-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
1/15
JANUA
STRATEGICCONSIDERATIONS
FOR PHILIPPINECYBER SECURITY
9.1VOLUME
PAPEROCCASIONAL
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
2/15
Cyberspace has become an indispensable domain
for state interaction. Governments have, therefore,
made use of cyberspace for power projection, the
protection of critical national infrastructure, and the
exertion of political inuence over other actors in the
international system. This domain, however, has also
become a prominent source of insecurity between
states because of its particularly strong potential for
espionage, sabotage, and subversion.1 While cyber
security continues to be a contentious policy issue,
the promise of a cyber revolution has inuenced
numerous states to develop capabilities for military
cyber operations. More than 40 states have now
developed military cyber organizations and policiesand nearly 70 states have crafted non-
military policies and organizations.2
CYBER CRIME
Despite the relatively controlled threat posed by cyber crime, the Philippinegovernment has adopted a more active posture towards countering illegal domesticcyber activities in contrast to countering external threats to national security.
The idea of a cyber revolution is based on three
widely held assumptions suggested by some
scholars and policymakers about cyberspace:
it enables asymmetric advantages; it is oense-
dominant; and, deterrence is not eective in
this domain.3 First, cyberspace is asymmetric
because, it allows weaker actors to use fewer
resources and capabilities to challenge the military
forces of powerful states. Second, cyberspace is
oense-dominant for several reasons, including
the instantaneous speed of attacks, the problem
of attributing attacks to a perpetrator, and the
overwhelming dependence on cyberspace
throughout modern society.4As a result, enemiescan exploit these opportunities and engage in
numerous malicious activities, including network
STRATEGIC
CONSIDERATIONSFOR PHILIPPINECYBER SECURITY
* The views and opinions expressed in this Paper are those of the author and do not necessaC 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
OCCASIONAL PAPER JANUARY 2016
02
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
3/15
disruption and espionage against target states. Third,
deterrence is not eective in cyberspace because the
threat of retaliation is not viable if the adversaries are not
cognizant of a states cyber capabilities.
Deterrence is the use of threats to discourage adversaries
from initiating undesirable actions.5 The logic of
conventional deterrence is based on three core elements:
communication, credibility, and capability.6 For deterrence
to be eective, a deterring state must rst communicate
to its adversaries which actions are unacceptable and
the corresponding punishment once these actions are
undertaken. The state must then demonstrate that it
has the capabilities to support its threats. Lastly, the
state must establish credibility by convincing adversaries
that the communicated threats will actually be carried
out.
7
However, these elements are problematic whenapplied to cyberspace. It would be detrimental for
states to communicate and demonstrate that they have
cyber capabilities because to do so diminishes their
strategic surprise and technological superiority, the main
advantages of military cyber operations. Absent any
awareness and conrmation from their target state,
adversaries will not be persuaded that
a state has such capabilities.8
Athough the proliferation of cyber capabilities
is inevitable, the assumptions about the value
of cyberspace for military operations are mainly
overstated and need to be claried. First,
cyberspace does not provide asymmetric
advantages to weak actors. The most sophisticated
cyber attacks, Stuxnet and Flame for instance,
required an unprecedented level of expertise and
operational capabilities that weak states and non-
state actors do not necessarily have.9Second,
the idea that cyberspace is oense-dominant
is also questionable because the complexity
of weaponization makes oensive operations
more dicult for states to develop. Moreover, the
empirical evidence suggests that cyberspace is not
necessarily oense-dominant as some academics
and policymakers argue because the successand decisiveness of oensive cyber operations
are generally conditioned on attack severity,
organizational competence, and actor resolve.10
Lastly, traditional deterrence models may not be
useful in cyberspace but an alternative interpretation
of deterrence sees a cyber attack as an indication of
successful deterrence because it substitutes kinetic
or physical attacks between states.11
Given this context, this paper arg
the strategic limitations of cybers
Government of the Philippines sho
cyber security as a policy priorit y
three reasons: the economic cons
cybercrime, the security consequ
espionage and the political conse
conict in the region. The remaind
is divided into in four sections. Th
introduces central concepts rega
cyber security. The second exam
that could inuence the developm
capabilities in the Philippines. The
existing regional and domestic po
to cyber threats. Finally, the last s
some recommendations for the n
particularly focusing on integratingwithin national security policy and
Following these objectives, the pa
oer recommendations about the
law enforcement, e-governance, i
infrastructures and other related t
outside the scope of strategic inte
actors in the international system
OCCASIONAL PAPER JANUARY 2016
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
03
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
4/15
Concepts and Actors
Our understanding of cyber issues is dependent on
how concepts and actors are dened and framed. It
is necessary to clarify specic concepts and identify
actors to avoid confusion and exaggeration aboutstate capabilities and threats in cyberspace. The
following section therefore discusses some core
concepts and actors in area of cyber studies.
