia in 2007. It is a niche player aiming at becoming the bank of choice for digital customers.

Alliance & Leicester is an online bank that is now part of Santander, one of the world’s biggest banks. The lender is enjoying significant success in terms of Internet sales and servicing.

The OP Bank Group of Finland focuses on encouraging customers to use online self-service functionalities. Finland has one of the highest online banking penetrations in Europe. Providing excellent and advanced banking services has contributed to establishing OP Bank Group as the leading online player in the Finnish banking industry.

Hong Kong being a country which strives for technological innovation, its economic policies are always favorable towards attracting new businesses. One aspect of this attraction is the legislation which governs certain business activities. Hong Kong is one country which laid down its own legislation governing “internet banking” to avoid scams and fraudulent activities which would otherwise make customers lose faith in the system and thus make businesses less attracted to doing business there. Several pieces of legislation are being enacted in Hong Kong to regularize the process of internet banking and to avoid any vulnerability that is considered a threat to the process (Hong Kong e-commerce legislation, http://www.Lowtax.Net/Lowtax/Html/Hongkong/Jhkeleg.html).

Compliance of the Banking Sector to BSP Regulation

Compliance with regulations is routine for the banking sector. Meeting the minimum requirements as stipulated in the BSP regulations would suffice for compliance with the provisions. With the primary objective of avoiding penalties and sanctions imposed on them by BSP, bank management, through the security officers, developed a system for monitoring the compliance of their banks with BSP regulations.

However, compliance with the regulations of the BSP does not mean utmost security from the different threats and vulnerabilities of the bank. Data submitted to the BSP by different banks reflected some losses and frauds, from both internal and external causes. This
  • 200.
    200 ICT Developmentand Cyber Security Reader means that the security management being implemented by the banks are far from being holistic. Some sectors argue that the regulation of BSP is too shallow. A simple implementation of technology, notwithstanding the effectiveness of the system, would already mean stamp of compliance from BSP examiners. BSP in its regulation emphasizes the cost implications of the systems, so the responsibility of implementing the required security technologies is the burden of the banking sectors. Core Information Technology Specialist Group (CITSG) of BSP is very strict in the implementations of regulations pertaining to online banking operations. Stringent requirement have to be followed before going into operations. Aside from that, all personnel of the group developed expertise in their own field and acquired certifications from reputable institutions to be able for them to be equipped and implement the BSP regulations with full authority. CITSG maintained the standards that all examiners and auditors of information security systems are Certified Information System Auditor (CISA). Aside from the BSP, there are other government sectors imposing regulations on security. City or municipal administrators have their own ordinance and regulations for the implementation of security infrastructures and technologies. Generally, a governmental regulation does not specify what technology is required in order to meet its requirements. In fact, many regulations do not even specify any details of an effective internal control.Therefore, administrators and compliance officers are left to determine what methods they will use to meet the often vague requirements within each regulation. BSP is mandated to conduct examination and inspection of all banks in the Philippines. All aspects of the banking system are being examined, including the compliance to the BSP rules and regulations regarding bank protection. 
To ensure compliance, the reports submitted by the bank examiners are counter-validated by management. Banking sectors, however, are more focused on regulatory compliance involving financial reporting, security, and data privacy. Achieving compliance alone is simply meeting the requirements of the law. But improving security management coupled with business performance, in the context of compliance, involves using the processes in accordance with and technology changes to help increase the efficacy of the business. This is where the real benefits of compliance are achieved.

Taking full advantage of the opportunity requires an environment that allows “continuous compliance.” It is an integrated approach that helps permanently improve compliance processes and practices beyond individual projects or efforts. This requires compliance to be cost-effective, with appropriate controls, proof of controls, and the ability to securely manage public-facing assets such as security management application systems. This requires a strong security infrastructure that protects the systems, applications, data, and processes from unauthorized use or access. Companies that commit themselves to developing an integrated security management infrastructure for continuous compliance will initially focus on four critical capabilities: Identity Administration, Provisioning, Access Management, and Monitoring and Auditing.
Summary of Findings, Conclusions and Recommendations

Summary of Findings

The most essential findings of the study are summarized as follows:

Objective No. 1: To determine the scale of multi-faceted fraud and threats to universal banks in the Philippines.

