
OCCASIONAL PAPER

VOLUME 9.1

January 2016

STRATEGIC CONSIDERATIONS FOR PHILIPPINE CYBER SECURITY

Cyberspace has become an indispensable domain for state interaction. Governments have, therefore, made use of cyberspace for power projection, the protection of critical national infrastructure, and the exertion of political influence over other actors in the international system. This domain, however, has also become a prominent source of insecurity between states because of its particularly strong potential for espionage, sabotage, and subversion. 1 While cyber security continues to be a contentious policy issue, the promise of a “cyber revolution” has influenced numerous states to develop capabilities for military cyber operations. More than 40 states have now developed military cyber organizations and policies and nearly 70 states have crafted non-military policies and organizations. 2

The idea of a cyber revolution is based on three widely held assumptions suggested by some scholars and policymakers about cyberspace: it enables asymmetric advantages; it is offense-dominant; and deterrence is not effective in this domain. 3 First, cyberspace is asymmetric because it allows weaker actors to use fewer resources and capabilities to challenge the military forces of powerful states. Second, cyberspace is offense-dominant for several reasons, including the instantaneous speed of attacks, the problem of attributing attacks to a perpetrator, and the overwhelming dependence on cyberspace throughout modern society. 4 As a result, enemies can exploit these opportunities and engage in numerous malicious activities, including network disruption and espionage against target states. Third, deterrence is not effective in cyberspace because the threat of retaliation is not viable if the adversaries are not cognizant of a state’s cyber capabilities.

© 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

* The views and opinions expressed in this Paper are those of the author and do not necessarily reflect those of the Institute.

Deterrence is the use of threats to discourage adversaries from initiating undesirable actions. 5 The logic of conventional deterrence is based on three core elements: communication, credibility, and capability. 6 For deterrence to be effective, a deterring state must first communicate to its adversaries which actions are unacceptable and the corresponding punishment once these actions are undertaken. The state must then demonstrate that it has the capabilities to support its threats. Lastly, the state must establish credibility by convincing adversaries that the communicated threats will actually be carried out. 7 However, these elements are problematic when applied to cyberspace. It would be detrimental for states to communicate and demonstrate that they have cyber capabilities because to do so diminishes their strategic surprise and technological superiority, the main advantages of military cyber operations. Absent any awareness and confirmation from their target state, adversaries will not be persuaded that a state has such capabilities. 8

Although the proliferation of cyber capabilities is inevitable, the assumptions about the value of cyberspace for military operations are mainly overstated and need to be clarified. First, cyberspace does not provide asymmetric advantages to weak actors. The most sophisticated cyber attacks, “Stuxnet” and “Flame” for instance, required an unprecedented level of expertise and operational capabilities that weak states and non-state actors do not necessarily have. 9 Second, the idea that cyberspace is offense-dominant is also questionable because the complexity of weaponization makes offensive operations more difficult for states to develop. Moreover, the empirical evidence suggests that cyberspace is not necessarily offense-dominant as some academics and policymakers argue because the success and decisiveness of offensive cyber operations are generally conditioned on “attack severity, organizational competence, and actor resolve.” 10 Lastly, traditional deterrence models may not be useful in cyberspace but an alternative interpretation of deterrence sees a cyber attack as an indication of successful deterrence because it substitutes kinetic or physical attacks between states. 11

Given this context, this paper argues that despite the strategic limitations of cyberspace, the Government of the Philippines should consider cyber security as a policy priority for three reasons: the economic consequences of cybercrime, the security consequences of cyber espionage, and the political consequences of cyber conflict in the region. The remainder of the paper is divided into four sections. The first section introduces central concepts regarding the study of cyber security. The second examines some factors that could influence the development of cyber capabilities in the Philippines. The third surveys the existing regional and domestic policy responses to cyber threats. Finally, the last section offers some recommendations for the next president, particularly focusing on integrating cyber security within national security policy and military strategy. Following these objectives, the paper does not offer recommendations about domestic law enforcement, e-governance, information infrastructures and other related topics that fall outside the scope of strategic interactions between actors in the international system.

www.StrAtbASE.cOM.ph


Concepts and Actors

Our understanding of cyber issues is dependent on how concepts and actors are defined and framed. It is necessary to clarify specific concepts and identify actors to avoid confusion and exaggeration about state capabilities and threats in cyberspace. The following section therefore discusses some core concepts and actors in the area of cyber studies.

Concepts

A core concept in the conduct of cyber security operations is the offensive and defensive capabilities of a state or its Computer Network Operations (CNO). These operations are divided into three types of functions: Computer Network Attack (CNA), Computer Network Defense (CND), and Computer Network Exploitation (CNE). CNA is an offensive operation and is defined as the capability to use computers to “disrupt, deny, degrade, or destroy information” in adversaries’ computers and information systems. CND, on the other hand, involves the protection of a state’s computer networks: having the capability to “detect, analyze, and mitigate threats and vulnerabilities, and outmaneuver adversaries.” CNE is an espionage operation and is the ability to collect intelligence through the use of computer networks to gather data about adversaries. 12

These functions provide a general idea of what states can do in cyberspace, although it is important to note that the specific operational instruments involved in executing cyber attacks are weapons delivered through a computer. A cyber weapon, in this sense, is a computer code that is used or is designed to be used with the objective of threatening or causing damage to objects, networks, or living beings. 13 Cyber weapons can come in different forms, ranging from generic tools that cause nuisances to high-end tools that can bring down a state’s critical infrastructure. Table 1 presents the main types of cyber weapons as well as their basic definitions.

