Debunking Errors in a Proposed Philippine Cybersecurity Framework


This is the inescapable conclusion one will have upon reading Francis Domingo’s opinion piece in the November 18, 2013 issue of Philippine Daily Inquirer, “Points to consider in securing Philippine cyberspace”. While Domingo raises a valid concern on the continual growth of the cybersecurity threat, his recommendations fail to address it. Worse, if followed, his recommendations may prove disastrous.


The Cybersecurity Threat Continuum 

“More people may decide to engage in cyber-attacks because of the low barriers to entry, anonymity and presence of others involved in similar activities.

“Performing various operations in cyberspace is not difficult because the resources and knowledge required to exploit and disrupt infrastructure are modest compared to the requirements of exploiting other domains of conflict such as land, sea, air and even space.

“Any individual with sufficient technical knowledge and has access to information communication technologies can execute cyber-attacks.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo points out correctly that cyberattacks will continue to grow in number, scope, and impact; he correctly points out that performing such attacks are less difficult than physical violence, and puts forward a valid observation that anonymity may be a factor in choosing to perpetrate crime or fraud, destruction and disruption, or enter into conflict via cyberattacks over conventional means.

The possibilities available, however, do not constitute a simple menu of choices. Cybersecurity threats are more accurately depicted in a continuum:


From left to right, the diagram describes two parallel concepts: first, that of actors — from an individual, through loosely-affiliated groups, to large, structured organizations — and, second, that of level of skill — how the increasing availability of skills and/or skilled manpower can be used as resources to plan, execute, and follow-through on a cyberattack.

From bottom to top, the diagram describes the potential damage that can result, especially from a deliberate cyberattack. For instance, the potential damage that can be caused by a prankster will be less than that of a dupe, as the former may be restrained by conscience while the latter is subject to the will of another person or group, who may feel no such restraint. Likewise, it is understandable that organized groups with larger pools of manpower and skillsets, as well as the drive to gain such skills and employ them, will have higher scales of potential damage than amorphous groups or individuals. It is equally interesting that the individuals and groups moving up the potential damage scale can be classed together into fairly distinct sets of motivations for cybercrime and cyberattack, as shown by the right-hand scale.

The cybersecurity continuum is by no means theoretical. Domingo appears to be familiar with the modes of cyberattack that have been used both locally and abroad, as well as the suspected perpetrators. As such, it is strange that Domingo clings to the notion that cyberattacks have limited impact; perhaps we must first define what a cyberattack is.


What is a Cyberattack?

In his opinion, Domingo provided no clear definition of a cyberattack. This vagueness may be the culprit of the erroneous premises upon which his arguments are based.

A US National Research Council’s report defines cyberattacks as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.”[2] Taking off from this definition, an article “The Law of Cyber-Attack” in the California Law Review proposes that a cyberattack “consists of any action taken to undermine the functions of a computer network for a political or national security purpose.”[3]

These definitions are so broad that they seem to conflate cyberattacks and cybercrime. In crafting the Magna Carta for Philippine Internet Freedom (#MCPIF) bill, the group Democracy.Net.PH and other contributors agreed to separate the definitions of cybercrime and cyberattack. The bill defines cyberattack as:

“[A]n attack by a hostile foreign nation-state or violent non-state actor on Philippine critical infrastructure or networks through or using the Internet or information and communications technology.”[4]

The bill includes in the definition of cyberattack as also possibly this:

“[A]n assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.”[5]

The definition proposed in the #MCPIF acknowledges the cybersecurity threat continuum. This definition will serve as our basis in clarifying the flaws in Domingo’s op-ed piece.


A Cyberattack’s Impact Can be Lethal

“[C]yber-attacks have a limited impact on nation-states because the attacks rely on an electromagnetic spectrum, require man-made technology to function, and do not involve lethal action and physical violence.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo cites the distributed denial-of-service (DDoS) attack against Estonia in 2007 and the Stuxnet worm — used supposedly targeting Iran’s Natanz uranium enrichment facility and whose escape into the wild in 2010 led to its detection — as examples of cyberattacks. The modes exemplified by the Estonia attack[6] and Stuxnet[7] are similar to the Shamoon malware cyberattack on the state-owned oil firm Saudi Aramco[8], the DDoS attacks on US banks in 2012[9], the cyberattack on South Korean media and banking firms just this year[10], and so on.

