00:00 You're watching The Source on CNN Philippines. I'm Pinky Webb. Our source today, Information
00:06 and Communications Technology Undersecretary Jeffrey Dy. Usec Dy, welcome to The Source.
00:11 And also, thank you so much for your time. Let me already start, sir. Medusa ransomware
00:15 demanding $300,000. Is government inclined to pay this?
00:19 No, it's the policy of government not to pay any ransom for any type of criminal activity,
00:25 including cyber attacks. So it's the position of government not to pay this ransom.
00:29 Is there a concern on the kind of data the hackers have obtained?
00:36 Of course, every, let me start by saying that every data that any hacker got, we take it
00:45 seriously because the data based on our investigations, not just on the leaked documents that were
00:54 leaked by the hackers, but based on our internal investigations, they involve also some personally
01:00 identifiable information from employees of PhilHealth and some internal memos that are
01:08 supposed to be treated confidentially because they are internal memos within PhilHealth.
01:13 So we take it seriously. But I would also like to assure the public that as of now,
01:19 based on our investigations, the PhilHealth database remains intact. In fact, it is accessible
01:24 only externally because due to the containment measures that we have to put in place, we
01:32 turned off the online access, but the PhilHealth databases are still accessible by employees
01:36 of PhilHealth.
01:37 Yeah. In fact, I was asking Dr. Pargas a while ago, I was having him explain to me exactly
01:44 what was going on and what were the data that were compromised. Basically also, he was saying
01:53 that 72 workstations were initially compromised and then eventually they decided to shut it
01:59 down. Would you say that the decision to just shut down the online system and other parts
02:07 of that online system of PhilHealth was done fast enough so that the virus or the hackers
02:14 could not have been able to obtain more information? Did they act swiftly?
02:21 Yes. I actually would like to commend PhilHealth for acting swiftly. Number one, they contacted
02:26 the National Computer Emergency Response Team almost immediately after receiving the report.
02:31 They sent a message to one of our other secretaries and that was followed by another message directly
02:38 to our Computer Emergency Response Team. So it was really quick. And then we were there
02:44 when we advised them also to contain the situation by turning off all the other online systems.
02:49 Which PhilHealth is also connected to the ICT.
02:54 That's actually good advice to companies for that matter when something like that happens.
03:03 The need to possibly, is that right, sir, please correct me if I'm wrong, to turn off the computers
03:07 or not to even access it when there seems to be a problem is the best option to take.
03:14 Because first you need to call the proper agency or authorities to advise them and tell
03:20 them what's going on?
03:23 That is correct. To contain first. So actually that's our framework. So first you have to
03:30 determine what the problem is. Then second is always to contain. One of the common problems
03:36 with hacking is that people start analyzing. You should start containing first so that
03:41 it doesn't spread. I think there are doctors in PhilHealth so they know that. In any emergency,
03:50 even if it's fire, even if it is a pandemic, really the first response is to contain the
03:56 situation. If you need to quarantine it so that it will not spread. It's the same as
04:01 a virus because it's in the middle of malware.
04:06 But here's the thing, Usec, if ransom is not paid, I do remember reading a report that
04:15 there's a deadline of about the next eight days for government to pay the ransom. And
04:23 if we don't pay the ransom, they add on so many thousands of dollars for every
04:29 additional day after the deadline that's been set. Here's the thing, what will happen, because
04:37 you said obviously government policy not to pay ransom, what will happen to the data they
04:41 obtained? Because this is going to be in the dark web, isn't it, sir?
04:48 Yes correct. It's now in the dark web. In fact, similar to any ransom demand, they already
04:53 posted some leaks to prove that they are the hackers, number one, and they indeed have
05:00 the data. What will happen is that after eight days, and you're accurate, you're well informed
05:06 Pinky, I think it's now eight days less, seven something. What will happen is that they will
05:13 start leaking the data. What happens is, their modus operandi is that if they cannot
05:19 force the victim, they will force the public. They will create panic. They will want the
05:25 public to be the ones to lobby PhilHealth and government to pay the ransom. So they
05:31 will one by one or by batches release the data in public. They will create stories like
05:40 oh you know what, these are the truth, PhilHealth is lying to you. They'll create a propaganda
05:48 because they want people to believe and to pressure PhilHealth and government to pay.
05:56 If you look at the Medusa website and the dark web, also I would like to reiterate,
06:00 Medusa ransomware or lockware is a very enterprising software. It's being sold to criminal syndicates.
