Short-Staffed Philippines Cyber Agency Asks Hackers for Help
DICT Says Budget Cuts and Lack of Skilled Resources Are Hampering Incident Response
Budget cuts and a lack of skilled cybersecurity professionals have forced the country's cybersecurity agency to ask hackers for tips and guidance on emerging threats, according to a top government official.
Jeffrey Ian Dy, undersecretary of the government's Department of Information and Communications Technology, told Bloomberg the department's cyber response team presently has about 35 members, far short of the numbers needed to adequately respond to cybersecurity threats.
"Do we even have the capability, with just 30 people looking at each and every weakness? We do not. We do our best to defend the republic," Dy said.
He said the lack of essential cybersecurity personnel has forced the department to reach out to black hat hackers - malicious cyber actors who operate in a clandestine manner. Although these hackers may have previously targeted Filipino agencies and organizations, they are now willing to offer tips and insights to DICT on how to respond to cyberthreats, Dy said.
DICT is spearheading the government's digital transformation efforts and is responsible for the country's information and communication technology infrastructure. Its cybersecurity bureau investigates incidents, but the responsibility is shared with other agencies, such as the national police, the Anti-Cybercrime Group and the Cybercrime Investigation and Coordinating Center.
The government agency's resource concerns follow similar distress calls made over the past year. A department official told CNN Philippines in October that DICT's cybersecurity budget for 2023 was cut in half from PHP 600 million to PHP 300 million as the government earmarked the rest as confidential funds.
DICT Secretary Ivan Uy said the budget cuts could prevent DICT from renewing security subscriptions, upgrading systems and training cybersecurity experts, and the agency could become a victim of a cybersecurity incident, as did PhilHealth, which was hit by Medusa ransomware in October, affecting the data of 13 million people.
DICT Assistant Secretary Renato Paraiso told ANC in October that the department could not compete with private and overseas organizations to recruit skilled cybersecurity professionals due to its lack of funds. "The bigger issue is a brain drain of cybersecurity experts here in our country. There is a need for the government to upskill, train cybersecurity experts inside government," he said.
Sherwin Ona, associate professor at Manila-based De La Salle University, told Information Security Media Group that the cybersecurity staff shortage affects all of the Philippines because some of the best professionals in the country move overseas for better employment opportunities (see: Philippines' Cybersecurity Initiatives Running Out of Time).
He said the country has only 200 certified professionals compared to the 180,000 needed to meet resource demands. DICT's ability to recruit more personnel is complicated by the fact that it has to compete for funds with other government offices such as the e-government and digital connectivity offices.
"DICT has its hands tied behind its back. It does not have positions to hire technical people, and any decision to hire certified cybersecurity professionals will have difficulty being approved," Ona said. "This is why the government is facing difficulty in upgrading cyber readiness because it cannot hire people with the right skills and competence."
The Philippines armed forces, which decided to create a new Cyber Command in 2023, is also competing for resources. The Cyber Command, initially formed as a cyber battalion in 2013, also has to compete for funds with other military units that require huge investments in modernization.