Concepts
A core concept in the conduct of cyber security
operations is the oensive and defensive capabilities
of a state or its Computer Network Operations
(CNO). These operations are divided into three
types of functions: Computer Network Attack
(CNA), Computer Network Defense (CND), and
Computer Network Exploitation (CNE). CNA is an
oensive operation and is dened as the capabilityto use computers to disrupt, deny, degrade, or
destroy information in adversaries computers
and information systems. CND, on the other hand,
involves the protection of a states computer
networks: having the capability to detect, analyze,
and mitigate threats and vulnerabilities, and
outmaneuver adversaries. CNE is an espionage
operation and is the ability to collect i ntelligence
through the use of computer networks
to gather data about adversaries.12
These functions provide a general idea of what
states can do in cyberspace, although it is
important to note that the specic operational
instrument involved in executing cyber attacks are
weapons delivered through a computer. A cyber
weapon, in this sense, is a computer code that is
used or is designed to be used with the objective
of threatening or causing damage to objects,
networks, or living beings.13 Cyber weapons can
come in dierent forms, ranging from generic tools
that cause nuisances to high-end tools that can
bring down a states critical infrastructure. Table 1
presents the main types of cyber weapons
as well as their basic denitions.
Another fundamental concept is the projection of
power in cyberspace or cyber power. This paper
considers cyber power as an extension of poli tics,
which is, fundamentally, the authoritative allocation
of valued things.15 Since power relates to the
allocation of capabilities and resources, the paperadopts Nyes idea of cyber power: the ability to
obtain preferred outcomes through the use of
electronically interconnected information
resources of the cyber domain.16
Moving to the next concept, much debate has
been generated by the term cyber war. While
several denitions exist for this concept, this
papers proceeds with the view that notion of war is
problematic and even dangerous when applied to
cyberspace. An act of war must be instrumental,
political, and lethal, whether in cyberspace or
not.17 No stand-alone cyber operation on record
Table 1. CYBER WEAPONS DEFINED14
OCCASIONAL PAPER JANUARY 2016
04
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
5/15
In terms of non-state actors, there are three
additional subcategories: criminals, hackers, and
terrorists. Criminal organizations exploit cyberspace
through various methods for monetary gain. The
major types of online criminal activities include theft
of data, nancial crimes, corruption, and crimesagainst children.23 Hackers on the other hand,
execute in network intrusions for dierent reasons,
ranging from experiencing the thrill of the challenge
to bragging rights. Although cracking into networks
once required a fair amount of skill or computer
knowledge, attack tools have now become
more sophisticated and easier to use, providing
hackers with more capabilities.24 For instance,
politically motivated hackers or hacktivists, such
as Anonymous and LulzSec, overload e-mail
servers and hack into websites to send a specic
political message to target audience.
While there have been no recorded incidences
of cyberterrorism, cyberspace is attractive to
terrorist organizations because it guarantees
anonymity, it enables global communication, and
it delivers a strong psychological impact.25 The
Central Intelligence Agency suggests that terrorists
will remain focused on traditional attack methods;
however, the CIA anticipates increasing cyber
threats as a more technically capable generation of
terrorists join the ranks.26 Table 2 provides some
examples of the cyber weapons that dierent
actors have utilized as well as the
incidents they were involved in.
meets these criteria, thus the concept of cyber
war will not be used for purposes of the paper. As
alternative, the paper follows the work of Valeriano
and Maness who suggest the term cyber conict as
more appropriate, as it involves hostile i nteractions
between states but is not necessarily indicativeof warfare.18 Cyber conict is dened as the use
of computational technologies in cyberspace for
malevolent and destructive purposes in order to
impact, change, or modify diplomatic as well as
military interactions between entities.19
Actors
Since the barriers and costs to entry in
cyberspace are low, a range of actors have engaged
in numerous types of disruptive activities against
dierent targets. There are two main categories
of actors in cyberspace: states and non-state
actors. States are clearly the dominant actorsin cyberspace, given their extensive resources,
expertise, and capabilities.20The development
of the most sophisticated and high-level CNO is
typically designated to states intelligence and
military services. The objectives of these services
are to collect and/or destroy intelligence by
exploiting and disrupting adversaries information
infrastructure. Some prominent examples include
the National Security Agency of the United States,
the Government Communications Headquarters of
the United Kingdom, the General Sta Department
(3rd and 4th Departments) of the Peoples Liberation
Army in China,21and the Reconnaissance General
Bureau and General Sta Department of the
Korean Peoples Army in North Korea.22
Table 2. Actors, incidents and weapons
OCCASIONAL PAPER JANUARY 2016
05
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
6/15
In examining the role of dierent actors in
cyberspace, it is imperative to highlight the
signicant dierence between the capabilities of
states and non-state actors in cyberspace. Thereis a persistent media blitz about the threat of
massive and destructive cyber attacks by non-state
actors, but these reports are largely overstated and
empirically untested.32 It is therefore necessary
to adopt a more strategic understanding of cyber
conict where the focus of inquiry is the realistic
outcome or consequence of the attack aside from
technical and tactical considerations such as the
number of websites that are defaced or the
type of malicious code used by hackers.
Factors Affecting Cyber Security Development
States generally produce specic defense and
security capabilities in response to external
and domestic considerations. While there is no
scholarly nor policy consensus over which factors
constrain states investments in cyber capabilities,
the subsequent section oers three important
factors that could potentially inuence further cyber
capability development in the Philippines.
