You are on page 1of 15

9.

1
VOLUME

STRATEGIC
CONSIDERATIONS

FOR PHILIPPINE
CYBER SECURITY
OCCASIONAL

PAPER

January 2016

OCCASIONAL PAPER JANUARY 2016

02

STRATEGIC
CONSIDERATIONS

FOR PHILIPPINE
CYBER SECURITY
CYBER CRIME
Despite the relatively controlled threat posed by cyber crime, the Philippine
government has adopted a more active posture towards countering illegal domestic
cyber activities in contrast to countering external threats to national security.

Cyberspace has become an indispensable domain
for state interaction. Governments have, therefore,
made use of cyberspace for power projection, the
protection of critical national infrastructure, and the
exertion of political influence over other actors in the
international system. This domain, however, has also
become a prominent source of insecurity between
states because of its particularly strong potential for
espionage, sabotage, and subversion.1 While cyber
security continues to be a contentious policy issue,
the promise of a “cyber revolution” has influenced
numerous states to develop capabilities for military
cyber operations. More than 40 states have now
developed military cyber organizations and policies
and nearly 70 states have crafted nonmilitary policies and organizations.2

The idea of a cyber revolution is based on three
widely held assumptions suggested by some
scholars and policymakers about cyberspace:
it enables asymmetric advantages; it is offensedominant; and, deterrence is not effective in
this domain.3 First, cyberspace is asymmetric
because, it allows weaker actors to use fewer
resources and capabilities to challenge the military
forces of powerful states. Second, cyberspace is
offense-dominant for several reasons, including
the instantaneous speed of attacks, the problem
of attributing attacks to a perpetrator, and the
overwhelming dependence on cyberspace
throughout modern society.4 As a result, enemies
can exploit these opportunities and engage in
numerous malicious activities, including network

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

Image Credit: rfa.com

* The views and opinions expressed in this Paper are those of the author and do not necessarily reflect those of the Institute.

OCCASIONAL PAPER JANUARY 2016

03

disruption and espionage against target states. Third,
deterrence is not effective in cyberspace because the
threat of retaliation is not viable if the adversaries are not
cognizant of a state’s cyber capabilities.
Deterrence is the use of threats to discourage adversaries
from initiating undesirable actions.5 The logic of
conventional deterrence is based on three core elements:
communication, credibility, and capability.6 For deterrence
to be effective, a deterring state must first communicate
to its adversaries which actions are unacceptable and
the corresponding punishment once these actions are
undertaken. The state must then demonstrate that it
has the capabilities to support its threats. Lastly, the
state must establish credibility by convincing adversaries
that the communicated threats will actually be carried
out.7 However, these elements are problematic when
applied to cyberspace. It would be detrimental for
states to communicate and demonstrate that they have
cyber capabilities because to do so diminishes their
strategic surprise and technological superiority, the main
advantages of military cyber operations. Absent any
awareness and confirmation from their target state,
adversaries will not be persuaded that
a state has such capabilities.8

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

Athough the proliferation of cyber capabilities
is inevitable, the assumptions about the value
of cyberspace for military operations are mainly
overstated and need to be clarified. First,
cyberspace does not provide asymmetric
advantages to weak actors. The most sophisticated
cyber attacks, “Stuxnet” and “Flame” for instance,
required an unprecedented level of expertise and
operational capabilities that weak states and nonstate actors do not necessarily have.9 Second,
the idea that cyberspace is offense-dominant
is also questionable because the complexity
of weaponization makes offensive operations
more difficult for states to develop. Moreover, the
empirical evidence suggests that cyberspace is not
necessarily offense-dominant as some academics
and policymakers argue because the success
and decisiveness of offensive cyber operations
are generally conditioned on “attack severity,
organizational competence, and actor resolve.”10
Lastly, traditional deterrence models may not be
useful in cyberspace but an alternative interpretation
of deterrence sees a cyber attack as an indication of
successful deterrence because it substitutes kinetic
or physical attacks between states.11

Given this context, this paper argues that despite
the strategic limitations of cyberspace, the
Government of the Philippines should consider
cyber security as a policy priority because of
three reasons: the economic consequences of
cybercrime, the security consequences of cyber
espionage and the political consequences of cyber
conflict in the region. The remainder of the paper
is divided into in four sections. The first section
introduces central concepts regarding the study of
cyber security. The second examines some factors
that could influence the development of cyber
capabilities in the Philippines. The third surveys the
existing regional and domestic policy responses
to cyber threats. Finally, the last section offers
some recommendations for the next president,
particularly focusing on integrating cyber security
within national security policy and military strategy.
Following these objectives, the paper does not
offer recommendations about the domestic
law enforcement, e-governance, information
infrastructures and other related topics that fall
outside the scope of strategic interactions between
actors in the international system.

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

04

Concepts and Actors
Our understanding of cyber issues is dependent on
how concepts and actors are defined and framed. It
is necessary to clarify specific concepts and identify
actors to avoid confusion and exaggeration about
state capabilities and threats in cyberspace. The
following section therefore discusses some core
concepts and actors in area of cyber studies.
Concepts
A core concept in the conduct of cyber security
operations is the offensive and defensive capabilities
of a state or its Computer Network Operations
(CNO). These operations are divided into three
types of functions: Computer Network Attack
(CNA), Computer Network Defense (CND), and
Computer Network Exploitation (CNE). CNA is an
offensive operation and is defined as the capability
to use computers to “disrupt, deny, degrade, or
destroy information” in adversaries’ computers
and information systems. CND, on the other hand,
involves the protection of a state’s computer
networks: having the capability to “detect, analyze,
and mitigate threats and vulnerabilities, and
outmaneuver adversaries.” CNE is an espionage
operation and is the ability to collect intelligence
through the use of computer networks
to gather data about adversaries.12
These functions provide a general idea of what
states can do in cyberspace, although it is

important to note that the specific operational
instrument involved in executing cyber attacks are
weapons delivered through a computer. A cyber
weapon, in this sense, is a computer code that is
used or is designed to be used with the objective
of threatening or causing damage to objects,
networks, or living beings.13 Cyber weapons can
come in different forms, ranging from generic tools
that cause nuisances to high-end tools that can
bring down a state’s critical infrastructure. Table 1
presents the main types of cyber weapons
as well as their basic definitions.

