9.

1
VOLUME

STRATEGIC
CONSIDERATIONS
FOR PHILIPPINE
CYBER SECURITY

OCCASIONAL
PAPER January 2016
 OCCASIONAL PAPER JANUARY 2016

02

STRATEGIC
CONSIDERATIONS
FOR PHILIPPINE
CYBER SECURITY
CYBER CRIME
Despite the relatively controlled threat posed by cyber crime, the Philippine
government has adopted a more active posture towards countering illegal domestic
cyber activities in contrast to countering external threats to national security.

Cyberspace has become an indispensable domain
for state interaction. Governments have, therefore,
made use of cyberspace for power projection, the
protection of critical national infrastructure, and the
exertion of political influence over other actors in the
international system. This domain, however, has also
become a prominent source of insecurity between
states because of its particularly strong potential for
espionage, sabotage, and subversion.1 While cyber
security continues to be a contentious policy issue,
the promise of a “cyber revolution” has influenced
numerous states to develop capabilities for military
cyber operations. More than 40 states have now
developed military cyber organizations and policies
and nearly 70 states have crafted non-
military policies and organizations.2
The idea of a cyber revolution is based on three
widely held assumptions suggested by some
scholars and policymakers about cyberspace:
it enables asymmetric advantages; it is offense-
dominant; and, deterrence is not effective in
this domain.3 First, cyberspace is asymmetric
because, it allows weaker actors to use fewer
resources and capabilities to challenge the military
forces of powerful states. Second, cyberspace is
offense-dominant for several reasons, including
the instantaneous speed of attacks, the problem
of attributing attacks to a perpetrator, and the
overwhelming dependence on cyberspace
throughout modern society.4 As a result, enemies
can exploit these opportunities and engage in
numerous malicious activities, including network Image Credit: rfa.com

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved. * The views and opinions expressed in this Paper are those of the author and do not necessarily reflect those of the Institute.
OCCASIONAL PAPER JANUARY 2016
03
disruption and espionage against target states. Third,
deterrence is not effective in cyberspace because the
threat of retaliation is not viable if the adversaries are not
cognizant of a state’s cyber capabilities.
Deterrence is the use of threats to discourage adversaries
from initiating undesirable actions.5 The logic of
conventional deterrence is based on three core elements:
communication, credibility, and capability.6 For deterrence
to be effective, a deterring state must first communicate
to its adversaries which actions are unacceptable and
the corresponding punishment once these actions are
undertaken. The state must then demonstrate that it
has the capabilities to support its threats. Lastly, the
state must establish credibility by convincing adversaries
that the communicated threats will actually be carried
out.7 However, these elements are problematic when
applied to cyberspace. It would be detrimental for
states to communicate and demonstrate that they have
cyber capabilities because to do so diminishes their
strategic surprise and technological superiority, the main
advantages of military cyber operations. Absent any
awareness and confirmation from their target state,
adversaries will not be persuaded that
a state has such capabilities.8
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
Athough the proliferation of cyber capabilities
is inevitable, the assumptions about the value
of cyberspace for military operations are mainly
overstated and need to be clarified. First,
cyberspace does not provide asymmetric
advantages to weak actors. The most sophisticated
cyber attacks, “Stuxnet” and “Flame” for instance,
required an unprecedented level of expertise and
operational capabilities that weak states and non-
state actors do not necessarily have.9 Second,
the idea that cyberspace is offense-dominant
is also questionable because the complexity
of weaponization makes offensive operations
more difficult for states to develop. Moreover, the
empirical evidence suggests that cyberspace is not
necessarily offense-dominant as some academics
and policymakers argue because the success
and decisiveness of offensive cyber operations
are generally conditioned on “attack severity,
organizational competence, and actor resolve.”10
Lastly, traditional deterrence models may not be
useful in cyberspace but an alternative interpretation
of deterrence sees a cyber attack as an indication of
successful deterrence because it substitutes kinetic
or physical attacks between states.11
Given this context, this paper argues that despite
the strategic limitations of cyberspace, the
Government of the Philippines should consider
cyber security as a policy priority because of
three reasons: the economic consequences of
cybercrime, the security consequences of cyber
espionage and the political consequences of cyber
conflict in the region. The remainder of the paper
is divided into in four sections. The first section
introduces central concepts regarding the study of
cyber security. The second examines some factors
that could influence the development of cyber
capabilities in the Philippines. The third surveys the
existing regional and domestic policy responses
to cyber threats. Finally, the last section offers
some recommendations for the next president,
particularly focusing on integrating cyber security
within national security policy and military strategy.
Following these objectives, the paper does not
offer recommendations about the domestic
law enforcement, e-governance, information
infrastructures and other related topics that fall
outside the scope of strategic interactions between
actors in the international system.
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016
04
Concepts and Actors
Our understanding of cyber issues is dependent on
how concepts and actors are defined and framed. It
is necessary to clarify specific concepts and identify
actors to avoid confusion and exaggeration about
state capabilities and threats in cyberspace. The
following section therefore discusses some core
concepts and actors in area of cyber studies.
Concepts
A core concept in the conduct of cyber security
operations is the offensive and defensive capabilities
of a state or its Computer Network Operations
(CNO). These operations are divided into three
types of functions: Computer Network Attack
(CNA), Computer Network Defense (CND), and
Computer Network Exploitation (CNE). CNA is an
offensive operation and is defined as the capability
to use computers to “disrupt, deny, degrade, or
destroy information” in adversaries’ computers
and information systems. CND, on the other hand,
involves the protection of a state’s computer
networks: having the capability to “detect, analyze,
and mitigate threats and vulnerabilities, and
outmaneuver adversaries.” CNE is an espionage
operation and is the ability to collect intelligence
through the use of computer networks
to gather data about adversaries.12
These functions provide a general idea of what
states can do in cyberspace, although it is
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
important to note that the specific operational
instrument involved in executing cyber attacks are
weapons delivered through a computer. A cyber Table 1. CYBER WEAPONS DEFINED14
weapon, in this sense, is a computer code that is
used or is designed to be used with the objective
of threatening or causing damage to objects,
networks, or living beings.13 Cyber weapons can
come in different forms, ranging from generic tools
that cause nuisances to high-end tools that can
bring down a state’s critical infrastructure. Table 1
presents the main types of cyber weapons
as well as their basic definitions.
Another fundamental concept is the projection of
power in cyberspace or cyber power. This paper
considers cyber power as an extension of politics,
which is, fundamentally, the authoritative allocation
of valued things.15 Since power relates to the
allocation of capabilities and resources, the paper
adopts Nye’s idea of cyber power: “the ability to
obtain preferred outcomes through the use of
electronically interconnected information
resources of the cyber domain.”16
Moving to the next concept, much debate has
been generated by the term cyber war. While
several definitions exist for this concept, this
papers proceeds with the view that notion of war is
problematic and even dangerous when applied to
cyberspace. An act of war must be instrumental,
political, and lethal, whether in cyberspace or
not.17 No stand-alone cyber operation on record
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016