It appears that Domingo’s position is that there has been no significant injury, loss of life, nor widespread physical damage to infrastructure. Ergo, damage is “limited.”

This is another shortsighted view.

While it is true that few, if at all, have so far been physically hurt by cyberattacks, the impact is nonetheless significant. The “ILOVEYOU” virus outbreak in 2000, a brainchild of one Onel de Guzman[11], a student of AMA Computer College, affected at the time about 45 million computers worldwide[12] and caused an estimated $10 billion dollars in damage[13]. The scale of damage caused by the ILOVEYOU worm, adjusted for inflation, is on a par with the scale of damage caused by Typhoon Yolanda.[14]

The perceived absence of injury to human beings does not render the damage from cyberattack limited; rather, such makes cyberattacks even more sinister. The disruption of networks that will result in the breakdown of services of government, power, communications, transport, finance, and other critical infrastructure can result in chaos in society. Instead of directly harming the populace, the attacker can create an environment where the populace will be motivated to destroy each other and themselves. Such damage mirrors that caused by enhanced radiation weapons, such as cobalt and neutron bombs, which are designed to kill but leave infrastructure and equipment relatively undamaged.[15]

Still eerily similar to atomic weapons of mass destruction, but to an even more sinister degree, is the ability of an attacker to design and control the degree of damage that is caused by the cyberattack. “Dial-a-yield” is the catchphrase often used to describe the capability to adjust a weapon to a desired scale of damage.

Domingo appears to make the error of failing to recognize that, with a cyberattack, the attacker not only can design the implementation but can practically specify the extent of damage from the narrowest of scopes up to unrestricted levels. Stuxnet was designed to go after a specific piece of equipment. Thus, the damage was limited only to the systems where the equipment was installed. If the global positioning system (GPS) navigation can be subject to an unrestricted cyberattack, which is now considered to be a distinct possibility[16], airplane crashes, ship groundings, and fatal mistaken identity incidents could occur at scales more horrific than simultaneous occurrences of incidents analogous to 9/11, Exxon Valdez, Aeroflot Flight 8381/ СССР-26492, MV Doña Paz/ MT Vector, and Korean Airlines Flight 007 combined.

There is no logical reason to wait until such catastrophic incidents occur, until lives are lost due to the lethality programmed into a cyberweapon, before establishing a robust cybersecurity framework.


Cyberattacks Do NOT Require High Technology; Cybersecurity Must Not Be Merely Technology-Centric

“[C]yber-attacks will not be successful if the spectrum is controlled or access to critical networks is blocked by accountable government units.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo mentions Stuxnet as a cyberattack; however, he may not be aware that the attack vector of Stuxnet was through the physical connection of an infected USB flash drive to a computer connected to the target network.

This, in hacker parlance, was a “sneakernet” attack. This attack was made via the crudest method of compromising a system — accessing the physical layer. The legal control of the allocation of the usable frequencies within the electromagnetic spectrum (for there is no means at present that can control the electromagnetic spectrum, short of repealing the laws of physics) by no means can prevent a sneakernet attack, or many other modes of attack for that matter. Restricting access to critical networks willy-nilly cannot likewise prevent such an attack since, by using the physical layer as the means of compromising the system, the data link, network, transport, session, presentation, and application layers are effectively bypassed.

Clearly, it is erroneous for Domingo to have posited that cyberattacks are solely technology-dependent, and thus for cybersecurity to be technology-centric.

In ensuring cybersecurity, there are two other aspects that must be considered and implemented. A cybersecurity plan must be based on a holistic combination of physical security, behavioral security, and electronic security means, policies, and procedures; to focus on a single defense aspect or potential threat axis would be analogous to building an iron door for a bank vault whose walls are made of paper.

Domingo has fallen into the trap of seeing a few trees and missing the forest.