Table 1. CYBER WEAPONS DEFINED14

Another fundamental concept is the projection of
power in cyberspace or cyber power. This paper
considers cyber power as an extension of politics,
which is, fundamentally, the authoritative allocation
of valued things.15 Since power relates to the
allocation of capabilities and resources, the paper
adopts Nye’s idea of cyber power: “the ability to
obtain preferred outcomes through the use of
electronically interconnected information
resources of the cyber domain.”16
Moving to the next concept, much debate has
been generated by the term cyber war. While
several definitions exist for this concept, this
papers proceeds with the view that notion of war is
problematic and even dangerous when applied to
cyberspace. An act of war must be instrumental,
political, and lethal, whether in cyberspace or
not.17 No stand-alone cyber operation on record

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

05

Table 2. Actors, incidents and weapons

meets these criteria, thus the concept of cyber
war will not be used for purposes of the paper. As
alternative, the paper follows the work of Valeriano
and Maness who suggest the term cyber conflict as
more appropriate, as it involves hostile interactions
between states but is not necessarily indicative
of warfare.18 Cyber conflict is defined as “the use
of computational technologies in cyberspace for
malevolent and destructive purposes in order to
impact, change, or modify diplomatic as well as
military interactions between entities.”19

In terms of non-state actors, there are three
additional subcategories: criminals, hackers, and
terrorists. Criminal organizations exploit cyberspace
through various methods for monetary gain. The
major types of online criminal activities include theft
of data, financial crimes, corruption, and crimes
against children.23 Hackers on the other hand,
execute in network intrusions for different reasons,
ranging from experiencing the thrill of the challenge
to bragging rights. Although cracking into networks
once required a fair amount of skill or computer
knowledge, attack tools have now become
Actors
more sophisticated and easier to use, providing
Since the barriers and costs to entry in
hackers with more capabilities.24 For instance,
cyberspace are low, a range of actors have engaged politically motivated hackers or hacktivists, such
in numerous types of disruptive activities against
as “Anonymous” and “LulzSec”, overload e-mail
different targets. There are two main categories
servers and hack into websites to send a specific
of actors in cyberspace: states and non-state
political message to target audience.
actors. States are clearly the dominant actors
in cyberspace, given their extensive resources,
While there have been no recorded incidences
20
expertise, and capabilities. The development
of “cyberterrorism”, cyberspace is attractive to
of the most sophisticated and high-level CNO is
terrorist organizations because it guarantees
typically designated to states’ intelligence and
anonymity, it enables global communication, and
military services. The objectives of these services
it delivers a strong psychological impact.25 The
are to collect and/or destroy intelligence by
Central Intelligence Agency suggests that terrorists
exploiting and disrupting adversaries’ information
will remain focused on traditional attack methods;
infrastructure. Some prominent examples include
however, the CIA anticipates increasing cyber
the National Security Agency of the United States,
threats as a more technically capable generation of
the Government Communications Headquarters of
terrorists join the ranks.26 Table 2 provides some
the United Kingdom, the General Staff Department
examples of the cyber weapons that different
(3rd and 4th Departments) of the People’s Liberation actors have utilized as well as the
Army in China,21 and the Reconnaissance General
incidents they were involved in.
Bureau and General Staff Department of the
Korean People’s Army in North Korea.22
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

06

In examining the role of different actors in
cyberspace, it is imperative to highlight the
significant difference between the capabilities of
states and non-state actors in cyberspace. There
is a persistent media blitz about the threat of
massive and destructive cyber attacks by non-state
actors, but these reports are largely overstated and
empirically untested.32 It is therefore necessary
to adopt a more strategic understanding of cyber
conflict where the focus of inquiry is the realistic
outcome or consequence of the attack aside from
technical and tactical considerations such as the
number of websites that are defaced or the
type of malicious code used by hackers.

Factors Affecting Cyber Security Development
States generally produce specific defense and
security capabilities in response to external
and domestic considerations. While there is no
scholarly nor policy consensus over which factors
constrain states’ investments in cyber capabilities,
the subsequent section offers three important
factors that could potentially influence further cyber
capability development in the Philippines.
Economic: Cyber Crime
The first factor is the growing industry of cyber
crime. The low barriers to entry, the assurance

of anonymity, and the high speed of transactions
offered by cyberspace provide criminals with
unparalleled opportunities for profit generation. A
report by the Center for Strategic and International
Studies and McAfee estimates that the global
economy loses $375 billion to $575 billion annually
due to cyber crimes. Even the most conservative
estimate of economic losses to these criminal
activities is more than the national income of most
states and companies, signifying the level of
risk states face from cyber crime and
how rapidly the risk can evolve.33
n the context of the Philippines, cyber crime is
an existing problem but is not as threatening
compared to other organized criminal activities
such as robbery, kidnapping and drug trafficking.
For instance, the Philippine National Police AntiCrime Group reports that there were 3,368 recorded
cases of cyber crime from 2003 to 2014.34 Of these
cases, the most common forms of cyber crimes
were identified as website defacements, personal
account infiltrations, and Internet fraud. The data
to systematically quantify the economic impact of
crime that make use of cyberspace is incomplete;
however, the most substantial reports of losses have
been from the Bangko Sentral ng Pilipinas, which
estimates that PhP175 million was lost due to ATM
fraud in 2012 and PhP220 million in 2013.35