· Topping the list of frauds that universal banks experienced in 2010 are phishing/vishing, credit/debit card fraud incidents, third party POS skimming, and check fraud incidents.
· Fraud losses are measured mainly by the amount of money lost in the fraud incident (thirteen out of fifteen UBs);
· Because of fraud incidents, 60% suffered non-financial losses, particularly concerning regulatory or other compliance issues, and loss of customer confidence and reputational loss (53.3%);

Objective No. 2: To assess the industry’s preparedness for evolving threats.

· Universal banks usually detect fraud during the actual account audit reconciliation of data, upon third party notification, and during actual transaction. Organizations respond to fraud incidents by increasing efforts to improve customer awareness (100%) and by increasing internal monitoring (86.67%);
· Most of the respondents do not have a way of knowing the impact of electronic fraud on the reputation of the financial service industry;
· Majority of the organizations employ a combination of manual reports (86.67%), in-house fraud detection systems (87.67%), and independent fraud detection tools and technologies (46.67%) as fraud detection tools;
· Most of the organizations assign between 6 and 25 people (60%) to fraud prevention; 20% between 1 and 5; 13.33% between 25-100; and 6.67% with more than 100;
· Majority (86.67%) do not know whether the organization has plans to increase or decrease resources towards fraud prevention;

Objective No. 3: To identify specific strategies and solutions employed by banking/security leaders to fight fraud.
· Majority of the organizations intend to use the following technologies as part of their organization’s on-going fraud prevention and detection program: end-to-end encryption (73.33%); authentication technologies (53.33%); fraud case management system (43.67%); intrusion prevention technologies (13.33%); others (6.67%).
· Majority (86.67%) consider customer awareness emphasizing the techniques used as the most effective way to prevent fraud: customer awareness emphasizing the techniques used (86.67%), employee education emphasizing education (80%), and fraud detection tools and technologies (40%);
· Majority (66.67%) perceive the effectiveness of the organization’s fraud awareness programs for customers as needing improvement, while 26.67% perceive them as extremely effective.

Objective No. 4: To determine the extent of compliance of the banking sector, in general, to BSP regulations.

· Compliance with the regulations of the BSP does not mean utmost security from the different threats and vulnerabilities of the bank. Data submitted to the Security, Investigation and Transportation Department of BSP by different banks reflected some losses and frauds, from both internal and external causes. This means that the security management being implemented by the banks is far from being holistic.

Conclusions

The study revealed that cyber attacks in the Philippines are real, although they do not much affect the liquidity of the banking sector at the moment. Some respondents to the study, however, warned about the tremendous impact of cybercrime problems on financial institutions, and underscored the need to address the problems by mitigating their effects, foremost by investing in technology, training personnel, showing greater transparency in addressing such crimes, and increasing coordination and cooperation with other sectors of society.

The respondents cite as the biggest hindrance to properly addressing cyber threats and frauds not primarily the absence of bank regulations and/or policies but rather the hesitance of the banks to cooperate with proper authorities, especially in reporting cybercrime incidents, because of reputational risks.

While the magnitude of cyber crimes in the Philippine banking system is not as high and does not seem to have significant effects on the banking sector at this point in time, the threats and perceptions of future attacks at the most damaging magnitude are realistic.
The issue of cybersecurity is something that has to be given attention within every organization; everyone who uses the Internet needs to be aware of the need for cybersecurity. Every bank official should know that ensuring the security of their network is fundamental to the continued smooth operation of their business.

Recommendations

Considering that banks typically refuse to discuss security issues for fear of reputation damage and potential liability, and in view of their hesitance for government to be involved in the monitoring of private sector networks or internet traffic, the BSP should formulate policies that increase security while preserving privacy, civil liberties and innovation.

Companies, as well as the education system, should work hard to train people on the importance of cybersecurity by embarking on research and development activities in the field, focusing primarily on information and communications technology. Awareness and ethical practices shall also form part of the teaching curriculum.
Computer crimes pose a daunting task for bank security personnel because they are highly technical crimes. It is also important that bank officials and other members of the organization are knowledgeable about computer crimes in order to reduce the threat they pose. They should go beyond awareness. All personnel and agencies involved must have measurable competency, proficiency, and licenses, such as AMLC certifications.