Another fundamental concept is the projection of power in cyberspace or cyber power. This paper considers cyber power as an extension of politics, which is, fundamentally, the authoritative allocation of valued things. 15 Since power relates to the allocation of capabilities and resources, the paper adopts Nye’s idea of cyber power: “the ability to obtain preferred outcomes through the use of electronically interconnected information resources of the cyber domain.” 16

Moving to the next concept, much debate has been generated by the term cyber war. While several definitions exist for this concept, this paper proceeds with the view that the notion of war is problematic and even dangerous when applied to cyberspace. An act of war must be instrumental, political, and lethal, whether in cyberspace or not. 17 No stand-alone cyber operation on record meets these criteria, thus the concept of cyber war will not be used for purposes of the paper. As an alternative, the paper follows the work of Valeriano and Maness who suggest the term cyber conflict as more appropriate, as it involves hostile interactions between states but is not necessarily indicative of warfare. 18 Cyber conflict is defined as “the use of computational technologies in cyberspace for malevolent and destructive purposes in order to impact, change, or modify diplomatic as well as military interactions between entities.” 19

Table 1. CYBER WEAPONS DEFINED 14

Actors

Since the barriers and costs to entry in cyberspace are low, a range of actors have engaged in numerous types of disruptive activities against different targets. There are two main categories of actors in cyberspace: states and non-state actors. States are clearly the dominant actors in cyberspace, given their extensive resources, expertise, and capabilities. 20 The development of the most sophisticated and high-level CNO is typically designated to states’ intelligence and military services. The objectives of these services are to collect and/or destroy intelligence by exploiting and disrupting adversaries’ information infrastructure. Some prominent examples include the National Security Agency of the United States, the Government Communications Headquarters of the United Kingdom, the General Staff Department (3rd and 4th Departments) of the People’s Liberation Army in China, 21 and the Reconnaissance General Bureau and General Staff Department of the Korean People’s Army in North Korea. 22

In terms of non-state actors, there are three additional subcategories: criminals, hackers, and terrorists. Criminal organizations exploit cyberspace through various methods for monetary gain. The major types of online criminal activities include theft of data, financial crimes, corruption, and crimes against children. 23 Hackers, on the other hand, execute network intrusions for different reasons, ranging from experiencing the thrill of the challenge to bragging rights. Although cracking into networks once required a fair amount of skill or computer knowledge, attack tools have now become more sophisticated and easier to use, providing hackers with more capabilities. 24 For instance, politically motivated hackers or hacktivists, such as “Anonymous” and “LulzSec”, overload e-mail servers and hack into websites to send a specific political message to a target audience.

While there have been no recorded incidents of “cyberterrorism”, cyberspace is attractive to terrorist organizations because it guarantees anonymity, it enables global communication, and it delivers a strong psychological impact. 25 The Central Intelligence Agency suggests that terrorists will remain focused on traditional attack methods; however, the CIA anticipates increasing cyber threats as a more technically capable generation of terrorists joins the ranks. 26 Table 2 provides some examples of the cyber weapons that different actors have utilized as well as the incidents they were involved in.


Table 2. Actors, incidents and weapons

In examining the role of different actors in cyberspace, it is imperative to highlight the significant difference between the capabilities of states and non-state actors in cyberspace. There is a persistent media blitz about the threat of massive and destructive cyber attacks by non-state actors, but these reports are largely overstated and empirically untested. 32 It is therefore necessary to adopt a more strategic understanding of cyber conflict where the focus of inquiry is the realistic outcome or consequence of the attack aside from technical and tactical considerations such as the number of websites that are defaced or the type of malicious code used by hackers.

Factors Affecting Cyber Security Development

States generally produce specific defense and security capabilities in response to external and domestic considerations. While there is no scholarly or policy consensus over which factors constrain states’ investments in cyber capabilities, the subsequent section offers three important factors that could potentially influence further cyber capability development in the Philippines.

Economic: Cyber Crime

The first factor is the growing industry of cyber crime. The low barriers to entry, the assurance of anonymity, and the high speed of transactions offered by cyberspace provide criminals with unparalleled opportunities for profit generation. A report by the Center for Strategic and International Studies and McAfee estimates that the global economy loses $375 billion to $575 billion annually due to cyber crimes. Even the most conservative estimate of economic losses to these criminal activities is more than the national income of most states and companies, signifying the level of risk states face from cyber crime and how rapidly the risk can evolve. 33

In the context of the Philippines, cyber crime is an existing problem but is not as threatening compared to other organized criminal activities such as robbery, kidnapping and drug trafficking. For instance, the Philippine National Police Anti-Crime Group reports that there were 3,368 recorded cases of cyber crime from 2003 to 2014. 34 Of these cases, the most common forms of cyber crimes were identified as website defacements, personal account infiltrations, and Internet fraud. The data to systematically quantify the economic impact of crimes that make use of cyberspace is incomplete; however, the most substantial reports of losses have been from the Bangko Sentral ng Pilipinas, which estimates that PhP175 million was lost due to ATM fraud in 2012 and PhP220 million in 2013. 35


