[Part 1] A Recipe for Disaster: A Growing Digital Economy But Lagging in Cybersecurity Capacity

Keith Detros
6 min read · Jan 2, 2022


The Philippines is the fastest growing digital economy in Southeast Asia. In 2021, the internet economy in the country was valued at US$17 billion, an exponential increase from the US$2 billion level in 2015.[i] While all ASEAN-6 countries are expected to have double-digit growth rates in the internet economy, the Philippines leads the way with a projected 24% compound annual growth rate by 2025.

This growth rests on a young population that spends the most time online. With a median age of 25.7 years old, the Philippines is expected to stay young and tech-savvy in the next decade.[ii] In the Digital 2021 report by global social media management firm Hootsuite, the Philippines also leads the world in time spent online, clocking in at around 10 hours and 56 minutes per day.[iii] Internet penetration is at 67% of the population, while mobile phone connections are at 138%, which means Filipinos tend to have more than one device.

In addition, the global health crisis has accelerated the development and adoption of digital solutions in the country. Due to limited movement of people and strict lockdown measures, Filipinos have relied mainly on technology to continue availing of goods and services. The Bangko Sentral ng Pilipinas (BSP), or the Philippine Central Bank, noted a 25% decrease in automated teller machine withdrawals within the first month of the pandemic. By the end of 2020, the share of digital payments in total transactions had reached 20.1%, a 10-percentage-point increase from 2018 levels. Google estimates that there are also 12 million new digital users in the Philippines since the start of the pandemic.[iv]

While the rapid digitalization is a welcome development, the rise in cyber attacks and data breaches has also been apparent. Even before the exponential growth in digital use, the Philippines had fallen victim to data hacks, financial fraud, and breaches. The most infamous cases include: 1) the 2016 Commission on Elections hack, which released the entire database of Filipino voters on the dark web, and 2) the 2016 Bangladesh heist, in which a Philippine bank was involved in making fraudulent transactions resulting in a loss of $81 million. In 2016, Russian cybersecurity firm Kaspersky noted that the Philippines was the most hacked country in Southeast Asia and ranked 7th in the world in number of cyber attacks. A Microsoft study estimates that around $3.5 billion, or 1.1 percent of GDP, is at risk due to cybercrime incidents.[v]

There has been an observed rise in cyber attacks in the Philippines during the pandemic. The Philippine National Police (PNP) reported a 37% increase in online scam cases in 2020. The National Bureau of Investigation (NBI) recorded a 200% increase in phishing cases handled. Private vendors have also seen an alarming trend. Technology security company Sophos saw a 30% increase in ransomware attacks among firms in the Philippines, and cybersecurity provider Kaspersky reported a 49% increase in web threats during the pandemic.[vi] The alarming trend has led the government to ramp up an awareness campaign on the attack vectors used by cyber criminals. However, there is cause for concern about the ability of the Philippines as a whole to handle the increasing cyber threats.

The Philippines continues to trail the ASEAN-6 economies in terms of cybersecurity capacity. Based on the International Telecommunication Union’s Global Cybersecurity Index 2020, the Philippines ranks last among its neighbors with a score of 77.[vii] As a comparison, Singapore leads the region with an almost perfect score. The index measures commitments to cybersecurity across five pillars: legal measures, technical measures, organizational measures, capacity development measures, and cooperation measures. For its part, the Philippines scores high on the legal measures and cooperation measures. Where it needs development is in the organizational aspect, or the coordination of institutions, policies, and strategies for cybersecurity development at a national level. Table 1 summarizes the scores of the commitment of the Philippines and ASEAN-6 economies across the five pillars.

There is also a lack of cybersecurity professionals in the country. The International Information System Security Certification Consortium (ISC2) is the leading cybersecurity professional organization in the world. The ISC2 grants the Certified Information Systems Security Professional (CISSP) certification, one of the most coveted certifications for cybersecurity experts. As of July 2021, there are 149,174 CISSP holders across 172 countries, 62% of whom are in the United States.[viii] In the ASEAN region, there are 3,707 CISSPs, with Singapore leading at 2,683. The Philippines is 4th in the region with only 183 certified professionals.

While the Philippines may rank 4th in cybersecurity experts per million internet users among Southeast Asian states, it still has a long way to go to catch up to region-leading Singapore in terms of the number of cyber professionals. The country is home to an estimated 73 million internet users, and the ratio of cybersecurity experts to internet users is an alarming 2 to 1 million. For comparison, Singapore has 507 certified cybersecurity professionals per million internet users. The lack of cybersecurity experts, however, is apparent throughout the region. Singapore is way ahead, with Vietnam and Indonesia only having one expert per million internet users. Philippine cybersecurity experts also highlight the fact that some CISSP professionals in Singapore are Filipinos who sought greener pastures. This means the talent is present in the Philippines, but the sector suffers from brain drain and a lack of competitive rates.

In addition, the Philippines suffers from a lack of reliable data on cybersecurity incidents. Most of the reports being cited in legislation and regulations come from third-party sources. The government does not have a centralized and localized view of the kind of cyber threats that Filipinos are facing. Data collection is spread across multiple government agencies, with limited coordination among them.

Overall, the Philippines needs to improve its cybersecurity capacity, manpower, and data collection framework to maximize the benefits of the digital economy. While this article focuses on the overall landscape of digitalization and cybersecurity, the succeeding thought pieces will delve deeper into the current policy landscape, the overlapping mandates across agencies, and a proposal for an integrated cyber reporting system.

AUTHOR’S NOTE:

This article is part of a series discussing policy options to improve Philippine cybersecurity.

ENDNOTES AND REFERENCES

[i] See Google, Temasek, and Bain (2021). e-Conomy SEA 2021 — Philippines. Retrieved November 15, 2021.

[ii] See Philippine Statistics Authority (2020). National QuickStat for August 2020. Retrieved October 13, 2021.

[iii] Kemp, S. (2021) Digital in the Philippines: All the Statistics You Need in 2021. Retrieved November 15, 2021.

[iv] Ibid 1.

[v] See Cybersecurity threats to cost organizations in the Philippines US$3.5 billion in economic losses. Retrieved October 20, 2021.

[vi] Read Ransomware attacks cost PH firms P40 million on the average in 2020. Retrieved November 15, 2021. Read also VOTT: Cyberattacks threaten PH, other economies. Retrieved November 14, 2021.

[vii] International Telecommunication Union. (2021). Global Cybersecurity Index 2020. Retrieved November 15, 2021.

[viii] See full ISC2 member count and breakdown by country and region.


Written by Keith Detros

Government affairs professional with focus on tech policy. Currently a Masters in International Affairs student at National University of Singapore's LKYSPP.