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

Image Credit: media.licdn.com

Despite the relatively controlled threat posed by
cyber crime, the Philippine government has adopted
a more active posture towards countering illegal
domestic cyber activities in contrast to countering
external threats to national security. In terms of
crime prosecution, there are currently six laws that
relate to cyberspace: the Cybercrime Prevention
Act of 2012, the Anti-Photo and Voyeurism Act
of 2009, the Anti-Child Pornography Act of 2009,
the E-Commerce Act of 2000, the Access Devices
Regulation Act of 1998, and the Anti-Wiretapping
Law of 1965. Moreover, the enforcement of
these laws is assigned to four key government
agencies: the Cybercrime Investigation and
Coordination Center (Department of Science and
Technology), the Office of Cybercrime (Department
of Justice), Cybercrime Division (National Bureau of

Investigation), and the Anti-Cybercrime
Group (Philippine National Police).36
Building on these efforts, there are two reasons why
the government is encouraged to sustain and further
develop the capacity to address cyber crimes. First,
domestic enforcement agencies, specifically the
National Bureau of Investigation and the Philippine
National Police, still lack the expertise, capabilities,
and resources to effectively counter cyber threats.37
Given the rapidly rising number of internet users,
it is impossible for the government to monitor
millions of internet users without advanced network
surveillance systems and sufficient resources.
Second, the mechanisms for inter-agency
cooperation are underdeveloped and need to be
strengthened. Since cyber crimes are pervasive and

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

07

persistent, it is crucial for the government to create
a cohesive strategy that defines the responsibilities
of each agency and sets out a clear implementation
plan that accurately integrates their functions.

hand, it can also facilitate network infiltration by
adversaries.

In the case of the Philippines, investing in cyber
espionage or CNE capabilities would enhance
National Security: Cyber Espionage
the intelligence collection of security and military
The second factor is the growing prominence of
services. The minimum credible defense
cyberspace as area for espionage. Several cases
strategy, which the government is developing, is
of cyber conflict relate to espionage operations
fundamentally dependent on understanding an
between states. For example, in 2005, the United
adversary’s intentions and capabilities.40 Given
States government discovered Chinese computer
this situation, government security and military
network operations “Titan Rain”, which successfully forces can leverage the advantages of cyberspace
infiltrated numerous secure systems, including
to collect vital intelligence regarding adversaries’
the Department of Defense, Department of State,
intentions about critical issues, such as the ongoing
Department of Homeland Security, National
territorial disputes or the arms dynamic in the region.
Aeronautics and Space Administration, and even the The government’s current focus is to improve
British Foreign Commonwealth Office.38
conventional capabilities of the military; it would be
reasonable to supplement these capabilities and
More recently, computer security company FireEye
invest in military computer network operations.
revealed the extensive cyber espionage operation
of a group called APT30 against several states
The paradox of cyberspace is that it also allows
in Southeast Asia and beyond. This incident is
other states to steal information from computer
disconcerting because of APT30’s suspected
networks in the Philippines. There have been several
association with the Chinese government as well as reports by companies like FireEye and Kaspersky
Lab of network infiltrations against the Philippine
the group’s consistent focus on collecting specific
government, but it is unclear if security and military
information about political, military, and economic
issues in the region, and about media organizations services have CND capabilities to defend the state’s
networks against these hostile operations.41 This
and journalists who write on topics about the
39
Chinese government’s legitimacy. Considering
uncertainty is reflected in existing cyber security
these examples, espionage through cyberspace
assessments, which indicate that the Philippines is
becomes paradoxical; on one hand, it enables
deficient in military capabilities for cyber operations,
the efficient collection of intelligence, on the other
public cybersecurity assistance networks (Computer

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

Image Credit: post-gazette.com

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

08

Emergency Response Teams), and inter-agency and
intergovernmental cooperation among other areas.42
In this sense, it would be in the strategic interests
of the government to develop CND capabilities,
considering the advantages of cyberspace for
intelligence collection and the necessity for defense
against the persistent and pervasive threat of cyber
espionage by adversaries within region.
Political: Cyber Conflict
The third factor is the persistent cyber conflict in
the Asia-Pacific. The Philippines is located in a
region characterized by major shifts in the balance

of power, uneven distributions of economic power
within and between states, and intense territorial
disputes.43 Given these dynamics, there are two
crucial reasons why geopolitics in the Asia-Pacific
is integral to influencing the development of cyber
capabilities in the Philippines. First, regional
disputes and insecurities between states have
continued on from conventional conflict domains
and have manifested in cyberspace. This situation
makes the Asia-Pacific the most active
region in terms of cyber conflicts between
states, mainly due to Chinese action.44

despite the strategic
limitations of
cyberspace, the
Government of the
Philippines should consider
cyber security
as a policy priority
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

In light of the Philippines’ involvement in a territorial
dispute with China, it is likely that cyber conflict will
become a prominent tool for power projection in the
twenty-first century. This conflict has the advantage
of can delivering a strong message sans the risks
associated in conventional attacks. In addition,
the Philippines is currently entangled between
two great powers that are also engaged in hostile
action in cyberspace. A recent ground-breaking
study confirms this observation: “China needs an
outlet, and military grandstanding, with possibility
of escalation involving the Americans is something
China does not want to deal with at the moment.
China seems to be good at infiltrating foreign
networks, and this seems to be the “least”
they can do for power projection.”45