Economic: Cyber Crime
The rst factor is the growing industry of cyber
crime. The low barriers to entry, the assurance
of anonymity, and the high speed of t ransactions
oered by cyberspace provide criminals with
unparalleled opportunities for prot generation. A
report by the Center for Strategic and InternationalStudies and McAfee estimates that the global
economy loses $375 billion to $575 billion annually
due to cyber crimes. Even the most conservative
estimate of economic losses to these criminal
activities is more than the national income of most
states and companies, signifying the level of
risk states face from cyber crime and
how rapidly the risk can evolve.33
n the context of the Philippines, cyber crime is
an existing problem but is not as threatening
compared to other organized criminal activities
such as robbery, kidnapping and drug tracking.
For instance, the Philippine National Police Anti-
Crime Group reports that there were 3,368 recorded
cases of cyber crime from 2003 to 2014.34 Of these
cases, the most common forms of cyber crimes
were identied as website defacements, personal
account inltrations, and Internet fraud. The data
to systematically quantify the economic impact of
crime that make use of cyberspace is incomplete;
however, the most substantial reports of losses have
been from the Bangko Sentral ng Pilipinas, which
estimates that PhP175 million was lost due to ATM
fraud in 2012 and PhP220 million in 2013.35
Despite the relatively controlled threat posed by
cyber crime, the Philippine government has adopted
a more active posture towards countering illegal
domestic cyber activities in contrast to counteringexternal threats to national security. In terms of
crime prosecution, there are currently six laws that
relate to cyberspace: the Cybercrime Prevention
Act of 2012, the Anti-Photo and Voyeurism Act
of 2009, the Anti-Child Pornography Act of 2009,
the E-Commerce Act of 2000, the Access Devices
Regulation Act of 1998, and the Anti-Wiretapping
Law of 1965. Moreover, the enforcement of
these laws is assigned to four key government
agencies: the Cybercrime Investigation and
Coordination Center (Department of Science and
Technology), the Oce of Cybercrime (Department
of Justice), Cybercrime Division (National Bureau of
Investigation), and the An
Group (Philippine Nationa
Building on these eorts, the government is encour
develop the capacity to ad
domestic enforcement ag
National Bureau of Invest
National Police, still lack th
and resources to eective
Given the rapidly rising nu
it is impossible for the gov
millions of internet users w
surveillance systems and
Second, the mechanisms
cooperation are underdev
strengthened. Since cybe
OCCASIONAL PAPER JANUARY 2016
06
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
7/15
Image Credit: post-gazette.com
hand, it can also facilitate network inltration by
adversaries.
In the case of the Philippines, investing in cyber
espionage or CNE capabilities would enhancethe intelligence collection of security and military
services. The minimum credible defense
strategy, which the government is developing, is
fundamentally dependent on understanding an
adversarys intentions and capabilities.40 Given
this situation, government security and military
forces can leverage the advantages of cyberspace
to collect vital intelligence regarding adversaries
intentions about critical issues, such as the ongoing
territorial disputes or the arms dynamic in the region.
The governments current focus is to improve
conventional capabilities of the military; it would be
reasonable to supplement these capabilities and
invest in military computer network operations.
The paradox of cyberspace is that it also allows
other states to steal information from computer
networks in the Philippines. There have been several
reports by companies like FireEye and Kaspersky
Lab of network inltrations against the Philippine
government, but it is unclear if security and milit ary
services have CND capabilities to defend the states
networks against these hostile operations.41 This
uncertainty is reected in existing cyber security
assessments, which indicate that the Philippines isdecient in military capabilities for cyber operations,
public cybersecurity assistance networks (Computer
persistent, it is crucial for the government to create
a cohesive strategy that denes the responsibilities
of each agency and sets out a clear implementation
plan that accurately integrates their functions.
National Security: Cyber Espionage
The second factor is the growing prominence of
cyberspace as area for espionage. Several cases
of cyber conict relate to espionage operations
between states. For example, in 2005, the United
States government discovered Chinese computer
network operations Titan Rain, which successfully
inltrated numerous secure systems, including
the Department of Defense, Department of State,
Department of Homeland Security, National
Aeronautics and Space Administration, and even the
British Foreign Commonwealth Oce.38
More recently, computer security company FireEye
revealed the extensive cyber espionage operation
of a group called APT30 against several states
in Southeast Asia and beyond. This incident is
disconcerting because of APT30s suspected
association with the Chinese government as well as
the groups consistent focus on collecting specic
information about political, military, and economic
issues in the region, and about media organizations
and journalists who write on topics about the
Chinese governments legitimacy.39 Considering
these examples, espionage through cyberspacebecomes paradoxical; on one hand, it enables
the ecient collection of intelligence, on the other
OCCASIONAL PAPER JANUARY 2016
07
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
8/15
despite the strategiclimitations of
cyberspace, theGovernment of the
Philippines should considercyber security
as a policy priority
Emergency Response Teams), and inter-agency and
intergovernmental cooperation among other areas.42
In this sense, it would be in the strategic interests
of the government to develop CND capabilities,
considering the advantages of cyberspace forintelligence collection and the necessity for defense
against the persistent and pervasive threat of cyber
espionage by adversaries within region.