05 Table 2. Actors, incidents and weapons

meets these criteria, thus the concept of cyber In terms of non-state actors, there are three
war will not be used for purposes of the paper. As additional subcategories: criminals, hackers, and
alternative, the paper follows the work of Valeriano terrorists. Criminal organizations exploit cyberspace
and Maness who suggest the term cyber conflict as through various methods for monetary gain. The
more appropriate, as it involves hostile interactionsmajor types of online criminal activities include theft
between states but is not necessarily indicative of data, financial crimes, corruption, and crimes
of warfare.18 Cyber conflict is defined as “the use against children.23 Hackers on the other hand,
of computational technologies in cyberspace for execute in network intrusions for different reasons,
malevolent and destructive purposes in order to ranging from experiencing the thrill of the challenge
impact, change, or modify diplomatic as well as to bragging rights. Although cracking into networks
military interactions between entities.”19 once required a fair amount of skill or computer
knowledge, attack tools have now become
Actors more sophisticated and easier to use, providing
Since the barriers and costs to entry in hackers with more capabilities.24 For instance,
cyberspace are low, a range of actors have engaged politically motivated hackers or hacktivists, such
in numerous types of disruptive activities against as “Anonymous” and “LulzSec”, overload e-mail
different targets. There are two main categories servers and hack into websites to send a specific
of actors in cyberspace: states and non-state political message to target audience.
actors. States are clearly the dominant actors
in cyberspace, given their extensive resources, While there have been no recorded incidences
expertise, and capabilities. The development
20
of “cyberterrorism”, cyberspace is attractive to
of the most sophisticated and high-level CNO is terrorist organizations because it guarantees
typically designated to states’ intelligence and anonymity, it enables global communication, and
military services. The objectives of these services it delivers a strong psychological impact.25 The
are to collect and/or destroy intelligence by Central Intelligence Agency suggests that terrorists
exploiting and disrupting adversaries’ information will remain focused on traditional attack methods;
infrastructure. Some prominent examples include however, the CIA anticipates increasing cyber
the National Security Agency of the United States, threats as a more technically capable generation of
the Government Communications Headquarters of terrorists join the ranks.26 Table 2 provides some
the United Kingdom, the General Staff Department examples of the cyber weapons that different
(3rd and 4th Departments) of the People’s Liberation actors have utilized as well as the
Army in China,21 and the Reconnaissance General incidents they were involved in.
Bureau and General Staff Department of the
Korean People’s Army in North Korea.22

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved. www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016
06
In examining the role of different actors in
cyberspace, it is imperative to highlight the
significant difference between the capabilities of
states and non-state actors in cyberspace. There
is a persistent media blitz about the threat of
massive and destructive cyber attacks by non-state
actors, but these reports are largely overstated and
empirically untested.32 It is therefore necessary
to adopt a more strategic understanding of cyber
conflict where the focus of inquiry is the realistic
outcome or consequence of the attack aside from
technical and tactical considerations such as the
number of websites that are defaced or the
type of malicious code used by hackers.
Factors Affecting Cyber Security Development
States generally produce specific defense and
security capabilities in response to external
and domestic considerations. While there is no
scholarly nor policy consensus over which factors
constrain states’ investments in cyber capabilities,
the subsequent section offers three important
factors that could potentially influence further cyber
capability development in the Philippines.
Economic: Cyber Crime
The first factor is the growing industry of cyber
crime. The low barriers to entry, the assurance
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
of anonymity, and the high speed of transactions
offered by cyberspace provide criminals with
unparalleled opportunities for profit generation. A
report by the Center for Strategic and International
Studies and McAfee estimates that the global
economy loses $375 billion to $575 billion annually
due to cyber crimes. Even the most conservative
estimate of economic losses to these criminal
activities is more than the national income of most
states and companies, signifying the level of
risk states face from cyber crime and Image Credit: media.licdn.com
how rapidly the risk can evolve.33
Despite the relatively controlled threat posed by Investigation), and the Anti-Cybercrime
n the context of the Philippines, cyber crime is
cyber crime, the Philippine government has adopted Group (Philippine National Police).36
an existing problem but is not as threatening
a more active posture towards countering illegal
compared to other organized criminal activities
domestic cyber activities in contrast to countering Building on these efforts, there are two reasons why
such as robbery, kidnapping and drug trafficking.
external threats to national security. In terms of the government is encouraged to sustain and further
For instance, the Philippine National Police Anti-
crime prosecution, there are currently six laws that develop the capacity to address cyber crimes. First,
Crime Group reports that there were 3,368 recorded
relate to cyberspace: the Cybercrime Prevention domestic enforcement agencies, specifically the
cases of cyber crime from 2003 to 2014.34 Of these
Act of 2012, the Anti-Photo and Voyeurism Act National Bureau of Investigation and the Philippine
cases, the most common forms of cyber crimes
of 2009, the Anti-Child Pornography Act of 2009, National Police, still lack the expertise, capabilities,
were identified as website defacements, personal
the E-Commerce Act of 2000, the Access Devices and resources to effectively counter cyber threats.37
account infiltrations, and Internet fraud. The data
Regulation Act of 1998, and the Anti-Wiretapping Given the rapidly rising number of internet users,
to systematically quantify the economic impact of
Law of 1965. Moreover, the enforcement of it is impossible for the government to monitor
crime that make use of cyberspace is incomplete;
these laws is assigned to four key government millions of internet users without advanced network
however, the most substantial reports of losses have
agencies: the Cybercrime Investigation and surveillance systems and sufficient resources.
been from the Bangko Sentral ng Pilipinas, which
Coordination Center (Department of Science and Second, the mechanisms for inter-agency
estimates that PhP175 million was lost due to ATM
Technology), the Office of Cybercrime (Department cooperation are underdeveloped and need to be
fraud in 2012 and PhP220 million in 2013.35
of Justice), Cybercrime Division (National Bureau of strengthened. Since cyber crimes are pervasive and
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016