Second, other global “cyber powers” are also
located in the region. North Korea, South Korea,
and Japan all have advanced cyber capabilities
and are immersed in various political rivalries and
territorial disputes in the Asia-Pacific.46 Whereas
these rivals typically project military power and
engage in aggressive actions through the air and
maritime domains, cyber conflict has also been
used as a tool to advance foreign policy interests. It
is therefore not surprising that from 2001 to 2011,
North Korea instigated fifteen cyber attacks against
various states including South Korea, Japan and
the United States. South Korea was associated with
eighteen cyber incidents, mostly against Japan and
North Korea. Japan, meanwhile, had fifteen cyber

disputes involving China, North Korea, and
South Korea as adversaries.47
The strategic consequences of this relatively new
trend may be crucial for the Philippines as it is still
uncertain whether cyber conflict can consistently
lead to crisis instability and force states to escalate
low-risk cyber attacks into higher-risk conventional
attacks.48 In this case, the compelling reason for
the Philippines to develop cyber capabilities lies
in supporting its allies to mitigate and de-escalate
existing cyber conflicts. Even if the Philippines does
not have defense agreements with Japan and South
Korea, it could be entangled during cyber conflicts
because of its existing defense agreement with the
United States. In short, the lack of cyber capabilities
precludes the Philippines from defending itself from
cyber attacks as well as from contributing to the
security and stability of the regional cyberspace.

Policy Responses to Cyber Threats
Strategies to counter cyber threats have been
implemented by states unilaterally, rather collectively
through international institutions. There is a growing
consensus that norms and cooperation can mitigate
the uncertainty and hostility in cyberspace; however,
conflicting interests between powerful states,
exacerbated by the revelations of Edward Snowden,
make further international norm promotion
improbable.49 Responses to cyber threats have,
www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

09

therefore, been state-driven and particularly focused
on strengthening domestic law enforcement as well as
military capabilities. These responses have included
everything from recruiting potential CNO specialists to
establishing full-scale cyber commands. This section
briefly surveys the policy responses of key regional
institutions in the Asia-Pacific and the efforts of the
Government of the Philippines towards cyber security.
Regional
States in the region have invested time and resources
to address cyber threats mainly through the Asia-Pacific
Economic Cooperation (APEC) and the Association
of Southeast Asian Nations (ASEAN). The creation of
regional levels of governance has created
a collaborative space where such strategic
discussions can take place. These efforts have,
therefore, enabled states in the region to develop
transnational responses to cyber threats with shared
confidence in their neighbors based on their
similarities rather than differences.50

Image Credit: hoover.org

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

The cyber security efforts of APEC are captured
in three key documents. The first is the APEC
Cybersecurity Strategy, which was formulated by
the APEC Telecommunications and Information

Working Group in May 2002.51 The strategy called for
increased cooperation and coordination in four broad
areas: creating a legal framework; sharing information
and cooperation, producing security and technical
guidelines, training and education; and developing
wireless security technologies. The document, however,
did not provide any details regarding how the strategy
would be implemented. The second document is
the APEC Strategy to Ensure Trusted, Secure and
Sustainable Online Environment, which was drafted
during the Senior Officials’ Meeting in November 2005.52
The document highlighted the emerging cyber threat
and highlighted the need to improve the following cyber
security measures: cohesive domestic strategies, legal
and policy frameworks, incident response and recovery
capabilities, partnerships among government, industry,
academics, public awareness regarding online security,
research and development, and interstate cooperation.
Much like the previous strategy, the modified version
does not offer any concrete directions on how APEC
member states would realize these measures.

The APEC TEL Strategic Action Plan 2016-2020 is
the third and most recent document, produced by the
APEC Telecommunications and Information Working
Group in March 2015.53 The document accentuated

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

10

five key priorities, including a strong emphasis on
a secure, resilient, and trusted ICT (Information
and Communications Technologies) environment.
More importantly, the document presented an
implementation plan that prescribed the need
to undertake specific actions during the next
four years: research, capability-building, public
awareness, and intergovernmental cooperation.
Whereas the strategic plan recommends workable
and specific measures to address cyber security,
the success of the plan is largely dependent
on the level of commitment and the
resources available to each state.
Cyber security has been a concern for ASEAN
for more than a decade, but prior to the ASEAN
ICT Masterplan 2015, no clear and concrete
regional strategy was developed by the institution
to compel its member states to address cyber
threats. The problem of cyber crime was first
discussed during the 2nd Senior Officials Meeting on
Transnational Crime in 2002. State representatives
agreed on the following responses: to establish a
compilation of applicable national laws, regulations
and international treaties relating to cyber crime
legislation; work towards the criminalization of
cyber crime activities; enhance law enforcement
and intelligence cooperation; develop regional
training; coordinate with ASEAN Chiefs of National
Police (ASEANAPOL) for the analysis of cyber crime
activities; and seek training assistance from ASEAN
Dialogue Partners and international institutions.54

Following this discussion, cyber security figured
prominently in several subsequent meetings,
including the 3rd Meeting of the ASEAN
Telecommunications and IT Ministers in 2003,
where it was decided that an ASEAN Information
Infrastructure was needed as well as the
development and operationalisation of the national
Computer Emergency Response Teams by 2005.55
In 2006, the ASEAN Regional Forum released
two statements that stressed the importance of
cyber security. The first was the ARF Statement
on Cooperation in Ensuring Cyber Security, which
reinforced the need for an ARF work plan on security
in the use of ICT and more dialogue on confidencebuilding, stability, and risk reduction measures to
address the implications of ARF participants’ use
of ICT.56 The second was the ARF Statement on
Cooperation in Fighting Cyber Attack and Terrorist
Misuse of Cyber Space, which recommended the
implementation of cyber crime laws in accordance
with national conditions and continued interstate
cooperation in countering cyber crime
and terrorists’ use of cyberspace.57
The last and most current collaboration is the
ASEAN ICT Masterplan 2015 that was adopted
during the Telecommunications and IT Ministers
Meeting in 2011. The plan prioritizes cyber security
through two broad initiatives. Building trust is the
first initiative and it involves the promotion of secure
transactions within ASEAN and public awareness
about online security. Promoting information

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

security is the second initiative and it has to do
with developing a common framework for network
security and information security across the region.58

appropriate strategy to mitigate cyber conflict.

