
Debunking Errors in a Proposed Philippine Cybersecurity Framework

Myopia.

This is the inescapable conclusion one will have upon reading Francis Domingo’s opinion piece in the November 18, 2013 issue of Philippine Daily Inquirer, “Points to consider in securing Philippine cyberspace”. While Domingo raises a valid concern on the continual growth of the cybersecurity threat, his recommendations fail to address it. Worse, if followed, his recommendations may prove disastrous.

 

The Cybersecurity Threat Continuum 

“More people may decide to engage in cyber-attacks because of the low barriers to entry, anonymity and presence of others involved in similar activities.

“Performing various operations in cyberspace is not difficult because the resources and knowledge required to exploit and disrupt infrastructure are modest compared to the requirements of exploiting other domains of conflict such as land, sea, air and even space.

“Any individual with sufficient technical knowledge and has access to information communication technologies can execute cyber-attacks.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo points out correctly that cyberattacks will continue to grow in number, scope, and impact; he correctly points out that performing such attacks is less difficult than physical violence, and puts forward a valid observation that anonymity may be a factor in choosing to perpetrate crime or fraud, destruction and disruption, or enter into conflict via cyberattacks over conventional means.

The possibilities available, however, do not constitute a simple menu of choices. Cybersecurity threats are more accurately depicted in a continuum:

[Diagram: cyber-threat continuum]

From left to right, the diagram describes two parallel concepts: first, that of actors — from an individual, through loosely-affiliated groups, to large, structured organizations — and, second, that of level of skill — how the increasing availability of skills and/or skilled manpower can be used as resources to plan, execute, and follow-through on a cyberattack.

From bottom to top, the diagram describes the potential damage that can result, especially from a deliberate cyberattack. For instance, the potential damage that can be caused by a prankster will be less than that of a dupe, as the former may be restrained by conscience while the latter is subject to the will of another person or group, who may feel no such restraint. Likewise, it is understandable that organized groups with larger pools of manpower and skillsets, as well as the drive to gain such skills and employ them, will have higher scales of potential damage than amorphous groups or individuals. It is equally interesting that the individuals and groups moving up the potential damage scale can be classed together into fairly distinct sets of motivations for cybercrime and cyberattack, as shown by the right-hand scale.

The cybersecurity continuum is by no means theoretical. Domingo appears to be familiar with the modes of cyberattack that have been used both locally and abroad, as well as the suspected perpetrators. As such, it is strange that Domingo clings to the notion that cyberattacks have limited impact; perhaps we must first define what a cyberattack is.

 

What is a Cyberattack?

In his opinion, Domingo provided no clear definition of a cyberattack. This vagueness may be the culprit of the erroneous premises upon which his arguments are based.

A US National Research Council report defines cyberattacks as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.”[2] Taking off from this definition, an article, “The Law of Cyber-Attack,” in the California Law Review proposes that a cyberattack “consists of any action taken to undermine the functions of a computer network for a political or national security purpose.”[3]

These definitions are so broad that they seem to conflate cyberattacks and cybercrime. In crafting the Magna Carta for Philippine Internet Freedom (#MCPIF) bill, the group Democracy.Net.PH and other contributors agreed to separate the definitions of cybercrime and cyberattack. The bill defines cyberattack as:

“[A]n attack by a hostile foreign nation-state or violent non-state actor on Philippine critical infrastructure or networks through or using the Internet or information and communications technology.”[4]

The bill’s definition of cyberattack also possibly includes this:

“[A]n assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.”[5]

The definition proposed in the #MCPIF acknowledges the cybersecurity threat continuum. This definition will serve as our basis in clarifying the flaws in Domingo’s op-ed piece.

