STRATEGIES AND CAPABILITIES
in Combating Cyberattacks
CONFERENCE PROCEEDINGS
ISSN 2815-0783
The Philippines' Cyber Defense: Strategies and Capabilities in Combating Cyber Attacks Conference Proceedings is a volume in the annual publication of the Philippine Center of Excellence in Defense, Development and Security published by the National Defense College of the Philippines, General Arturo Enrile Avenue, Camp General Emilio Aguinaldo, Quezon City 1100 Philippines.
Copyright © 2021
The copyright of the articles and images in this compilation reverts to the individual authors and artists. No part of this publication may be reproduced in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the National Defense College of the Philippines, or individual authors.
CISCO WEBEX TELECONFERENCING
BACKGROUND OF THE ISSUE
OPENING REMARKS (PROF DR JOSE SANTOS R CARANDANG VI MNSA)
CLOSING REMARKS (CAPT JORGE A IBARRA PN MNSA)
CYBER ATTACK AS A NATIONAL SECURITY ISSUE (DIR CHRISTINE JUNE P CARIÑO MNSA)
THE ROLE OF THE DEPARTMENT OF NATIONAL DEFENSE AND ARMED FORCES OF THE PHILIPPINES IN COMBATING CYBER ATTACKS (COL WALTER P ICARO PA MNSA)
REVIEWING THE STATE OF CYBER DEFENSE IN THE PHILIPPINES (MR ALLAN S CABANLONG)
STRENGTHENING CYBER DEFENSE: POSSIBLE STRATEGIES AND CAPABILITIES MOVING FORWARD (LTC ROLAND J ONG INF (GSC) PA (RES) MNSA)
EVENT PHOTOS
THE CONFERENCE TEAM
In 2017, the Department of Information and Communications Technology (DICT) launched its National Cybersecurity Plan (NCSP) 2022. The NCSP serves as the framework for formulating cybersecurity policies and guidelines that will be implemented across all units of the government.
It specifically aims to:
1) assure the continuous operation of the country’s critical infostructure and public and military networks;
2) implement cyber resiliency measures to improve the capability to address threats before, during and after the attacks;
3) coordinate effectively with law enforcement agencies; and
4) advocate for a cybersecurity-educated society.
The launching of the NCSP pushed the Department of National Defense (DND) to boost its cyber defense capabilities, since it plays a vital role in the implementation of the cybersecurity plans. During the DND Cybercon 2019, Defense Undersecretary Cardozo Luna mentioned that securing cyberspace is already included in the top priorities of the DND, and that it is already considered the fourth dimension of warfare in the National Defense Strategy (NDS). This tells us that the defense sector is now starting to take the necessary steps to prepare and strengthen our cyber defense.
In his opening remarks, Dean Carandang highlighted the significance of continuously reinforcing the country’s cyber defense against the looming cyber threats in the international and local arena. He said that though cyberattacks will continue to be more innovative and deceptive, the country will continue to strive towards secure cyberspace.
Dean Carandang stressed that this conference aimed to be a platform for new perspectives that will ignite the minds and hearts of people who wish to advance their knowledge in conceptualizing new strategies for cyber defense.
Further, he added that the implementation of various tactical knowledge and strategies to defend our cyberspace leads to transformed dimensions of warfare. With that, the defense and security sector must magnify its efforts in providing platforms for a plan of action.
To end his message, he encouraged the participants to take this conference as an opportunity to promote the development of the capabilities of our cyber defense through recognizing the avenues we must tackle. He added that he is looking forward to the exchange of knowledge that is about to commence, and he is confident that the participants will be equipped with remarkable ideas to be applied in their respective spheres of influence on defense and security.
PROF DR JOSE SANTOS R CARANDANG VI MNSA
Vice President for Academic Affairs and Dean
National Defense College of the Philippines
DIR CHRISTINE JUNE P CARIÑO MNSA
Office of Cyber and Information System Management
Department of National Defense
Director Cariño started her discussion by first laying down the common ground on what cyberattack is and how it is defined.