Domestic
The response of the Government of the Philippines
In reviewing the regional responses to cyber threats, towards cyber security has generally been limited
it is apparent that some barriers have been slowing
despite a significant cyber incident that transpired
the growth of cyber security efforts in the region. The in 2000. The “I LOVE YOU” virus, created by an
first barrier is the uneven distribution of resources
undergraduate Filipino computer science student,
and capabilities among states. States such as
infected around 55 million computers and
Japan, South Korea, and Singapore are clearly more generated around $10 billion worth of damage
technologically superior compared to other states
globally.60 Government prosecutors filed cases
like China, Indonesia, Malaysia, the Philippines, and against the perpetrator Onel de Guzman, but the
Thailand; but even these are considerably more
indictment was dismissed even at the first stage
advanced than states such as Brunei, Cambodia,
because there was no law punishing
Laos, Myanmar or Vietnam. Even though this
computer criminals at that time.61
“digital divide” is predominantly expressed in terms
of infrastructure development and broadband
A significant initiative towards a national cyber
penetration, the economic inequalities and low
security blueprint was the creation of the National
socio-political capacity levels present substantial
Cyber Security Plan in 2004. The plan was
challenges to these states as well.59 The second
comprehensive and reflected the government’s
barrier relates to the level of cooperation that states cyber security policy, which centers on
are willing to extend in the area of cyber security.
institutionalizing “the necessary capabilities in the
States develop CNO capabilities to obtain different
government and the private sector to adequately
strategic security objectives; therefore, it would not
meet and respond to challenges and threats against
be in their best interest to share information about
critical cyber infrastructures.”62 The plan presented
their cyber operations. In this sense, collaborative
four main strategies and corresponding programs
operations and intelligence sharing can potentially
that were part of the government’s solution
diminish the strategic advantage of cyber operations to increasing threats in cyberspace.
more than other conventional military operations.
The first strategy is to understand the risks present
Furthermore, the absence of global norms or code
through a sustained threat assessment of national
of conduct for cyberspace operations also signifies
the uncertainty and lack of consensus about the
vulnerabilities and protective measures already

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

11

being implemented by the government. The second
is risk control, which requires comprehensive
security planning, effective resolution of crisis,
and risk monitoring. The third strategy relates to
the organization and mobilization of necessary
resources and relevant stakeholders, such
as specialists from the private sector and the
international community, for the implementation of
the plan. The fourth strategy focuses on instituting
regulatory and legislative reforms crucial to
addressing the challenges of cyber threats.63
Building on the cyber security policy, the National
Cybersecurity Coordination Office prepared an
operational framework in 2008. The National
Cybersecurity Coordination Strategy and
Implementation Plan proposed a coordination
strategy that comprised on five execution programs:
Cyber Security Legal Regime; Critical Cyber
Infrastructure Security Threat and Vulnerability
Reduction; Critical Cyber Infrastructure Security
Awareness, Education and Training; Critical Cyber
Infrastructure Security Incident Response and
Consequent Management; and National and
International Coordinating Mechanisms.64
More importantly, the plan justified the urgent
need for inter-agency cooperation through the
establishment of centralized committee and the
consistent participation of different government
bodies and private organizations securing Philippine
cyberspace. However, while the implementation
plan was comprehensive and ambitious in theory,
as of yet there is no clear evidence or report that

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

discusses the status or completion of the programs proposed in the plan.
The last and most recent cyber security initiative by the Government of the
Philippines is Executive Order No. 189, which was released on September
17, 2015. The Executive Order was drafted in response to increasing cyber
threats, and in particular intended to address the theft of classified and sensitive
electronic information and to assess national vulnerabilities of government and
commercial information systems.65 It prescribes several measures, the most
salient of which are the reestablishment of the National Cyber Security InterAgency Committee, the formation of a National Cyber Security Coordination
Center, the creation of Computer Emergency Response Teams in all government
offices, and the transfer of the new Cybercrime Investigation and
Coordinating Center from the Office of the President to the
National Cybersecurity Inter-Agency Committee.66
The objectives of Executive Order are appropriate and reasonable, yet there are
two fundamental concerns that the government seemed to have missed. First,
there was no discussion about the sustainability of the initiatives proposed in
the document. Considering that the current government will be stepping down
in 2016, it is uncertain whether the plans will be continued by the next set of
political leaders. Second, the document does not provide any policy guidance
regarding offensive and defensive cyber operations. It is not possible to
secure national critical infrastructure and information systems
without a clear and integrated strategy for cyberspace.
Thus, the government’s response to cyber threats can be described as
acceptable but nevertheless incoherent. An evaluation of previous cyber security
initiatives suggests that there are no consistent links or continuation between
the initiatives of the previous and the current government. This incoherence is
a contributing factor towards the underdevelopment of the cyber capabilities in
the Philippines. Nevertheless, the lack of capabilities can also be an opportunity
for the next president given the rapidly increasing dependence of states on
cyberspace. The succeeding section offers some ideas about the relevance of
integrating cyber security as a national security priority in the Philippines.