 

A Cyberattack’s Impact Can be Lethal

“[C]yber-attacks have a limited impact on nation-states because the attacks rely on an electromagnetic spectrum, require man-made technology to function, and do not involve lethal action and physical violence.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo cites the distributed denial-of-service (DDoS) attack against Estonia in 2007 and the Stuxnet worm — supposedly used to target Iran’s Natanz uranium enrichment facility, and whose escape into the wild in 2010 led to its detection — as examples of cyberattacks. The modes exemplified by the Estonia attack[6] and Stuxnet[7] are similar to the Shamoon malware cyberattack on the state-owned oil firm Saudi Aramco[8], the DDoS attacks on US banks in 2012[9], the cyberattack on South Korean media and banking firms just this year[10], and so on.

It appears that Domingo’s position is that there has been no significant injury, loss of life, nor widespread physical damage to infrastructure. Ergo, damage is “limited.”

This is another shortsighted view.

While it is true that few, if any, have so far been physically hurt by cyberattacks, the impact is nonetheless significant. The “ILOVEYOU” virus outbreak in 2000, a brainchild of one Onel de Guzman[11], a student of AMA Computer College, affected at the time about 45 million computers worldwide[12] and caused an estimated $10 billion in damage[13]. The scale of damage caused by the ILOVEYOU worm, adjusted for inflation, is on a par with the scale of damage caused by Typhoon Yolanda.[14]

The perceived absence of injury to human beings does not render the damage from cyberattack limited; rather, such makes cyberattacks even more sinister. The disruption of networks that will result in the breakdown of services of government, power, communications, transport, finance, and other critical infrastructure can result in chaos in society. Instead of directly harming the populace, the attacker can create an environment where the populace will be motivated to destroy each other and themselves. Such damage mirrors that caused by enhanced radiation weapons, such as cobalt and neutron bombs, which are designed to kill but leave infrastructure and equipment relatively undamaged.[15]

Still eerily similar to atomic weapons of mass destruction, but to an even more sinister degree, is the ability of an attacker to design and control the degree of damage that is caused by the cyberattack. “Dial-a-yield” is the catchphrase often used to describe the capability to adjust a weapon to a desired scale of damage.

Domingo appears to make the error of failing to recognize that, with a cyberattack, the attacker not only can design the implementation but can practically specify the extent of damage from the narrowest of scopes up to unrestricted levels. Stuxnet was designed to go after a specific piece of equipment. Thus, the damage was limited only to the systems where the equipment was installed. If global positioning system (GPS) navigation can be subjected to an unrestricted cyberattack, which is now considered to be a distinct possibility[16], airplane crashes, ship groundings, and fatal mistaken identity incidents could occur at scales more horrific than simultaneous occurrences of incidents analogous to 9/11, Exxon Valdez, Aeroflot Flight 8381/ СССР-26492, MV Doña Paz/ MT Vector, and Korean Airlines Flight 007 combined.

There is no logical reason to wait until such catastrophic incidents occur, until lives are lost due to the lethality programmed into a cyberweapon, before establishing a robust cybersecurity framework.

 

Cyberattacks Do NOT Require High Technology; Cybersecurity Must Not Be Merely Technology-Centric

“[C]yber-attacks will not be successful if the spectrum is controlled or access to critical networks is blocked by accountable government units.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo mentions Stuxnet as a cyberattack; however, he may not be aware that the attack vector of Stuxnet was through the physical connection of an infected USB flash drive to a computer connected to the target network.

This, in hacker parlance, was a “sneakernet” attack. This attack was made via the crudest method of compromising a system — accessing the physical layer. The legal control of the allocation of the usable frequencies within the electromagnetic spectrum (for there is no means at present that can control the electromagnetic spectrum, short of repealing the laws of physics) by no means can prevent a sneakernet attack, or many other modes of attack for that matter. Restricting access to critical networks willy-nilly cannot likewise prevent such an attack since, by using the physical layer as the means of compromising the system, the data link, network, transport, session, presentation, and application layers are effectively bypassed.

Clearly, it is erroneous for Domingo to have posited that cyberattacks are solely technology-dependent, and thus for cybersecurity to be technology-centric.