According to the US Committee on National Security Systems’ glossary, a cyberattack is an attack via cyberspace targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure; or destroying the integrity of the data or stealing controlled information. She also pointed out another definition by Unisys (an American global information technology company): a cyberattack is an attempt to disable computers, steal data, or use or particularly exploit a breached computer system to launch additional attacks. Furthermore, Director Cariño presented the definition of the Armed Forces of the Philippines (AFP). For the AFP, cyberattacks infiltrate and exploit systems and networks through the unauthorized access, use, manipulation, interruption, and destruction of digital information and infrastructures that are used to process, communicate, and store information. The AFP definition recognizes that the impact of cyberattacks can go beyond cyberspace and lead to actual damage to industry, including physical and digital critical infrastructures.
She proceeded by describing and explaining important concepts related to cyberattacks, such as cybercriminals, the kinds of cyberattacks, and the nature of cyberattacks. Cyberattacks have three (3) main characteristics: 1) they are unrestrained by geographical boundaries; 2) they are constantly evolving; and 3) identifying the perpetrator is difficult and complex. Next, Director Cariño provided global, regional, and national examples of cyberattacks. On the global landscape, the European Union Agency for Cybersecurity (ENISA), with the support of the European Union, published a report which saw an increasing trend in phishing, identity theft, cyber threats, information leakage, and ransomware. On the regional level, the top six (6) cybercrimes amid the COVID-19 pandemic, as released by Interpol in its ASEAN Cyber Threat Assessment 2021, are: 1) business email compromise; 2) phishing; 3) ransomware; 4) e-commerce data interception; 5) Crimeware as a Service (CaaS); and 6) cyber fraud.
For the Philippine situation, data from the Department of Information and Communications Technology’s (DICT) National Computer Emergency Response Team, or CERT PH, show that fake news, data leaks, and hacking topped the list of cyber-related issues in the country. Director Cariño then identified the significant cyberattacks faced in the Philippines in recent years. The first is the UCPD cyber heist in June 2020 by Nigerian hackers, in which 167 million pesos was stolen from a bank.
Another example is the theft of the Trump-Duterte transcript back in 2017 by the hacking group APT 32, or OceanLotus. Also included in the stolen documents were notes on a conversation between President Duterte and Chinese President Xi Jinping and internal documents tied to the National Security Council.
Director Cariño then moved on to the discussion of why cyberattack is considered a national security issue. To explain this, she presented over 40 government policies that consider cyber threat a national security concern. Among these are:
- the National Security Policy 2017-2022, which outlines the Philippines’ national security priorities based on a realistic and profound outlook on the dynamic and evolving security environment;
- the National Security Strategy 2018, where cyberattack was listed as a national interest, and which even states that there is a need to protect the Filipino public from criminality, illegal drugs, pandemic, cyber-attack, and weapons of mass destruction;
- the National Defense Strategy 2018-2022, which recognizes that cyberspace is a court domain of conflict and a critical defense mission area; and
- the National Cyber Security Plan 2022, which outlines the National Cyber Security Framework, in which the Department of National Defense and the AFP were given the primary role in National Cyber Defense.
Director Cariño concluded her presentation by saying that the DND is committed to strengthening the capabilities of the AFP as it adheres to its constitutional mandate as the protector of the people in the state against internal and external threats, whether they may be on land, air, water, or cyberspace.
COL WALTER P ICARO PA MNSA
Commander
AFP Cyber Group
COL ICARO’s presentation focused on the roles of the DND and the AFP in cyber defense and provided information on the current programs and action plans of the DND-AFP to strengthen its cyber defense. COL ICARO started his discussion with Article II, Section 3 of the 1987 Constitution which states that:
“The Armed Forces of the Philippines is the protector of the people and the State. Its goal is to secure the sovereignty of the State and the integrity of the national territory.”
He related this to the term cyber sovereignty, which came up recently in the field of internet governance. The concept refers to the will of states to exercise and sustain control over the Internet domain within their own borders, including political, economic, cultural, and technological activities. It is on this premise, according to COL ICARO, that the AFP’s mandate of securing the sovereignty of the state extends into the Philippine cyber domain.
