Written by Miguel Gomez
Despite the nascent state of its cyber security, the recent initiatives by the Philippine government provide a unique opportunity to play an increasingly influential role with respect to domestic and regional cyber security concerns. Its proposal in 2016 for the establishment of a cyber security working group would allow its concerns to be discussed amongst its peers and with other established cyber powers. Closer to home, the establishment of the Department of Information and Communication Technologies (DICT) in conjunction with the draft National Cybersecurity Plan 2022 (NCP 2022) better equips the government to meet the complex demands of this emergent and increasingly crucial domain. Yet despite these developments, the question of whether the country will prove successful in its emergent role remains open to debate.
On the one hand, continued exposure to threats that range from cybercrime to state-associated cyber-attacks provides an appreciation for the level of risk expected through increasing dependence on cyberspace. On the other side, however, the Philippines’ interest in and conceptualisation of cyberspace as reflected by the NCP 2022 demonstrates that a nuanced and critical understanding of its inherent risks has yet to emerge. This situation places significant constraints on hopes for more assertive participation in addressing the question of cyber security. This article endeavours to provide a brief insight into the unique position occupied by the Philippines with respect to regional cyber security concerns and the challenges it faces in its move towards greater involvement.
A Thorough Exposure
The past two decades has seen the diversification of threats both to and from cyberspace. Beginning with the earliest malware infections in the early 1970s to the militarisation of cyberspace in the first decade of the 21st century, various threats have evolved beyond simple notions of digitised viruses or curious teenagers. In their earliest form, cyber threats drew parallels with biological pathogens that negatively impacted the wellbeing of computerised systems – much in the same way that a physical virus would. By the early 1990s the discourse had shifted to the lawless nature of cyberspace with both curious individuals and those with criminal intent causing serious harm to emerging digital economies. By 2007 the narrative had shifted to cyberspace as an instrument of national policy, that is to say; a tool for states to obtain their strategic objectives. The Distributed Denial-of-Service attacks against Estonia, purportedly launch by Russia, epitomises this development.
At this point, you may wonder why this is so important.
The significance of clearly defining the nature of threats influences (1) the referent object involved, (2) the actors in scope, and (3) the appropriate actions to be taken. Although the above representations would, to an extent, overlap in terms of these components, special considerations are required when addressing each one. For instance, if cyber-attacks are framed as an economic liability approaching individual enterprises to improve their own security posture, they may be a better option than if a military cyber command was given the responsibility of securing the national cyberspace. Inversely, if threats against individual enterprises are attributed to state actors with specific strategic goals, then greater government involvement may be ideal. Learning to identify variations between these different representations requires exposure to facilitate organisational learning. In this light, the Philippines occupies a unique position within the region as it has come to experience both the socio-economic and politico-strategic representations of cyber threats.
Historically, the Philippines has faced challenges associated with cybercrime. Annual third party reports have cited it as both a source and target of such activities over the past two decades. It is therefore unsurprising that the government has responded, albeit slowly, by passing legislation aimed at criminalising such activities. In addition, its proposed accession to the Convention on Cybercrime suggests a shared view of the threat and the necessary countermeasures required. More recently, however, the Philippines has also experienced cyberattacks that coincide with on-going political/military disputes. The cyber assets of both the private and public sectors experience some form of disruption each time disputes emerge e.g. the territorial contestation involving islands in the South China Sea has coincided with attacks against Philippine cyberspace attributed to China.
The presence of these incidents, while disruptive, comes at an opportune moment for the Philippines. Without being locked into one representation or the other, it finds itself able to develop solutions that could best address both types of threats. The benefits of doing so translates across three levels. Domestically, preventing future disruptions would allow it to fully benefit from the socio-economic advantages offered by increased investments in cyberspace. Regionally, this aligns with ASEAN’s goal of employing cyberspace as a platform for regional progress while considering the possibility of the domain’s militarised use within the region. Globally, its proposed solutions would be compatible with the findings of the UN Group of Governmental Experts (UN-GGE) regarding the use and protection of cyberspace.
Benefits and Roadblocks
The above provides the Philippines with an opportunity to strengthen its role in cyberspace. Though, it is far from a certainty. Success in this regard ultimately depends on the specific actions it takes within the domain. Policy documents such as the National Cybersecurity Plan 2022 shed light on the direction these would take. Prepared under the auspices of the DICT, the strategy document reflects the government’s approach in securing the national cyberspace. Despite being a draft at this point, several observations may be made that both support and hinder the country’s overall objective.
In its favour, the document acknowledges the multifaceted nature of threats in cyberspace and provides readers with its different forms and possible implications. Unfortunately, it remains silent with respect to how the Philippine government conceptualises the domain. While references to its socio-economic nature are evenly distributed, the occasional emphasis on its militarisation provides an inconsistent view. Such an inconsistency is crucial since other initiatives demonstrate that incongruent conceptualisations of cyberspace have led to the failure of agreements between parties. The case of the United States, China, and Russia struggling with defining appropriate behaviour in this domain is illustrative of the challenges faced by states such as the Philippines.
In addition, while the document highlights the variety of threats, it is not forthcoming as to specific considerations. For instance, while a whole-nation approach is espoused when responsibility of securing the domain is discussed, the exact configurations required to deal with specific threats are not considered. As an example,the Department of National Defense (DND) has been charged to “gather foreign cyber threat intelligence”. Although it does not appear controversial, a closer reading surfaces a crucial problem. Cyber threats can be both military and non-military in nature (i.e. criminal syndicates) with the latter out of scope for national security organisations such as the DND. From a practical/technological perspective, this may also be unrealistic as the infrastructure needed to provide such a wide coverage is not under the ownership of the DND or the government but is in the hands of private enterprise.
Crucially, the document appears to conflate both cybercrime and cyber warfare. While these may involve similar technologies, techniques, or even actors; instances of each case require different treatments. On its own, cybercrime is best addressed through national and international legal instruments. In contrast, cyber warfare – if such a thing exists – dictates additional considerations to avoid unnecessary escalation. This is especially true given that several interactions labelled as such have been associated with established political or military rivals. Moreover, such a situation is common within the region.
On the Right Path?
The Philippines finds itself in a unique position. Despite the consequences of threats against its cyberspace, its history provides the opportunity to develop a strategy that allows it a greater involvement in the efforts to secure this new and increasingly significant domain. Although its actions, to date, have been a step in the right direction, much more work is needed. First, effort must be invested in providing consistent views of cyberspace relative to its importance. Second, the nuances of the threats it faces must be better considered to provide an efficient and appropriate response. Finally, it should clarify its position regarding the criminal or military use of cyberspace. Although this debate is far from over, greater clarity would only help further its respective goals.
Miguel Gomez is a Senior Researcher at the Center for Security Studies in Zurich. His research focuses on strategy, norms, and risk in cyberspace. He has a background in both security studies and computer science. This article forms part of the IAPS Dialogue edition entitled “(In)Security in the Philippines.” Image Credit: CC/ Pixabay