Banks should hire or outsource certified computer fraud examiners to properly investigate computer-related crimes and initiate a proactive approach in mitigating cyber frauds. Also, all bank personnel engaged in electronic banking operations must have a certification such as Certified Information Security Auditor (CISA) or equivalent from any reputable institution.

Considering the dramatic developments in information technologies, there is an urgent need for the Philippine legislature to enact cybercrime laws that would address the new and difficult challenges presented by such developments, particularly to prohibit computer crimes and outline appropriate punishments for those crimes.

Lastly, it is strongly recommended that all banks strictly follow the bank regulations imposed by the Bangko Sentral ng Pilipinas, specifically on online banking issues.

Recommendation for future studies

For future studies, the next researcher could focus on the baseline standards for the technology the banks may implement. Since the cost of technology may affect the capitalization of the banks, especially banks with lower capitalization, the researcher may study the appropriate technological solutions that may have a lesser impact on cost. One area of interest is the creation of a third party network solution that will be centralized and equipped with a foolproof technology.
The future researcher may likewise replicate this study for the other types of banks stated in the current list of financial institutions regulated by BSP (see Annex), comprising 18 commercial banks, 73 thrift banks, and 635 rural banks and cooperative banks, as of April 1, 2011. The future researcher may use the template of this study or any other techniques applicable for the purpose.

Another area of interest could be the assessment of the liabilities and vulnerabilities of all internet service providers (ISP) serving the banks. It would be interesting to research the safety procedures and risk management aspects of the providers.

Implications on National Security

Any lapse in the information security management of a bank makes it more vulnerable to exposure to frauds and threats. As computer-related frauds evolve and become more organized, the banking system in the Philippines is facing real threats that must be looked at. A strategic approach must be taken to avoid any potential damage that would lead to the collapse of the banking sector, which would be a huge setback to the already struggling economy of the nation.
Political. The legal framework and regulatory policies necessary for the adaptation of the key solutions to the stated problems are political in nature. Cybercrime legislation will provide the strategic guidelines for the future decision-making and strategies of the key actors in the prevention of computer-related frauds.

Techno-Scientific. The fraud itself is technology-driven and innovates at a very fast pace. Generally, technology would be the primary consideration in coping with the strategic solutions for the prevention of computer-related frauds. However, because of the high cost of technology development, it is sometimes neglected and becomes secondary. Technology innovation may not be the only solution to the problem, but it plays a very important role in the prevention of computer-related frauds and, at the same time, in national security and development.

Economic. The absolute end goal of the study is achieving economic sustainability that is free from the frauds and threats brought about by cyber crimes. Economic activity in the country draws its strength from the stability of the banking sector. A better banking system would somehow contribute to the economic development of the country.

Socio-Cultural. The evolution of computer-related frauds affects the social activities of the nation. Frauds directly affect bank customers. Given this reality, their effects will ripple down the system and affect the whole community as well.

Military. The peace and security of the nation will be at stake if the effects of computer-related frauds on the banking system cannot be controlled. The military could contribute to the strict implementation of laws that could help in the prevention of frauds.