07

persistent, it is crucial for the government to create hand, it can also facilitate network infiltration by
a cohesive strategy that defines the responsibilities adversaries.
of each agency and sets out a clear implementation
plan that accurately integrates their functions. In the case of the Philippines, investing in cyber
espionage or CNE capabilities would enhance
National Security: Cyber Espionage the intelligence collection of security and military
The second factor is the growing prominence of services. The minimum credible defense
cyberspace as area for espionage. Several cases strategy, which the government is developing, is
of cyber conflict relate to espionage operations fundamentally dependent on understanding an
between states. For example, in 2005, the United adversary’s intentions and capabilities.40 Given
States government discovered Chinese computer this situation, government security and military
network operations “Titan Rain”, which successfully forces can leverage the advantages of cyberspace
infiltrated numerous secure systems, including to collect vital intelligence regarding adversaries’
the Department of Defense, Department of State, intentions about critical issues, such as the ongoing
Department of Homeland Security, National territorial disputes or the arms dynamic in the region.
Aeronautics and Space Administration, and even the The government’s current focus is to improve
British Foreign Commonwealth Office.38 conventional capabilities of the military; it would be
reasonable to supplement these capabilities and
More recently, computer security company FireEye invest in military computer network operations.
revealed the extensive cyber espionage operation
of a group called APT30 against several states The paradox of cyberspace is that it also allows
in Southeast Asia and beyond. This incident is other states to steal information from computer
disconcerting because of APT30’s suspected networks in the Philippines. There have been several
association with the Chinese government as well as reports by companies like FireEye and Kaspersky
the group’s consistent focus on collecting specific Lab of network infiltrations against the Philippine
information about political, military, and economic government, but it is unclear if security and military
issues in the region, and about media organizations services have CND capabilities to defend the state’s
and journalists who write on topics about the networks against these hostile operations.41 This
Chinese government’s legitimacy. Considering
39
uncertainty is reflected in existing cyber security
these examples, espionage through cyberspace assessments, which indicate that the Philippines is
becomes paradoxical; on one hand, it enables deficient in military capabilities for cyber operations,
the efficient collection of intelligence, on the other public cybersecurity assistance networks (Computer