Despite the relatively controlled threat posed by cyber crime, the Philippine government has adopted a more active posture towards countering illegal domestic cyber activities in contrast to countering external threats to national security. In terms of crime prosecution, there are currently six laws that relate to cyberspace: the Cybercrime Prevention Act of 2012, the Anti-Photo and Voyeurism Act of 2009, the Anti-Child Pornography Act of 2009, the E-Commerce Act of 2000, the Access Devices Regulation Act of 1998, and the Anti-Wiretapping Law of 1965. Moreover, the enforcement of these laws is assigned to four key government agencies: the Cybercrime Investigation and Coordination Center (Department of Science and Technology), the Office of Cybercrime (Department of Justice), Cybercrime Division (National Bureau of Investigation), and the Anti-Cybercrime Group (Philippine National Police). 36

Building on these efforts, there are two reasons why the government is encouraged to sustain and further develop the capacity to address cyber crimes. First, domestic enforcement agencies, specifically the National Bureau of Investigation and the Philippine National Police, still lack the expertise, capabilities, and resources to effectively counter cyber threats. 37 Given the rapidly rising number of internet users, it is impossible for the government to monitor millions of internet users without advanced network surveillance systems and sufficient resources. Second, the mechanisms for inter-agency cooperation are underdeveloped and need to be strengthened. Since cyber crimes are pervasive and persistent, it is crucial for the government to create a cohesive strategy that defines the responsibilities of each agency and sets out a clear implementation plan that accurately integrates their functions.

National Security: Cyber Espionage

The second factor is the growing prominence of cyberspace as an area for espionage. Several cases of cyber conflict relate to espionage operations between states. For example, in 2005, the United States government discovered Chinese computer network operations “Titan Rain”, which successfully infiltrated numerous secure systems, including the Department of Defense, Department of State, Department of Homeland Security, National Aeronautics and Space Administration, and even the British Foreign Commonwealth Office. 38

More recently, computer security company FireEye revealed the extensive cyber espionage operation of a group called APT30 against several states in Southeast Asia and beyond. This incident is disconcerting because of APT30’s suspected association with the Chinese government as well as the group’s consistent focus on collecting specific information about political, military, and economic issues in the region, and about media organizations and journalists who write on topics about the Chinese government’s legitimacy. 39 Considering these examples, espionage through cyberspace becomes paradoxical; on one hand, it enables the efficient collection of intelligence, on the other hand, it can also facilitate network infiltration by adversaries.

In the case of the Philippines, investing in cyber espionage or CNE capabilities would enhance the intelligence collection of security and military services. The minimum credible defense strategy, which the government is developing, is fundamentally dependent on understanding an adversary’s intentions and capabilities. 40 Given this situation, government security and military forces can leverage the advantages of cyberspace to collect vital intelligence regarding adversaries’ intentions about critical issues, such as the ongoing territorial disputes or the arms dynamic in the region. The government’s current focus is to improve conventional capabilities of the military; it would be reasonable to supplement these capabilities and invest in military computer network operations.

The paradox of cyberspace is that it also allows other states to steal information from computer networks in the Philippines. There have been several reports by companies like FireEye and Kaspersky Lab of network infiltrations against the Philippine government, but it is unclear if security and military services have CND capabilities to defend the state’s networks against these hostile operations. 41 This uncertainty is reflected in existing cyber security assessments, which indicate that the Philippines is deficient in military capabilities for cyber operations, public cybersecurity assistance networks (Computer Emergency Response Teams), and inter-agency and intergovernmental cooperation among other areas. 42 In this sense, it would be in the strategic interests of the government to develop CND capabilities, considering the advantages of cyberspace for intelligence collection and the necessity for defense against the persistent and pervasive threat of cyber espionage by adversaries within the region.

Political: Cyber Conflict

The third factor is the persistent cyber conflict in the Asia-Pacific. The Philippines is located in a region characterized by major shifts in the balance of power, uneven distributions of economic power within and between states, and intense territorial disputes. 43 Given these dynamics, there are two crucial reasons why geopolitics in the Asia-Pacific is integral to influencing the development of cyber capabilities in the Philippines. First, regional disputes and insecurities between states have continued on from conventional conflict domains and have manifested in cyberspace. This situation makes the Asia-Pacific the most active region in terms of cyber conflicts between states, mainly due to Chinese action. 44


In light of the Philippines’ involvement in a territorial dispute with China, it is likely that cyber conflict will become a prominent tool for power projection in the twenty-first century. This conflict has the advantage of delivering a strong message sans the risks associated with conventional attacks. In addition, the Philippines is currently entangled between two great powers that are also engaged in hostile action in cyberspace. A recent ground-breaking study confirms this observation: “China needs an outlet, and military grandstanding, with possibility of escalation involving the Americans is something China does not want to deal with at the moment. China seems to be good at infiltrating foreign networks, and this seems to be the “least” they can do for power projection.” 45

Second, other global “cyber powers” are also located in the region. North Korea, South Korea, and Japan all have advanced cyber capabilities and are immersed in various political rivalries and territorial disputes in the Asia-Pacific. 46 Whereas these rivals typically project military power and engage in aggressive actions through the air and maritime domains, cyber conflict has also been used as a tool to advance foreign policy interests. It is therefore not surprising that from 2001 to 2011, North Korea instigated fifteen cyber attacks against various states including South Korea, Japan and the United States. South Korea was associated with eighteen cyber incidents, mostly against Japan and North Korea. Japan, meanwhile, had fifteen cyber disputes involving China, North Korea, and South Korea as adversaries. 47

