THE proliferation of fake news in the Philippines is giving cyber criminals a platform to attack, and unfortunately, the country is now facing a perfect storm in cyber security given its weak infrastructure, still in its infancy stage in addressing cyber security problems.
According to cyber security experts, the Philippines is a perfect target for attackers given its sustained economic growth, with continuing threats on various fronts, whether they be domestic crime and violence, an ongoing communist insurgency, terrorism, or cyber threats.
“It’s not a matter of if but when you’re going to get hacked,” said Gene Yu, chairman and founder of Asia-based cyber security company Blackpanda, in an interview held via Zoom.
Law too slow
Click a fake news article, or click a fake website, and you open yourself to cyberattack. You may be giving hackers a chance to infect your gadget with another software that would allow a cyber thief to access passwords, or even withdraw or transfer money.
“Technology is advancing so fast the law cannot keep up with it. Law is slow,” Yu told PhilSTAR Life in an interview via Zoom.
Blackpanda was co-founded by Yu in 2015 and set up with the help of fellow former green berets, or members of the US Army Special Forces, with the goal of being the leader in providing bespoke security consulting and crisis management services in Asia Pacific.
Blackpanda put up its own headquarters in the Philippines sometime in 2015, but left last year realizing that while the Philippines was a rising market for the firm, it lacked the interest to confront it, now making it an easy target.
“There’s just so much cyber business ongoing and there’s such a gap in the Asia region,” Yu said.
No takers in PH?
“We also discovered as you pointed out that the Philippines is in its infancy when it comes to cyber security but the market was too small for us to quickly concentrate there like we did with physical security.”
In 2017, Blackpanda was tapped by Resorts World Manila to be in charge of improving the entertainment complex’s security after its casino was attacked by a lone gunman. An online news agency kept on saying it was a terrorist attack, despite lack of evidence.
Yu said there was a problem with the general mindset of the business industry on cyber security as compared to physical security. He said this is a possible reason why Philippine businesses were vulnerable to cyberattacks. Like threats to physical security, he said, threats to cyber security are real.
‘Why do you lock your door?’
“The general attitude is ‘why would anybody attack us?’” he said. To this, however, Yu had a simple response. “Well, if you think of yourself so unimportant (to thieves, or in this case, cyberattackers), why do you even lock your door?”
Whether they like it or not, Yu said people have to deal with the reality of the security game that sets those who are prepared apart from those who are not. And those who wish to protect their data have to build walls enough to discourage intruders who are setting up ladders, he added.
Yu said the cyber security landscape has become so complex and challenging with the increased use of technology and the dominance of cyberspace not just as an added layer but as the main platform for human communication and interaction.
Today, threats to security abound, compelling one to pay attention to digital literacy, especially in terms of cyber security.
In 2019, for instance, global cyber security company Kaspersky reported that the Philippines ranked 4th among countries with the highest number of cyberattacks, with 44.4 percent of its Kaspersky users being targeted by almost 28 million web-borne threats. The Philippines was the most attacked country in Southeast Asia.
Yu said this showed a kind of realist view on the predatory nature of cyberspace. “Fundamentally, unfortunately, human beings have been hurting each other the same way probably since the first human being ran into another human being,” he said.
The same principle, according to Yu, extended to online platforms.
While false information (often called fake news) undermines the integrity of social media platforms, cyberattacks could result in compromised and stolen data and other assets if one is not careful.
In cyber security parlance, a breach occurs right when there is unauthorized access to data, which may begin while clicking a fake, an unknown, but innocuous website.
Online intruders are using fake news, usually via phishing, to try to entice a netizen into downloading an attachment that takes him to compromised accounts.
It goes without saying that data involved in breaches are not just any kind of data.
These are usually personal and thus private information needed to conduct transactions online, such as individuals’ names, addresses, contact numbers, bank account details, credit card details, passwords, and security numbers, among others. These are just enough for identity theft to take place, as well as unauthorized purchases and mysterious fund transfers.
Fast food stores not spared
In the Philippines over the past few years, some major businesses were interrupted by breaches.