# # #
DIRECTORY OF PARTICIPANTS

MR FREDDY TAN CISSP (ISC)2 ftan@isc2.org
COLONEL ROMEO S BORRES PAF 950 CEISG, Philippine Air Force 950ceisg.gc@paf.mil.ph
LT COL LARRY Z AQUINO AFP Command and General Staff College larryaquino90@gmail.com
MR GEORGE C TAN Anti-Money Laundering Council Secretariat gtan@bsp.gov.ph
ATTY VIVIAN F MAGNO Anti-Money Laundering Council Secretariat MagnoVF@bsp.gov.ph
MS RACHELLE D ACUPAN ARMCI Solutions & Company rachelle.acupan@bdo-advisory.com
BGEN NICOLAS D OJEDA JR AFP (RET) Armed Force & Police Mutual Benefit Association Inc (AFPMBAI) nd.ojedajr@afpmbai.com.ph
COL ROCKY J BINAG PAF Armed Forces of the Philippines rocky394@yahoo.com
SSG RANDEL A GANTALAO Armed Forces of the Philippines gantalaorandel@yahoo.com
MR CLAYTON JONES Asia-Pacific (ISC)2 cjones@isc2.org
LTC JEAN A LATOJA WAC Assistant Chief of Staff for Communication, Electronics and Information Systems, MC6 jlatoja@yahoo.com
MS DECY L SIAO Bangko Sentral ng Pilipinas siaodl@bsp.gov.ph
MR PATRICK JOSEPH M SADORNAS Bangko Sentral ng Pilipinas sadornaspm@bsp.gov.ph
COL NOELITO C ALBANO (GSC) PA AFP Bids and Awards Committee, AFP noal84@yahoo.com
SGT DARIO G PASCUAL PA Career Management Division, OJ1, GHQ, AFP hacking_1289@yahoo.com
MR OCTAVIOUS CAESAR D MACUSI Career Executive Service Board odmacusi@yahoo.com
CDR CORNELIO RODEL D MAGO CEISSAFP magocrd@afp.mil.ph
CAPT VICENTE L CEJOCO PN (GSC) CEISSAFP vlcejoco@yahoo.com condedagdag@yahoo.com
ENS RANDY O HENGOYON CGWCEISS cgwceissmco@yahoo.com.ph
LTJG JOSE B JACINTO JR PCG CGWCEISS, Phil Coast Guard cgwceissmco@yahoo.com.ph
MR RANIER M ALVARADO CICT, House of Representatives rm.alvarado.24@gmail.com
MS OFELIA M PASCUA Claims Division, PVAO ofel.pascua@yahoo.com
ENS-PCG HENRY U DICHUPA PCG Coast Guard Legal Service, Phil Coast Guard dichupahenry@gmail.com
MR CRAIG COVEY Cobra Itech Services Corporation coveycrai@msn.com
LTC LARRY Z AQUINO PAF (GSC) Command and General Staff College larryaquino90@gmail.com
1LT VIRGILIO T PALECPEC JR PAF Counter Intelligence Technical Unit MIG 17, Intelligence Service, AFP 17arjaysantos@gmail.co
PSUPT LEO M FRANCISCO Criminal Investigation and Detection Group Philippine National Police leofrancis_92@yahoo.com.ph
LIEUTENANT JAMES MARTY O MINGUILLAN PN CSEISB, CID, J2
ROBINA M ASIDO Daily Manila Shimbur robina.acido@gmail.com
MR LOUIE C MONTEMAR De La Salle University louiemontemar@gmail.com
GHIO ANGELO S ONG Defense Press Corps ghiongangeloug@gmail.com
MR JERRY P RITUAL Department of Energy jritual@doe.gov.ph
MR ELIZAR S CANTUBA Department of Environment and Natural Resources ejay@denr.gov.ph
MR JOSE ESTEBAN C LEIDO Department of Environment and Natural Resources jecleido17@denr.gov.ph
MR ROBERTO L DE LEON Department of Environment and Natural Resources obet@denr.gov.ph
ASEC ESTER A ALDANA Department of Interior and Local Government titel_compt2004@yahoo.com
CDR ROGER S GAMBAN PN (RET) Department of National Defense rogergamban@yahoo.com
MR AUGUSTO CAESAR S LORENZO Department of National Defense acslorenzo@ndrrmc.gov.ph
MS AGNES PERPETUA R LEGASPI Department of Trade and Industry agneslegaspi@dti.gov.ph
CPT LAMCEL C CARANGUIAN Deputy Assistant Chief of Staff for Communication, Electronics and Information Systems, MC6 lamcelcaranguian@yahoo.com