He then focused on the National Security Strategy of 2018, where it is specifically mentioned that it is a national security goal to “provide strong cyber infrastructure and cyber security”. However, as the country automates its systems and processes in pursuing this goal, the risks to critical information infrastructure in the cyber realm are expected to increase.
COL ICARO then proceeded with a brief discussion on the National Cybersecurity Plan (NCSP) 2022, which was launched in 2017. With the AFP as the DND’s agency tasked to conduct military operations, the military operations in the cyber domain are primarily the functions of the AFP Cyber Command as provided for in the NCSP 2022. In response to these tasks, the AFP pushed through with the activation of the AFP Cyber Group (Provisional), which was intended to be later organized as the AFP Cyber Command. The AFP Cyber Group’s (CyG) mission is to conduct cyberspace operations through planned, coordinated, integrated, and synchronized efforts in support of the AFP Joint Operations and the protection of the AFP’s info-structure. In addition, the AFP CyG’s mission is “to defend the AFP network and conduct cyberspace operations in support of the AFP mandate to secure the sovereignty of the State and the integrity of the national territory and its cyberspace domain.”
On the other hand, with respect to its role in the National Cyber Defense Plan, the AFP CyG is mandated to defend critical sectors of national security in the cyber domain, as well as gather intelligence and determine attribution on foreign and domestic cyber threats. The AFP, as a bureau of the DND, is organized into force employers (the Unified Commands and Joint Task Forces), which orchestrate the conduct of land operations, air operations, and naval/maritime operations; and force providers (the Philippine Army, the Philippine Air Force, and the Philippine Navy), which develop, organize, train, equip, support and sustain the land, air and naval forces for the operational requirements of the force employers. At the General Headquarters level, the Unified Commands are supported by the AFP-wide Support and Separate Units (AFPWSSUs), and the AFP Cyber Group is currently functioning as an AFPWSSU. With the Department’s recognition of cyberspace as another domain of military operations in 2013, the major services created subordinate units with the function of conducting cybersecurity operations to secure their respective cyber domains or computer networks. The Communication, Electronics and Information System Service AFP’s (CEISSAFP) Cyber Security Group was created to conduct cybersecurity operations to secure the networks of the AFP General Headquarters, the Unified Commands’ Headquarters, and the AFPWSSUs.
For the DND-AFP’s current programs and action plans, COL ICARO said that the immediate concern is the strengthening of the AFP’s cyber organizations to be more responsive in performing their mandate of securing the nation’s cyber domain and protecting the critical information infrastructures. He also said that the AFP aims to develop and enhance its cyberspace operations capability, focusing on people, processes, and technology. In particular, the following is the way ahead for the organization:
1) On strengthening our cyber organization, the AFP is pursuing the establishment of the AFP Cyber Command;
2) On the enhancement of the AFP’s cyber capability, they are currently seeking and establishing partnerships with leading training and education institutions in the ICT and cybersecurity industry to develop a competent and professional workforce;
3) The AFP also intends to develop and enhance its systems and processes by adopting best practices in the cybersecurity industry, which include certification from international bodies specializing in the organizational development of cybersecurity organizations; and finally,
4) For the AFP’s technological enhancement, the defense department has allocated 1.5 billion pesos for the acquisition and development of the GHQ Cyberspace Operation Systems Project under Horizon 2 of the AFP Modernization Program. The project portfolio includes the construction and development of the AFP Cybersecurity Operations Center, Tactical Mobile Data Center, facilities for training and education, research and development, and strategic studies; and the capability to respond to cybersecurity incidents.
COL ICARO concluded his discussion by stating the current reality of cyber security in the defense and security sector.
According to him, the AFP Cyber Group and the different cyber units of the major services and the GHQ are all in the infancy stage and with limited capability. However, considering the evolving cyber threats that continue to threaten our cyber domain, the DND-AFP leadership is well aware of the need for the cyber units to develop in order to address the pressing concerns on protecting our cyber domain and the nation’s critical information infrastructure.
