By Miguel Gil
MANILA – Senator Sherwin Gatchalian on Sunday called on all government agencies and the private sector to beef up their protection against cybersecurity threats, taking note of the hacking of the Philippine Health Insurance Corp. (PhilHealth) that remains unresolved.
“It is high time that we take the necessary steps to protect our critical information infrastructure by ensuring, at the minimum, compliance with international standards and globally accepted best practices for cybersecurity,” he said in a news release.
Gatchalian filed Senate Bill 2066, or the Critical Information Infrastructure Protection Act, mandating all covered critical information institutions (CII) to adopt and implement adequate measures to protect their information and communications technology (ICT) systems and infrastructures and respond to and recover from any information security incident.
It also mandates the Department of Information and Communications Technology (DICT) to determine and update information security standards and require CII institutions to comply with such standards.
The National Computer Emergency Response Team (NCERT) will be the central authority for computer emergency response teams in the country and will administer the centralized information security incident reporting mechanism that would cover industries that include banking and finance, broadcast media, emergency services and disaster response, energy, health, telecommunications, and transportation, among others.
Winthrop Yu, chair emeritus of the Internet Society’s Philippine Chapter, noted that the cyber attackers have already “dropped” some 600 GB worth of data exfiltrated from PhilHealth, which in his opinion is somewhat large to be just employee data.
He said the public will have a clearer picture as to the extent of the breach when skilled cyber forensics investigators look deeper into the released files.
“It is unclear what data was exfiltrated as PhilHealth continues to issue updates and clarifications. What is clear is that yet another government system has been compromised. Moving forward, buying off-the-shelf solutions and appliances will not solve the problem,” Yu said in an interview on Sunday.
He was referring to commercial off-the-shelf cybersecurity solutions, which are broadly defined as software and/or hardware products that are commercially ready-made and available for sale, lease, or license to the general public.
In contrast, customized software solutions are tailor-made for the specific requirements of an organization and are generally considered more ideal for the needs of large and sensitive organizations.
Lito Averia, president of the Philippine Computer Emergency Response Team, said the government should look beyond the acquisition of cybersecurity solutions from various vendors.
“Employees should have been properly trained in the practice of cyber hygiene and been made aware of the types and manner of potential cyber-attacks like recognizing phishing attacks. Proper security measures include physical protection measures like physical access control to protect the computer hardware and network from unauthorized access,” he told the Philippine News Agency (PNA).
“In terms of technical measures, proper segmentation of the network and databases could have been implemented to prevent wholesale data breach. Regular data backups should also be created to ensure that data will be accessible in the event that databases are locked by ransomware,” he added.
As of 7:54 on Oct. 6, PhilHealth posted on Facebook that “100% of #MyPhilHealth front-facing apps were restored today @ 7PM.”
“Last batch restored: egroup (for group enrolment), Point of Service (for social welfare assistance), ePOAF (user account request for employers), and iCares (for PhilHealth CARES),” the post added.
Gatchalian said more Filipinos and businesses rely on digital technologies to perform their daily tasks, especially after the Covid-19 pandemic.
On average, Filipinos are estimated to use and consume 4.3 more digital services compared to pre-pandemic years.
E-commerce also continues to grow exponentially, and sales are expected to be valued at USD10.3 billion by 2025, the senator said, citing estimates made by GlobalData.
“With the increased use of digital technologies in our daily lives, malicious actors, from casual scammers to highly sophisticated state-based groups, hunt for vulnerabilities in ICT systems and networks to steal information, disrupt essential services, and profit from attacks,” Gatchalian said. (With reports from Miguel Gil/PNA)