The strategic consequences of this relatively new trend may be crucial for the Philippines as it is still uncertain whether cyber conflict can consistently lead to crisis instability and force states to escalate low-risk cyber attacks into higher-risk conventional attacks. 48 In this case, the compelling reason for the Philippines to develop cyber capabilities lies in supporting its allies to mitigate and de-escalate existing cyber conflicts. Even if the Philippines does not have defense agreements with Japan and South Korea, it could be entangled during cyber conflicts because of its existing defense agreement with the United States. In short, the lack of cyber capabilities precludes the Philippines from defending itself from cyber attacks as well as from contributing to the security and stability of the regional cyberspace.

Policy Responses to Cyber Threats

Strategies to counter cyber threats have been implemented by states unilaterally, rather than collectively through international institutions. There is a growing consensus that norms and cooperation can mitigate the uncertainty and hostility in cyberspace; however, conflicting interests between powerful states, exacerbated by the revelations of Edward Snowden, make further international norm promotion improbable. 49 Responses to cyber threats have, therefore, been state-driven and particularly focused on strengthening domestic law enforcement as well as military capabilities. These responses have included everything from recruiting potential CNO specialists to establishing full-scale cyber commands. This section briefly surveys the policy responses of key regional institutions in the Asia-Pacific and the efforts of the Government of the Philippines towards cyber security.

Regional

States in the region have invested time and resources to address cyber threats mainly through the Asia-Pacific Economic Cooperation (APEC) and the Association of Southeast Asian Nations (ASEAN). The creation of regional levels of governance has created a collaborative space where such strategic discussions can take place. These efforts have, therefore, enabled states in the region to develop transnational responses to cyber threats with shared confidence in their neighbors based on their similarities rather than differences. 50

The cyber security efforts of APEC are captured in three key documents. The first is the APEC Cybersecurity Strategy, which was formulated by the APEC Telecommunications and Information Working Group in May 2002. 51 The strategy called for increased cooperation and coordination in four broad areas: creating a legal framework; sharing information and cooperation, producing security and technical guidelines, training and education; and developing wireless security technologies. The document, however, did not provide any details regarding how the strategy would be implemented. The second document is the APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environment, which was drafted during the Senior Officials’ Meeting in November 2005. 52 The document highlighted the emerging cyber threat and underscored the need to improve the following cyber security measures: cohesive domestic strategies, legal and policy frameworks, incident response and recovery capabilities, partnerships among government, industry, academics, public awareness regarding online security, research and development, and interstate cooperation. Much like the previous strategy, the modified version does not offer any concrete directions on how APEC member states would realize these measures.

The APEC TEL Strategic Action Plan 2016-2020 is the third and most recent document, produced by the APEC Telecommunications and Information Working Group in March 2015. 53 The document accentuated five key priorities, including a strong emphasis on a secure, resilient, and trusted ICT (Information and Communications Technologies) environment. More importantly, the document presented an implementation plan that prescribed the need to undertake specific actions during the next four years: research, capability-building, public awareness, and intergovernmental cooperation. Whereas the strategic plan recommends workable and specific measures to address cyber security, the success of the plan is largely dependent on the level of commitment and the resources available to each state.

Cyber security has been a concern for ASEAN for more than a decade, but prior to the ASEAN ICT Masterplan 2015, no clear and concrete regional strategy was developed by the institution to compel its member states to address cyber threats. The problem of cyber crime was first discussed during the 2nd Senior Officials Meeting on Transnational Crime in 2002. State representatives agreed on the following responses: to establish a compilation of applicable national laws, regulations and international treaties relating to cyber crime legislation; work towards the criminalization of cyber crime activities; enhance law enforcement and intelligence cooperation; develop regional training; coordinate with ASEAN Chiefs of National Police (ASEANAPOL) for the analysis of cyber crime activities; and seek training assistance from ASEAN Dialogue Partners and international institutions. 54

Following this discussion, cyber security figured prominently in several subsequent meetings, including the 3rd Meeting of the ASEAN Telecommunications and IT Ministers in 2003, where it was decided that an ASEAN Information Infrastructure was needed as well as the development and operationalisation of the national Computer Emergency Response Teams by 2005. 55 In 2006, the ASEAN Regional Forum released two statements that stressed the importance of cyber security. The first was the ARF Statement on Cooperation in Ensuring Cyber Security, which reinforced the need for an ARF work plan on security in the use of ICT and more dialogue on confidence-building, stability, and risk reduction measures to address the implications of ARF participants’ use of ICT. 56 The second was the ARF Statement on Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyber Space, which recommended the implementation of cyber crime laws in accordance with national conditions and continued interstate cooperation in countering cyber crime and terrorists’ use of cyberspace. 57

The last and most current collaboration is the ASEAN ICT Masterplan 2015 that was adopted during the Telecommunications and IT Ministers Meeting in 2011. The plan prioritizes cyber security through two broad initiatives. Building trust is the first initiative and it involves the promotion of secure transactions within ASEAN and public awareness about online security. Promoting information security is the second initiative and it has to do with developing a common framework for network security and information security across the region. 58

