Prioritize state-level cyber defense

Dindo Manhit, President, Stratbase ADR Institute

These days we talk about digital infrastructure, digital readiness, and the possibilities that technology offers. On a grander scale, digital advances have furthered the interconnectedness of states in the geopolitical and economic spheres and heightened the connectivity of the global community.

In recent years and especially during this pandemic, we saw how technology enabled us to do many things even from the confines of our homes. But during this period, we also saw an alarmingly increasing number of electronic breaches both at the individual and at the organizational level. Identities have been stolen, privacy has been violated, personal information has fallen into the hands of strangers who misuse it for their own gain.

Magnify the scenario if the breach were to involve entire corporations, industries, government institutions, or critical infrastructure. The damage will be untold and the consequences will be crippling, not only for a handful of people but for entire geographical areas or segments of society. The estimated costs are mind-boggling.

Imagine the consequences of a data breach involving our own military, for instance, where sensitive state secrets and key defense capabilities are compromised, through attacks by malicious nation-states. Indeed, the cybersecurity capabilities of states are being tested by cyberattacks, cyberespionage, and other illegal digital operations.

No matter the amount of investments in digital infrastructure, we will continue to be insecure and vulnerable without a robust cyber defense posture.

We at the Stratbase ADR Institute, in partnership with the United States Embassy in the Philippines, organized a hybrid roundtable discussion that tackled exactly this last Tuesday, Oct. 25. Entitled “Establishing a Strong and Credible Cyber Defense Posture in the Philippines,” the forum gathered experts in defense and cybersecurity from the government, private sector, and the academe.

The consensus is that having a strong cyber defense posture will be a result of cooperation between and among the private sector, the government, and like-minded nations.

Cybersecurity and Infrastructure Security Agency Program Manager Paolo Pascetta said the United States’ relationship with treaty allies in the region, including the Philippines, is important to them as they confront threats from state and non-state actors.

Cybersecurity, he said, is not a separate technology, because critical infrastructure is both cyber and physical. Thus, digital creation that is unsustainable, exclusive, or untrustworthy, no matter how valuable, is unacceptable.

Their group has committed to hold training sessions in early 2023 in Manila on cyber hygiene and cyber work force development.

The commitment stems from the paramount importance placed by the US on its relationship with five of its treaty allies in the region — including the Philippines — in confronting threats from both state and non-state actors.

The former Director of the Threat Operations Center of the US National Security Agency, Dan Ennis, also said that government and private sector partnership is key in this endeavor. This can be done by setting priorities, taking a risk management approach, and then communicating the priorities, the approach, and the focus of one’s resources.

In an attempt to protect everything, we may exactly protect nothing, he said. The biggest gain that we could have is a strategy that sets out key priorities, both to protect key infrastructure and key economic targets, and a risk management approach to solving the problem.

Cybercrime can be defeated by sector, by entity, by company, by government agency, he added.

In the end, he said, it would be the critical infrastructure that would be key to the health of the economy and of our democratic institutions. Capacity must be built against both nation-states and cyber-criminals.

Meanwhile, the Philippine government is all too aware of our cybersecurity challenges.

“The first step in solving a problem is to acknowledge that it exists. We acknowledge that the cybersecurity issue is a global concern,” said Paul Joseph Mercado, Undersecretary for Special Concerns at the Department of Information and Communications Technology (DICT).

Despite the disparity between the problem and the budget allocated to the agency for next year — they asked for P34 billion but were only given P5 billion — the DICT intends to make do with what it has.

“There are ways ahead even with a limited budget. We will try to pursue public-private partnerships. If we spend this correctly, I think we will still have a very good future ahead of us in terms of these ICT projects,” Mr. Mercado said.

The problem is daunting, indeed, and even more frightening when we think of the state actors that are, at this moment, preparing to launch cyber-attacks on critical infrastructure, threatening to shut down entire industries, or plotting to cripple specific geographic areas.

We should be prepared to deal with this not only at the corporate or government level, but on a regional level as well. As individual companies or countries must work on their cyber defense posture, so should this be a common aspiration — and a great opportunity for cooperation — among states in the region.

This article was originally published in BusinessWorld.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s