Cybersecurity is Not Merely a Convenient Buzzword

“Security strategies are not definitive.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Given that cybersecurity threats belong in a continuum, and that the actors, their motivations, the degrees of damage intended and programmed, and the level and breadth of skillsets are not one-dimensional – as he erroneously paints them to be – Domingo’s position of a one-size-fits-all approach to securing Philippine cyberspace is untenable.

Cybersecurity cannot be as casually relegated as Domingo proposes. The range of potential threats to the physical security of the Filipino citizen run the gamut of petty crime, organized crime, terrorism (domestic and otherwise), to unfriendly acts of foreign governments; it is well understood that the mandates to protect the life, liberty, and property of each Filipino that are given to the Philippine National Police, the National Bureau of Investigation, and the Armed Forces of the Philippines differ in level of threat and scope of action.

So, too, should be the cybersecurity mandate.

This is the approach taken by the drafters of the Magna Carta for Philippine Internet Freedom. The #MCPIF proposes that the Department of Justice (DOJ), the National Bureau of Investigation (NBI), and the Philippine National Police (PNP) shall be the competent law enforcement agencies to protect Filipino citizens from cybercrime, corollary to their mandates to protect Filipino citizens from non-ICT enabled or perpetrated crimes. Likewise, these law enforcement agencies, supported by other government offices—including the Department of Defense (DND) and the Armed Forces of the Philippines (AFP)—will be tasked with protecting the country from cyberterrorism and cyberespionage. This is no different from the current mandates given to the respective agencies of government to protect the country from terrorism and espionage.

As they are tasked with national defense and the protection of national critical infrastructure, it is therefore likewise logical that that the DND and the AFP will be tasked with national cyberdefense and the protection of national critical ICT infrastructure.

It should be pointed out that while he is correct that the Information Systems Security Society of the Philippines (ISSSP), the Information Systems Audit and Control Association (ISACA), and the Philippine Computer Emergency Response Team (PH-CERT), as well as scholars and government experts, can be resources and have actually been providing technical expertise on cybersecurity as private companies like Symantec, McAfee, and IBM, Domingo is wrong in saying that they can be agents to implement Philippine cybersecurity action and policy. There is no logic in this thinking, as it is analogous to using security guards as frontline troops in internal security operations against the New People’s Army. Security planning, while it may be enriched by inputs from those with the appropriate competencies and skills, is best put together by those who can see the forest and not just the trees.


RA 10175 is NOT a Good Basis for a Philippine Cybersecurity Framework


“[P]eople must be made aware of the rationale and scope of Republic Act No. 10175 and other laws that protect Philippine cyberspace.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

There is some merit, however limited, in Domingo’s vague proposals on how to implement cybersecurity for the Philippines, in so far as developing a culture of cybersecurity through education and information campaigns, ensuring resilience of institutions, and the development of multidisciplinary, multistakeholder teams for plans, policies, and programs to promote national cybersecurity. Clear proposals have been presented by the drafters of the Magna Carta for Philippine Internet Freedom and constitute an integral part of the bill.

Unfortunately, Domingo goes astray in promoting Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, as a basis for promoting cybersecurity.

The oft-quoted maxim of Benjamin Franklin, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety,” points out the fatal flaw in Domingo’s promotion of the Cybercrime Prevention Act. As the law – fortunately suspended in its application – promotes such assaults into civil liberties such as the right to privacy, the right to due process of law, and the freedom of expression, it cannot be the basis for establishing cybersecurity for the Filipino people.

To be succinct: our rights online are our rights offline. Our cybersecurity thinking must be no different, therefore, from how we think of ensuring our physical security – holistic, properly-calibrated, competent, and rights-based.

To reduce it to vague buzzwords would be to endanger ourselves.



[1] Engr. Pierre Tito Galla, PECE, is one of the convenors of Democracy.Net.PH, an ICT and civil rights advocacy group that spearheaded the drafting of the Magna Carta for Philippine Internet Freedom. He is a practicing Professional Electronics Engineer with nearly a decade and a half in the information and communications technology sector, and is currently an executive in a Fortune 500 multinational whose networks span the globe.

[2]  Hathaway, et al. “The Law of Cyber-Attack.” <>.

[3]  Ibid.

[4] Democracy.Net.PH. “Full text of the Magna Carta for Philippine Internet Freedom.” <>.

