FUND FOR CYBERSECURITY RISK MANAGEMENT PUSHED

Camarines Sur Reps. Migz Villafuerte and Luigi Villafuerte are spearheading the creation of a dedicated fund for mitigating cybersecurity risks as well as preventing and preparing for digital attacks on government offices and private businesses.

This proposed Cybersecurity Risk Management and Mitigation Fund (CRMMF) shall be used for managing imminent or actual cyber-attacks, including threat identification and detection, incident response, system recovery and protection, and other related works or services, according to Migz, chairman of the House committee on information and communications technology (ICT), and Luigi, a deputy majority leader in the chamber.

Of this CRMMF, 30% shall be set aside, said the Villafuertes, as Quick Response Fund for the immediate restoration of affected critical information infrastructure (CII), which comprises the country’s computer and ICT systems and processes essential to the continuous delivery of vital services that have become at risk from phishing, ransomware and social engineering attacks, along with the rise of new threats from Artificial Intelligence (AI) such as deepfakes.

The specific amount of the CRMMF and the appropriate recipient-agencies shall be determined upon approval of the President, in accordance with the favorable recommendation of the National Cybersecurity Agency (NCSA), which is the new agency that the Villafuertes and two fellow CamSur congressmen want established under House Bill (HB) No. 2826.

Otherwise known as “The Cybersecurity Act,” HB 2826 was introduced by the Villafuertes with Rep. Tsuyoshi Anthony Horibata and Bicol Saro Rep. Terry Ridon.

Migz and Luigi proposed the establishment of the NCSA and the CRMMF in this bill as Secretary Henry Aguda of the Department of Information and Communications Technology (DICT) revealed that the government had foiled Distributed Denial of Service (DDoS) attacks on Philippine banks last Nov. 5.

Nov. 5 is observed as Guy Fawkes Day, an annual hacking day on which hacking activities, digital attacks and online protests happen across the world as a form of cyber activism.

Citing a report of the DICT’s Cybersecurity Bureau, Aguda bared at a press briefing that “the banking sector is the most affected (by the DDoS attacks). But so far, none of those banks have reported any disruption in their operations.”

DDoS refers to a “traffic flood” in which threat actors launch massive cyber attacks on the websites of selected institutions to disrupt their online services by making it difficult for netizens to download or access the targeted online platforms.

The DICT had reportedly activated its Oplan Cyberdome, where it coordinated with the Cybercrime Investigation and Coordinating Center (CICC), National Telecommunications Commission (NTC) and law enforcement agencies to monitor and fend off such cyberattacks.

“The CRMMF shall be used for cybersecurity risk mitigation, prevention, and preparedness activities such as but not limited to training of personnel, procurement of equipment, and capital expenditures,” Migz Villafuerte said.

Migz said this Fund “can also be utilized for the management of imminent or actual cybersecurity threats which may occur during the current fiscal year or those that occurred in the past 2 years from the current fiscal year.”

New legislation on cybersecurity is among the 44 priority measures under the Common Legislative Agenda (CLA) that President Marcos drew up with Congress leaders during the first Legislative-Executive Development Advisory Council (LEDAC) meeting under the 20th Congress last Sept. 30 at Malacañan Palace.    

Luigi Villafuerte said that under HB 2826, “All departments or agencies that shall be allocated with funds from the CRMMF shall submit to the NCSA monthly statements on their utilization of CRMMF and make an accounting of such disbursements in accordance with existing accounting and auditing rules.”

The proposed CRMMF shall fund the operations of their bill-proposed National Computer Emergency Response Team (NCERT), which is “the group of information security experts and practitioners responsible for responding to cybersecurity incidents of organizations, with the aim of minimizing the impact or damage and ensuring recovery of affected CII systems,” Luigi said.

Under HB 2826, the NCERT shall be a quick-response team with a robust capability to promptly detect, analyze and mitigate cyber incidents affecting national security or public interest and to work with relevant government agencies, private sector entities, and international partners for coordinated incident response.

Also, the NCERT shall enhance cyber threat intelligence and situational awareness; establish a liaison network of CERTs among government agencies to support the implementation of the NCSA’s mandate; and perform vulnerability assessment and penetration testing initiatives to detect, identify, and analyze cyber threats and to properly attribute cyber-attacks against CIIs.