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved. Image Credit: post-gazette.com www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016
08
Emergency Response Teams), and inter-agency and
intergovernmental cooperation among other areas.42
In this sense, it would be in the strategic interests
of the government to develop CND capabilities,
considering the advantages of cyberspace for
intelligence collection and the necessity for defense
against the persistent and pervasive threat of cyber
espionage by adversaries within region.
Political: Cyber Conflict
The third factor is the persistent cyber conflict in
the Asia-Pacific. The Philippines is located in a
region characterized by major shifts in the balance
despite the strategic
limitations of
cyberspace, the
Government of the
Philippines should consider
cyber security
as a policy priority
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
of power, uneven distributions of economic power
within and between states, and intense territorial
disputes.43 Given these dynamics, there are two
crucial reasons why geopolitics in the Asia-Pacific
is integral to influencing the development of cyber
capabilities in the Philippines. First, regional
disputes and insecurities between states have
continued on from conventional conflict domains
and have manifested in cyberspace. This situation
makes the Asia-Pacific the most active
region in terms of cyber conflicts between
states, mainly due to Chinese action.44
In light of the Philippines’ involvement in a territorial
dispute with China, it is likely that cyber conflict will
become a prominent tool for power projection in the
twenty-first century. This conflict has the advantage
of can delivering a strong message sans the risks
associated in conventional attacks. In addition,
the Philippines is currently entangled between
two great powers that are also engaged in hostile
action in cyberspace. A recent ground-breaking
study confirms this observation: “China needs an
outlet, and military grandstanding, with possibility
of escalation involving the Americans is something
China does not want to deal with at the moment.
China seems to be good at infiltrating foreign
networks, and this seems to be the “least”
they can do for power projection.”45 United States. In short, the lack of cyber capabilities
Second, other global “cyber powers” are also
located in the region. North Korea, South Korea,
and Japan all have advanced cyber capabilities
and are immersed in various political rivalries and
territorial disputes in the Asia-Pacific.46 Whereas
these rivals typically project military power and
engage in aggressive actions through the air and
maritime domains, cyber conflict has also been
used as a tool to advance foreign policy interests. It
is therefore not surprising that from 2001 to 2011,
North Korea instigated fifteen cyber attacks against
various states including South Korea, Japan and
the United States. South Korea was associated with
eighteen cyber incidents, mostly against Japan and
North Korea. Japan, meanwhile, had fifteen cyber
disputes involving China, North Korea, and
South Korea as adversaries.47
The strategic consequences of this relatively new
trend may be crucial for the Philippines as it is still
uncertain whether cyber conflict can consistently
lead to crisis instability and force states to escalate
low-risk cyber attacks into higher-risk conventional
attacks.48 In this case, the compelling reason for
the Philippines to develop cyber capabilities lies
in supporting its allies to mitigate and de-escalate
existing cyber conflicts. Even if the Philippines does
not have defense agreements with Japan and South
Korea, it could be entangled during cyber conflicts
because of its existing defense agreement with the
precludes the Philippines from defending itself from
cyber attacks as well as from contributing to the
security and stability of the regional cyberspace.
Policy Responses to Cyber Threats
Strategies to counter cyber threats have been
implemented by states unilaterally, rather collectively
through international institutions. There is a growing
consensus that norms and cooperation can mitigate
the uncertainty and hostility in cyberspace; however,
conflicting interests between powerful states,
exacerbated by the revelations of Edward Snowden,
make further international norm promotion
improbable.49 Responses to cyber threats have,
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016
09
therefore, been state-driven and particularly focused
on strengthening domestic law enforcement as well as
military capabilities. These responses have included
everything from recruiting potential CNO specialists to
establishing full-scale cyber commands. This section
briefly surveys the policy responses of key regional
institutions in the Asia-Pacific and the efforts of the
Government of the Philippines towards cyber security.
Regional
States in the region have invested time and resources
to address cyber threats mainly through the Asia-Pacific
Economic Cooperation (APEC) and the Association
of Southeast Asian Nations (ASEAN). The creation of
regional levels of governance has created
a collaborative space where such strategic
discussions can take place. These efforts have,
therefore, enabled states in the region to develop
transnational responses to cyber threats with shared
confidence in their neighbors based on their
similarities rather than differences.50
The cyber security efforts of APEC are captured
in three key documents. The first is the APEC
Image Credit: hoover.org
Cybersecurity Strategy, which was formulated by
the APEC Telecommunications and Information
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
Working Group in May 2002.51 The strategy called for
increased cooperation and coordination in four broad
areas: creating a legal framework; sharing information
and cooperation, producing security and technical
guidelines, training and education; and developing
wireless security technologies. The document, however,
did not provide any details regarding how the strategy
would be implemented. The second document is
the APEC Strategy to Ensure Trusted, Secure and
Sustainable Online Environment, which was drafted
during the Senior Officials’ Meeting in November 2005.52
The document highlighted the emerging cyber threat
and highlighted the need to improve the following cyber
security measures: cohesive domestic strategies, legal
and policy frameworks, incident response and recovery
capabilities, partnerships among government, industry,
academics, public awareness regarding online security,
research and development, and interstate cooperation.
Much like the previous strategy, the modified version
does not offer any concrete directions on how APEC
member states would realize these measures.
The APEC TEL Strategic Action Plan 2016-2020 is
the third and most recent document, produced by the
APEC Telecommunications and Information Working
Group in March 2015.53 The document accentuated
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016
10
five key priorities, including a strong emphasis on
a secure, resilient, and trusted ICT (Information
and Communications Technologies) environment.
More importantly, the document presented an
implementation plan that prescribed the need
to undertake specific actions during the next
four years: research, capability-building, public
awareness, and intergovernmental cooperation.
Whereas the strategic plan recommends workable
and specific measures to address cyber security,
the success of the plan is largely dependent
on the level of commitment and the
resources available to each state.