In reviewing the regional responses to cyber threats, it is apparent that some barriers have been slowing the growth of cyber security efforts in the region. The first barrier is the uneven distribution of resources and capabilities among states. States such as Japan, South Korea, and Singapore are clearly technologically superior compared to other states like China, Indonesia, Malaysia, the Philippines, and Thailand; but even these are considerably more advanced than states such as Brunei, Cambodia, Laos, Myanmar or Vietnam. Even though this “digital divide” is predominantly expressed in terms of infrastructure development and broadband penetration, the economic inequalities and low socio-political capacity levels present substantial challenges to these states as well. 59 The second barrier relates to the level of cooperation that states are willing to extend in the area of cyber security. States develop CNO capabilities to obtain different strategic security objectives; therefore, it would not be in their best interest to share information about their cyber operations. In this sense, collaborative operations and intelligence sharing can potentially diminish the strategic advantage of cyber operations more than other conventional military operations. Furthermore, the absence of global norms or code of conduct for cyberspace operations also signifies the uncertainty and lack of consensus about the appropriate strategy to mitigate cyber conflict.

Domestic

The response of the Government of the Philippines towards cyber security has generally been limited despite a significant cyber incident that transpired in 2000. The “I LOVE YOU” virus, created by an undergraduate Filipino computer science student, infected around 55 million computers and generated around $10 billion worth of damage globally. 60 Government prosecutors filed cases against the perpetrator Onel de Guzman, but the indictment was dismissed even at the first stage because there was no law punishing computer criminals at that time. 61

A significant initiative towards a national cyber security blueprint was the creation of the National Cyber Security Plan in 2004. The plan was comprehensive and reflected the government’s cyber security policy, which centers on institutionalizing “the necessary capabilities in the government and the private sector to adequately meet and respond to challenges and threats against critical cyber infrastructures.” 62 The plan presented four main strategies and corresponding programs that were part of the government’s solution to increasing threats in cyberspace.

The first strategy is to understand the risks present through a sustained threat assessment of national vulnerabilities and protective measures already
being implemented by the government. The second is risk control, which requires comprehensive security planning, effective resolution of crisis, and risk monitoring. The third strategy relates to the organization and mobilization of necessary resources and relevant stakeholders, such as specialists from the private sector and the international community, for the implementation of the plan. The fourth strategy focuses on instituting regulatory and legislative reforms crucial to addressing the challenges of cyber threats. 63

Building on the cyber security policy, the National Cybersecurity Coordination Office prepared an operational framework in 2008. The National Cybersecurity Coordination Strategy and Implementation Plan proposed a coordination strategy that comprised five execution programs:

Cyber Security Legal Regime; Critical Cyber Infrastructure Security Threat and Vulnerability Reduction; Critical Cyber Infrastructure Security Awareness, Education and Training; Critical Cyber Infrastructure Security Incident Response and Consequent Management; and National and International Coordinating Mechanisms. 64

More importantly, the plan justified the urgent need for inter-agency cooperation through the establishment of a centralized committee and the consistent participation of different government bodies and private organizations in securing Philippine cyberspace. However, while the implementation plan was comprehensive and ambitious in theory, there is as yet no clear evidence or report that discusses the status or completion of the programs proposed in the plan.

The last and most recent cyber security initiative by the Government of the Philippines is Executive Order No. 189, which was released on September 17, 2015. The Executive Order was drafted in response to increasing cyber threats, and in particular intended to address the theft of classified and sensitive electronic information and to assess national vulnerabilities of government and commercial information systems. 65 It prescribes several measures, the most salient of which are the reestablishment of the National Cyber Security Inter-Agency Committee, the formation of a National Cyber Security Coordination Center, the creation of Computer Emergency Response Teams in all government offices, and the transfer of the new Cybercrime Investigation and Coordinating Center from the Office of the President to the National Cybersecurity Inter-Agency Committee. 66

The objectives of the Executive Order are appropriate and reasonable, yet there are two fundamental concerns that the government seemed to have missed. First, there was no discussion about the sustainability of the initiatives proposed in the document. Considering that the current government will be stepping down in 2016, it is uncertain whether the plans will be continued by the next set of political leaders. Second, the document does not provide any policy guidance regarding offensive and defensive cyber operations. It is not possible to secure national critical infrastructure and information systems without a clear and integrated strategy for cyberspace.

Thus, the government’s response to cyber threats can be described as acceptable but nevertheless incoherent. An evaluation of previous cyber security initiatives suggests that there are no consistent links or continuation between the initiatives of the previous and the current government. This incoherence is a contributing factor towards the underdevelopment of the cyber capabilities in the Philippines. Nevertheless, the lack of capabilities can also be an opportunity for the next president given the rapidly increasing dependence of states on cyberspace. The succeeding section offers some ideas about the relevance of integrating cyber security as a national security priority in the Philippines.

Considerations for the Next President

Since previous efforts in creating a cyber strategy were incoherent, the next president has the opportunity to ensure strategic coherence in addressing cyber threats. There are two initial steps in producing a cyber strategy: assessment and development. The first is to assess the status and outcome of previous government initiatives on cyber security such as the National Cyber Security Plan and Executive Order No. 189. The assessment would have two objectives. The first is to determine if existing cyber organizations have sufficient expertise, appropriate resources, and proper procedures to defend the state. The second is to evaluate if the existing inter-agency coordination and implementation mechanisms are in place and are actually working. This assessment is necessary to establish continuity and avoid wasting resources during government transitions.