In ensuring cybersecurity, there are two other aspects that must be considered and implemented. A cybersecurity plan must be based on a holistic combination of physical security, behavioral security, and electronic security means, policies, and procedures; to focus on a single defense aspect or potential threat axis would be analogous to building an iron door for a bank vault whose walls are made of paper.

Domingo has fallen into the trap of seeing a few trees and missing the forest.

 

Cybersecurity is Not Merely a Convenient Buzzword

“Security strategies are not definitive.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Given that cybersecurity threats belong in a continuum, and that the actors, their motivations, the degrees of damage intended and programmed, and the level and breadth of skillsets are not one-dimensional – as he erroneously paints them to be – Domingo’s position of a one-size-fits-all approach to securing Philippine cyberspace is untenable.

Cybersecurity cannot be as casually relegated as Domingo proposes. The range of potential threats to the physical security of the Filipino citizen runs the gamut from petty crime, organized crime, and terrorism (domestic and otherwise) to unfriendly acts of foreign governments; it is well understood that the mandates to protect the life, liberty, and property of each Filipino that are given to the Philippine National Police, the National Bureau of Investigation, and the Armed Forces of the Philippines differ in level of threat and scope of action.

So, too, should be the cybersecurity mandate.

This is the approach taken by the drafters of the Magna Carta for Philippine Internet Freedom. The #MCPIF proposes that the Department of Justice (DOJ), the National Bureau of Investigation (NBI), and the Philippine National Police (PNP) shall be the competent law enforcement agencies to protect Filipino citizens from cybercrime, corollary to their mandates to protect Filipino citizens from non-ICT enabled or perpetrated crimes. Likewise, these law enforcement agencies, supported by other government offices—including the Department of Defense (DND) and the Armed Forces of the Philippines (AFP)—will be tasked with protecting the country from cyberterrorism and cyberespionage. This is no different from the current mandates given to the respective agencies of government to protect the country from terrorism and espionage.

As they are tasked with national defense and the protection of national critical infrastructure, it is therefore likewise logical that the DND and the AFP will be tasked with national cyberdefense and the protection of national critical ICT infrastructure.

It should be pointed out that while he is correct that the Information Systems Security Society of the Philippines (ISSSP), the Information Systems Audit and Control Association (ISACA), and the Philippine Computer Emergency Response Team (PH-CERT), as well as scholars and government experts, can be resources and have actually been providing technical expertise on cybersecurity as private companies like Symantec, McAfee, and IBM, Domingo is wrong in saying that they can be agents to implement Philippine cybersecurity action and policy. There is no logic in this thinking, as it is analogous to using security guards as frontline troops in internal security operations against the New People’s Army. Security planning, while it may be enriched by inputs from those with the appropriate competencies and skills, is best put together by those who can see the forest and not just the trees.

 

RA 10175 is NOT a Good Basis for a Philippine Cybersecurity Framework

 

“[P]eople must be made aware of the rationale and scope of Republic Act No. 10175 and other laws that protect Philippine cyberspace.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

There is some merit, however limited, in Domingo’s vague proposals on how to implement cybersecurity for the Philippines, in so far as developing a culture of cybersecurity through education and information campaigns, ensuring resilience of institutions, and the development of multidisciplinary, multistakeholder teams for plans, policies, and programs to promote national cybersecurity. Clear proposals have been presented by the drafters of the Magna Carta for Philippine Internet Freedom and constitute an integral part of the bill.

Unfortunately, Domingo goes astray in promoting Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, as a basis for promoting cybersecurity.

The oft-quoted maxim of Benjamin Franklin, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety,” points out the fatal flaw in Domingo’s promotion of the Cybercrime Prevention Act. As the law – fortunately suspended in its application – promotes such assaults into civil liberties such as the right to privacy, the right to due process of law, and the freedom of expression, it cannot be the basis for establishing cybersecurity for the Filipino people.