Cyber security has been a concern for ASEAN
for more than a decade, but prior to the ASEAN
ICT Masterplan 2015, no clear and concrete
regional strategy was developed by the institution
to compel its member states to address cyber
threats. The problem of cyber crime was first
discussed during the 2nd Senior Officials Meeting on
Transnational Crime in 2002. State representatives
agreed on the following responses: to establish a
compilation of applicable national laws, regulations
and international treaties relating to cyber crime
legislation; work towards the criminalization of
cyber crime activities; enhance law enforcement
and intelligence cooperation; develop regional
training; coordinate with ASEAN Chiefs of National
Police (ASEANAPOL) for the analysis of cyber crime
activities; and seek training assistance from ASEAN
Dialogue Partners and international institutions.54
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
Following this discussion, cyber security figured
prominently in several subsequent meetings,
including the 3rd Meeting of the ASEAN
Telecommunications and IT Ministers in 2003,
where it was decided that an ASEAN Information
Infrastructure was needed as well as the
development and operationalisation of the national
Computer Emergency Response Teams by 2005.55
In 2006, the ASEAN Regional Forum released
two statements that stressed the importance of
cyber security. The first was the ARF Statement
on Cooperation in Ensuring Cyber Security, which
reinforced the need for an ARF work plan on security
in the use of ICT and more dialogue on confidence-
building, stability, and risk reduction measures to
address the implications of ARF participants’ use
of ICT.56 The second was the ARF Statement on
Cooperation in Fighting Cyber Attack and Terrorist
Misuse of Cyber Space, which recommended the
implementation of cyber crime laws in accordance
with national conditions and continued interstate
cooperation in countering cyber crime
and terrorists’ use of cyberspace.57
The last and most current collaboration is the
ASEAN ICT Masterplan 2015 that was adopted
during the Telecommunications and IT Ministers
Meeting in 2011. The plan prioritizes cyber security
through two broad initiatives. Building trust is the
first initiative and it involves the promotion of secure
transactions within ASEAN and public awareness
about online security. Promoting information
security is the second initiative and it has to do appropriate strategy to mitigate cyber conflict.
with developing a common framework for network
security and information security across the region.58 Domestic
The response of the Government of the Philippines
In reviewing the regional responses to cyber threats, towards cyber security has generally been limited
it is apparent that some barriers have been slowing despite a significant cyber incident that transpired
the growth of cyber security efforts in the region. The in 2000. The “I LOVE YOU” virus, created by an
first barrier is the uneven distribution of resources undergraduate Filipino computer science student,
and capabilities among states. States such as infected around 55 million computers and
Japan, South Korea, and Singapore are clearly more generated around $10 billion worth of damage
technologically superior compared to other states globally.60 Government prosecutors filed cases
like China, Indonesia, Malaysia, the Philippines, and against the perpetrator Onel de Guzman, but the
Thailand; but even these are considerably more indictment was dismissed even at the first stage
advanced than states such as Brunei, Cambodia, because there was no law punishing
Laos, Myanmar or Vietnam. Even though this computer criminals at that time.61
“digital divide” is predominantly expressed in terms
of infrastructure development and broadband A significant initiative towards a national cyber
penetration, the economic inequalities and low security blueprint was the creation of the National
socio-political capacity levels present substantial Cyber Security Plan in 2004. The plan was
challenges to these states as well.59 The second comprehensive and reflected the government’s
barrier relates to the level of cooperation that states cyber security policy, which centers on
are willing to extend in the area of cyber security. institutionalizing “the necessary capabilities in the
States develop CNO capabilities to obtain different government and the private sector to adequately
strategic security objectives; therefore, it would not meet and respond to challenges and threats against
be in their best interest to share information about critical cyber infrastructures.”62 The plan presented
their cyber operations. In this sense, collaborative four main strategies and corresponding programs
operations and intelligence sharing can potentially that were part of the government’s solution
diminish the strategic advantage of cyber operations to increasing threats in cyberspace.
more than other conventional military operations.
Furthermore, the absence of global norms or code The first strategy is to understand the risks present
of conduct for cyberspace operations also signifies through a sustained threat assessment of national
the uncertainty and lack of consensus about the vulnerabilities and protective measures already
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016
11
being implemented by the government. The second
is risk control, which requires comprehensive
security planning, effective resolution of crisis,
and risk monitoring. The third strategy relates to
the organization and mobilization of necessary
resources and relevant stakeholders, such
as specialists from the private sector and the
international community, for the implementation of
the plan. The fourth strategy focuses on instituting
regulatory and legislative reforms crucial to
addressing the challenges of cyber threats.63
Building on the cyber security policy, the National
Cybersecurity Coordination Office prepared an
operational framework in 2008. The National
Cybersecurity Coordination Strategy and
Implementation Plan proposed a coordination
strategy that comprised on five execution programs:
Cyber Security Legal Regime; Critical Cyber
Infrastructure Security Threat and Vulnerability
Reduction; Critical Cyber Infrastructure Security
Awareness, Education and Training; Critical Cyber
Infrastructure Security Incident Response and
Consequent Management; and National and
International Coordinating Mechanisms.64
More importantly, the plan justified the urgent
need for inter-agency cooperation through the
establishment of centralized committee and the
consistent participation of different government
bodies and private organizations securing Philippine
cyberspace. However, while the implementation
plan was comprehensive and ambitious in theory,
as of yet there is no clear evidence or report that
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
discusses the status or completion of the programs proposed in the plan.
The last and most recent cyber security initiative by the Government of the
Philippines is Executive Order No. 189, which was released on September
17, 2015. The Executive Order was drafted in response to increasing cyber
threats, and in particular intended to address the theft of classified and sensitive
electronic information and to assess national vulnerabilities of government and
commercial information systems.65 It prescribes several measures, the most
salient of which are the reestablishment of the National Cyber Security Inter-
Agency Committee, the formation of a National Cyber Security Coordination
Center, the creation of Computer Emergency Response Teams in all government