The second step is to develop a cyber strategy that builds on the efforts of the previous government. There are five levels of strategy where the government needs to integrate cyber security: policy, grand, military, operational, and tactical. 67 Policy refers to the set of objectives to be accomplished by the government. 68 A national security policy typically explains the main priorities and objectives of the president of a state. If cyber security is to be a priority, the national security policy should explicitly explain the relevance of cyber security and its value for the state. Grand strategy denotes the coordination of all national assets towards the attainment of policy objectives. 69

The grand strategy provides more details about the cyber strategy of the government such as the relevant cyber organizations, the system of coordination, management of capabilities, and cooperation with international institutions if possible. The military strategy refers to the use of military power in support of the grand strategy. 70 A national military strategy, thus, discusses the objectives, general approaches, and the resources of the armed forces in preserving the national security of a state. In terms of cyber security, this strategy should explain the military’s role in cyberspace and give the public a general sense of the type of military actions involved in securing cyberspace.

An operational strategy has to do with the cumulative and coordinated tactical actions undertaken to achieve a specific operational goal. 71 Since goals at the operational level are diverse, integrating cyber operations into military operations would involve engagements ranging from disabling a command and control system of a military base to disrupting the infrastructure protocols of a military production facility. Lastly, a tactical strategy refers to the details of combat, specifically deployments, engagement with the enemy, and interaction between different units of the military. 72 Cyber operations at the tactical level would entail detailed actions, including the development of cyber units in each military service, the type of response against cyber attacks, and the coordination between different military cyber units.

Conclusion

Cyber security is still a weak aspect of Philippine national security. The lack of discussion regarding the challenges and opportunities relating to cyberspace is impeding current efforts to address increasing cyber threats against the state. Given these circumstances, there are three reasons why the Philippine government should consider cyber security as a policy priority. The first is that the economic losses to cybercrime are escalating and law enforcement agencies do not necessarily have the capabilities to handle the massive volume of incidents. The second is that cyber espionage has become a predominant method of intelligence collection and it is not clear if the military has the capabilities to detect and counter these operations. The third is that the territorial disputes and political conflicts in the Asia-Pacific region have “spilled over” into cyberspace, therefore making the region the most active in terms of cyber conflict.

Responses to cyber threats have mainly been implemented by states, rather than through collective action by international institutions. Whilst there is a growing consensus that norms and cooperation can mitigate the uncertainty and hostility in cyberspace, conflicting interests between powerful states, aggravated by the revelations of Edward Snowden, make international norm promotion more difficult. States in the region have invested time and resources to address cyber threats through the Asia-Pacific Economic Cooperation and the Association of Southeast Asian Nations but these efforts are limited; although cyber security has been a topic of concern for the last decade, more concrete plans have only been articulated in the last few years. Domestic responses to cyber threats have been limited since most of the efforts have focused on establishing legal frameworks to enable law enforcement. There is no indication that the previous and current governments have mandated investment in capabilities for military operations in cyberspace.

In this regard, the next president has the genuine opportunity to consider cyber security as a core national security priority and to ensure strategic coherence in addressing cyber threats. Strategic coherence can be enhanced by integrating cyber security measures in all levels of strategy: policy, grand, military, operational, and tactical. More significantly, the next president must realize that the topic of cyber security is no longer just for the “IT crowd.” An interdisciplinary approach to cyber security that draws on a range of expertise and involves all government agencies is necessary to protect Philippine national interests in cyberspace.

ENDNOTES:

1 Rid, T. (2013). Cyberwar will Not Take Place. London: Hurst & Co. Ltd, xiv-xv.

2 United Nations Institute for Disarmament Research (2013). The Cyber Index International Security Trends and Realities. Geneva, Switzerland: United Nations.

3 For a more detailed discussion on these assumptions see Lynn III, W. J. (2010) Defending a New Domain: The Pentagon’s Cyberstrategy. Foreign Affairs 89 (5), 97-108; Nye Jr., J. S. (2011). The Future of Power. New York: Public Affairs; Libicki, M. (2009) Cyberdeterrence and Cyberwarfare. Santa Monica, CA: RAND Corporation.

4 Sheldon, J. (2011). Deciphering Cyberpower: Strategic Purpose in Peace. Strategic Studies Quarterly 5(2), 95-112.

5 Freedman, L. and Raghavan, S. (2008) “Coercion” In Paul Williams (ed.) Security Studies: An Introduction. London: Routledge, 217-218.

6 Mansbach, R. W. and Taylor, K. L. (ed.) (2011) Introduction to Global Politics 2nd Edition. London: Routledge, 297.

7 Ibid

8 Libicki, M. (2013) Brandishing Cyberattack Capabilities. Santa Monica, CA: RAND Corporation, vii-xi.

9 Lindsay, J. (2013) Stuxnet and the Limits of Cyber Warfare. Security Studies (22) 3, 385-389.

10 Gartzke, E. and Lindsay J. (2015) Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace. Security Studies 24 (2), 346.