To be succinct: our rights online are our rights offline. Our cybersecurity thinking must be no different, therefore, from how we think of ensuring our physical security – holistic, properly-calibrated, competent, and rights-based.

To reduce it to vague buzzwords would be to endanger ourselves.

 

Endnotes: 

[1] Engr. Pierre Tito Galla, PECE, is one of the convenors of Democracy.Net.PH, an ICT and civil rights advocacy group that spearheaded the drafting of the Magna Carta for Philippine Internet Freedom. He is a practicing Professional Electronics Engineer with nearly a decade and a half in the information and communications technology sector, and is currently an executive in a Fortune 500 multinational whose networks span the globe.

[2] Hathaway, et al. “The Law of Cyber-Attack.” <http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf>.

[3] Ibid.

[4] Democracy.Net.PH. “Full text of the Magna Carta for Philippine Internet Freedom.” <http://democracy.net.ph/mcpif/full-text/>.

[5] Ibid.

[6] The Associated Press. “A look at Estonia’s cyber attack in 2007.” NBCNews.com. 8 July 2009. <http://www.nbcnews.com/id/31801246/#.Up3wE8RDtXg>.

[7] Kushner, D. “The Real Story of Stuxnet.” IEEE Spectrum. 26 February 2013. <http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet>.

[8] Perlroth, N. “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.” The New York Times. 23 October 2012. <http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?_r=0>.

[9] Ibid.

[10] Waterman, S. “Cyberattack hits South Korea’s banks, media.” The Washington Times. 20 March 2013. <http://www.washingtontimes.com/news/2013/mar/20/cyberattack-hits-s-koreas-banks-media-highlights-r/?page=all>.

[11] Cluley, G. “Memories of the Love Bug worm.” Naked Security. 4 May 2009. <http://nakedsecurity.sophos.com/2009/05/04/memories-love-bug-worm/>.

[12] Ward, M. “A decade on from the ILOVEYOU bug.” BBC News. 4 May 2010. <http://www.bbc.co.uk/news/10095957>.

[13] Landler, M. “A Filipino Linked to ‘Love Bug’ Talks About His License to Hack.” The New York Times. 21 October 2000. <http://www.nytimes.com/2000/10/21/business/a-filipino-linked-to-love-bug-talks-about-his-license-to-hack.html>.

[14] RSJ/ GMA News. “NDRRMC: Yolanda death toll continues to rise, now at 5,759; damage surpasses P35B.” GMA News Online. 5 December 2013. <http://www.gmanetwork.com/news/story/338384/news/nation/ndrrmc-yolanda-death-toll-continues-to-rise-now-at-5-759-damage-surpasses-p35b>.

[15] Snow, D. “Strategic Implications of Enhanced Radiation Weapons.” Air University Review. July-August 1979. <http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jul-aug/snow.html>.

[16] Neal, R. “GPS Terrorism: Hackers Could Exploit Location Technology to Hijack Ships, Airplanes.” International Business Times. 29 July 2013. <http://www.ibtimes.com/gps-terrorism-hackers-could-exploit-location-technology-hijack-ships-airplanes-1362937>.

Crowdsourcing: The Story of the Drafting of the Magna Carta for Philippine Internet Freedom

Update: The Magna Carta for Philippine Internet Freedom (MCPIF) has been refiled for the 16th Congress.
PHNetDems statement when Senator Santiago filed the MCPIF in the Senate as Senate Bill No. 53
Statement of PHNetDems when Representative Kimi Cojuangco filed the MCPIF in the House of Representatives as House Bill 1086.


This is the story of how six ordinary, tech- and internet-savvy citizens, over three hundred online onlookers on Facebook, Twitter, and Google Docs, and a number of their politically-connected friends brought the dream of a Magna Carta for Philippine Internet Freedom to the august halls of the Senate of the Republic of the Philippines, and found in Senator Miriam Defensor Santiago a champion for civil and political rights in cyberspace.