offices, and the transfer of the new Cybercrime Investigation and
Coordinating Center from the Office of the President to the
National Cybersecurity Inter-Agency Committee.66
The objectives of Executive Order are appropriate and reasonable, yet there are
two fundamental concerns that the government seemed to have missed. First,
there was no discussion about the sustainability of the initiatives proposed in
the document. Considering that the current government will be stepping down
in 2016, it is uncertain whether the plans will be continued by the next set of
political leaders. Second, the document does not provide any policy guidance
regarding offensive and defensive cyber operations. It is not possible to
secure national critical infrastructure and information systems
without a clear and integrated strategy for cyberspace.
Thus, the government’s response to cyber threats can be described as
acceptable but nevertheless incoherent. An evaluation of previous cyber security
initiatives suggests that there are no consistent links or continuation between
the initiatives of the previous and the current government. This incoherence is
a contributing factor towards the underdevelopment of the cyber capabilities in
the Philippines. Nevertheless, the lack of capabilities can also be an opportunity
for the next president given the rapidly increasing dependence of states on
cyberspace. The succeeding section offers some ideas about the relevance of
integrating cyber security as a national security priority in the Philippines.
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016
12
Considerations for the Next President
Since previous efforts in creating a cyber strategy
were incoherent, the next president has the
opportunity to ensure strategic coherence in
addressing cyber threats. There are two initial steps
in producing a cyber strategy: assessment and
development. The first is to assess the status and
outcome of previous government initiatives on cyber
security such as the National Cyber Security Plan
and Executive Order No. 189. The assessment
would have two objectives. The first is to determine
if existing cyber organizations have the sufficient
expertise, appropriate resources, and proper
procedures to defend the state. The second is to
evaluate if the existing inter-agency coordination and
implementation mechanisms are in place and are
actually working. This assessment is necessary to
establish continuity and avoid wasting
resources during government transitions.
The second step is to develop cyber strategy
that builds on the efforts of the previous
government. There are five levels of strategy
where the government needs to integrate cyber
security: policy, grand, military, operational, and
tactical.67 Policy refers to the set of objectives
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
to be accomplished by the government.68 A national security policy typically
explains the main priorities and objectives of the president of a state. If cyber
security is to be a priority, the national security policy should explicitly explain the
relevance of cyber security and its value for the state. Grand strategy denotes the
coordination of all national assets towards the attainment of policy objectives.69
The grand strategy provides more details about the cyber strategy of the
government such as the relevant cyber organizations, the system of coordination,
management of capabilities, and cooperation with international institutions if
possible. The military strategy refers to use of military power in support of the
grand strategy.70 A national military strategy, thus, discusses the objectives,
general approaches, and the resources of the armed forces in preserving the
national security of a state. In terms of cyber security, this strategy should explain
the military’s role in cyberspace and give the public a general sense of
the type of military actions involved in securing the cyberspace.
An operational strategy has to do with the cumulative and coordinated tactical
actions undertaken to achieve a specific operational goal.71 Since goals at the
operational level are diverse, integrating cyber operations into military operations
would involve engagements ranging from disabling a command and control
system of a military base to disrupting the infrastructure protocols of a military
production facility. Lastly, a tactical strategy refers to the details of combat,
specifically deployments, engagement with the enemy, and interaction between
different units of the military.72 Cyber operations at the tactical level would entail
detailed actions, including the development of cyber units in each military
service, the type of response against cyber attacks, and the
coordination between different military cyber units.
Image Credit: forbescustom.com
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016
13
Conclusion
Cyber security is still a weak aspect of Philippine
national security. The lack of discussion regarding
the challenges and opportunities relating to
cyberspace is impeding current efforts to address
increasing cyber threats against the state. Given
these circumstances, there are three reasons
why the Philippine government should consider
cyber security as a policy priority. The first is that
the economic losses to cybercrime are escalating
and law enforcement agencies do not necessarily
have the capabilities to handle the massive volume
of incidents. The second is cyber espionage has
become a predominant method of intelligence
collection and it is not clear if the military has the
capabilities to detect and counter these operations.
Third is that the territorial disputes and political
conflicts in the Asia-Pacific region have “spilled over”
into cyberspace, therefore making the region the
most active in terms of cyber conflict.
C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved.
Reponses to cyber threats have mainly been
implemented by states, rather than collective action
through by international institutions. Whilst there is
a growing consensus that norms and cooperation
can mitigate the uncertainty and hostility in
cyberspace, conflicting interests between powerful
states, aggravated by the revelations of Edward
Snowden, make international norm promotion more
difficult. States in the region have invested time
and resources to address cyber threats through
the Asia-Pacific Economic Cooperation and the
Association of Southeast Asian Nations but these
efforts are limited; although cyber security has
been a topic of concern for the last decade, more
concrete plans have only been articulated in the
last few years. Domestic responses to cyber threats
have been limited since most of the efforts have
focused on establishing legal frameworks to enable
law enforcement. There is no indication that the
previous and current government has mandated
the investment in capabilities for military
operations in cyberspace.
In this regard, the next president has the genuine
opportunity to consider cyber security as a core
national security priority and to ensure strategic
coherence in addressing cyber threats. Strategic
coherence can be enhanced by integrating cyber
security measures in all levels of strategy: policy,
grand, military, operational, and tactical. More
significantly, the next president must realize that
the topic of cyber security is no longer just for the
“IT crowd.” An interdisciplinary approach to cyber
security that draws on a range of expertise and
involves all government agencies is necessary to
protect Philippine national interests in cyberspace.
www.stratbase.com.ph
OCCASIONAL PAPER JANUARY 2016

