In 2020, a cyber-attack on a German hospital disrupted the operations of the hospital’s emergency facility. A 78-year-old lady being transported to the facility was diverted to another hospital 32 kilometers away, which resulted in her death. This scene is not lifted from a medical drama or a movie. It is an event of a kind that is happening now and is expected to happen more often as cyber criminals target critical information infrastructures (CIIs).
In the years to come, cyberspace is expected to be exploited more by criminals, terrorists, and even governments to push their agendas. Currently in Ukraine, the war has moved to cyberspace, with the country's government and critical infrastructure bombarded with cyber-attacks.
As most critical infrastructure is now connected to the internet, threat actors are increasingly targeting not only data but also control systems. This landscape compels governments to come up with strategies to protect their critical assets and infrastructure and reduce the attack surface.
In the Philippines, the National Cybersecurity Plan (NCSP), the national strategy for cybersecurity, is being reviewed and updated. Prior to its publication, however, the Department of Information and Communications Technology (DICT) released on July 1 a white paper on “The Need for Philippines Security Standards and Framework in 5G Equipment,” detailing the need for an ICT Equipment Certification and Testing Facility that would “ensure the evaluation of ICT equipment used by the CII has complied with the baseline of industry security standards.” The facility should be tied to the Common Criteria framework and would use the expertise of the National Telecommunications Commission (NTC), the Department of Trade and Industry (DTI), the Department of Science and Technology (DOST), and premier universities in standards, research and development, and engineering practices in testing, development, and evaluation.
Standards play a vital role in cybersecurity. Generally, the objective of cybersecurity standards is to mitigate or prevent cyber-attacks by reducing the risks of ICT equipment and critical assets. Standards are usually used in the absence of testing centers and act as a reference for organizations, industry, and regulators in doing risk assessment and managing potential impact. Adopting a globally acceptable standard means that critical assets and infrastructure coming into the country subscribe to the tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies of that particular standard.
DICT’s paper focused on the need for standards for the telecommunications sector, a critical information infrastructure (CII) that is prone to cyber-attacks and a favorite target of cyber actors, as shown by statistics from the country’s National Computer Emergency Response Team, CERT-PH. With the entrance of the controversial 5G technology, it is becoming more challenging for the Philippines to protect its networks and assets and minimize the impact of cyber-attacks. The paper outlined the adoption of several standards for the telecoms sector, including ISO/IEC 27001, which is an international standard on managing information security; ISO/IEC 27002, which provides guidelines for organizational information security standards; and the Network Equipment Security Assurance Scheme (NESAS), a security assurance framework that facilitates improvements in security measures across the mobile industry.
In its effort to adopt these standards, DICT has conducted a series of stakeholder consultations, starting in September last year, to discuss the merit of adopting minimum equipment security standards in telecommunications. Currently, the Department is working with NTC and DTI’s Bureau of Philippine Standards on the adoption of 5G Standards.
With this bold move, is the Philippines on its way to building a cyber-resilient nation? After all, cybersecurity should be inherent in a country’s growth strategy, and not just an afterthought.