Santiago Files Magna Carta for Philippine Internet Freedom

Senator Miriam Defensor Santiago, principal sponsor of SBN 3327

(Update 14 Nov 2012: SBN 3327 official PDF from Senate official website embedded below.)

Constitutional rights shall not be diluted in the Information Age.

This is the guarantee sought to be galvanized by Senate Bill 3327, filed on November 12, 2012, by the eminent constitutionalist and international law expert Senator Miriam Defensor Santiago. In what is a first in Philippine legislative history, the provisions of the bill authored by Senator Santiago draw directly upon the suggestions of Filipino netizens solicited through online “crowdsourcing”. The proposed measure seeks to address not only the protection of but also the establishment of the rights of Internet users in the Philippines. Also, guided by the expert knowledge of the diverse set of IT and legal specialists who advised on the bill, SBN 3327 seeks to establish a sensible, fact-oriented and balanced environment that defends Filipinos against cybercrimes and cyberattacks.

Senate Bill 3327 is titled, appropriately enough, “An Act Establishing a Magna Carta for Philippine Internet Freedom, Cybercrime Prevention and Law Enforcement, Cyberdefense and National Cybersecurity.” Also known as the MCPIF to the netizens whose views helped shape the Bill, the Magna Carta for Philippine Internet Freedom is anchored on:

a. Rights
The MCPIF protects the civil and political rights of Filipinos, recognizing and asserting our guaranteed constitutional rights in cyberspace. Economic rights and consumer rights, especially as affected by the use of the Internet and information and communications technology (ICT), are also promoted and upheld.

b. Governance
The MCPIF promotes ICT in governance, translating into an empowered citizenry, a more efficient and responsive government, and more effective use and distribution of resources.

c. Development
The MCPIF provides government agencies with the mandate and the means to harness ICT for national development, thus promoting Philippine economic growth and ensuring Filipinos remain competitive in the information age.

d. Security
The MCPIF prepares Philippine law enforcement agencies and the armed forces for the current and emerging security challenges of the information age. It equips law enforcement with the capability to prevent, detect, and respond to cybercrime. With bolstered national defense and intelligence capabilities made possible through the MCPIF, the Philippines will be able to protect its critical infrastructure, reducing its vulnerability to attacks by cyber-terrorists and rogue or enemy states.

SBN 3327 has been referred to the Committee on Science and Technology for deliberations. It is expected that in the same spirit that animated the crafting of the Magna Carta for Philippine Internet Freedom, legislative deliberations will be enhanced by the active participation of the citizens online, and the other ICT stakeholders. The Internet has facilitated an unexpected next step in participatory democracy, and the forthcoming legislative process will harness that power.

SBN 3327 – An Act Establishing a Magna Carta for Philippine Internet Freedom, Cybercrime Prevention and Law Enforcement, and Cyberdefense and National Cybersecurity


(Photo credit: Senate official website, http://www.senate.gov.ph/)

(PDF credit: Senate official website, http://www.senate.gov.ph/)

Occupied

Restoring a meritocratic society is the goal of the 99 movement in America. Establishing it for once in the Philippines should be our national ambition.

The Nobel-winning economist Gary Becker, whose work on human capital I deeply admire, wrote a piece called Deserving and Undeserving Inequality in the blog which he shares with Richard Posner. In it he distinguishes between good inequality (deserved) and bad inequality (undeserved), saying:

The great majority of people in different cultures do not object to someone who has made lots of money when they have superior abilities and talents, and they work hard at producing what are considered useful goods or services.

The meritocratic society with upward and downward social mobility would be, in Becker’s view, the most acceptable form. In this just society, the cream always rises to the top. He cites actors like Tom Hanks and Jennifer Aniston, entrepreneurs like Bill Gates and Steve Jobs, and skilled professionals like transplant surgeons who have grown rich by applying their exemplary talents and skills.