ALLAN S CABANLONG
Advisor and Former Assistant Secretary for Cybersecurity and Enabling Technologies
Department of Information and Communications Technology
Mr Cabanlong’s presentation entitled “Reviewing the State of Cyber Defense in the Philippines” focused on examining the current state of cyber defense in the country. He tackled strategic questions on cyber warfare doctrines and policies, cyber operations, and international humanitarian law. Further, he discussed strategic policies in political, legal, and military doctrines that are aligned with the country’s national security agenda and NCSP 2022.
He first highlighted that Informational and Cybersecurity is one of the 12-point National Security Strategy goals of the Philippines that led to the creation of the National Cybersecurity Plan of 2022. He then elaborated on the government agencies, or “champions”, identified to lead certain aspects of the National Cybersecurity Plan of 2022: the Department of Information and Communications Technology (DICT), Department of Justice (DOJ), National Bureau of Investigation (NBI), Department of Interior and Local Government (DILG), Philippine National Police (PNP), and Department of National Defense (DND). The DICT is the lead for protection because of its expertise. The DOJ-NBI and DILG-PNP are the leads for investigation, enforcement, and prosecution, while the DND is the lead for national cyber defense. Coordination among these governing bodies must be monitored by the National Cybersecurity Inter-Agency Committee to ensure that it is proper and smooth. Further, the framework pushed for the creation of the AFP Cyber Command to lead in the cyber operations aspect of the national cyber defense. He further stressed that the main goal of cyber operations is to defend military networks from cyberattacks.
He emphasized that for the Philippines to craft its cyber defense strategy, it must first establish the guidelines, definitions, rules of engagement, and measures that will serve as the backbone of the said strategy. Additionally, he highlighted the need to develop cyber warfare doctrines and policies that represent a set of rules and standards for governing war involving cyberspace.
According to him, “the cyber defense and cybersecurity are not all about projects, it is not all about building your new centers. It is about building laws, policies, and technology support.” These cyber warfare doctrines and policies must be based on political, legal, and military doctrines. He emphasized further that if there are no policies to support the technology, it will die a natural death. He also mentioned that we may use the Tallinn Manual 2.0 as our reference in crafting these doctrines and policies.
Mr Cabanlong also discussed the notion of cyber operations and International Humanitarian Law (IHL). In this part, he highlighted the following key insights from the publication of Laurent Gisel and Tilman Rodenhäuser from the International Committee of the Red Cross (ICRC): 1) Cyber operations can cause human harm; 2) IHL applies to cyber operations during armed conflict; 3) IHL provides essential rules protecting civilian populations; 4) We need to clarify how key IHL notions apply in cyberspace; and 5) Any development of law or norms needs to build upon re-affirmed existing rules.
In conclusion, Mr Cabanlong stressed the need to craft the Philippines’ cyber defense strategy and said that the DND needs to take the lead on this. He also emphasized the importance of establishing our doctrines, guidelines, and standards when it comes to cyber defense or cyber warfare. Hence, he hoped that students from the NDCP can push forward this initiative.
LTC ROLAND J ONG INF (GSC) PA (RES) MNSA
Territory Manager and Solutions Consultant
FireEye Singapore Private Ltd
LTC Ong discussed possible strategies and capabilities to further strengthen the country’s cyber defense. In his presentation, he emphasized the need to face the inconvenient truth in cyberspace, the solutions for critical cybersecurity challenges, the requirements to meet these challenges, and the way forward.
He emphasized that with the “New Normal” brought by the COVID-19 pandemic, data is the new oil that must be protected at all costs. With that, he elaborated on three facets that organizations and other stakeholders must focus on to protect their data: technology, people, and processes. As they investigate the complexity of these three facets, he stressed, they will be bombarded with a lot of alerts and noise, which cause various pain points. These pain points will then make them realize that the basic signature approach can no longer cope with the current threat landscape of cyberspace. The challenge, then, is for them to level up the security posture they currently have in place. They should be able to focus on the alerts or pain points that matter, and human resources must focus on strategic efficiency, putting in place the total cost of ownership and cost control.
Further, LTC ONG stressed that to strengthen their cyber defense, they must first accept the inconvenient truth that breaches are inevitable. And by accepting this inconvenient truth, they would be able to anticipate and prepare for the cybersecurity challenges that they will face.
