- 2 years ago
- #themangahasinterviews
According to the Department of Information and Communications Technology (DICT), the rising number of cybercrimes and hacking incidents is a worldwide problem.
In the Philippines, there is reportedly already a cybercriminal gang running wide-scale scam operations such as phishing and identity theft.
The DICT admits that the country's cybersecurity posture is below average. It says regulations and laws related to cybersecurity should be strengthened and tightened.
The reasons for the rise in hacking incidents, and its implications for national security and the coming election, will be answered by DICT Usec Jeffrey Ian Dy on #TheMangahasInterviews.
Category: News
Transcript
00:00Hacking, identity theft, and other scams against the government and our citizens are on the left and right.
00:13What are the implications of these cyber security attacks on national security and the upcoming elections?
00:20Our discussion today is about the hacking incidents that seem to be increasing and worsening.
00:26Undersecretary Jeffrey Dy is in charge of the Department of Information and Communications Technology,
00:33which is called Infrastructure Management, Cyber Security, and Upscaling.
00:39Good day, Usec Jeffrey.
00:41Good day to you and to all the listeners of the interviews.
00:47It seems that the incidents are increasing. Can you please explain why the situation is like this?
00:54The problem of hacking is global. The US and China have been attacked several times, etc.
01:04We need to understand that because times are changing, most of us have an alternate persona in the digital realm.
01:14Even crime has evolved. From street crime, it has become digital crime.
01:22Of course, the Philippines is part of the global community. It's not immune to this global trend.
01:31According to the report of a research agency, there is a 235% increase in cases, nobody is safe, no sector is impregnable,
01:43and the cost of these incidents is more than 10 trillion dollars.
01:49In the Philippines, do we have an estimate of how many percent increase by number of cases and how much the value of these attacks are?
01:57We don't have an estimate on the value, we have an estimate on the increase.
02:01For example, last year, 1,500 cases in the whole year.
02:07But this time, 1,574 cases only from January to May. We're talking about attacks against government and some other private institutions.
02:17So the increase is significant. But we cannot put a baseline figure because let's face it, before this administration,
02:30there is no data about total hacking. We are just now compiling the data and we are telling the public.
02:36All right. So not even half a year, but the total in 2023 is already in the middle.
02:43That's correct.
02:44So does that mean the total number of cases has doubled?
02:47There is. There is a possibility, yes.
02:50Now, there is no sector that is not vulnerable. But it seems that the government agencies are the ones who are suffering recently.
02:59For example, even the DRRM unit of the DICT, PhilHealth, PNP Logistics, the DFA email system, the DOST, the former ECOMELEC-OA.
03:13It seems that there are a lot of government agencies.
03:18What is the problem? Why is our cybersecurity system so weak?
03:23First, let us accept it that our cybersecurity posture as a country is below the average association of Southeast Asian nations.
03:33And we belong in the lower percentile rank, although only a few, approximately about 74 out of 200 countries, about 120 countries.
03:44We are in the middle, but on the lower half of the portion.
03:52That's also because, I guess, if you notice, our awareness when it comes to cybersecurity, we are just building it lately.
04:01For example, the National Cybersecurity Plan, it was started in 2017.
04:06We are reiterating and strengthening it now, 2022-2023.
04:14We now have a new National Cybersecurity Plan.
04:17Of course, the implementation of a National Cybersecurity Plan is very meticulous.
04:22It's not something we can do overnight.
04:25Also, we lack certain laws like the cybersecurity law.
04:28We do not have a cybersecurity law that will mandate critical information infrastructures to report to us if there is an issue or problem.
04:35The problem is that most of the critical information infrastructure is private sector.
04:39The public will ask, what is that critical information infrastructure?
04:42For example, the airport, the ICT of the airport.
04:46There were several times when there was a delay because there was a problem with the computer systems of our radar system.
04:52But there was no report from us on what the issue was.
04:57There was a problem with the electricity because there was also a software glitch, but there was no report from the National Computer Emergency Response Team.
05:06We do not have a law that mandates this kind of reporting and that we should look at security.
05:15There is no accountability yet.
05:18So I think these are the things that are missing that will surely help us defend the country.
05:24Okay. Weeks ago, there was a technology person from Manila Bulletin.
05:32He said that they hacked 93 websites, including some government agencies.
05:38What else is this? Is there progress in the investigation?
05:41I cannot say what our progress is, but I would like to commend the NBI because they caught alias Kamkong and Lance.
05:50They are three. Sorry I forgot the other one.