In contrast, Becker poses the problem society seems to have with hedge fund managers who make use of arbitrage (momentary bargains unnoticed by the market) to make huge sums of money. He lumps them together with speculators, Russian oligarchs and monopolists who enrich themselves through unfair, uncompetitive means (the latter two through government fiat).

Becker of course uses human capital theory as his framework for addressing this issue. Under its framework, individuals who acquire knowledge and skill through education and training (one cannot gain it any other way as it cannot be inherited or passed on) deservedly earn private returns in the form of higher incomes over the remainder of their working lives.

A meritocratic society should, in Becker’s view, reward the investments made by individuals in themselves and not rely on some other criteria. Elitism, the polar opposite of meritocracy, rewards individuals for investing in other things (political patronage, social standing or being raised on the right side of the tracks, marrying into the right family, etc.). It all sounds rational and justified, which is why Becker says “the great majority of people in different cultures” accept the legitimacy of a certain form of inequality (I have some reservations which I expressed here).

The Occupy Wall Street protests that have spread all around the world are comprised of a disparate set of individuals, but at their core, they are a protest against what is seen as an illegitimate form of social structure perpetuated by a weak central government unable to constrain the greed of corporate elites.

The breakdown of social cohesion has occurred because of what is perceived to be the breakdown of a meritocratic society where one rule seems to apply to the rich who are becoming a new aristocracy while another set of rules applies to the rest.

The teapartiers detest the privilege accorded to the global capitalists/Wall Street at the expense of local merchants and tradesmen/main street, while OWS expresses their distaste mathematically by stating they represent the 99% who play by the rules but have to bail out the 1% who don’t.

It is curious to see how the OWS protest that began in NY mutates as it travels to each city throughout the world deriving a local “strain” in each place. In the Philippines, which has witnessed a high level of social inequality, there has not been a similar groundswell of support outside the usual suspects of BAYAN MUNA and other groups who coalesce under anti-American imperialist banners.

The reason, I think, is that broad sections of our society by and large aspire towards a meritocracy and see their lack of social mobility as either the result of divine providence or misfortune. The masses have not coalesced around a universal sense of rights and entitlements that has taken hold in the West, perhaps because they still depend on ties of patronage from local elites.

The state has had a long history of either colluding with or acceding to our elites. They have given concessions to the “peasantry” whenever popular movements have challenged their ascendancy but withdrawn them when the threats have passed. Charismatic populist leaders like Ramon Magsaysay and Joseph Estrada sought to appease them, not undertake reforms aimed at genuine social restructuring.

The only time when the state sought to weaken the landed elite by expropriating their assets was under Martial Law. Even then there were limits to what it could do as it sought to make its authority legally and constitutionally binding in the eyes of the world. The problem was that once it had weakened any challenge to its authority, nothing prevented the regime from plundering as well.

The lack of accountability under Martial Law made the state susceptible to a new form of super-sized impunity. This was not inevitable though as in the case of East Asia with their benevolent dictators. Had Mr Marcos fostered a new meritocracy in both the bureaucracy and the wider economy, things might have been different.

His wife Imelda widely reviled for her pompous display of wealth had actually promoted a meritocracy in the arts. Through her sponsorship of young scholars and aspiring artists through competitions and venues for the demonstration of their capabilities, she enabled a flowering of talent that was not based on birth or privilege. This is the one legacy for which she can be rightly credited.

If only the same thing had happened in the technology sector where innovation and risk-taking could have been encouraged, instead of the crony capitalism that created a new elite not based on productive but predatory activity, the Marcos years might have come out smelling a bit better.

Contemporaneous with the Marcos era, during the 1970s and 1980s, Brazil and India embarked on a policy of giving birth to technology firms. The state agencies that were engaged in this “midwifery” role were not perfect, but as discussed by Peter Evans in his book Embedded Autonomy, despite their imperfections, at the end of the 1980s they still had something to show for it.