In his presentation, LTC Ong raised the following: “since breaches are inevitable, I will have to throw out my ego out of the window as a cybersecurity practitioner or as the one leading the security implementation of my organization. I just have to simply answer these four questions—Am I protected? Or have I been breached? And if I have been breached, how do I respond? And in the event that I still don’t know what’s going on, how do I prepare?” Here, he highlighted that to solve critical cybersecurity challenges, organizations must first identify whether they have the right tools and capabilities to protect themselves from any breaches. Next, if they have experienced any breaches, they must identify how they will respond to them. Lastly, they must be able to come up with concrete steps or plans on how they are going to prepare for any breaches that they may encounter in the future.
Further, as the way forward, he stressed that organizations must be able to catch up with the ever-evolving cyber threat landscape.
To do this, he said, “well, the typical cyber advice here is we must accelerate our maturity. We need to transition from the traditional compliance approach to proactive security.” He noted that while most organizations start in a compliance phase, we must remember that compliance with those standards does not translate to being more secure. Hence, there is a need to undergo three phases in transitioning to proactive security. The first phase is Initial Capability, wherein organizations need to move up and have the ability to help detect threats. The next phase is Defined Capability, wherein there should be an incident response team who can identify what went wrong and aid in shortening the investigation time of the threats. The last phase is Optimized Capability, wherein there is an ability to proactively hunt for covert activity that will be a challenge in the future.
In strengthening cyber defense, LTC ONG said that the approach is to move from the current state to the desired state. In the desired state, there should be an accelerated response and minimized impact of the incidents; holistic visibility across threat vectors; ability to prioritize alerts that matter; automated repeatable workflows; integrated investigative and response capabilities; and sufficient resources to address surges.
In conclusion, LTC ONG emphasized that what is important is to put up a capability to reduce cyber risks. The key strategy then to strengthen cyber defense is to change the traditional mindset of doing reactive measures and shift to a “New Normal” approach by moving into more proactive and predictive measures in handling cyberattacks.
On behalf of BGen Archimedes H Viaje AFP (Ret), PhD, MNSA, CESE, President of the National Defense College of the Philippines (NDCP), Capt Jorge A Ibarra PN, MNSA, delivered the closing remarks of the Philippines’ Cyber Defense: Strategies and Capabilities in Combating Cyberattacks Conference. In his speech, Capt Ibarra emphasized that cyberspace is the new frontier, full of possibilities to advance security and prosperity in the modern age. However, he noted that the possibilities also come with obstacles. According to him, constantly changing vulnerabilities exist not only within the AFP but in the private and public sectors as well.
Capt Ibarra, who is the chief of the NDCP’s Military Affairs Division, also argued that cybersecurity should become a priority for every country, especially now that the field is being integrated into economic and national security sectors. He noted that collaboration between various segments of the community is vital to promote an environment of security and trust in the digital domain, as well as to optimize the full potential of the digital economy and society.
In conclusion, Capt Ibarra said the country’s response to cyberattacks needs to be agile to keep up with the ever-changing cyber landscape. He also offered his gratitude to those who took part in the discussion and to the Philippine Center of Excellence in Defense, Development, and Security (PCEDS) for organizing the virtual conference.
CAPT JORGE A IBARRA PN MNSA
Chief, Military Affairs Division
National Defense College of the Philippines
Ms. Glyzel Anne Sapla Ms. Michaella Gonzales
Mr. Mar Jensen Arinto Mr. Vince Drei Sabellon
Ms. Regina Romero Ms. Anne Klein Baluyot
Ms. Marlo Cabral Mr. Apolinario Aquino, Jr.
Mr. Rej Cortez Torrecampo
Associate Professor I / Director, PCEDS
EDITOR
RAPPORTEUR
GRAPHICS EDITOR
ADMINISTRATIVE SUPPORT
NATIONAL DEFENSE COLLEGE OF THE PHILIPPINES
PHILIPPINE CENTER OF EXCELLENCE IN DEFENSE, DEVELOPMENT AND SECURITY