All national government agencies (NGAs), government-owned and -controlled corporations (GOCCs) and local government units (LGUs) are mandated by HB 2826 to adopt cybersecurity baselines and designate Chief Information Security Officers in their respective institutions to ensure institutional resilience.

The Villafuertes said that in this era of digitalization in which peoples, governments and businesses have become highly vulnerable to increasingly pernicious attacks on cyberspace, the creation of a quick-response NCSA is a must for building a robust defense infrastructure to shield individuals and organizations from cyberattacks.

HB 2826 imposes administrative and criminal penalties on offenses, such as non-compliance, unauthorized disclosure of confidential information, and cyberattacks on CIIs.       

“We need to put front and center the protection of our online systems, networks and programs from attacks from threat actors who aim to access, alter or destroy sensitive information, extort money from cyber players through ransomware and/or disrupt normal government or business processes,” Migz said.

“Hence, the immediate congressional passage of HB 2826, or ‘The Cybersecurity Act,’ is earnestly sought to secure the Philippines’ digital future and make sure that our country is adequately prepared to confront and overcome the complex challenges of the modern cyber environment,” Migz added. 

Luigi explained that phishing involves duping people into downloading viruses or malware (malicious software) through fraudulent links in assorted channels like emails, mobile phone texts and websites, while ransomware involves using malware to encrypt the data of persons or organizations to restrict access to their own files and systems and then demanding ransom from these victims to get their data back.

Social Engineering, meanwhile, involves impersonating individuals so they can retrieve sensitive data from these targets through deception, such as pretending to be employees of banks or telecoms companies (telcos) to dupe their victims into giving them their personal passwords, Luigi said.

The NCSA shall be headed by a Director-General with the rank of Undersecretary, and the DICT’s Cybersecurity Bureau (CSB) and its corresponding Divisions along with their powers and functions, applicable funds and appropriations, records, equipment, property, and personnel, shall be transferred to this Agency. 

Violations with intent to intimidate the public or destabilize national structures may be prosecuted under the Anti-Terrorism Act.

Individuals who either willfully or through negligence cause the unauthorized disclosure of confidential or sensitive information shall face jail time of 6 to 12 years and/or a fine of at least P500,000.

Any unauthorized disclosure of confidential or sensitive information affecting national defense or national security, with intent or reason to believe that the same is to be used to the injury of the Philippines or to the advantage of any foreign nation or enemy of the State, whether domestic or foreign, shall be subject to a penalty of life imprisonment and/or a fine of not less than P1 million.

Earlier, Migz said that the House committee on ICT, which he chairs, is crafting an AI framework to curb deepfakes or AI-generated fakery and other forms of cyber fraud spawned by the all-pervasive digital technology.

Also, Migz and Luigi along with Horibata and Ridon are calling for the enactment of a Bill of Rights on AI—as they proposed in HB 2827—to prop up the government’s National AI Strategy for the Philippines (NAIS Ph) by providing the guiding principles to ensure that this fast-evolving technology is always “accessible, ethical and responsive” in serving the material needs of society.

The proposed framework under HB 2827, or the “Artificial Intelligence (AI) Development and Regulation Act,” is contingent on establishing four (4) institutions to implement and oversee policies meant for the government to best adapt to the fast-paced evolution of AI and AI systems.

These include the: [1] Philippine Council on Artificial Intelligence (PCAI), which will serve as a policy-making and advisory body of experts under the Department of Information and Communications Technology (DICT); and [2] Artificial Intelligence Board (AIB), composed of the DICT Secretary as chairperson and the Secretary of the Department of Science and Technology (DOST) as co-chairperson, to exercise regulatory and supervisory authority over the development of AI systems.

The two others are the: [3] National Center for Artificial Intelligence Research (NCAIR), which will be a DOST-attached agency primarily responsible for policy and program coordination; and [4] National Innovation Council (NIC), which shall promote synergy among the government and private sector and the academe on the development of AI.

“The 20th Congress needs to craft a set of rules and regulations on AI control as this disruptive technology has been linked to the proliferation of deepfakes or AI fakery aimed at manipulating and deceiving the public, which can have serious political and social implications,” Migz said. 

Luigi said that, given the harm that the misuse of AI poses to public welfare, “the DOST has drawn up a NAIS Ph—and which the President subsequently approved—to guide the country on developing, deploying and governing AI in the country until 2028.”