Political: Cyber Confict
The third factor is the persistent cyber conict in
the Asia-Pacic. The Philippines is located in a
region characterized by major shifts in the balance
of power, uneven distributions of economic power
within and between states, and intense territorial
disputes.43 Given these dynamics, there are two
crucial reasons why geopolitics in the Asia-Pacic
is integral to inuencing the development of cybercapabilities in the Philippines. First, regional
disputes and insecurities between states have
continued on from conventional conict domains
and have manifested in cyberspace. This situation
makes the Asia-Pacic the most active
region in terms of cyber conicts between
states, mainly due to Chinese action.44
In light of the Philippines involvement in a territorial
dispute with China, it is likely that cyber conict will
become a prominent tool for power projection in the
twenty-rst century. This conict has the advantage
of can delivering a strong message sans the risksassociated in conventional attacks. In addition,
the Philippines is currently entangled between
two great powers that are also engaged in hostile
action in cyberspace. A recent ground-breaking
study conrms this observation: China needs an
outlet, and military grandstanding, with possibility
of escalation involving the Americans is something
China does not want to deal with at the moment.
China seems to be good at inltrating foreign
networks, and this seems to be the least
they can do for power projection.45
Second, other global cyber powers are alsolocated in the region. North Korea, South Korea,
and Japan all have advanced cyber capabilities
and are immersed in various political rivalries and
territorial disputes in the Asia-Pacic.46 Whereas
these rivals typically project military power and
engage in aggressive actions through the air and
maritime domains, cyber conict has also been
used as a tool to advance foreign policy interests. It
is therefore not surprising that from 2001 to 2011,
North Korea instigated fteen cyber attacks against
various states including South Korea, Japan and
the United States. South Korea was associated with
eighteen cyber incidents, mostly against Japan and
North Korea. Japan, meanwhile, had fteen cyber
disputes involving China
South Korea as adversa
The strategic consequen
trend may be crucial for uncertain whether cyber
lead to crisis instability a
low-risk cyber attacks int
attacks.48 In this case, t
the Philippines to develo
in supporting its allies to
existing cyber conicts. E
not have defense agreem
Korea, it could be entang
because of its existing de
United States. In short, th
precludes the Philippines
cyber attacks as well as security and stability of th
Policy Responses to Cy
Strategies to counter cyb
implemented by states u
through international inst
consensus that norms an
the uncertainty and host
conicting interests betw
exacerbated by the revel
make further internationa
improbable.49 Response
OCCASIONAL PAPER JANUARY 2016
08
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
9/15
Image Credit: hoover.org
Working Group in May 2002
increased cooperation and c
areas: creating a legal frame
and cooperation, producing
guidelines, training and educ
wireless security technologie
did not provide any details r
would be implemented. The
the APEC Strategy to Ensur
Sustainable Online Environm
during the Senior Ocials M
The document highlighted t
and highlighted the need to
security measures: cohesive
and policy frameworks, incid
capabilities, partnerships amacademics, public awarene
research and development,
Much like the previous strate
does not oer any concrete
member states would realize
The APEC TEL Strategic Ac
the third and most recent do
APEC Telecommunications
Group in March 2015.53 The
therefore, been state-driven and particularly focused
on strengthening domestic law enforcement as well as
military capabilities. These responses have included
everything from recruiting potential CNO specialists to
establishing full-scale cyber commands. This section
briey surveys the policy responses of key regional
institutions in the Asia-Pacic and the eorts of the
Government of the Philippines towards cyber security.
Regional
States in the region have invested time and resources
to address cyber threats mainly through the Asia-Pacic
Economic Cooperation (APEC) and the Association
of Southeast Asian Nations (ASEAN). The creation of
regional levels of governance has created
a collaborative space where such strategicdiscussions can take place. These eorts have,
therefore, enabled states in the region to develop
transnational responses to cyber threats with shared
condence in their neighbors based on their
similarities rather than dierences.50
The cyber security eorts of APEC are captured
in three key documents. The rst is the APEC
Cybersecurity Strategy, which was formulated by
the APEC Telecommunications and Information
OCCASIONAL PAPER JANUARY 2016
09
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
10/15
Following this discussion, cyber security gured
prominently in several subsequent meetings,
including the 3rd Meeting of the ASEAN
Telecommunications and IT Ministers in 2003,
where it was decided that an ASEAN Information
Infrastructure was needed as well as the
development and operationalisation of the national
Computer Emergency Response Teams by 2005.55
In 2006, the ASEAN Regional Forum released
two statements that stressed the importance of
cyber security. The rst was the ARF Statement
on Cooperation in Ensuring Cyber Security, which
reinforced the need for an ARF work plan on security
in the use of ICT and more dialogue on condence-
building, stability, and risk reduction measures to
address the implications of ARF participants use
of ICT.56 The second was the ARF Statement on
Cooperation in Fighting Cyber Attack and Terrorist
Misuse of Cyber Space, which recommended theimplementation of cyber crime laws in accordance
with national conditions and continued interstate
cooperation in countering cyber crime
and terrorists use of cyberspace.57
The last and most current collaboration is the
ASEAN ICT Masterplan 2015 that was adopted
during the Telecommunications and IT Ministers
Meeting in 2011. The plan prioritizes cyber security
through two broad initiatives. Building trust is the
rst initiative and it involves the promotion of secure
transactions within ASEAN and public awareness
about online security. Promoting information
ve key priorities, including a strong emphasis on
a secure, resilient, and trusted ICT (Information
and Communications Technologies) environment.
More importantly, the document presented an
implementation plan that prescribed the need
to undertake specic actions during the next
four years: research, capability-building, public
awareness, and intergovernmental cooperation.
Whereas the strategic plan recommends workable
and specic measures to address cyber security,
the success of the plan is largely dependent
on the level of commitment and the
resources available to each state.
