The Philippines has no “operations center” to defend against cyberattacks on a national level, National Security Adviser Hermogenes Esperon Jr told a Senate panel on Monday, December 7.

Esperon admitted this as senators raised questions on the cybersecurity implications of the pending renewal of the legislative franchise of Dito Telecommunity, during a hearing of the Senate committee on public services led by Senator Grace Poe.

Dito, led by Filipino businessman Dennis Uy, is a consortium that includes China Telecom (ChinaTel), a company owned and controlled by the Chinese government. ChinaTel has a 40% stake in Dito.

At the hearing, Senator Risa Hontiveros cited findings that a China-linked hacking group called Naikon has been “quietly carrying out a cyber espionage campaign” against governments in the Asia Pacific region, including the Philippines, for 5 years.

Play Video

Esperon said the National Security Council (NSC) is “aware” that many states, third-party actors, proxies, and terrorists “have the capability” to conduct such operations, but that he “did not know the particular name.” Later on, after conferring with his staff, Esperon confirmed that “there is a group, Naikon, that really targets…the Philippines.”

“So, Secretary Esperon, there is a threat. If something happens, what is the mechanism we have in place? Who are the people in charge?” Poe inquired.

“It should be incumbent upon the companies to also comply with the national cybersecurity plan,” Esperon replied.

“So parang iniiwan natin sa mga kompanya (So we’re leaving it up to the companies)?” Poe followed up her query.

“No, not only that. That is why we need to fund the DICT (Department of Information and Communications Technology) so that they could have an operations center for lawful intercepts,” Esperon said.

“So right now, we don’t have that?” Poe asked.

“We don’t have that. That is why we need some funds for that for DICT,” Esperon answered.

Poe noted that the Senate has pushed to increase the allocation of the DICT in the proposed P4.5-trillion 2021 national budget. The Senate’s version of the budget bill allots P15.3 billion to the agency, which is mandated to create the country’s cybersecurity infrastructure.

Poe then pointed out that all China-based companies like ChinaTel are mandated by law to provide information and intelligence to the Chinese government.

“This is the problem. We’re talking about the franchise of Dito Telecommunications. One of the issues being brought forth – and I think, fairly – is how do we protect ourselves knowing that a certain percentage of ownership is owned by a foreign national?” Poe said.

“How can the government assure us that they’ve given a fair assessment of the safety to our sovereignty if we don’t even have a cybersecurity group that does the assessment?” she added.

Esperon said his council has formed technical working groups for telcos, for the national ID system, and for the national power grid. They “may have to create other technical working groups in the name of cybersecurity,” the former military general added.

“Listening to Secretary Esperon – they’re drafting this and that – but when it comes to the actual mechanism in place, should we have a threat, there’s really no plan. So papaano natin masasabi na safe tayo (So how can we say that we’re safe)?” said Poe.

No published doctrine on cyber defense, either

At the hearing, engineer Pierre Tito Galla, co-founder of the cybersecurity advocacy group Democracy.Net.PH, pointed out that in 2019, the DICT launched a “cybersecurity management system” intended as an operations center to guard 10 government agencies including the NSC, the Department of National Defense (DND) which oversees the military, and the Office of the President.

However, it is unclear whether this operations center has been functioning, Galla said, because there are no published reports about its status or accomplishments from government channels or in the media.

“It seems that because of the lack of mention of this security operations center, maybe it’s not running. Maybe it’s an expensive paperweight that we thought of setting up but we are not operating it? Because we are not getting any report,” Galla told the panel.

As part of international “best practices,” other countries’ cybersecurity management groups publish monthly or yearly reports on how many threats they detected and defeated, even without naming the identities or sources of such threats.

Galla also noted that the DND and the Armed Forces of the Philippines (AFP) have not published a doctrine on “what is the cyber defense posture of the Philippines.”

Cyber defense is different from cybersecurity, Galla emphasized. Cybersecurity is about individual and collective protection from threats. Cyber defense is about actively resisting attacks, from taking down hacker networks to actually arresting terrorist hackers, for example.

“There is a kinetic aspect to [cyber defense],” said Galla.

Esperon said the NSC and the military do not openly discuss matters of cyber defense or cybersecurity because they consist of classified information.

The AFP has a cyber defense unit with 40 personnel led by a Philippine Navy captain, he added.

“We have a lot of people into this. It’s just that we don’t discuss them openly, especially operations. We will have, of course, manuals later on,” Esperon said.