14
ENDNOTES: Economist: Modern Warfare, Intelligence and Deterrence: The technologies that are asean.org/ communities/asean-political-security-community/item/work-programme-
transforming London: Economist Books, Arquilla, J., (27 February 2012) Cyberwar Is to-implement-the-asean-plan-of-action-to-combat-transnational-crime-kuala-lumpur-
1
Rid T. (2013). Cyberwar will Not Take Place. London: Hurst & Co. Ltd, xiv-xv. Already Upon Us [Web log post]. Retrieved from http://foreignpolicy.com/2012/02/27/ 17-may-2002
2
United Nations Institute for Disarmament Research (2013). The Cyber Index In- cyberwar-is-already-upon-us/ and Palette, D. et. al. (12 October 2015) Cyberwar Ig- 55
Association of Southeast Asian Nations (2003) 3rd Meeting of the ASEAN Tele-
ternational Security Trends and Realities Geneva, Switzerland: United Nations. nites a New Arms Race. Wall Street Journal. Retrieved from http://www.wsj.com/ar- communications and IT Ministers. Retrieved from http://www.asean.org/communities/
3
For a more detailed discussion on these assumptions see Lynn III, W. J. (2010) ticles/cyberwar-ignites-a-new-arms-race-1444611128 asean-economic-community/category/asean-telecommunications-and-it-ministers-
Defending a New Domain: The Pentagon’s Cyberstrategy Foreign Affairs 89 (5), 97- 33
Lewis, J. (2014). Net Losses: Estimating the Global Cost of Cybercrime Wash- meeting-telmin
108, Nye Jr., J. S. (2011). The Future of Power New York: Public Affairs, Libicki, M. ington D.C.: Center for Strategic and International Studies. 56
ASEAN Regional Forum (2012) ARF Statement on Cooperation in Ensuring Cy-
(2009) Cyberdeterrence and Cyberwarfare Santa Monica, CA: RAND Corporation. 34
Guillermo, J. (2015). Local Cybercrime Landscape [PowerPoint slides] Retrieved ber Security. Retrieved from https://ccdcoe.org/sites/default/files/documents/ASEAN-
4
Sheldon, J. (2011). Deciphering Cyberpower: Strategic Purpose in Peace Stra- from http://aseanfic.org/2015/wp-content/uploads/2015/02/Philippine-Cybercrime- 120712-ARFStatementCS.pdf
tegic Studies Quarterly 5(2), 95-112. Landscape-ASEANFIC.pdf 57
ASEAN Regional Forum (2006) ARF Statement on Cooperation in Fighting Cyber
5
Freedman, L. and Raghavan, S. (2008) “Coercion” In Paul Williams (ed.) Security 35
Bartolome, J. (2014, November 1) Nearly P400M lost to ATM fraud from 2012 Attack and Terrorist Misuse of Cyber Space. Retrieved from http://www.mofa.go.jp/
Studies: An Introduction London: Routledge, 217-218. to 2013, says lawmaker [Web log post.] Retrieved from http://www.gmanetwork.com/ region/asia-paci/asean/conference/arf/state0607-3.html
6
Mansbach, R. W. and Taylor, K. L. (ed.) (2011) Introduction to Global Politics 2nd news/story/ 386207/ money/economy/nearly-p400m-lost-to-atm-fraud-from-2012-to- 58
Association of Southeast Asian Nations (2011) ASEAN ICT Masterplan 2015.
Edition London: Routledge, 297. 2013-says-lawmaker Retried from http://www.asean.org/resources/publications/asean-publications/item/
7
Ibid 36
Sy, Geronimo L. (2015). Philippines 2014-2015 Cybercrime Report The Rule of asean-ict-masterplan-2015
8
Libicki, M. (2013) Brandishing Cyberattack Capabilities Santa Monica, CA: Law in Cyberspace Manila: Department of Justice. 59
Thomas, Cyber Security in East Asia, 4-5
RAND Corporation, vii-xi. 37
Ibid 60
Poulsen, K. (2010, May 3) May 4, 2000: Tainted ‘Love’ Infects Computers Re-
9
Lindsay, J. (2013) Stuxnet and the Limits of Cyber Warfare. Security Studies (22) 38
Seagal, A., (2013) “From Titan Rain to Byzantine Hades” In Jason Healey (ed.) A trieved from http://www.wired.com/2010/05/0504i-love-you-virus/
3, 385-389. Fierce Domain in Cyberspace, 1986-2012 Virginia: Cyber Conflict Studies Association, 61
Sosa, g. (2009). “Country Report on Cybercrime: The Philippines” In M. Sasaki,
10
Gartzke, E. and Lindsay J. (2015) Weaving Tangled Webs: Offense, Defense, 165-167. Resource Material No. 79 Paper Presented at International Training Course: The Crimi-
and Deception in Cyberspace. Security Studies 24 (2), 346. 39
Kujawa, A. (2015). APT30 and the Mechanics of a Long-Running Cyber Espio- nal Justice Response to Cybercrime, Tokyo, Japan: United Nations Asia and Far East
11
Ibid nage Operation Milpitas, CA: FireEye. Institute, 80-87.
12
Cartwright, J. E. (2010). Joint Terminology for Cyberspace Operations Washing- 40
Domingo, F. (2015, 27 February). Intelligence as the Philippines’ First Line of De- 62
Milallos, M. and Romero, S. (2004). National Cyber Security Plan Manila: Office
ton D.C.: U.S. Department of Defense. fense [Web log post]. Retrieved from, http://nottspolitics.org/2015/02/27/intelligence- of the President, Task Force for the Security of Critical Infrastructure, 32.
13
Rid, T., and McBurney, P. (2012). Cyber-Weapons. RUSI Journal 157 (1), 7. as-the-philippines-first-line-of-defense/ 63
Ibid, 34-42.
14
Definitions adopted from Carr, J. (2010), Inside Cyber Warfare: Mapping the Cy- 41
Kujawa, APT30 and the Mechanics and Donohue, B. (19 May 2015). Naikon 64
National Cyber Security Coordination Office (2008). National Cyber-security Co-
ber Underworld Sebastopol, CA O’Reilly Media, Reveron, D. (Ed.). (2012). Cyberspace APT steals geopolitical data from the South China Sea [Web log post]. Retrieved from ordination and Implementation Strategy Quezon City: Author.
and National Security: Threats, Opportunities, and Power in a Virtual World Washington https://blog.kaspersky.com/ naikon-apt-south-china-sea/8696/ 65
Executive Order No. 189 (2015)
D.C.: Georgetown University Press, 8, and Valeriano, B., and Maness, R. (2015). Cyber 42