11 Ibid

12 Cartwright, J. E. (2010). Joint Terminology for Cyberspace Operations. Washington D.C.: U.S. Department of Defense.

13 Rid, T., and McBurney, P. (2012). Cyber-Weapons. RUSI Journal 157 (1), 7.

14 Definitions adopted from Carr, J. (2010), Inside Cyber Warfare: Mapping the Cyber Underworld. Sebastopol, CA: O’Reilly Media; Reveron, D. (Ed.). (2012). Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World. Washington D.C.: Georgetown University Press, 8; and Valeriano, B., and Maness, R. (2015). Cyber War versus Cyber Realities. Oxford: Oxford University Press, 33-37.

15 Easton, D. (1953). The Political System: An Inquiry into the State of Political Science. New York: Alfred Knopf, 5.

16 Nye, The Future of Power, 123

17 Rid et al., Cyber-Weapons, 7

18 Valeriano et al., Cyber War versus Cyber Realities, 31

19 Ibid

20 Nye, The Future of Power and Lindsay, Stuxnet and the Limits of Cyber Warfare

21 Patton A., et al., Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage, Washington D.C.: US-China Economic and Security Review Commission, 2012.

22 Jun, Jenny, et al. (2014). The Organization of Cyber Operations in North Korea. Washington D.C.: Center for Strategic and International Studies.

23 International Police (2015) Cybercrime. Retrieved from http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime

24 Reveron, Cyberspace and National Security

25 Weimann, G. (2004). Cyberterrorism How Real Is the Threat? Washington D.C.: United States Peace Institute.

26 Ibid

27 Healey, Jason (ed.) (2013) A Fierce Domain in Cyberspace, 1986-2012. Virginia: Cyber Conflict Studies Association, 141-142; Berghel, H. (2001) The Code Red Worm. Communications of the ACM (44) 12, 15-19.

28 Stiennon, R. (2015) “A Short History of Cyber Warfare” In James Green (ed.) Cyber Warfare: A Multidisciplinary Analysis. London: Routledge, 9-10.

29 Blank, S. (2008) Web War I: Is Europe’s First Information War a New Kind of War? Comparative Strategy (27) 3, 227-247.

30 Lindsay, Stuxnet and the Limits of Cyber Warfare; Falliere, N. (2011) W32.Stuxnet Dossier. Mountain View, CA: Symantec Corporation, 1-3.

31 Valeriano et al., Cyber War versus Cyber Realities, 173-175

32 Exaggerations of war in cyberspace are discussed in Sutherland, B. (2011) The Economist: Modern Warfare, Intelligence and Deterrence: The technologies that are transforming. London: Economist Books; Arquilla, J., (27 February 2012) Cyberwar Is Already Upon Us [Web log post]. Retrieved from http://foreignpolicy.com/2012/02/27/cyberwar-is-already-upon-us/; and Palette, D. et al. (12 October 2015) Cyberwar Ignites a New Arms Race. Wall Street Journal. Retrieved from http://www.wsj.com/articles/cyberwar-ignites-a-new-arms-race-1444611128

33 Lewis, J. (2014). Net Losses: Estimating the Global Cost of Cybercrime. Washington D.C.: Center for Strategic and International Studies.

34 Guillermo, J. (2015). Local Cybercrime Landscape [PowerPoint slides]. Retrieved from http://aseanfic.org/2015/wp-content/uploads/2015/02/Philippine-Cybercrime-Landscape-ASEANFIC.pdf

35 Bartolome, J. (2014, November 1) Nearly P400M lost to ATM fraud from 2012 to 2013, says lawmaker [Web log post.] Retrieved from http://www.gmanetwork.com/news/story/386207/money/economy/nearly-p400m-lost-to-atm-fraud-from-2012-to-2013-says-lawmaker

36 Sy, Geronimo L. (2015). Philippines 2014-2015 Cybercrime Report The Rule of Law in Cyberspace. Manila: Department of Justice.

37 Ibid

38 Seagal, A., (2013) “From Titan Rain to Byzantine Hades” In Jason Healey (ed.) A Fierce Domain in Cyberspace, 1986-2012. Virginia: Cyber Conflict Studies Association, 165-167.

39 Kujawa, A. (2015). APT30 and the Mechanics of a Long-Running Cyber Espionage Operation. Milpitas, CA: FireEye.

40 Domingo, F. (2015, 27 February). Intelligence as the Philippines’ First Line of Defense [Web log post]. Retrieved from http://nottspolitics.org/2015/02/27/intelligence-as-the-philippines-first-line-of-defense/

41 Kujawa, APT30 and the Mechanics and Donohue, B. (19 May 2015). Naikon APT steals geopolitical data from the South China Sea [Web log post]. Retrieved from https://blog.kaspersky.com/naikon-apt-south-china-sea/8696/

42 International Telecommunications Union (2015). Global Cybersecurity Index. Geneva, Switzerland: ITU and Feakin, T., et al. (2015) Cyber Maturity in the Asia-Pacific Region. Canberra: Australian Strategic Policy Institute.

