Author: Mark Manantan, Pacific Forum
In 2019, the Philippines’ Department of Information and Communications Technology (DICT) formally launched the Cybersecurity Management System Project (CSMP). This is the country’s national cyber intelligence platform designed to conduct information-sharing, monitor threats and protect critical national infrastructure. It was a significant achievement born from the country’s first-ever National Cybersecurity Plan 2022. But after over a year of anticipation, the cyber monitoring system is yet to fully come online.
As the Philippines remains a primary target of cyberattacks and the Duterte administration continues to relegate cybersecurity to the periphery of its national security agenda, an industry-led public–private partnership (PPP) in cybersecurity has emerged. But beneath the surface of this booming PPP are simmering national security concerns.
In principle, the government is in charge of realising the National Cybersecurity Plan. But its planned implementation is complicated. The plan is cloaked in normative and value-laden statements, lacking a clear-cut mandate on actual cybersecurity management. The Philippine government does not possess adequate technical expertise or fiscal resources to put the plan into practice.
The private sector is cognisant of the government’s budgetary and manpower limitations. It is grappling with potential economic losses associated with ransomware and data breaches amounting to approximately US$3.5 billion per year. This could affect business continuity, company reputation and the overall competitiveness of the Philippines in the emerging data-driven economy.
The Philippines’ PPP in cybersecurity is unique in the sense that the private sector goes beyond the protection of critical national infrastructure. It also augments the cybersecurity capabilities of the resource-poor Philippine military.
The recent launch of the cybersecurity partnership between the Philippine Air Force (PAF) and Philippine Long Distance Telecommunications (PLDT) Group demonstrates this industry-initiated PPP model. Through its Cyber Security Operations Group, the Philippine-based telco company will aid the PAF’s lagging cybersecurity capabilities on two fronts: workforce development and digital infrastructure.
The PLDT Group will train PAF cyberwarriors through combined lectures and hands-on experience in the ePLDT’s Security Operation Center. The PAF will also gain access to a cyber intelligence platform to protect its infrastructure from cyber threats.
Likewise, the PLDT Group will acquire relevant data from PAF on the types of attacks it encounters — particularly the tactics, techniques and procedures used by threat actors. Negotiations for possible engagement between the PLDT Group and the Armed Forces of the Philippines (AFP) Cyber Group are also underway.
Another PPP on the horizon is the memorandum of agreement (MOA) signed between ChinaTel-backed Dito Telecommunity Corporation (DITO) and the AFP. DITO will build microwave relay and base trans-receiver stations for mobile communications in AFP camps throughout the country. The agreement was met with public backlash citing the partnership as a potential Chinese backdoor for espionage, prompting a fresh round of Senate inquiries.
The PLDT–PAF and DITO–AFP partnerships are crucial test cases for an industry-led PPP in the Philippines. But the involvement of telco companies in government and military infrastructures will have national security implications — especially because defence institutions still lack a comprehensive risk-assessment and assurances certification strategy to assess external partners.
On the one hand, the Philippine military may benefit from the advanced capabilities and resources of these private companies. But in the long-term, it risks possible unwarranted physical and digital access to classified defence intelligence.
As the private sector and external contractors continue to play a significant role in augmenting the cybersecurity capability gap in the Philippine military, the following policy recommendations should be considered.
First, the Philippine government should establish an assurance certification scheme for external parties to safeguard classified information. Private contractors must not only satisfy the cybersecurity criteria but also establish a level of trust with the government concerning their owners and employees.
The Philippines can take cues from emerging accreditation or certification processes and tailor these to suit its own policy objectives. One possible model is Australia’s Defence Industry Security Program where controls are implemented to match the level of risk associated with a particular supplier. Similarly, the US Cybersecurity Maturity Model evaluates contractors on a graduated scale to determine their maturity process and cybersecurity practices. This protects sensitive information shared across their networks.
Second, the government should invest in the Philippines’ sovereign cybersecurity capabilities. The current Self-Reliant Defense Posture partnership between the Department of National Defense (DOD) and the Department of Science and Technology must add cybersecurity to its portfolio. Local talent from the start-up community could become vital assets in a coordinated cybersecurity capability framework.
Third, Philippine legislative bodies must revisit the country’s foreign ownership laws. Lawmakers must adopt a forward-leaning approach to enforce a ‘know your investor’ strategy. This will encourage greater scrutiny on all foreign direct investments and business ventures that could have long-term national security ramifications.
The DOD realigned its defence budget to help the Duterte administration fund its COVID-19 response. Cybersecurity will not take centre-stage very soon in the national security agenda. But this must not prevent the Philippine military from implementing a robust technical and risk-benefit assessment to regulate its cybersecurity partnerships and safeguard the country’s national security and economic interests in decades to come.
Mark Manantan is the Lloyd and Lilian Vasey Fellow at the Pacific Forum and a non-resident fellow at the Center for Southeast Asian Studies at National Chengchi University, Taiwan.
All views expressed are the author’s own.