The breach of the former’s website exposed over 80,000 records of personal data while that of the latter compromised data of about 18 million customers.
In the Philippines, data breaches are reported to the NPC, the body in charge of implementing Republic Act 10173 or the Data Privacy Act of 2012.
Singapore doing better
Several factors, however, pose a serious challenge to improving cyber security in the Philippines. For one, from a political perspective, although there are laws in place such as the Cybercrime Prevention Act of 2012 and the Data Privacy Act of 2012, government regulation still needs to be more strictly focused on cyber security.
In a column for The Philippine Star last January 2020, former Foreign Secretary Roberto Romulo pointed out the Philippines should consider adopting something similar to Singapore’s Cybersecurity Act, which deals not just with day-to-day cybercrimes but also with cyberterrorism and cyberwar.
Yet government regulation on cyber security, Yu noted, is an issue in Asia in general. “A lot of times it’s not mandatory. So, we do see a lot of clients that do not report to their customers where their data is.”
Although the incidents did not specify any further details, Yu explained a common type of attack done by hackers was through ransomware.
“Ransomware is when somebody comes in and penetrates your network and encrypts all of your data. And until you pay a certain amount of money usually through cryptocurrency, then you’ll never see your data again.”
Other industries are not spared by cyberattacks, as was the case in January 2019 when pawnshop Cebuana Lhuillier suffered a breach, exposing data of over 900,000 accounts. Then, three months later, data from Cebu Pacific’s rewards server GetGo were downloaded by Pinoy LulzSec, a local hacking group. The airline had served more than 20 million passengers based on its reported statistics the previous year.
Stealing vaccine formula
Yu shared it is easy to understand major companies attract hackers because they have the money. “The high-risk businesses that everybody will specifically target will still be the companies with actual cash.” He added, “Financial institutions are extremely high-risk. Online gaming platforms—actual cash is sitting in there. This sort of platform is very high-risk.”
Yu said the healthcare sector is also at risk, especially these days given the ongoing COVID-19 pandemic, “Many hackers are trying to hack pharmaceutical companies to steal their vaccine solutions.”
By all means, government websites are also targeted by hackers.
Election data, too
One would recall the Commission on Elections was on the receiving end of a series of attacks made by Anonymous Philippines and Lulzsec Pilipinas weeks prior to the 2016 elections. The former defaced the Comelec website while the latter leaked at least 312 GB worth of voters’ information and registration data on Facebook.
Anonymous Philippines member Paul Biteng, known as PhantomHacker Khalifa in the hacker community, was arrested by the National Bureau of Investigation just weeks after the March 2016 incident Biteng was charged with violation of RA 10175 or the Cybercrime Prevention Act of 2012, but was acquitted by the Manila Regional Trial Court in February 2020.
It is a given that governments are prone to attacks, Yu explained. “Definitely, governments and government agencies are very high-risk targets. That’s been true, I mean, always, if you think about the security that sits around the White House or Malacañang.”
One could only imagine what would happen if attackers had control of very sensitive government information. “Because, wow, what very important information, right?” Yu said. “What’s more sensitive than the present location of President Duterte or Trump?” Or, say, the functionalities of vote counting machines used for national elections—the very reason many were concerned as to whether they could be assured by the Comelec of a secure election last 2016.
‘Cyber firefighters’ 24/7
After a breach is detected, what should individuals or companies do next? This problem of incident response is what only a few companies like Blackpanda address.
“We’re the guys you call after you’ve been breached,” Yu said. “We’re the cyber firefighters that come in to put out the fire.”
Yu explained Blackpanda’s cyber incident response services also include digital forensics and cyber crisis management, “The forensics aspect will look through the rubble, figure out how the bad guys got in, and tell you how to fix yourself going forward.”
The Philippines needs to install cyber security measures, Yu said. Compare it to physical security, say two houses: one has high walls, the one is exposed. Who do you think is more vulnerable? “Criminals do not like challenges,” he said.
Editor’s Note: The author was a risk analyst for Blackpanda from 2018 until 2019 when the company moved its operations from Manila to Singapore.