05:54I would also like to mention that the NBI has two more suspects in the next coming months.
05:59They're just building a case.
06:00PNP-ACG is also looking for persons of interest.
06:04These hacking activities of ours, these are our next arrests.
06:09So those who are doing this should be aware that, remember, you're committing a crime.
06:15Maybe they thought they were helping. No.
06:18You're committing a crime because that's illegal access to computer systems and that is a willful breach of personally identifiable information.
06:26So now going back to the case of Kamkong, Christian Angel, a.k.a. Kamkong,
06:32who is being accused as a journalist, his allegation is that he will hack you and then hack you so that I can be the first one in the scoop.
06:46Let's just remember that Ard Samaniego did not hide it.
06:52As for me, you know I was with Ard several times and I saw his advocacy for cybersecurity.
06:59Maybe I can say that he's not hiding what he did.
07:03What he did was good.
07:05Even so, we have a case and he should face it and prepare himself for defense.
07:12All right. So did he testify?
07:15Is there a progress on what he admitted and what he did not admit?
07:21Yes. I think he was at the NBI on Friday.
07:25The NBI told him and he went there to explain.
07:29Maybe we should stop there because this investigation is between the NBI and they will file it to the prosecutor.
07:36But you mentioned that there's no one who is not vulnerable or impregnable.
07:42What are the vulnerable sectors in your estimation?
07:45Because you have DICT, Technology, Cybercrime and Investigation Coordinating Council.
07:53What is your job and what are you looking at as vulnerable or prone to be hacked?
08:02So in December, because there were a lot of hackings in the Philippines,
08:07we created a project that we call Project SONAR.
08:11SONAR is an acronym, Security Orchestration and Network Assessment and Review System.
08:16What it does is, it tries to attempt to look at the vulnerability of all online assets of the government.
08:27Just the government because if the target is the private sector, we might get hacked.
08:31Just the government.
08:32More than 20,000 assets of the government are scattered in the internet.
08:36We found approximately 73,000 vulnerabilities.
08:40Wow. Okay.
08:4273,000 in how many agencies? Sorry? How many agencies?
08:47I forgot the agencies, but there are more than 1,000 agencies including LGU, GOCC,
08:54just the government-related agencies.
08:57It means that there is one asset with multiple vulnerabilities because you are looking for 73,000.
09:03One asset can have 10 or 20 vulnerabilities.
09:07Why are we doing this?
09:09Because hackers are also doing this.
09:11We are just prioritizing.
09:13After that, we are advising the government agency, this is your vulnerability.
09:18This is the unfortunate part.
09:21What is the vulnerability when we say people, hardware, software, protocols, or the process in general?
09:30Project SONAR is just looking at technological vulnerability.
09:35It means what is the weakness of the system.
09:38But if you notice, out of the 73,000 plus vulnerabilities found in more than 1,000 government offices,
09:49only 21% responded.
09:51They are saying that they will fix what we submitted.
09:56You will also see there that there is procedural and people vulnerability.
10:00Why?
10:01Why can't you respond?
10:03Either you are not professional enough to respond, you lack technical capability or know-how to respond.
10:10Here, you can see our problem.
10:12I said that it cannot be solved overnight, but at least we have the tools.
10:16We have a baseline.
10:18The President also ordered that all government agencies should be audited.
10:22And that's what we're doing right now.
10:24So maybe the problem is that there are no people with technological capability or no budget.
10:30Precisely.
10:32That's what I'm saying.
10:33We started from the baseline that we looked at.
10:37Again, 73,000 vulnerabilities to more than 20,000 online assets of 1,000 plus government offices.
10:44But only 21% responded.
10:46Only 21% of 1,000, right?
10:49It means that they are the only ones with the capability to fix the problem or pinpoint the exact problem.
10:58All right.
10:59So that's how deep our problem is in cyber security.
11:02So it means that for the remaining 70 plus percent, maybe they don't have the knowledge
11:08or this cyber security is rocket science.
11:11Well, it's not rocket science, but I don't disagree that it's not easy to understand that kind of knowledge.
11:22In fact, usually you will encounter that in your third or fourth year of college if you are a computer scientist.
11:28If you have a subject like that, because most of the computer science is not subject to cyber security.
11:34Or if you are like a social media addict, you are not aware.
11:41But to be honest, when you audit government agencies,
11:46do you have a profile of how many revenue agencies are here, how many service agencies are here, how many infrastructure are here?
11:55Because in our previous interview, you said that the assets are consistent.
12:01Correct.
12:02Not just computer or info systems, but also actual infrastructure or facilities.