06:08 That's why if you look at the dark web, there are, apart from PhilHealth, there are other
06:12 agencies abroad. There are other government agencies abroad. There are also a lot of privately
06:21 held companies also abroad that they are demanding ransom from. So we're not the only ones who were hit,
06:28 there are many of them. There are many of us. So this is also an international concern. That's why we're
06:34 also coordinating with other computer emergency response teams from other governments.
06:39 So let's say, when is the deadline to pay the ransom?
06:45 I think that's next, if I'm not mistaken, Monday next week.
06:50 Let's put it at Monday, sir. And then if we don't pay ransom, if government does not pay
06:54 ransom, you said that they will start bringing out data that will somehow seem sensitive
07:04 enough and push the public to tell government to start paying the ransom. Okay. But of course,
07:08 that is the call of government. My question is, what if there is data that is compromising
07:14 enough? Is there any data, I guess the question is, that is so compromising that should not
07:22 be out there?
07:28 That's a very good question. Actually, we have some indications of some data of some
07:33 people who you really want to keep. It is your laptop. Imagine this, even if it is a
07:42 personal laptop or a personal computer that you use for your work, there are certain items
07:46 there that you store that are personal to you. Maybe your pictures, pictures of your
07:51 family and even notes of perhaps, if you're that type of person, notes of passwords that
07:56 you use.
07:57 And even a journal, sir, even your own, your own journal, how you feel, etc. Just a lot
08:03 of things, a lot of stuff that are very personal to you.
08:07 That is correct. And also your contact book might be uploaded to your application or you
08:13 may have a worksheet with all the contacts that you have, including the phone numbers
08:17 and their addresses. That is possible. And that's what they will try to hit first. And
08:24 then second, like I said, they'll create a political situation by running through these
08:28 memos and then saying, "Oh, you know what? These are the memos that they've been writing.
08:32 They've been doing this, etc."
08:34 I guess so.
08:35 So yes.
08:36 Sigurus, I'm sorry, Usec. Here's my question. Do you know of any document that they have
08:47 that could be held hostage and eventually, if we do not pay ransom, they will bring it
08:54 out and possibly, I don't know, humiliate or embarrass or just sensitive information.
09:02 Is there anything that they have right now that is so sensitive that should not be publicized?
09:11 Right now, I don't have that information. The systems were already encrypted when we
09:17 came in and we don't know what the file contents are. Maybe PhilHealth would have more information
09:23 about that, but we don't have information. What we do know is that they have a significant
09:27 trove of information.
09:30 I'm sorry, sir.
09:32 Quite a lot.
09:33 I'm asking you.
09:34 They have a significant trove. Meaning it's approximately hundreds of thousands of
09:40 files.
09:41 We need to take a very short break. We'll be right back.
09:49 You're watching The Source on CNN Philippines. I'm Pinky Webb. Our source today, Information
09:53 and Communications Technology Undersecretary Jeffrey Dy. Usec, just one more question. Any
09:59 idea on those behind this Medusa ransomware? Any update on the probe on these cyber hackers?
10:09 Yes. So we have. There are two types of that's a very complicated question. You tell us,
10:21 do we know the group? Yes. Do we know the APT, the modus operandi? Do we have an international
10:28 intelligence network that says where they operate? Yes. Is that enough to file charges
10:34 against certain people? Not yet. We don't even know the real identity behind the group.
10:41 Again, this is an international concern. We have evidences. We perform forensics inside
10:48 PhilHealth with the assistance of our friends from the Cybercrime Investigation Coordinating
10:53 Center. We got files. We have the command and control structure of this organization.
11:01 We even know where they're putting the files. But as to who exactly, they work in aliases.
11:10 For example, you know me as Jeffrey, but I could run as different alias, let's say Jose
11:16 Rizal. And then you wouldn't know who Jose Rizal is. That's how they operate. I guess
11:22 that's the complex answer. I understand. Yeah. It's not as easy. It's not an easy question
11:29 to answer. But investigation is ongoing. DICT Undersecretary Jeffrey Dy, sir, thank you so
11:35 much for your time. Thank you very much. Thank you. And before we go, today marks the seventh
11:42 anniversary of The Source. We would like to thank our guests for taking their time to
11:46 share their thoughts on issues that matter most to Filipinos. We would also like to thank
11:51 you, our viewers, for your continued support and trust as we strive to provide discussions
11:58 on critical issues that are accurate, fair and balanced. This seven year milestone will
12:04 also not be possible without the dedication and hard work of our team, the ones behind
12:09 the camera. The Source will continue to provide in-depth conversations with the newsmakers
12:14 themselves. I'm Pinky Webb. You're watching CNN Philippines.
12:18 [MUSIC]