After seeing efforts at producing local operating systems and PC clones flounder, Brazil’s IT sector survived by specializing in financial automation for their banking sector (emblematic of this were companies like Itautec of the Itau Banking group). In India, state investments in skills produced manpower to work in systems integration services combining hardware and software engineering which became their strength. Today some of these Indian firms have successfully expanded their operations overseas (Mahindra Satyam and Tata Consulting Services are prime examples).

Korea which was most successful in fostering growth of this sector focused on the assembly of computers, consumer electronics and semiconductors through concessionary loans and state sponsored and financed research and development. In 1989 Samsung and IBM signed a co-licensing deal allowing them to tap into each other’s portfolio of patents. Today IBM no longer makes PCs, but Samsung is challenging Apple for the handheld tablet market.

Brazil, of course, was under a military dictatorship during this period. India was, except for a brief period in the 70s, a rambunctious democracy like the Philippines is now. Korea was still being ruled by an autocratic president. In other words, the type of political system did not prevent the sorts of policies needed for promoting a meritocracy from emerging in productive sectors.

This was Pres. Marcos’s greatest moral failing: neglecting the national development project and engaging in pure predatory behavior. The “Freedom Constitution” that followed his fall, which sought to put a system of checks and balances in place to restrain the executive, has unfortunately not produced a meritocracy either. It simply restored the old aristocracy to power, which has picked up where it left off prior to Martial Law by engaging in booty capitalism.

The weakness of the judicial system has served to deny a system of justice to the dispossessed and the poor. So unlike the Occupy Wall Street protesters who camp outside the headquarters of the global elite, our own version of the downtrodden live in slums outside the gated communities of local elites. They are forced to work in the informal sector without legal entitlements such as social security, healthcare or retirement funds, for the most part having acquired very little in the form of human capital.

The present dispensation is beset with many challenges all around which include fostering good governance and promoting economic growth. These projects will take time to bear fruit. While it is seeking to free the poor from local patron-client relationships through social insurance programs, it eventually needs to buckle down to the difficult task of generating employment through industrial promotion strategies and policies.

Having fostered the emergence of the electronics and business process outsourcing industries in the interim, the government faces the more difficult task of expanding the scope of these industries in the international division of labor (what Evans terms the role of “husbandry”) into more value added activities.

It would be good if, aside from producing the domestic equivalents of Tom Hanks and Jennifer Aniston (a legacy of our showbiz, pop mentality from the Imeldific years), we could also foster the development of our own Bill Gates or Steve Jobs (the burgeoning industries out of Silicon Valley of course received tremendous government support through the defense industry).

Globalization was meant to usher in a kind of meritocracy among nations in the division of labor. What the experience of emerging countries has shown is that to rise to the top, state involvement in the development of industries is necessary. The ultimate goal should not be to one day attract a greater share of foreign companies to our shores; the national ambition should be to one day join our brothers in emerging markets in buying out foreign companies within their own shores.

Perhaps it is this vision that should occupy our hearts and minds as we look to the future.

Ampaw: The Flawed NTC Memorandum Order on Minimum Speed of Broadband Connections

NTC MO 07-07-2011 is a paper tiger

Author’s Note: The full text of the National Telecommunications Commission Memorandum Order No. 07-07-2011 (Minimum Speed of Broadband Connections) was provided via email as an Adobe PDF file, in response to a request for the document.

To the best of the author’s knowledge, NTC MO 07-07-2011 has not yet been published in any newspaper of national circulation.

A sop to Filipino consumers, conceived with no regard to objective realities, and written in a lazy fashion — that, very politely, describes the NTC MO No. 07-07-2011. Not quite unlike a speech given by a traditional politician, it is prefaced by a long-winded introduction and followed by a weak policy.

To be fair, let’s begin our analysis by parsing the strengths of NTC MO 07-07-2011.

First, NTC MO 07-07-2011 requires internet service providers to be transparent in the billing of their subscribers, via Rules 1 and 2 of the order. Transparency is good for us consumers; we’ll know exactly what it is we are paying for.