Poe and Hontiveros said that with the Naikon threat going on for the last 5 years, and questions over possible Chinese influence on Dito, the NSC should go beyond making general statements on cyber threats in general.

Poe said people “would expect at least a minimum discussion on the general makeup of the cybersecurity plan.”

Hontiveros: ChinaTel a ‘proxy’ for Chinese government

Dito Telecommunity has an agreement with the AFP to set up transmission facilities in military bases all over the country. In its own risk analysis conducted in late 2019, the AFP identified spying risks presented by its deal with Dito: electronic and radio frequency eavesdropping, interception, and signal jamming.

Lawmakers and experts have raised the alarm over this, but the deal is pushing through. The AFP recently said it would require free access to Dito’s facilities inside military properties, aside from other “safeguards” including equipment inspections and background checks on personnel.

Dito is preparing to roll out services in 2021. It has so far built around 2,000 cell towers, the company’s chief administrative officer Adel Tamano told the Senate panel. Telcos Globe and Smart each have around 10,000 cell towers all over the country.

Besides accessing military information through intercepts, ChinaTel might also harvest big data and demographic information through its role in Dito, which could allow China to sabotage the Philippine economy, cybersecurity experts earlier said.

Hontiveros said her “theory” is that ChinaTel is a “proxy for the Chinese government.”

“By allowing it to set up a communications network in the country as well as facilities in military bases, hindi ba ito katumbas na pagpayag sa mga state-sponsored hacking groups na magkaroon ng isang foot in the door dito sa Pilipinas (isn’t this tantamount to allowing state-sponsored hacking groups to have a foot in the door here in the Philippines)?” Hontiveros asked Esperon.

Esperon said Globe and Smart have foreign investors, too. Hontiveros then pointed out that Globe’s Singaporean and Smart’s Indonesian partners are not bound by their governments to supply intelligence, unlike ChinaTel.

Singapore and Indonesia, unlike China, do not have interests in the Philippines’ national power grid, or overreaching claims in the West Philippine Sea, Hontiveros added.

With the Philippines at best still drafting a cybersecurity or cyber defense doctrine, the government should not precede it by granting a franchise to Dito, knowing full well its partner ChinaTel’s links to the Chinese government, the opposition senator said.

Pangilinan proposes closed-door session

Because of the sensitivity of the subject, Senator Francis Pangilinan proposed holding an executive session – a closed-door meeting – to discuss national security concerns surrounding Dito’s business connection with ChinaTel.

Senators, security officials, and resource persons would be able to talk more freely and comprehensively about the matter in an executive session, Pangilinan said.

ChinaTel, he noted, is one of 20 companies listed by the United States Department of Defense as having direct links to the Chinese military, the People’s Liberation Army. It is also mandated to spy for its government.

“How is Dito going to address this in terms of the security concerns of the country, given that China Telecom, precisely has a 40% stake [in] their company?” said Pangilinan, who was among the first senators to call attention to the risks posed by the company positioning to be the Philippines’ 3rd major telco.

Poe agreed that the national security aspect of renewing Dito’s francise, which will expire in 2023, should be taken up in an executive session. She said she would call one “eventually.”

Senate Majority Leader Juan Miguel Zubiri proposed that such a session should be done face-to-face – observing health safety protocols – and not online as Monday’s hearing was conducted. 

Those who have been wanting to hack into the Philippine government’s communications “will be listening in, for sure,” if the executive session were to be held online, Zubiri warned.

Go gives ‘full support’ to Dito franchise renewal

After the discussion on Dito’s national security implications, Senator Bong Go made a manifestation – a statement of his position – before the panel.

“I just want to express my full support to the grant of a legislative franchise to Mindanao Islamic Telephone Company or Dito Telecommunity. I know that Dito can be of great help in bolstering the telecommunications and internet services in the country especially during these times that such services are needed more than ever,” said Go, who is President Rodrigo Duterte’s closest associate.

Duterte had Dito’s Uy among major contributors to his presidential campaign in 2016.

Go reminded Dito that should its franchise to operate be renewed, it would only be the start of its work, and that it should deliver on its promise to provide better communication services to Filipinos.

The Senate committee ended Monday’s hearing without yet approving the proposal to renew Dito’s franchise for another 25 years. The new telco must first prove its capability by providing 27 mbps of data service to 37% of consumers, as it had said it would.

Also, the concern about Dito’s national security implications “is paramount,” said Poe. – Rappler.com