Cyber security has been a concern for ASEAN
for more than a decade, but prior to the ASEAN
ICT Masterplan 2015, no clear and concrete
regional strategy was developed by the institution
to compel its member states to address cyberthreats. The problem of cyber crime was rst
discussed during the 2nd Senior Ocials Meeting on
Transnational Crime in 2002. State representatives
agreed on the following responses: to establish a
compilation of applicable national laws, regulations
and international treaties relating to cyber crime
legislation; work towards the criminalization of
cyber crime activities; enhance law enforcement
and intelligence cooperation; develop regional
training; coordinate with ASEAN Chiefs of National
Police (ASEANAPOL) for the analysis of cyber crime
activities; and seek training assistance from ASEAN
Dialogue Partners and international institutions.54
security is the second initiative and it has to do
with developing a common framework for network
security and information security across the region.58
In reviewing the regional responses to cyber threats,
it is apparent that some barriers have been slowing
the growth of cyber security eorts in the region. The
rst barrier is the uneven distribution of resources
and capabilities among states. States such as
Japan, South Korea, and Singapore are clearly more
technologically superior compared to other states
like China, Indonesia, Malaysia, the Philippines, and
Thailand; but even these are considerably more
advanced than states such as Brunei, Cambodia,
Laos, Myanmar or Vietnam. Even though this
digital divide is predominantly expressed in terms
of infrastructure development and broadband
penetration, the economic inequalities and low
socio-political capacity levels present substantialchallenges to these states as well.59 The second
barrier relates to the level of cooperation that states
are willing to extend in the area of cyber security.
States develop CNO capabilities to obtain dierent
strategic security objectives; therefore, it would not
be in their best interest to share information about
their cyber operations. In this sense, collaborative
operations and intelligence sharing can potentially
diminish the strategic advantage of cyber operations
more than other conventional military operations.
Furthermore, the absence of global norms or code
of conduct for cyberspace operations also signies
the uncertainty and lack of consensus about the
appropriate strategy to m
Domestic
The response of the Gov
towards cyber security h
despite a signicant cybe
in 2000. The I LOVE YO
undergraduate Filipino co
infected around 55 millio
generated around $10 b
globally.60 Government p
against the perpetrator O
indictment was dismisse
because there was no la
computer criminals at th
A signicant initiative tow
security blueprint was th
Cyber Security Plan in 20comprehensive and ree
cyber security policy, wh
institutionalizing the nec
government and the priv
meet and respond to cha
critical cyber infrastructu
four main strategies and
that were part of the gov
to increasing threats i n c
The rst strategy is to un
through a sustained thre
vulnerabilities and protec
OCCASIONAL PAPER JANUARY 2016
10
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
11/15
being implemented by the government. The second
is risk control, which requires comprehensive
security planning, eective resolution of crisis,
and risk monitoring. The third strategy relates to
the organization and mobilization of necessary
resources and relevant stakeholders, such
as specialists from the private sector and the
international community, for the implementation of
the plan. The fourth strategy focuses on instituting
regulatory and legislative reforms crucial to
addressing the challenges of cyber threats.63
Building on the cyber security policy, the National
Cybersecurity Coordination Oce prepared an
operational framework in 2008. The National
Cybersecurity Coordination Strategy and
Implementation Plan proposed a coordination
strategy that comprised on ve execution programs:
Cyber Security Legal Regime; Critical Cyber
Infrastructure Security Threat and VulnerabilityReduction; Critical Cyber Infrastructure Security
Awareness, Education and Training; Critical Cyber
Infrastructure Security Incident Response and
Consequent Management; and National and
International Coordinating Mechanisms.64
More importantly, the plan justied the urgent
need for inter-agency cooperation through the
establishment of centralized committee and the
consistent participation of dierent government
bodies and private organizations securing Philippine
cyberspace. However, while the implementation
plan was comprehensive and ambitious in theory,
as of yet there is no clear evidence or report that
discusses the status or completion of the programs
The last and most recent cyber security initiative by t
Philippines is Executive Order No. 189, which was re
17, 2015. The Executive Order was drafted in respon
threats, and in particular intended to address the the
electronic information and to assess national vulnera
commercial information systems.65 It prescribes sev
salient of which are the reestablishment of the Nation
Agency Committee, the formation of a National Cybe
Center, the creation of Computer Emergency Respon
oces, and the transfer of the new Cybercrime Inves
Coordinating Center from the Oce of the President
National Cybersecurity Inter-Agency Committee.66
The objectives of Executive Order are appropriate an
two fundamental concerns that the government seem
there was no discussion about the sustainability of th
the document. Considering that the current governm
in 2016, it is uncertain whether the plans will be contpolitical leaders. Second, the document does not pro
regarding oensive and defensive cyber operations.
secure national critical infrastructure and information
without a clear and integrated strategy for cyberspac
Thus, the governments response to cyber threats ca
acceptable but nevertheless incoherent. An evaluatio
initiatives suggests that there are no consistent links
the initiatives of the previous and the current governm
a contributing factor towards the underdevelopment
the Philippines. Nevertheless, the lack of capabilities
for the next president given the rapidly increasing de
cyberspace. The succeeding section oers some ide
integrating cyber security as a national security priori
OCCASIONAL PAPER JANUARY 2016
11
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
12/15
Considerations for the Next President
Since previous eorts in creating a cyber strategy
were incoherent, the next president has the
opportunity to ensure strategic coherence in
addressing cyber threats. There are two initial steps
in producing a cyber strategy: assessment and
development. The rst is to assess the status and
outcome of previous government initiatives on cyber
security such as the National Cyber Security Plan
and Executive Order No. 189. The assessment
would have two objectives. The rst is to determine
if existing cyber organizations have the sucient
expertise, appropriate resources, and proper
procedures to defend the state. The second is to
evaluate if the existing i nter-agency coordination and
implementation mechanisms are in place and areactually working. This assessment is necessary to
establish continuity and avoid wasting
resources during government transitions.