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

12

Considerations for the Next President
Since previous efforts in creating a cyber strategy
were incoherent, the next president has the
opportunity to ensure strategic coherence in
addressing cyber threats. There are two initial steps
in producing a cyber strategy: assessment and
development. The first is to assess the status and
outcome of previous government initiatives on cyber
security such as the National Cyber Security Plan
and Executive Order No. 189. The assessment
would have two objectives. The first is to determine
if existing cyber organizations have the sufficient
expertise, appropriate resources, and proper
procedures to defend the state. The second is to
evaluate if the existing inter-agency coordination and
implementation mechanisms are in place and are
actually working. This assessment is necessary to
establish continuity and avoid wasting
resources during government transitions.
The second step is to develop cyber strategy
that builds on the efforts of the previous
government. There are five levels of strategy
where the government needs to integrate cyber
security: policy, grand, military, operational, and
tactical.67 Policy refers to the set of objectives

to be accomplished by the government.68 A national security policy typically
explains the main priorities and objectives of the president of a state. If cyber
security is to be a priority, the national security policy should explicitly explain the
relevance of cyber security and its value for the state. Grand strategy denotes the
coordination of all national assets towards the attainment of policy objectives.69
The grand strategy provides more details about the cyber strategy of the
government such as the relevant cyber organizations, the system of coordination,
management of capabilities, and cooperation with international institutions if
possible. The military strategy refers to use of military power in support of the
grand strategy.70 A national military strategy, thus, discusses the objectives,
general approaches, and the resources of the armed forces in preserving the
national security of a state. In terms of cyber security, this strategy should explain
the military’s role in cyberspace and give the public a general sense of
the type of military actions involved in securing the cyberspace.
An operational strategy has to do with the cumulative and coordinated tactical
actions undertaken to achieve a specific operational goal.71 Since goals at the
operational level are diverse, integrating cyber operations into military operations
would involve engagements ranging from disabling a command and control
system of a military base to disrupting the infrastructure protocols of a military
production facility. Lastly, a tactical strategy refers to the details of combat,
specifically deployments, engagement with the enemy, and interaction between
different units of the military.72 Cyber operations at the tactical level would entail
detailed actions, including the development of cyber units in each military
service, the type of response against cyber attacks, and the
coordination between different military cyber units.

Image Credit: forbescustom.com

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

13

Conclusion
Cyber security is still a weak aspect of Philippine
national security. The lack of discussion regarding
the challenges and opportunities relating to
cyberspace is impeding current efforts to address
increasing cyber threats against the state. Given
these circumstances, there are three reasons
why the Philippine government should consider
cyber security as a policy priority. The first is that
the economic losses to cybercrime are escalating
and law enforcement agencies do not necessarily
have the capabilities to handle the massive volume
of incidents. The second is cyber espionage has
become a predominant method of intelligence
collection and it is not clear if the military has the
capabilities to detect and counter these operations.
Third is that the territorial disputes and political
conflicts in the Asia-Pacific region have “spilled over”
into cyberspace, therefore making the region the
most active in terms of cyber conflict.

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

Reponses to cyber threats have mainly been
implemented by states, rather than collective action
through by international institutions. Whilst there is
a growing consensus that norms and cooperation
can mitigate the uncertainty and hostility in
cyberspace, conflicting interests between powerful
states, aggravated by the revelations of Edward
Snowden, make international norm promotion more
difficult. States in the region have invested time
and resources to address cyber threats through
the Asia-Pacific Economic Cooperation and the
Association of Southeast Asian Nations but these
efforts are limited; although cyber security has
been a topic of concern for the last decade, more
concrete plans have only been articulated in the
last few years. Domestic responses to cyber threats
have been limited since most of the efforts have
focused on establishing legal frameworks to enable
law enforcement. There is no indication that the

previous and current government has mandated
the investment in capabilities for military
operations in cyberspace.
In this regard, the next president has the genuine
opportunity to consider cyber security as a core
national security priority and to ensure strategic
coherence in addressing cyber threats. Strategic
coherence can be enhanced by integrating cyber
security measures in all levels of strategy: policy,
grand, military, operational, and tactical. More
significantly, the next president must realize that
the topic of cyber security is no longer just for the
“IT crowd.” An interdisciplinary approach to cyber
security that draws on a range of expertise and
involves all government agencies is necessary to
protect Philippine national interests in cyberspace.

www.stratbase.com.ph

OCCASIONAL PAPER JANUARY 2016

14

ENDNOTES:

Rid T. (2013). Cyberwar will Not Take Place. London: Hurst & Co. Ltd, xiv-xv.
2

United Nations Institute for Disarmament Research (2013). The Cyber Index International Security Trends and Realities Geneva, Switzerland: United Nations.
3

For a more detailed discussion on these assumptions see Lynn III, W. J. (2010)
Defending a New Domain: The Pentagon’s Cyberstrategy Foreign Affairs 89 (5), 97108, Nye Jr., J. S. (2011). The Future of Power New York: Public Affairs, Libicki, M.
(2009) Cyberdeterrence and Cyberwarfare Santa Monica, CA: RAND Corporation.
4

Sheldon, J. (2011). Deciphering Cyberpower: Strategic Purpose in Peace Strategic Studies Quarterly 5(2), 95-112.
5

Freedman, L. and Raghavan, S. (2008) “Coercion” In Paul Williams (ed.) Security
Studies: An Introduction London: Routledge, 217-218.
6

Mansbach, R. W. and Taylor, K. L. (ed.) (2011) Introduction to Global Politics 2nd
Edition London: Routledge, 297.
7
Ibid
8

Libicki, M. (2013) Brandishing Cyberattack Capabilities Santa Monica, CA:
RAND Corporation, vii-xi.
9