PCSUPT CATALINO B RODRIGUEZ JR DICTIM tdictm@pnp.gov.ph
LCDR OLIVER P OBONGEN PN DSMC-DISG berong99@gmail.com
MR FEDERICO HERIBERTO C DE LA LLANA MM EDP - IMD, National Security Council fhcdelallana@nsc.gov.ph
MR HO KYUNG YOO FEU-East Asia College hokyung_yoo94@yahoo.com
MR FERDINAND C PALOR Finance Division, Phil Veterans Affairs Office ferdz926@yahoo.com
MAJOR REY A GUBANTES PAF Foreign Liaison, OA-2, Philippine Air Force masculado142@gmail.com
MS KAREN P AGUIRRE Guidance Unit, FEU-East Asia College kpaguirreinfo@gmail.com
MAJOR VALENTINO T AUSTRIA PA HHSC, Army Signal Regiment (P) austriavt@army.mil.ph
ATTY ARTEMIO A ADASA JR, MNSA House of Representative aaa.legops@congress.gov.ph
ENGR PHILIP P VILLAMIN House of Representatives vphone@gmail.com
MR FELINO D CASTRO V ICT Management Service, DSWD focastrov@dswd.gov.ph
DIR PHILIP A VARILLA ICTO-DOST
ITO ANDRES D NAVARRO IMO, DND adnavarro@dnd.gov.ph
LCDR SALVADOR M SAMBALILO PN Information Systems Group, NCEISC, NSSC, Phil Navy sambalilo.salvador128107@navy.mil.ph
MS AVEGALE CECIL G ALCARAZ Information Systems Security Department, Pag-Ibig Fund agalcaraz@pagibigfund.gov.ph
ENGR / PSINSP ALLAN S CABANLONG Information Technology Management Service allancabanlong@pnp.gov.ph
MS NIKKO L DIZON MNSA Inquirer nicolettekn@gmail.com
MR MENARDO S GARCIA Intelligence Service, AFP menardogarcia@yahoo.com
TSGT RUBEN A BIRUNG PA Intelligence Service, AFP rabirung@gmail.com
MAJ CHRIS V CABADING PA Intelligence Service, AFP xtiansr00@yahoo.com
MR HARINDRANATH MEPURATHU International Organization for Migration hmepurathu@iom.int
CPT REX C BOLO PA ISG, Philippine Army rexcbolo97@yahoo.com
MR MERVIN R BUNAG ISSA Manila Chapter mervin.bunag@gmail.com
MR CHINO S RODRIGUEZ IT Resource Mgt Office crodriguez@ateneo.edu
LTCOL MARCIANO JESUS C GUEVARA J-staff, AFP, GHQ-AFP sirocco8800791@yahoo.com / oj7_bat@yahoo.com
MS CAROLINA P DELA CRUZ Knowledge Management Division, Department of Health cpdelacruz@co.doh.gov.ph
ATTY ARIEL O LABRA Law Department, City Govt of Makati atty.arielolabra@gmail.com
ATTY / P/ENS BLESSIE L TURIJA-PALMOS Legal Service blessiepalmosa@yahoo.com
ENGR MERLINA PANGANIBAN Makati Mayors Office merlinagp@gmail.com
MS ELSIE I ENCARNACION Metro Manila Development Authority oc.miss@mmda.gov.ph
ENGR FREID RICK C TURINGAN Metro Manila Development Authority miss.administrator2@mmda.gov.ph
MS ANNABELLE C RAGSAC Mngt Information Systems Division, IMO belle@nsc.gov.ph
CAPT ROMMEL ANTHONY SD REYES PN N6 Philippine Navy reyes.rommel10106@navy.mil.ph
MR JOEY I NARCISO National Bureau of Investigation joey@joeyinarciso.com
MR VICTOR V LORENZO CPA National Bureau of Investigation victorlorenzo38@yahoo.com
DIR RAUL N NILO National Computer Center raul@ncc.gov.ph
MR FEDERICO HERIBERTO C DE LA LLANA National Security Council fhcdelallana@nsc.gov.ph
FMR CONG RODOLFO PLAZA MNSA NDCPAAI
COL CARLYZAR DIVINAGRACIA PAF (RES) MNSA NDCPAAI dcarlyzar@hotmail.com
LTC DOLORES DE QUIROS - CASTILLO PA (RES) MNSA NDCPAAI dollydqc@yahoo.com
MR GAUDENCIO A CANTOS III MNSA NDCPAAI gcantosiii@yahoo.com
MR DICKSON G WEE MNSA NDCPAAI iweb@club88.net / bloatedgenius@yahoo.com
MS SHIRLEY MARIE P PLAZA MNSA NDCPAAI shirleypplaza@gmail.com