43 Betts, R. K. (1994). Wealth Power, and Instability-East-Asia and the United States After the Cold War. International Security 18(3), 34-77 and Christensen, T. J. (1999). China, the US-Japan Alliance, and the Security Dilemma in East Asia. International Security 23(4), 49-80

44 Valeriano et al., Cyber War versus Cyber Realities, 128

45 Ibid

46 Wicherski et al. (2011) Ten Days of Rain. Santa Clara, CA: McAfee; Booz Allen Hamilton (2001) Cyber Power Index: Findings and Methodology. Virginia: author; Valeriano et al., Cyber War versus Cyber Realities

47 Valeriano et al., Cyber War versus Cyber Realities, 84-90

48 Gompert, D., and Libicki, M. (2014). Cyber Warfare and Sino-American Crisis Instability. Survival, 56(4), 7-22.

49 For more on the debate about cyber norms see Stevens, T. (2012). A Cyberwar of Ideas? Deterrence and Norms in Cyberspace. Contemporary Security Policy 33 (1), 148-170 and Farell, H. (2015). Promoting norms for Cyberspace. Cyber Brief. New York: Council on Foreign Relations.

50 Thomas, N. (2009). Cyber Security in East Asia: Governing Anarchy. Asian Security 5 (1), 19-20.

51 Richardson, J. (2002) APEC Cybersecurity Strategy. Singapore: Asia-Pacific Economic Cooperation

52 Asia-Pacific Economic Cooperation (2004) APEC Strategy to Ensure Trusted, Secure and Sustainable Online Environment. Retrieved from http://www.apec.org/~/media/Files/Groups/TEL/05_TEL_APECStrategy.pdf

53 Asia-Pacific Economic Cooperation (2015) APEC TEL Strategic Action Plan 2016-2020. Retrieved from http://www.apec.org/~/media/Files/Groups/TEL/20150331_APEC%20TEL%20Strategic%20Action%20Plan%202016-2020.pdf

54 Association of Southeast Asian Nations (2002) Work Programme to Implement the ASEAN Plan of Action to Combat Transnational Crime. Retrieved from http://www.asean.org/communities/asean-political-security-community/item/work-programme-to-implement-the-asean-plan-of-action-to-combat-transnational-crime-kuala-lumpur-17-may-2002

55 Association of Southeast Asian Nations (2003) 3rd Meeting of the ASEAN Telecommunications and IT Ministers. Retrieved from http://www.asean.org/communities/asean-economic-community/category/asean-telecommunications-and-it-ministers-meeting-telmin

56 ASEAN Regional Forum (2012) ARF Statement on Cooperation in Ensuring Cyber Security. Retrieved from https://ccdcoe.org/sites/default/files/documents/ASEAN-120712-ARFStatementCS.pdf

57 ASEAN Regional Forum (2006) ARF Statement on Cooperation in Fighting Cyber Attack and Terrorist Misuse of Cyber Space. Retrieved from http://www.mofa.go.jp/region/asia-paci/asean/conference/arf/state0607-3.html

58 Association of Southeast Asian Nations (2011) ASEAN ICT Masterplan 2015. Retrieved from http://www.asean.org/resources/publications/asean-publications/item/asean-ict-masterplan-2015

59 Thomas, Cyber Security in East Asia, 4-5

60 Poulsen, K. (2010, May 3) May 4, 2000: Tainted ‘Love’ Infects Computers. Retrieved from http://www.wired.com/2010/05/0504i-love-you-virus/

61 Sosa, G. (2009). “Country Report on Cybercrime: The Philippines” In M. Sasaki, Resource Material No. 79 Paper Presented at International Training Course: The Criminal Justice Response to Cybercrime, Tokyo, Japan: United Nations Asia and Far East Institute, 80-87.

62 Milallos, M. and Romero, S. (2004). National Cyber Security Plan. Manila: Office of the President, Task Force for the Security of Critical Infrastructure, 32.

63 Ibid, 34-42.

64 National Cyber Security Coordination Office (2008). National Cyber-security Coordination and Implementation Strategy. Quezon City: Author.

65 Executive Order No. 189 (2015)

66 Ibid

67 Kane, T. and Lonsdale, D. (2011). Understanding Contemporary Strategy. London: Routledge, 13.

68 Clausewitz, Carl von (2008). On War (M. Howard and P. Paret, trans.), Oxford: Oxford University Press, 28-29

69 Hart, B. H. Lidell (1967) Strategy: An Indirect Approach. London: Faber & Faber, 335.

70 Kane et al., Understanding Contemporary Strategy, 13

71 Ibid, 14

72 Ibid, 14

ABOUT

Francis Domingo is Assistant Professor of International Studies at De La Salle University and concurrently a doctoral researcher affiliated with the Centre for Conflict, Security and Terrorism and the Institute of Asia and Pacific Studies at University of Nottingham. His current research explores the strategic utility of cyber capabilities for small states. He holds an MA in Intelligence Studies from Brunel University London (2009) and an MRes in Strategic Studies from University of Reading (2014). His research has been published in Defense and Security Analysis, Military and Strategic Affairs, and Strategic Analysis, among other journals.

Before joining academia, he worked with the Armed Forces of the Philippines as a research analyst with the Office of Strategic and Special Studies (OSS), where he contributed to a number of assessments on sensitive political and security issues.

Stratbase’s Albert Del Rosario Institute is an independent international and strategic research organization with the principal goal of addressing the issues affecting the Philippines and East Asia.

9F 6780 Ayala Avenue, Makati City
Philippines 1200

V 8921751
F 8921754

www.stratbase.com.ph

© 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.