International Telecommunications Union (2015). Global Cybersecurity Index Ge- 66
Ibid
War versus Cyber Realities. Oxford: Oxford University Press, 33-37. neva, Switzerland: ITU and Feakin, T., et. al. (2015) Cyber Maturity in the Asia-Pacific 67
Kane, T. and Lonsdale, D. (2011). Understanding Contemporary Strategy Lon-
15
Easton, D. (1953). The Political System: An Inquiry into the State of Political Sci- Region Canberra: Australian Strategic Policy Institute. don: Routledge, 13.
ence New York: Alfred Knopf, 5. 43
Betts, R. K. (1994). Wealth Power, and Instability-East-Asia and the United 68
Clausewitz, Carl von (2008). On War (M. Howard and P. Paret, trans.), Oxford:
16
Nye, The Future of Power New, 123 States After the Cold War International Security 18(3), 34-77 and Christensen, T. J. Oxford University Press, 28-29
17
Rid et, al., Cyber-Weapons, 7 (1999). China, the US-Japan Alliance, and the Security Dilemma in East Asia. Interna- 69
Hart, B. H. Lidell (1967) Strategy: An Indirect Approach London: Faber & Faber,
18
Valeriano et. al., Cyber War versus Cyber Realities, 31 tional Security 23(4), 49-80 335.
19
Ibid 44
Valeriano et. al., Cyber War versus Cyber Realities, 128 70
Kane et. al., Understanding Contemporary Strategy, 13
20
Nye, The Future of Power and Lindsay, Stuxnet and the Limits of Cyber Warfare 45
Ibid 71
Ibid, 14
21
Patton A., et. al., Occupying the Information High Ground: Chinese Capabilities 46
Wicherski et. al. (2011) Ten Days of Rain Santa Clara, CA: McAfee; Booz Allen 72
Ibid, 14
for Computer Network Operations and Cyber Espionage, Washington D.C.: US-China Hamilton (2001) Cyber Power Index: Findings and Methodology Virginia: author; Vale-
Economic and Security Review Commission, 2012. riano et. al., Cyber War versus Cyber Realities
22
Jun, Jenny, et. al. (2014). The Organization of Cyber Operations in North Korea 47
Valeriano et. al., Cyber War versus Cyber Realities, 84-90
Washington D.C.: Center for Strategic and International Studies. 48
Gompert, D., and Libicki, M. (2014). Cyber Warfare and Sino-American Crisis
23
International Police (2015) Cybercrime Retrieved from http://www.interpol.int/ Instability. Survival, 56(4), 7-22.
Crime-areas/ Cybercrime/Cybercrime 49
For more on the debate about cyber norms see Stevens, T. (2012). A Cyberwar
24
Reveron, Cyberspace and National Security of Ideas? Deterrence and Norms in Cyberspace Contemporary Security Policy 33 (1),
25
Weimann, G. (2004). Cyberterrorism How Real Is the Threat? Washington D.C.: 148-170 and Farell, H. (2015). Promoting norms for Cyberspace Cyber Brief New York:
United States Peace Institute. Council on Foreign Relations.
26
Ibid 50
Thomas, N. (2009). Cyber Security in East Asia: Governing Anarchy Asian Secu-
27
Healey, Jason (ed.) (2013) A Fierce Domain in Cyberspace, 1986-2012 Virginia: rity 5 (1), 19-20.
Cyber Conflict Studies Association, 141-142; Berghel, H. (2001) The Code Red Worm 51
Richardson, J. (2002) APEC Cybersecurity Strategy Singapore: Asia-Pacific
Communications of the ACM (44) 12, 15-19. Economic Cooperation
28
Stiennon, R. (2015) “A Short Histroy of Cyber Warfare” In James Green (ed.) 52
Asia-Pacific Economic Cooperation (2004) APEC Strategy to Ensure Trusted,
Cyber Warfare: A Multidisciplinary Analysis London: Routledge, 9-10. Secure and Sustainable Online Environment Retrieved from http://www.apec.org/~/
29
Blank, S. (2008) Web War I: Is Europe’s First Information War a New Kind of media/Files/ Groups/TEL/05_TEL_APECStrategy.pdf
War? Comparative Strategy (27) 3, 227-247. 53
Asia-Pacific Economic Cooperation (2015) APEC TEL Strategic Action
30
Lindsay, Stuxnet and the Limits of Cyber Warfare; Falliere, N. (2011) W32.Stux- Plan 2016-2020. Retrieved from http://www.apec.org/~/media/Files/Groups/
net Dossier. Mountain View, CA: Symantec Corporation, 1-3. TEL/20150331_APEC%20TEL% 20Strategic%20Action%20Plan%202016-2020.pdf
31
Valeriano et. al., Cyber War versus Cyber Realities, 173-175; 54
Association of Southeast Asian Nations (2002) Work Programme to Implement
32
Exaggerations of war in cyberspace are discussed in Sutherland, B. (2011) The the ASEAN Plan of Action to Combat Transnational Crime. Retrieved from http://www.

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved. www.stratbase.com.ph
9.1
VOLUME

ABOUT
Francis Domingo
is Assistant Professor of International Studies at De La Salle
University and concurrently a doctoral researcher affiliated with the Centre for
Conflict, Security and Terrorism and the Institute of Asia and Pacific Studies
at University of Nottingham. His current research explores the strategic
utility of cyber capabilities for small states. He holds an MA in Intelligence
Studies from Brunel University London (2009) and an MRes in Strategic Studies
from University of Reading (2014). His research has been published in
Defense and Security Analysis, Military and Strategic Affairs,
and Strategic Analysis, among other journals.

Before joining academia, he worked with the Armed Forces of the

Philippines as a research analyst with the Office of Strategic and
Special Studies (OSS), where he contributed to a number of
assessments on sensitive political and security issues.

Stratbase’s Albert Del Rosario Institute

is an independent international and strategic research
organization with the principal goal of addressing the
issues affecting the Philippines and East Asia
9F 6780 Ayala Avenue, Makati City
Philippines 1200
V 8921751
F 8921754
www.stratbase.com.ph

C 2016 ADRiNSTITUTE for Strategic and International Studies. All rights reserved. Image Credit: rfa.com and hoover.org