The second step is to develop cyber strategy
that builds on the eorts of the previous
government. There are ve levels of strategy
where the government needs to integrate cyber
security: policy, grand, military, operational, and
tactical.67 Policy refers to the set of objectives
to be accomplished by the government.68 A national security policy typically
explains the main priorities and objectives of the president of a state. If cyber
security is to be a priority, the national security policy should explicitly explain the
relevance of cyber security and its value for the state. Grand strategy denotes the
coordination of all national assets towards the attainment of policy objectives.69
The grand strategy provides more details about the cyber strategy of the
government such as the relevant cyber organizations, the system of coordination,
management of capabilities, and cooperation with international institutions if
possible. The military strategy refers to use of military power in support of the
grand strategy.70 A national military strategy, thus, discusses the objectives,
general approaches, and the resources of the armed forces in preserving the
national security of a state. In terms of cyber security, this strategy should explain
the militarys role in cyberspace and give the public a general sense of
the type of military actions involved in securing the cyberspace.
An operational strategy has to do with the cumulative and coordinated tacticalactions undertaken to achieve a specic operational goal.71 Since goals at the
operational level are diverse, integrating cyber operations into military operations
would involve engagements ranging from disabling a command and control
system of a military base to disrupting the infrastructure protocols of a military
production facility. Lastly, a tactical strategy refers to the details of combat,
specically deployments, engagement with the enemy, and interaction between
dierent units of the military.72 Cyber operations at the tactical level would entail
detailed actions, including the development of cyber units in each military
service, the type of response against cyber attacks, and the
coordination between dierent military cyber units.
OCCASIONAL PAPER JANUARY 2016
12
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
OCCASIONAL PAPER JANUARY 2016
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
13/15
Conclusion
Cyber security is still a weak aspect of Philippine
national security. The lack of discussion regardingthe challenges and opportunities relating to
cyberspace is impeding current eorts to address
increasing cyber threats against the state. Given
these circumstances, there are three reasons
why the Philippine government should consider
cyber security as a policy priority. The rst is that
the economic losses to cybercrime are escalating
and law enforcement agencies do not necessarily
have the capabilities to handle the massive volume
of incidents. The second is cyber espionage has
become a predominant method of intelligence
collection and it is not clear if the military has the
capabilities to detect and counter these operations.
Third is that the territorial disputes and political
conicts in the Asia-Pacic region have spilled over
into cyberspace, therefore making the region the
most active in terms of cyber conict.
Reponses to cyber threats have mainly been
implemented by states, rather than collective actionthrough by international institutions. Whilst there is
a growing consensus that norms and cooperation
can mitigate the uncertainty and hostility in
cyberspace, conicting interests between powerful
states, aggravated by the revelations of Edward
Snowden, make international norm promotion more
dicult. States in the region have invested time
and resources to address cyber threats through
the Asia-Pacic Economic Cooperation and the
Association of Southeast Asian Nations but these
eorts are limited; although cyber security has
been a topic of concern for the last decade, more
concrete plans have only been articulated in the
last few years. Domestic responses to cyber threats
have been limited since most of the eorts have
focused on establishing legal frameworks to enable
law enforcement. There is no indication that the
previous and current gov
the investment in capaboperations in cyberspac
In this regard, the next p
opportunity to consider c
national security priority
coherence in addressing
coherence can be enhan
security measures in all l
grand, military, operation
signicantly, the next pre
the topic of cyber securi
IT crowd. An interdisci
security that draws on a
involves all government a
protect Philippine nation
OCCASIONAL PAPER JANUARY 2016
13
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
OCCASIONAL PAPER JANUARY 2016
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
14/15
ENDNOTES:
1 Rid T. (2013). Cyberwar will Not Take Place. London: Hurst & Co. Ltd, xiv-xv.2 United Nations Institute for Disarmament Research (2013). The Cyber Index In-ternational Security Trends and Realities Geneva, Switzerland: United Nations.3 For a more detailed discussion on these assumptions see Lynn III, W. J. (2010)Defending a New Domain: The Pentagons Cyberstrategy Foreign Aairs 89 (5), 97-
108, Nye Jr., J. S. (2011). The Future of Power New York: Public Aairs, Libicki, M.