MAJOR JAY JOSEPH C ESPIRITU PA Net Center, ASR(1) IA espiritujj@army.mil.ph
MAJOR JOEY T FONTIVEROS PA NETC, ASR (P) fontiverosjt@army.mil
MR ALFREDO G FRANCO Network Solutions Engineering Group afranco@ncc.gov.ph
LTJG EDUARDO R BARRAMEDA JR PN NISF, PN erbj101@lonaicom.net
MR DAVID R LCRUZ OASPP davecruzph@yahoo.com
CPT ROMEO M PAZZIUAGAN ODCS FOR CEIS, J6 pazziuaganrm@afp.mil.ph
CAPT GEORGE F CATAMEO ODCS for Reservists & Retiree Affairs, J9 rraoja_opns@yahoo.com
MAJOR DON MARIA R ANICETE PAF Office for Defense Reform, Department of National Defense donanicete@yahoo.com
EVA B DELOS SANTOS Office for Public Affairs evabds25@yahoo.com
COL ARNOLD DF ANDALES PA, MNSA Office of AC of S for CEIS, G6, PA rnold61@yahoo.com
MR KELVIN ART T OFRECIO Office of Civil Defense katofrecio@ndrrmc.gov.ph
LTC CHARLEMAGNE F BATAYOLA JR PA Office of Strategic & Special Studies Division, AFP yuri10936@gmail.com
MAJOR ELMER D HAMAMOTO PA Office of the AC of S for CEIS, G6, PA hamamotoed@army.mil.ph
COL ERNESTO C FONBUENA JR PAF (GSC) Office of the Deputy Chief of Staff for Communication, Electronics and Information Systems, OG6 fonbuenaec@afp.mil.ph
MAJOR JOSE RAYNIL B MAHINAY PAF Office of the Deputy Chief of Staff for Personnel, J1 raynil_m@yahoo.com
PROF LEMUEL RODOLFO B BRAÑA Office of the President, Cobra Itech Services Corporation lrbbrana@cobraitech.com
MR DEXTER D CONCEPCION Office of the Vice President ddconcepcion@ovp.gov.ph
MR STEPHEN P CUTLER PHD Official Global Control Corporation steve.cutler@ogcc.biz
1LT KAREN LELETH P DIPALING PA OG2, PA kar_dips06@yahoo.com
CDR ROBERTO E RUBIA OJ4 amir6177@gmail.com
COLONEL JAIME FERNANDO R HIDALGO PA OJ5, GHQ, AFP jimhidalgo87@yahoo.com / jimhidalgo87@gmail.com
COL ERNESTO C FONBUENA JR PAF (GSC) OJG fonbuenaecjr@afp.mil.ph
MR JESSE REY F RIOS Operations Section, Office of Civil Defense - Cordillera car@ocd.gov.ph / civildefense_car@yahoo.com
ATTY JOSE ANGELO V CUNANAN OUSLLASC gelocunanan@alumni.ateneo.edu
MR JAIME L ROQUERO Phil - Star jrlaude@yahoo.com
COMMODORE SALVADOR Q ESGUERRA AFP (RET) Phil Veterans Affairs Office sqesguerra@gmail.com
COL SUSTHENES C VALCORZA GSC (PAF) Philippine Air Force a6@paf.mil.ph
MAJOR MARVEL C SABELLON PAF Philippine Air Force sabellon.marvel@paf.mil.ph
MAJ JUDE P EJERCITO PAF (GSC) Philippine Air Force jude.ejercito@yahoo.com
SGT JAN BER M TERRITORIO Philippine Army
1LT IVY M PILONES Philippine Army ivy_06ymra@yahoo.com
LTC ROMEO N BAUTISTA III PA Philippine Army romeo_bautista93@yahoo.com.ph 09186750762
MAJ JERIC MAXIMO M REYES PA Philippine Army afpps@yahoo.com
MR VIRGILIO M GAJE Philippine Information Agency vergaje@yahoo.com
LTC EDWARD VINCENT S ARRIOLA PN (M) Philippine Marine Corps mc6@marinecorps.mil.ph
LTC JOSE DODJIE C BELLOGA PA Philippine Military Academy dodjieb@pma.ph
PSSUPT BENJAMIN C ACORDA JR Philippine National Police acorda91@yahoo.com
PSSUPT BARTOLOME R BUSTAMANTE Philippine National Police legalbuster@yahoo.com
PSSUPT EDWIN JOSE G NEMENZO Philippine National Police
PSSUPT RENE D ONG Philippine National Police renediazong@yahoo.com.ph
CDR RUBIN D ATILLO PN Philippine Navy atillo.rubin128090@navy.mil.ph
ENS JAN KYLE Q BORRES PN Philippine Navy borres.jan16421@navy.mil.ph
CPT KRISTINE B SALON PN (M) Philippine Navy salon.kristine134651@navy.mil.ph