12:08Correct.
12:09What sectors are included in the vulnerabilities that we should repair work ASAP?
12:14Most of our critical vulnerabilities are LGUs.
12:20So that is to be expected.
12:23Again, the mayors are changing or of course, what you call that source of professionals might be limited.
12:31Our next source is the national government agencies.
12:35We call them shadow websites.
12:40What is a shadow website? Even DICT has one.
12:43What is a shadow website?
12:44A shadow website is what was created by the previous leadership and was forgotten.
12:51That's why it's what attacks us.
12:54There are many like that.
12:56We have encountered many like that.
12:59There is still an entry point because the internal systems are still open.
13:05If that's the case, the shadow probably still continues to create new content.
13:10Is it like that?
13:12When you say shadow, it's like the current IT doesn't know.
13:15They have a website that was created by the previous agency head.
13:20It's a coincidence that it's there.
13:22There are many like that.
13:23So it's just like latent.
13:26Yes.
13:27But the problem that we have observed is that when we say ICT,
13:32there are many government agencies that are being jobbed out or contracted out.
13:37Then the tech teams, although they're good most of the time,
13:41they don't leave what they learned, the system, the protocols, the codes, etc.
13:47to the government agencies.
13:49So they don't grow.
13:50You're right.
13:51Actually, you're right to our problems.
13:54Even now, we're talking to the Civil Service Commission and the DBM
13:58to have a cybersecurity professional in the plant.
14:02Because if you look at the government catalog of government employees,
14:06there's no cybersecurity.
14:08Even ICT is limited.
14:10The catalog is a bit old.
14:11There's still an encoder.
14:13You don't have an encoder anymore.
14:15Everyone knows how to encode.
14:17There's still an encoder.
14:19There's still a data card.
14:20There's still a data technician.
14:23So we need to update this.
14:25And we're already talking to the DBM and the Civil Service Commission.
14:29Hopefully, we can finish the catalog by, if not this year, by the first half of next year.
14:34One thing that was mentioned before is that there's a lack of capacity
14:38when it comes to cybersecurity work or even data privacy work.
14:43Although it's in the Data Privacy Act,
14:47all agencies should have data security and data privacy officers.
14:51But it seems like you only mentioned a few pieces of cybersecurity trained personnel in the Philippines.
15:01Let's differentiate between the private sector and the government.
15:04In the private sector, usually, when it's a big company, not a small one,
15:08there's one person who's only focused on cybersecurity.
15:12Usually, his head is CISO, Chief Information Security Officer.
15:19In the government, usually, an ASEC, a USEC, or a director is assigned on top of that job.
15:29He's not there full-time.
15:30First, he's not trained there.
15:32Second, if possible, ASEC for administration.
15:36But he's assigned there.
15:38So that's what I'm saying that we need to fix,
15:42that we need to produce cybersecurity professionals in the government.
15:47That's one.
15:48Second, we recently had an interview.
15:51I remember that.
15:52I said that we need to increase the number of schools that offer cybersecurity
15:58as a Bachelor of Science or as a degree program.
16:02I want to report to you, Malu, since we talked last year,
16:06they have increased.
16:08There are now more than 15 schools that provide a Bachelor's degree in cybersecurity.
16:14So it's good that we have academic support in cybersecurity as a profession.
16:21Of course, we still have a lot to go.
16:24But we still need, you know, the whole world.
16:27There was an estimate that 3 million cybersecurity workers are needed in the world.
16:33And most of the time, we lose out to foreign markets because their salaries are higher, right?
16:40Just an example.
16:41This is just an anecdote.
16:42But this is a good statistic to follow.
16:44The CISSP certification program,
16:47which is a certification program approved by the Department of Defense of the United States.
16:51It's CISSP.
16:52Certified Information Security Systems Professional.
16:56That's only 200 in the whole Philippines.
16:59Maybe what's left in the Philippines is less than 100.
17:04Most of them went abroad.
17:06Especially those like me who will lower their salaries in the government.
17:11Knowing that I can actually make more money outside.
17:15I will earn more if I'm outside the government.
17:18So you're right.
17:20Because how do you begrudge these people, right?
17:23When they have to look for better paying jobs because they have families.
17:27But you applied for P6 and you're a CISSP.
17:30What's the difference in salary?
17:32So that people will have an idea.
17:34Because even if you put it on a government structure,
17:37maybe it won't reach, it won't pay.
17:40It's reasonable and deserved.
17:43Undersecretary, my salary is grade 30.
17:46So it's around P189,000.