(2009) Cyberdeterrence and Cyberwarfare Santa Monica, CA: RAND Corporation.4 Sheldon, J. (2011). Deciphering Cyberpower: Strategic Purpose in Peace Stra-tegic Studies Quarterly 5(2), 95-112.5 Freedman, L. and Raghavan, S. (2008) Coercion In Paul Williams (ed.) SecurityStudies: An Introduction London: Routledge, 217-218.6 Mansbach, R. W. and Taylor, K. L. (ed.) (2011) Introduction to Global Politics 2ndEdition London: Routledge, 297.7 Ibid8 Libicki, M. (2013) Brandishing Cyberattack Capabilities Santa Monica, CA:RAND Corporation, vii-xi.9 Lindsay, J. (2013) Stuxnet and the Limits of Cyber Warfare. Security Studies (22)3, 385-389.10 Gartzke, E. and Lindsay J. (2015) Weaving Tangled Webs: Oense, Defense,
and Deception in Cyberspace. Security Studies 24 (2), 346.11 Ibid12 Cartwright, J. E. (2010). Joint Terminology for Cyberspace Operations Washing-ton D.C.: U.S. Department of Defense.13 Rid, T., and McBurney, P. (2012). Cyber-Weapons. RUSI Journal 157 (1), 7.14 Denitions adopted from Carr, J. (2010), Inside Cyber Warfare: Mapping the Cy-ber Underworld Sebastopol, CA OReilly Media, Reveron, D. (Ed.). (2012). Cyberspaceand National Security: Threats, Opportunities, and Power in a Virtual World WashingtonD.C.: Georgetown University Press, 8, and Valeriano, B., and Maness, R. (2015). CyberWar versus Cyber Realities. Oxford: Oxford University Press, 33-37.15 Easton, D. (1953). The Political System: An Inquiry into the State of Political Sci-ence New York: Alfred Knopf, 5.16 Nye, The Future of Power New, 12317 Rid et, al., Cyber-Weapons, 718 Valeriano et. al., Cyber War versus Cyber Realities, 3119 Ibid20 Nye, The Future of Power and Lindsay, Stuxnet and the Limits of Cyber Warfare21 Patton A., et. al., Occupying the Information High Ground: Chinese Capabilitiesfor Computer Network Operations and Cyber Espionage, Washington D.C.: US-ChinaEconomic and Security Review Commission, 2012.22 Jun, Jenny, et. al. (2014). The Organization of Cyber Operations in North KoreaWashington D.C.: Center for Strategic and International Studies.23 International Police (2015) Cybercrime Retrieved from http://www.interpol.int/Crime-areas/ Cybercrime/Cybercrime24 Reveron, Cyberspace and National Security25 Weimann, G. (2004). Cyberterrorism How Real Is the Threat? Washington D.C.:United States Peace Institute.26 Ibid27 Healey, Jason (ed.) (2013) A Fierce Domain in Cyberspace, 1986-2012 Virginia:Cyber Conict Studies Association, 141-142; Berghel, H. (2001) The Code Red Worm
Communications of the ACM (44) 12, 15-19.28 Stiennon, R. (2015) A Short Histroy of Cyber Warfare In James Green (ed.)Cyber Warfare: A Multidisciplinary Analysis London: Routledge, 9-10.29 Blank, S. (2008) Web War I: Is Europes First Information War a New Kind ofWar? Comparative Strategy (27) 3, 227-247.30 Lindsay, Stuxnet and the Limits of Cyber Warfare; Falliere, N. (2011) W32.Stux-
net Dossier. Mountain View, CA: Symantec Corporation, 1-3.31 Valeriano et. al., Cyber War versus Cyber Realities, 173-175;32 Exaggerations of war in cyberspace are discussed in Sutherland, B. (2011) The
Economist: Modern Warfare, Intelligence and Deterrence: The technologies that aretransforming London: Economist Books, Arquilla, J., (27 February 2012) Cyberwar Is
Already Upon Us [Web log post]. Retrieved from http://foreignpolicy.com/2012/02/27/cyberwar-is-already-upon-us/ and Palette, D. et. al. (12 October 2015) Cyberwar Ig-nites a New Arms Race. Wall Street Journal. Retrieved from http://www.wsj.com/ar-ticles/cyberwar-ignites-a-new-arms-race-144461112833 Lewis, J. (2014). Net Losses: Estimating the Global Cost of Cybercrime Wash-ington D.C.: Center for Strategic and International Studies.34 Guillermo, J. (2015). Local Cybercrime Landscape [PowerPoint slides] Retrievedfrom http://aseanc.org/2015/wp-content/uploads/2015/02/Philippine-Cybercrime-
Landscape-ASEANFIC.pdf35 Bartolome, J. (2014, November 1) Nearly P400M lost to ATM fraud from 2012to 2013, says lawmaker [Web log post.] Retrieved from http://www.gmanetwork.com/news/story/ 386207/ money/economy/nearly-p400m-lost-to-atm-fraud-from-2012-to-2013-says-lawmaker36 Sy, Geronimo L. (2015). Philippines 2014-2015 Cybercrime Report The Rule ofLaw in Cyberspace Manila: Department of Justice.37 Ibid38 Seagal, A., (2013) From Titan Rain to Byzantine Hades In Jason Healey (ed.) AFierce Domain in Cyberspace, 1986-2012 Virginia: Cyber Conict Studies Association,
165-167.39 Kujawa, A. (2015). APT30 and the Mechanics of a Long-Running Cyber Espio-nage Operation Milpitas, CA: FireEye.40 Domingo, F. (2015, 27 February). Intelligence as the Philippines First Line of De-fense [Web log post]. Retrieved from, http://nottspolitics.org/2015/02/27/intelligence-as-the-philippines-rst-line-of-defense/41 Kujawa, APT30 and the Mechanics and Donohue, B. (19 May 2015). Naikon
