With Great Technology, Comes Great Need for Cybersecurity: Policy Considerations for the Philippines

The global health crisis has accelerated digital transformation and technology adoption in the Philippines. With limited movement of people and services due to the lockdown, Filipinos have relied mainly on digital solutions to conduct transactions and businesses. The Philippine Central Bank, for example, noted a 25% decrease in automated teller machine withdrawals in May, while one of the banks cited a 160% increase in online and mobile banking transactions. This trend is in line with the already growing digital economy of the Philippines even before the pandemic. The e-Conomy 2019 report, led by Google, characterized the Philippine internet economy as the one with the “most room for growth” in Southeast Asia. Transactions over the internet have risen from $2 billion in 2015 to $7 billion in the last year due to online shops and e-commerce orders, online bookings for travel, online media, ride-hailing apps, and food deliveries. Currently, the internet economy accounts for 2.1% of gross domestic product (GDP), and could rise to up to 5.3% of GDP by 2025.

Economic managers and observers agree that digital technology will be a key factor in the road to recovery after the pandemic. While it may be attractive to rapidly adopt digital transformation, the Philippines cannot have a “build it now, fix it later” mindset. Experts point to the inevitability of cybercrime as one of the consequences of increased connectivity. Hence, the importance of cybersecurity cannot be stressed enough. As industry practitioners always warn: it is not a matter of “if” but “when” users and organizations get hacked. The World Economic Forum, in its latest global risk report, identified cyber threats as one of the main man-made risks for firms. There is a huge incentive for criminals to continue finding security vulnerabilities and exploiting them for profit. Several studies estimate that illegal activities in the cyber realm are worth $1.5 trillion annually. To put it into context, that is around the size of South Korea or Russia in terms of GDP, or three times the revenue of Walmart, the top-grossing U.S. firm in 2019.

The Philippines, which admittedly is still in its early stages of technology adoption, is no stranger to data hacks, financial fraud, and breaches. According to Russian cybersecurity firm Kaspersky, the Philippines is the most attacked country in Southeast Asia and ranks 7th globally. A Microsoft study estimates around $3.5 billion or 1.1 percent of GDP is at risk due to cybercrime incidents.

In response, the Philippine government has released the National Cybersecurity Plan 2022 as a framework for the protection of individuals, businesses, and critical infrastructure. However, implementation has been slow owing to the lack of manpower and bureaucratic constraints. On the user side, awareness of cybersecurity continues to be low. Information asymmetry also exists, as some firms tend to choose not to report breaches and instead firefight the attacks themselves because of the reputational damage they may face. While there are current initiatives from various sectors to forge cyber-resilient industries, there are key cross-cutting measures the government should consider urgent, which would serve as building blocks to further refine regulations and frameworks for cybersecurity. The private sector also has a huge role to play in achieving a whole-of-society approach to combating cyber threats.

Cross-cutting Policy Considerations

1. Increase cybersecurity spending for government.

The Philippines spent around 0.04% of its GDP on cybersecurity in 2017, which is below the ASEAN average of 0.07% and the global average of 0.13%. Between 2017 and 2025, Cisco estimates the Philippines needs to spend around $22.8 billion to be in line with top countries in cybersecurity. The proposed budget for cybersecurity for 2021 is reportedly only $24 million. This remains a huge challenge for the Philippine government in its efforts to protect critical infrastructure. A target of at least the ASEAN average in the short term should be prioritized by legislators given the pursuit of digital adoption for COVID-19 recovery. A silver lining to the lagging government spending is the study by Palo Alto Networks noting that 54% of firms in the Philippines are increasing their budget to secure their networks.

2. Develop a Cybersecurity Workforce through Education, Upskilling, and Reskilling.

The Philippines has a young, tech-savvy population with a median age of 25.7 years, and it is expected to stay young and tech-savvy in the next decade. This would serve as a demographic advantage in creating a digital workforce and cybersecurity professionals. At the basic level, information and dissemination campaigns on cyber threats should continue, together with the development of a curriculum that would solidify the quality of I.T. and cybersecurity professionals the country produces. As for government agencies, there should be a national cyber readiness survey to gauge the skills bank of existing talent. The private sector will be forced by market competition to upskill and reskill, but the Commission on Higher Education should consider partnering with leading firms in crafting a framework for approving cybersecurity degrees, to create a standard across educational institutions and to match the needs of the industry with the professionals that educational institutions will produce.

3. Certify Cybersecurity Law as Urgent.

As a best-practice framework, experts agree that governments should have three legislative pillars to secure the personal information of the citizenry and to protect the integrity of the digital economy. These include a data privacy law, a cybercrime law, and a cybersecurity law. The Philippines satisfies the first two by virtue of the Data Privacy Act of 2012 and the Cybercrime Prevention Act of 2012. The Philippines needs to certify a cybersecurity bill as an urgent measure. The Philippines can look to Singapore for best practices in establishing a national cybersecurity agency that would be able to craft cross-cutting regulations for cyber protection.

4. Promote the use of artificial intelligence and data analytics to combat cyber threats.

The government should partner with the private sector to promote the use of artificial intelligence and data analytics. Cybercriminals are moving at a faster pace in order to make their tools more sophisticated. A.I. can help detect and combat these vulnerabilities. A.I. can also free up the scarce cyber talent in the Philippines to move up the value chain and focus on more complex cybersecurity problems. The private sector is starting to adopt A.I. into its systems, and the government should follow suit in leveraging and promoting technology solutions for technology problems.

5. Leverage international cooperation.

Cyber threats know no boundaries. The best way to stay one step ahead of criminals is through collaboration among the private sector, the public sector, and international partners. The U.S.-Philippines Joint Cybersecurity Working Group, a public-private partnership initiated by the U.S. Embassy Manila, can serve as a model for knowledge sharing, technical training, and trust-building initiatives. The Philippine government should continue to use such mechanisms to develop knowledge and skills, and consider building similar partnerships with ASEAN and other foreign partners.


keith.detros