[5] Ibid.

[6] The Associated Press. “A look at Estonia’s cyber attack in 2007.” 8 July 2009. <>.

[7] Kushner, D. “The Real Story of Stuxnet.” IEEE Spectrum. 26 February 2013. <>.

[8] Perlroth, N. “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.” The New York Times. 23 October 2012. <>.

[9] Ibid.

[10] Waterman, S. “Cyberattack hits South Korea’s banks, media.” The Washington Times. 20 March 2013. <>.

[11] Cluley, G. “Memories of the Love Bug worm.” Naked Security. 4 May 2009. <>.

[12] Ward, M. “A decade on from the ILOVEYOU bug.” BBC News. 4 May 2010. <>.

[13] Landler, M. “A Filipino Linked to ‘Love Bug’ Talks About His License to Hack.” The New York Times. 21 October 2000. <>.

[14] RSJ/ GMA News. “NDRRMC: Yolanda death toll continues to rise, now at 5,759; damage surpasses P35B.” GMA News Online. 5 December 2013. <>.

[15] Snow, D. “Strategic Implications of Enhanced Radiation Weapons.” Air University Review. July-August 1979. <>.

[16] Neal, R. “GPS Terrorism: Hackers Could Exploit Location Technology to Hijack Ships, Airplanes.” International Business Times. 29 July 2013. <>.

The mtrcb wants to ‘regulate’ the Internet

According to ABS-CBN, the Movie, Television Review and Classification Board announced that it plans to talk to the Department of Justice regarding sites that supposedly publish video of underage women.

First off, it is a bold move in that there should be protection for underage women. And there are laws like the anti-child pornography law. So it isn’t like there is no protection at all or to even suggest that the Philippines isn’t out stumping out this form of evil.

Second, it is one of those ridiculous and dangerous things— even taking into account protecting underage women. We have just gotten out of a really bad situation in Dubai— where the Internet fought to be kept open and free. And the Philippines signed off against U.N. regulation of the Internet.

Near as I can understand it, MTRCB is beyond its Authority. In fact, why skimpy women dance on noon time shows is a matter of much concern, if we are being moralist about it.

What’s dangerous here is government stepping up on censorship on the Internet. It never has ended well. Justifying it on moralist ground is a danger in and on itself. And that’s what they really are after here isn’t it? Justification for RA 10175 or the Cybercrime Prevention Act. The move of the MTRCB wishes to have some justification for law and the takedown clause in the cybercrime law.

The question here shouldn’t be a take down clause. It should be who is deciding what should be taken down and when. It can not be the cops or the prosecutor— in this case– the executive department of the government. It should be the court of law that should decide if someone has stepped out of bounce because that’s the equal protection we all enjoy.

What is to stop someone years down the road for using RA 10175 as justification for doing an Egypt-style crackdown on the Internet? Or a Chinese-style one? One of the biggest flaws of the cybercrime prevention act is that it doesn’t really fight cybercrime. Neither is it cognizant of what cyberwar could be.

@rom disagrees with me. He says, “I don’t think they can think at far ahead. LOL.”

@philippinebeat tweeted, “Here we go again. Afraid of the Internet and netizens?”

@ceso: wrote: “@philippinebeat i think it was just a knee-jerk reaction frm the complaint. good tho that people are thinking about internet freedom”

@gelolopez says, “@philippinebeat There are reasons why they are called MTRCB. Movie and TV.”

“@philippinebeat altho, drive vs. exploitation & trafficking of minors online is being strengthened under #MCPIF,” @ceso added.

@philippinebeat replied: “@ceso Likely. We need orgs that think something through carefully before they act. Clearly this goes beyond MTRCB’s mandate.”

@mobilemaui reminds us of another great idea: “BIR wants to tax online sellers.”

The answer really is the Magna Carta for Philippine Internet Freedom. What this does is fix the flaws of the Cybercrime Prevention Act. It does it better by starting with protecting rights enshrined in the bill of rights. It stands for an open and free Internet by balancing those rights out with the need of government to protect us. It doesn’t think of the Internet as a medium, but a living breathing ecosystem. We are giving the government the right tools, the proper mindset to go after the real bad guys, and at the same time being cognizant that the Internet is an economic driver.