APT steals geopolitical data from the South China Sea [Web log post]. Retrieved fromhttps://blog.kaspersky.com/ naikon-apt-south-china-sea/8696/42 International Telecommunications Union (2015). Global Cybersecurity Index Ge-neva, Switzerland: ITU and Feakin, T., et. al. (2015) Cyber Maturity in the Asia-Pacic
Region Canberra: Australian Strategic Policy Institute.43 Betts, R. K. (1994). Wealth Power, and Instability-East-Asia and the UnitedStates After the Cold War International Security 18(3), 34-77 and Christensen, T. J.(1999). China, the US-Japan Alliance, and the Security Dilemma in East Asia. Interna-tional Security 23(4), 49-8044 Valeriano et. al., Cyber War versus Cyber Realities, 12845 Ibid46 Wicherski et. al. (2011) Ten Days of Rain Santa Clara, CA: McAfee; Booz AllenHamilton (2001) Cyber Power Index: Findings and Methodology Virginia: author; Vale-riano et. al., Cyber War versus Cyber Realities47 Valeriano et. al., Cyber War versus Cyber Realities, 84-9048 Gompert, D., and Libicki, M. (2014). Cyber Warfare and Sino-American CrisisInstability. Survival, 56(4), 7-22.49 For more on the debate about cyber norms see Stevens, T. (2012). A Cyberwarof Ideas? Deterrence and Norms in Cyberspace Contemporary Security Policy 33 (1),148-170 and Farell, H. (2015). Promoting norms for Cyberspace Cyber Brief New York:Council on Foreign Relations.50 Thomas, N. (2009). Cyber Security in East Asia: Governing Anarchy Asian Secu-rity 5 (1), 19-20.51 Richardson, J. (2002) APEC Cybersecurity Strategy Singapore: Asia-Pacic
Economic Cooperation52 Asia-Pacic Economic Cooperation (2004) APEC Strategy to Ensure Trusted,
Secure and Sustainable Online Environment Retrieved from http://www.apec.org/~/media/Files/ Groups/TEL/05_TEL_APECStrategy.pdf53 Asia-Pacic Economic Cooperation (2015) APEC TEL Strategic Action
Plan 2016-2020. Retrieved from http://www.apec.org/~/media/Files/Groups/
TEL/20150331_APEC%20TEL% 20Strategic%20Action%20Plan%202016-2020.pdf54 Association of Southeast Asian Nations (2002) Work Programme to Implementthe ASEAN Plan of Action to Combat Transnational Crime. Retrieved from http://www.
asean.org/ communities/asean-politicato-implement-the-asean-plan-of-action-t17-may-200255 Association of Southeast Asian Ncommunications and IT Ministers. Retrievasean-economic-community/category/ameeting-telmin56 ASEAN Regional Forum (2012) ARber Security. Retrieved from https://ccdc
120712-ARFStatementCS.pdf57 ASEAN Regional Forum (2006) AR
Attack and Terrorist Misuse of Cyber Spregion/asia-paci/asean/conference/arf/st58 Association of Southeast Asian NRetried from http://www.asean.org/resasean-ict-masterplan-201559 Thomas, Cyber Security in East As60 Poulsen, K. (2010, May 3) May 4trieved from http://www.wired.com/201061 Sosa, g. (2009). Country Report oResource Material No. 79 Paper Presentenal Justice Response to Cybercrime, TokInstitute, 80-87.62 Milallos, M. and Romero, S. (2004
of the President, Task Force for the Secu63 Ibid, 34-42.64 National Cyber Security Coordinat
ordination and Implementation Strategy Q65 Executive Order No. 189 (2015)66 Ibid67 Kane, T. and Lonsdale, D. (2011)don: Routledge, 13.68 Clausewitz, Carl von (2008). On WOxford University Press, 28-2969 Hart, B. H. Lidell (1967) Strategy: 335.70 Kane et. al., Understanding Conte71 Ibid, 1472 Ibid, 14
OCCASIONAL PAPER JANUARY 2016
14
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
9 1
-
7/25/2019 Occasional Paper - Strategic Considerations for Philippine Cyber Security
15/15
C 2016ADRiNSTITUTEfor Strategic and International Studies. All rights reserved.
is an independent international and strategic researchorganization with the principal goal of addressing theissues affecting the Philippines and East Asia
Stratbases Albert Del Rosario Institute
9F 6780 Ayala Avenue, Makati CityPhilippines 1200
V 8921751F 8921754
www.stratbase.com.ph
ABOUT
Francis Domingois Assistant Professor of International Studies at De La SalleUniversity and concurrently a doctoral researcher afliated with the Centre forConict, Security and Terrorism and the Institute of Asia and Pacic Studiesat University of Nottingham. His current research explores the strategicutility of cyber capabilities for small states. He holds an MA in IntelligenceStudies from Brunel University London (2009) and an MRes in Strategic Studies
from University of Reading (2014). His research has been published inDefense and Security Analysis, Military and Strategic Affairs,and Strategic Analysis, among other journals.
Before joining academia, he worked with the Armed Forces of thePhilippines as a research analyst with the Ofce of Strategic andSpecial Studies (OSS), where he contributed to a number ofassessments on sensitive political and security issues.
9.1VOLUME