Lindsay, J. (2013) Stuxnet and the Limits of Cyber Warfare. Security Studies (22)
3, 385-389.
10

Gartzke, E. and Lindsay J. (2015) Weaving Tangled Webs: Offense, Defense,
and Deception in Cyberspace. Security Studies 24 (2), 346.
11
Ibid
12

Cartwright, J. E. (2010). Joint Terminology for Cyberspace Operations Washington D.C.: U.S. Department of Defense.
13

Rid, T., and McBurney, P. (2012). Cyber-Weapons. RUSI Journal 157 (1), 7.
14

Definitions adopted from Carr, J. (2010), Inside Cyber Warfare: Mapping the Cyber Underworld Sebastopol, CA O’Reilly Media, Reveron, D. (Ed.). (2012). Cyberspace
and National Security: Threats, Opportunities, and Power in a Virtual World Washington
D.C.: Georgetown University Press, 8, and Valeriano, B., and Maness, R. (2015). Cyber
War versus Cyber Realities. Oxford: Oxford University Press, 33-37.
15

Easton, D. (1953). The Political System: An Inquiry into the State of Political Science New York: Alfred Knopf, 5.
16

Nye, The Future of Power New, 123
17

Rid et, al., Cyber-Weapons, 7
18

Valeriano et. al., Cyber War versus Cyber Realities, 31
19
Ibid
20

Nye, The Future of Power and Lindsay, Stuxnet and the Limits of Cyber Warfare
21

Patton A., et. al., Occupying the Information High Ground: Chinese Capabilities
for Computer Network Operations and Cyber Espionage, Washington D.C.: US-China
Economic and Security Review Commission, 2012.
22

Jun, Jenny, et. al. (2014). The Organization of Cyber Operations in North Korea
Washington D.C.: Center for Strategic and International Studies.
23

International Police (2015) Cybercrime Retrieved from http://www.interpol.int/
Crime-areas/ Cybercrime/Cybercrime
24

Reveron, Cyberspace and National Security
25

Weimann, G. (2004). Cyberterrorism How Real Is the Threat? Washington D.C.:
United States Peace Institute.
26
Ibid
27

Healey, Jason (ed.) (2013) A Fierce Domain in Cyberspace, 1986-2012 Virginia:
Cyber Conflict Studies Association, 141-142; Berghel, H. (2001) The Code Red Worm
Communications of the ACM (44) 12, 15-19.
28

Stiennon, R. (2015) “A Short Histroy of Cyber Warfare” In James Green (ed.)
Cyber Warfare: A Multidisciplinary Analysis London: Routledge, 9-10.
29

Blank, S. (2008) Web War I: Is Europe’s First Information War a New Kind of
War? Comparative Strategy (27) 3, 227-247.
30

Lindsay, Stuxnet and the Limits of Cyber Warfare; Falliere, N. (2011) W32.Stuxnet Dossier. Mountain View, CA: Symantec Corporation, 1-3.
31

Valeriano et. al., Cyber War versus Cyber Realities, 173-175;
32

Exaggerations of war in cyberspace are discussed in Sutherland, B. (2011) The
1

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

Economist: Modern Warfare, Intelligence and Deterrence: The technologies that are
transforming London: Economist Books, Arquilla, J., (27 February 2012) Cyberwar Is
Already Upon Us [Web log post]. Retrieved from http://foreignpolicy.com/2012/02/27/
cyberwar-is-already-upon-us/ and Palette, D. et. al. (12 October 2015) Cyberwar Ignites a New Arms Race. Wall Street Journal. Retrieved from http://www.wsj.com/articles/cyberwar-ignites-a-new-arms-race-1444611128
33

Lewis, J. (2014). Net Losses: Estimating the Global Cost of Cybercrime Washington D.C.: Center for Strategic and International Studies.
34

Guillermo, J. (2015). Local Cybercrime Landscape [PowerPoint slides] Retrieved
from http://aseanfic.org/2015/wp-content/uploads/2015/02/Philippine-CybercrimeLandscape-ASEANFIC.pdf
35

Bartolome, J. (2014, November 1) Nearly P400M lost to ATM fraud from 2012
to 2013, says lawmaker [Web log post.] Retrieved from http://www.gmanetwork.com/
news/story/ 386207/ money/economy/nearly-p400m-lost-to-atm-fraud-from-2012-to2013-says-lawmaker
36

Sy, Geronimo L. (2015). Philippines 2014-2015 Cybercrime Report The Rule of
Law in Cyberspace Manila: Department of Justice.
37
Ibid
38

Seagal, A., (2013) “From Titan Rain to Byzantine Hades” In Jason Healey (ed.) A
Fierce Domain in Cyberspace, 1986-2012 Virginia: Cyber Conflict Studies Association,
165-167.
39

Kujawa, A. (2015). APT30 and the Mechanics of a Long-Running Cyber Espionage Operation Milpitas, CA: FireEye.
40

Domingo, F. (2015, 27 February). Intelligence as the Philippines’ First Line of Defense [Web log post]. Retrieved from, http://nottspolitics.org/2015/02/27/intelligenceas-the-philippines-first-line-of-defense/
41

Kujawa, APT30 and the Mechanics and Donohue, B. (19 May 2015). Naikon
APT steals geopolitical data from the South China Sea [Web log post]. Retrieved from
https://blog.kaspersky.com/ naikon-apt-south-china-sea/8696/
42

International Telecommunications Union (2015). Global Cybersecurity Index Geneva, Switzerland: ITU and Feakin, T., et. al. (2015) Cyber Maturity in the Asia-Pacific
Region Canberra: Australian Strategic Policy Institute.
43