Second, NTC MO 07-07-2011 requires internet service providers to provide a minimum service reliability for their subscribers, via Rule 1. Instead of not being certain of getting what we’re paying for, the minimum service reliability ensures that we’re going to get it. In fairness to the ISPs and the NTC, a minimum service reliability of 80% is not too bad, considering the state of telecommunications infrastructure in the Philippines.

Third, NTC MO 07-07-2011 provides internet service providers good flexibility towards developing competition strategies, via Rule 1. By allowing internet service providers to offer the public various packages and prices, the ISP with the most aggressive, the most reliable, and the best-priced packages wins the market.

All that said, and despite the best of intentions, NTC MO 07-07-2011 is useless to us consumers and does nothing concrete to require good service from ISPs. Why?

First, NTC MO 07-07-2011 does not provide effectively for short-term prepaid internet connectivity. With service reliability measured on a monthly basis, prepaid internet subscriptions lasting one day, three days, or a week can easily meet 80% service reliability on paper, with the customer not enjoying the connectivity he has paid for. For instance, should a customer use a 3-day prepaid card and not be connected, his complaint will be easily dismissed once the ISP shows that he could have been connected on the other 27 days of the month, with the ISP meeting a service reliability of 90%.

Considering how much of the broadband market floats on prepaid services, that segment of the consuming public is going to continue to get screwed.

Second, NTC MO 07-07-2011 does not specify where service reliability is to be measured, when it could have protected the consumer by requiring service reliability to be measured at the subscriber end. As such, the internet service provider can very well claim to be meeting 80% service reliability or even higher, by measuring reliability at their end of the transmission medium.

This, even as the consumer at his end keeps on getting “Unable to connect to the Internet” error messages on his browser.

Third, NTC MO 07-07-2011 is silent on data volume capping. Thus, the MO allows for unreasonable data volume capping.

Therefore, a consumer with consistent 1 Mbps connection speeds can have his connection cut off every three days by virtue of a 1 GB data volume cap, and the ISP will still be completely compliant with the memorandum order, for as long as the ISP has a provision on data volume capping in fine print somewhere in the service offer, contract, or prepaid SIM wrapper.

Fourth, NTC MO 07-07-2011 does not require ISPs to provide clear, timely, and customer-centric rebate mechanisms for customers if service reliability minimums are not met. ISPs can very well still get paid for the services they do not provide, and getting rebates will still be as easy as pulling teeth from a rabid dog using longnose pliers.

Subscribers, therefore, can continue to get screwed under the guise of “ma’am, network maintenance po kasi, di po yan covered ng rebate”, “sir, kelangan complete po ang documents and proof of downtime, tapos wait po kayo ng thirty days tapos i-claim ninyo personally dito sa office namin yung tseke”, and whatnot.

To summarize bluntly the impact of NTC MO 07-07-2011 on internet service providers, compliance with NTC MO 07-07-2011 is as simple as ISPs rewording their boilerplate contracts and marketing collaterals and ensuring that 80% reliability or higher is measured at their end. NTC MO 07-07-2011 will merely require cosmetic changes and tweaks in marketing, rather than significant improvements in service.

To summarize bluntly the impact of NTC MO 07-07-2011 on us consumers, NTC MO 07-07-2011 provides us with absolutely nothing but a wad of used toilet paper.

It’s brilliant, really. This MO will be hailed as a victory for the consuming public, with the perception of the NTC being the white knight riding to the defense against the greedy invading ISPs. The reality, however, is that the NTC MO 07-07-2011 is no more an actual strike for Filipino empowerment than the sham that was the Battle of Manila and the surrender of the Spanish troops to the Americans.

Read the full text of NTC MO 07-07-2011 here. If you want to read a proposed draft of a better memorandum order, one that serves all parties fairly, read this one instead.

And to think we were led to believe that the NTC really does have our interests at heart and does its best to serve us. Bleh.

Image from The Pulse Review (www.pulsereview.com).