Disclosure: the Author helped draft the Magna Carta for Philippine Internet Freedom.

[Editor’s note: we updated this entry to reflect a few comments]

Crowdsourcing: The Story of the Drafting of the Magna Carta for Philippine Internet Freedom

Update: The Magna Carta for Philippine Internet Freedom (MCPIF) has been refiled for the 16th Congress.
PHNetDems statement when Senator Santiago filed the MCPIF in the Senate as Senate Bill No. 53
Statement of PHNetDems when Representative Kimi Cojuangco filed the MCPIF in the House of Representatives as House Bill 1086.

SBN3327 Screencap

This is the story of how six ordinary, tech- and internet-savvy citizens, over three hundred online onlookers on Facebook, Twitter, and Google Docs, and a number of their politically-connected friends brought the dream of a Magna Carta for Philippine Internet Freedom to the august halls of the Senate of the Republic of the Philippines, and found in Senator Miriam Defensor Santiago a champion for civil and political rights in cyberspace.

Read more

Santiago Files Magna Carta for Philippine Internet Freedom

Senator Miriam Defensor Santiago
Senator Miriam Defensor Santiago, principal sponsor of SBN 3327

(Update 14 Nov 2012: SBN 3327 official PDF from Senate official website embedded below.)

Constitutional rights shall not be diluted in the Information Age.

This is the guarantee sought to be galvanized by Senate Bill 3327, filed on November 12, 2012, by the eminent constitutionalist and international law expert Senator Miriam-Defensor Santiago. In what is a first in Philippine legislative history, the provisions of the bill authored by Senator Santiago draw directly upon the suggestions of Filipino netizens solicited through online “crowdsourcing”. The proposed measure seeks to address not only the protection of  but also the establishment of the rights of Internet users in the Philippines. Also, guided by the expert knowledge of the diverse set of IT and legal specialists who advised on the bill, SBN 3327 seeks to establish a sensible, fact-oriented and balanced environment that defends Filipinos against against cybercrimes and cyberattacks.

Senate Bill 3327 is titled, appropriately enough, “An Act Establishing a Magna Carta for Philippine Internet Freedom, Cybercrime Prevention and Law Enforcement, Cyberdefense and National Cybersecurity.” Also known as the MCPIF to the netizens whose views helped shape the Bill, the Magna Carta for Philippine Internet Freedom is anchored on:

a. Rights
The MCPIF protects the civil and political rights of Filipinos, recognizing and asserting our guaranteed constitutional rights in cyberspace. Economic rights and consumer rights, especially as affected by the use of the Internet and information and communications technology (ICT), are also promoted and upheld.

b. Governance
The MCPIF promotes ICT in governance, translating into an empowered citizenry, a more efficient and responsive government, and more effective use and distribution of resources.

c. Development
The MCPIF provides government agencies with the mandate and the means to harness ICT for national development, thus promoting Philippine economic growth and ensuring Filipinos remain competitive in the information age.

d. Security
The MCPIF prepares Philippine law enforcement agencies and the armed forces for the current and emerging security challenges of the information age. It equips law enforcement with the capability to prevent, detect, and respond to cybercrime. With bolstered national defense and intelligence capabilities made possible through the MCPIF, the Philippines will be able to protect its critical infrastructure, reducing its vulnerability to attacks by cyber-terrorists and rogue or enemy states.

SBN 3327 has been referred to the Committee on Science and Technology for deliberations. It is expected that in the same spirit that animated the crafting of the Magna Carta for Philippine Internet Freedom, legislative deliberations will be enhanced by the active participation of the citizens online, and the other ICT stakeholders. The Internet has facilitated an unexpected next step in participatory democracy, and the forthcoming legislative process will harness that power.