17:48If you include the allowances, it's around P210,000.
17:54It will be reduced by a tax.
17:57That's the gross.
17:59When I was in the private sector, seven years, six years ago,
18:03my salary back then, I was the Director for Asia Pacific Information Security, P280,000.
18:11I didn't have an allowance yet.
18:13I was just a director.
18:15I wasn't a CISO or a Chief Information Security Officer.
18:18So you will see the difference.
18:20Correct.
18:21If you are a pay cut, if you are a cyber security expert,
18:25you will join the government.
18:27Yes.
18:28But the retirement pay in the government is better if you can reach 25 years.
18:37That means you will bully the youth.
18:40So that you will have a good GSIS pension.
18:45The problem here is the awareness from the top management.
18:50In many agencies, ASEC or USEC is assigned to this job,
18:54even though this is not their professional expertise.
18:57It's like they don't have a title, they don't have the capacity or training for it.
19:03So as a president, I know you have a cyber security plan,
19:08you have an updated AI strategy.
19:11What is the awareness of Malacanang, Congress, and the Senate on this issue?
19:17It's better if I give you very solid evidence.
19:21Look at the past administrations.
19:24They say it's cyber security, but you will see that the emphasis is not that big.
19:29But now, National Defense, DNB, and National Security Council are included in their plan.
19:39We, DICT, led the National Cyber Security Plan, etc.
19:45Do you know why?
19:46Because President Malacanang is very particular about cyber security.
19:53He is well-read and well-informed when it comes to emerging technologies.
20:01In fact, his next concern is, he said you are good,
20:06this is not cyber security hacking anymore.
20:09This is not misinformation and disinformation caused by advanced techniques in editing videos,
20:15the so-called robocalls that happened in the Philippines.
20:20Someone said, sorry we have a case being built, I cannot divulge,
20:25but suffice to say that there is a foreigner who is not based in the Philippines,
20:31I will not say the country first,
20:33he is in conflict with our law enforcement because he was scammed.
20:38His partner, a Filipino-based person, called him.
20:45Give us a rundown because you said this is hacking because most everyone could be vulnerable.
20:52There are a lot of government agencies so there is a sense of urgency and better awareness.
20:57But it's not just hacking.
21:00You said vulnerabilities could be attacked in multiple ways.
21:06There is phishing, there are deepfakes, there is AI, ChatGPT, generative AI.
21:13Tell me, what is the full menu that you think the people of the country and the government should be aware of?
21:20Let's layer it.
21:22What is the most common reason for hacking?
21:25What is the entry point?
21:26For example, this is the tool for hacking.
21:30Let's say your tool for hacking is a hammer or a gun.
21:38You cannot enter the door of a house with a gun or a hammer because you will be surrounded by guards.
21:45So how can you enter?
21:48The number one cause of cyber security to hack you is phishing.
21:56This is the person who will text you, please click.
22:00Do you know that if you click on it, even if you don't put your info,
22:04the moment you click on it, he will immediately know your IP address,
22:08what phone you are using and if you have an open account, what is your email address, your phone number.
22:13That's an example. Just click on it.
22:16Second, phishing is huge.
22:19Second, vulnerability is when we use old technology, we don't update it.
22:28Of course, there are vulnerabilities that can be hacked.
22:32That's the second.
22:33The third, this is a higher class.
22:38This is where they attack you and target you.
22:41These are the government agencies.
22:44As you know, there are websites that have high points if you put a government agency that you breached.
22:51It's like having a badge.
22:54If it's DICT, it's a five-star.
23:00Something like that.
23:02Of course, the highest one is state-sponsored.
23:06This is what we call advanced persistent threats.
23:09This means that it was developed by very sophisticated tools, well-funded.
23:15When I say well-funded, these are private companies engaging in cybercriminal activities
23:21and their net worth is approximately like 50 to 200 million US dollars.
23:27They have their own company and building just to hack.
23:31These are the ransomware, these are the state-sponsored attacks, etc.
23:38This is our menu.
23:40But the most basic, why are there so many Filipinos being hacked?
23:43Phishing.
23:45They send it to your email, send it to your phone, then you click on it.
23:49The question in people's minds is, we had a registration of SIM, right?
23:54It's been a year.
23:55Yes.
23:56And it's still leaking.
23:57You always have messages like you won or someone added money to your mobile phone.
24:03And for others, it's like an anti-SIM where you click on it.
24:07As you said, don't click if you don't know the source of your message.
24:12Why is there a registration of SIM and there are still so many scams like this?