MR JAIME R LAUDE Philippine Star jrlaude@yahoo.com
MS MELENDA I LUNA Philippine Veterans Affairs Office vrmd_pvao@yahoo.com
MR ROBERT DG LOSABE Philippine Veterans Affairs Office rlsport12345@yahoo.com
MS OLIVIA C ALEJANDRINO ISA III, MID Philippine Veterans Affairs Office Department of National Defense olvcruz@gmail.com
MR DARIOS S VALLEJOS Planning / IT, Office of Civil Defense Region 3 itenpus@yahoo.com
MR ALLAN TIENZO Powerlink allan.tienzo@powerlink.ph
1LT MARICHRIS A BELLEZA PA Presidential Security Group mabelleza@psg.mil.ph alferezmc@army.mil.ph
MR SIMOUN S UNG PVB Card Corporation simoun.ung@paybps.com simoun.ung@osac.ph
MS ROCHELLE O CHAVEZ RTC Makati cchlechavez@yahoo.com
MS AUGUSTA N ALTOBAR SACSO, FEU-East Asia College analtobar@feu-eastasia.edu.ph
MS BEATRIZ G SUMAGAYSAY SACSO-Discipline Unit, FEU-East Asia College bgsumagaysay@feu-eastasia.edu.ph
MR GABRIEL B FORTU SACSO-Guidance Unit, FEU-East Asia College gbfortu@feu-eastasia.edu.ph
MR JOHN WILMER DG JIMENEZ SACSO-SADU, FEU-East Asia College jgjimenez@feu-eastasia.edu.ph
MR CEZAR DV GUTIERREZ Senate of the Philippines rasec15g@yahoo.com
DIR FD NICOLAS B PICHAY Senate of the Philippines artandlaw.pichay@yahoo.com
MR DAVID Y SANTOS Solar News david.yu.santos@gmail.com
MS IMELDA M ACOSTA Training Section, OCD Region 1 ocdrc1@yahoo.com / sugary14SgMM@yahoo.com
MR STUYVESANT LIM TRUSTWAVE slim@trustwave.com
MS FLORDELIZA A VIDAURRETA UDO-MAKATI CITY GOVT vidaurretafa@makati.gov.ph
MR JEROME GARRIDO Urban Development, Makati Mayors Office jerome.garrido@powerlink.ph
LAURENT M DE WINTER 2ND SECRETARY, POLITICAL, US Embassy dewintermm@state.gov
MR KYLE MILLS US Embassy millskg@state.gov
MR MOISES PALER Zperia moie@zperia.com
National Defense College of the Philippines

Mission

To prepare and develop potential national security leaders for high positions of responsibility and command, and undertake strategic research and policy studies to enhance national defense and security (PD 190 s. 1973; PD 452 s. 1974; Admin Code of 1987, DC 2 s. 2007)

Vision

To be the center of excellence in educational and policy development for strategic and dynamic leaders in national defense and security by 2022.

Functions

a. Undertake an academic program and confer the degree of Master in National Security Administration (MNSA) or such other appropriate courses upon all its students who have satisfactorily completed the prescribed courses of study;
b. Undertake a research program as basis in the formulation of national defense and security policies;
c. Conduct extension program such as non-degree training, seminar-workshops, policy conferences and other similar fora on national defense and security issues;
d. Conduct other programs and projects in support of the mission of the Department of National Defense (DND) and its bureaus and offices and other government agencies.

Join the MNSA Regular Course and become one of the country’s SCHOLARS and ADVOCATES of NATIONAL SECURITY at the NDCP — “where admission is an honor.”

For details, call telephone nos.: Office of the NDCP President (02) 911-8469; Registrar (02) 912-1510; Academics Division (02) 912 9117; Research Division (02) 912-9125; Admin Division (02) 912-1412. Visit us at www.ndcp.edu.ph.