SBN 3327 – An Act Establishing a Magna Carta for Philippine Internet Freedom, Cybercrime Prevention and Law Enforcement, and Cyberdefense and National Cybersecurity

[scribd id=113187011 key=key-yeze4eq6waidnxz1mpa mode=scroll]

(Photo credit: Senate official website,

(PDF credit: Senate official website,

Explanation required, Mr. President

My position regarding what has become Republic Act No. 10175, the Cybercrime Prevention Act of 2012, has not changed since I first went over the Senate version (Senate Bill No. 2796) several months ago: I maintain that it is a deeply flawed law that will not be able to properly address the problems it was ostensibly designed for, including, but not limited to, libel, cyber-bullying, and cyber-prostitution. Of course, back in February, I was content merely to air my anxiety, because I was fairly optimistic that the ill-conceived bill would not prosper, such optimism—or maybe I should say, with the benefit of hindsight, naïveté—being largely rooted in my reluctance to entertain the notion that the denizens of officialdom would act, to use a time-honored phrase, like a bunch of drooling incompetents.

It seems opportune to raise yet again the important question of whether our leaders understand what goes on in cyberspace, even as they attempt to engage the wired middle and upper classes—certainly not the general public, in view of extant data on the level of Internet penetration, not to mention access to electricity, in the country—by establishing and using all sorts of online properties, such as web sites, blogs, and social media accounts.

The massive outcry against the anti-cybercrime law, which, as of this writing, includes four separate petitions filed with the Supreme Court by various groups, has found the apparatchiks of this administration scrambling to defend the decision of President Benigno S. Aquino III to sign it into law. For instance, at a press briefing yesterday, September 27, Presidential Spokesman Edwin Lacierda, urging critics to wait for the pertinent Implementing Rules and Regulations (IRR), said that “freedom of expression is not absolute”, and that the law “[attaches] responsibilities in cyberspace”—pronouncements that are not without merit and would be difficult to disagree with, but tend to come across as incongruous at the very least, considering that Lacierda, along with other Palace functionaries, has been known to happily heckle political opponents—transport strike organizers and participants, say, or former Chief Justice Renato Corona—using his Twitter account, and could more convincingly serve as an exemplar of irresponsible online behavior than the opposite, especially because, by virtue of his position, he is supposed to speak with the voice of the Chief Executive.

Similarly irresponsible, as well as disingenuous, are the arguments advanced by Presidential Communications Development and Strategic Planning Office (PCDSPO) Undersecretary Manuel L. Quezon III, who, in response to blogger Jon Limjap’s tweet that the law, presumably on account of its provisions on libel, could be used “to silence political critics online“, replied that Limjap’s “sweeping” statement “ignores the [C]onstitution and its guarantees“, adding that the Act contained nothing that “any columnist hasn’t had to live with since time immemorial“. I would have thought that the following patently obvious things need not be said: first, the Constitution will not prevent—and in fact allows—the litigious from threatening to file or actually filing lawsuits, as Quezon himself knows from experience, whatever the courts eventually decide; second, the majority of people online are not columnists and have had no journalistic training, though pretenders do proliferate; and third, just because a particular state of affairs has persisted “since time immemorial” is not a reason to maintain said state.

None of the foregoing is to advocate that a kind of exceptionalism be observed with reference to cyberspace and the various activities that go on it it, as The Philippine Star columnist Federico J. Pascual seems to believe, rather strangely, of those against the anti-cybercrime law. I do think that there is much that deserves to be regulated online, although that requires a separate discussion. The process of law-making, however, ought to be undertaken with intelligence, sensitivity, and no small amount of caution. Given the disturbing implications of the Act in its current form, a severe shortage of precisely the aforementioned qualities may well be afflicting Congress and Malacañang, and now time, energy, and taxpayer money must be spent, if not squandered, in the fight against a law that, as Cocoy Dayao has pointed out, could have been crafted “far, far better“, and would therefore have been a more efficient use of national resources.

It is interesting to note that, according to a recent report, Aquino did not exercise his veto power over the Act because the office of Executive Secretary Paquito Ochoa, Jr. prepared a legal memorandum recommending the law for signing. Perhaps Ochoa or Aquino might be prevailed upon to release the contents of this memorandum to the public,  in order that the rationale behind the approval of the Act by a President who has repeatedly asserted his commitment to freedom and transparency might be understood by the people it will affect—the so-called bosses in whose interests he claims to work, and to whom he now owes a clear explanation.