Betts, R. K. (1994). Wealth Power, and Instability-East-Asia and the United
States After the Cold War International Security 18(3), 34-77 and Christensen, T. J.
(1999). China, the US-Japan Alliance, and the Security Dilemma in East Asia. International Security 23(4), 49-80
44

Valeriano et. al., Cyber War versus Cyber Realities, 128
45
Ibid
46

Wicherski et. al. (2011) Ten Days of Rain Santa Clara, CA: McAfee; Booz Allen
Hamilton (2001) Cyber Power Index: Findings and Methodology Virginia: author; Valeriano et. al., Cyber War versus Cyber Realities
47

Valeriano et. al., Cyber War versus Cyber Realities, 84-90
48

Gompert, D., and Libicki, M. (2014). Cyber Warfare and Sino-American Crisis
Instability. Survival, 56(4), 7-22.
49

For more on the debate about cyber norms see Stevens, T. (2012). A Cyberwar
of Ideas? Deterrence and Norms in Cyberspace Contemporary Security Policy 33 (1),
148-170 and Farell, H. (2015). Promoting norms for Cyberspace Cyber Brief New York:
Council on Foreign Relations.
50

Thomas, N. (2009). Cyber Security in East Asia: Governing Anarchy Asian Security 5 (1), 19-20.
51

Richardson, J. (2002) APEC Cybersecurity Strategy Singapore: Asia-Pacific
Economic Cooperation
52

Asia-Pacific Economic Cooperation (2004) APEC Strategy to Ensure Trusted,
Secure and Sustainable Online Environment Retrieved from http://www.apec.org/~/
media/Files/ Groups/TEL/05_TEL_APECStrategy.pdf
53

Asia-Pacific Economic Cooperation (2015) APEC TEL Strategic Action
Plan 2016-2020. Retrieved from http://www.apec.org/~/media/Files/Groups/
TEL/20150331_APEC%20TEL% 20Strategic%20Action%20Plan%202016-2020.pdf
54

Association of Southeast Asian Nations (2002) Work Programme to Implement
the ASEAN Plan of Action to Combat Transnational Crime. Retrieved from http://www.

asean.org/ communities/asean-political-security-community/item/work-programmeto-implement-the-asean-plan-of-action-to-combat-transnational-crime-kuala-lumpur17-may-2002
55

Association of Southeast Asian Nations (2003) 3rd Meeting of the ASEAN Telecommunications and IT Ministers. Retrieved from http://www.asean.org/communities/
asean-economic-community/category/asean-telecommunications-and-it-ministersmeeting-telmin
56

ASEAN Regional Forum (2012) ARF Statement on Cooperation in Ensuring Cyber Security. Retrieved from https://ccdcoe.org/sites/default/files/documents/ASEAN120712-ARFStatementCS.pdf
57

ASEAN Regional Forum (2006) ARF Statement on Cooperation in Fighting Cyber
Attack and Terrorist Misuse of Cyber Space. Retrieved from http://www.mofa.go.jp/
region/asia-paci/asean/conference/arf/state0607-3.html
58

Association of Southeast Asian Nations (2011) ASEAN ICT Masterplan 2015.
Retried from http://www.asean.org/resources/publications/asean-publications/item/
asean-ict-masterplan-2015
59

Thomas, Cyber Security in East Asia, 4-5
60

Poulsen, K. (2010, May 3) May 4, 2000: Tainted ‘Love’ Infects Computers Retrieved from http://www.wired.com/2010/05/0504i-love-you-virus/
61

Sosa, g. (2009). “Country Report on Cybercrime: The Philippines” In M. Sasaki,
Resource Material No. 79 Paper Presented at International Training Course: The Criminal Justice Response to Cybercrime, Tokyo, Japan: United Nations Asia and Far East
Institute, 80-87.
62

Milallos, M. and Romero, S. (2004). National Cyber Security Plan Manila: Office
of the President, Task Force for the Security of Critical Infrastructure, 32.
63

Ibid, 34-42.
64

National Cyber Security Coordination Office (2008). National Cyber-security Coordination and Implementation Strategy Quezon City: Author.
65

Executive Order No. 189 (2015)
66
Ibid
67

Kane, T. and Lonsdale, D. (2011). Understanding Contemporary Strategy London: Routledge, 13.
68

Clausewitz, Carl von (2008). On War (M. Howard and P. Paret, trans.), Oxford:
Oxford University Press, 28-29
69

Hart, B. H. Lidell (1967) Strategy: An Indirect Approach London: Faber & Faber,
335.
70

Kane et. al., Understanding Contemporary Strategy, 13
71

Ibid, 14
72

Ibid, 14

www.stratbase.com.ph

9.1
VOLUME

ABOUT
Francis Domingo

is Assistant Professor of International Studies at De La Salle
University and concurrently a doctoral researcher affiliated with the Centre for
Conflict, Security and Terrorism and the Institute of Asia and Pacific Studies
at University of Nottingham. His current research explores the strategic
utility of cyber capabilities for small states. He holds an MA in Intelligence
Studies from Brunel University London (2009) and an MRes in Strategic Studies
from University of Reading (2014). His research has been published in
Defense and Security Analysis, Military and Strategic Affairs,
and Strategic Analysis, among other journals.
Before joining academia, he worked with the Armed Forces of the
Philippines as a research analyst with the Office of Strategic and
Special Studies (OSS), where he contributed to a number of
assessments on sensitive political and security issues.

Stratbase’s Albert Del Rosario Institute
is an independent international and strategic research
organization with the principal goal of addressing the
issues affecting the Philippines and East Asia
9F 6780 Ayala Avenue, Makati City
Philippines 1200
V 8921751
F 8921754
www.stratbase.com.ph
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.

Image Credit: rfa.com and hoover.org