24:17Phishing operations.
24:19The answer is a bit complicated.
24:21But let's simplify the answer to these three.
24:24First, we need to review the IRR of the SIM Card Registration Act and also audit the compliance of telecommunications companies.
24:38It's within the law that after one year, we can audit them.
24:42We are nervous because we think they just accepted the registration, but there is no validation.
24:51Is it true that the identity was registered?
24:54It's like I submitted an ID, any ID, even if it's a low class ID, like barangay and postal ID,
25:01then I took a picture of myself, that's it.
25:04Even if there is no verification, the ID is different.
25:07Is the ID connected to a national database?
25:11There is no such thing.
25:13So that's one.
25:14Second, technology has evolved.
25:19You saw that we caught fake BTS.
25:22Last month, there was a Chinese with a big white machine inside his car.
25:30That is a fake radio unit that transmits scams.
25:38At the minimum.
25:40It doesn't go through the SIM card.
25:42Directly.
25:44Directly.
25:46Even if it's a cartoon character, it's okay to submit an ID.
25:51That's what we're afraid of.
25:54But I'll put you first, Malu.
25:56Because the law dictates that we should audit the DICT, even if it's a regulatory agency, NTC.
26:02Correct.
26:04But we're talking about millions here.
26:07This is hundreds of millions.
26:09If you audit the DICT, what should they pay for their work?
26:14What are the penalties if they find out that you are not compliant or have no due diligence in your work?
26:22Under the law, there are fines.
26:24I don't know what exactly.
26:26If you find out that you were released from your job.
26:30But we'll have to check on that.
26:32I don't want to put the DICT first.
26:34If we announce in the media or in an interview that we're chasing fines,
26:39maybe they won't let us audit.
26:40We'll have to hire a lawyer.
26:41In the next one or two years, we'll be talking to lawyers.
26:45So now, we just need to audit to see where the problem is.
26:49And then, let's resolve this consistently and conscientiously.
26:57But Malu, I know you receive a lot.
26:59I know.
27:01I forgot the third one.
27:02I think so, sir.
27:04I have a technique on my phone.
27:05Okay.
27:06I filter out.
27:08Maybe I'll teach you sometime.
27:10But the third one that I'm talking about,
27:12there's a cybercriminal gang that is based in the Philippines.
27:19And their only job is to scam.
27:22Okay.
27:23When you say...
27:26We've already caught some.
27:27Some of them are hiding as POGO.
27:29Okay.
27:30It's also mentioned that these POGOs are a national security threat
27:34because they function like BPOs or cybercriminal gangs.
27:41That's what you're saying.
27:42So what could be done quickly to get rid of this?
27:45Because it's like Malacanang is neglecting the decision to ban all POGOs.
27:52We need to bring in law enforcement.
27:55So you'll see the triumvirate of cybersecurity.
27:58We, which is policymaking and technical,
28:02but we need the NBI, PNP, and the National Intelligence Community
28:07so we can tackle these problems.
28:10We really admit.
28:12I think it's already apparent and very obvious to the public.
28:15Maybe we haven't told them yet.
28:17But there's a scamming operation that's happening.
28:20We've already caught it a few times.
28:22We've already caught three or four instances.
28:25And you will notice that when we raid POGOs,
28:28they have telecommunications devices there.
28:31What's critical is the funding.
28:33Where did the funds come from for these gangs?
28:37So that's the problem with the criminal ecosystem.
28:41The scam is where they get the money.
28:44Correct.
28:45Then they will reinvest it.
28:47The question is, where?
28:48I'm sure they won't just reinvest it in scams.
28:51They can also reinvest it in other things, which is dangerous.
28:54Do they use it in international Ponzi schemes, for example?
28:59So that they can earn more money?
29:01Etc.
29:02Not in arms or drugs.
29:05That's what's scary.
29:06Because you will notice,
29:07why is there a torture chamber inside a POGO raid?
29:12There's telecommunications.
29:13Why are there hundreds, actually not hundreds,
29:16tens of thousands of SIM cards?
29:18Why are there fake radio units used for broadcasting messages?
29:22There's an encryption and decryption mechanism.
29:24It's like a call center.
29:26They even have a chat.
29:28But to be honest, we have a bank secrecy law.
29:33But the money trail here actually doesn't go through banks anymore.
29:38So is our anti-money laundering council helpless or hopeless?
29:45Actually, it's not bank secrecy, it's the anti-money laundering council.
29:48We have a mechanism to track the flow of money.
29:51But there is one type of currency that is no longer monitored.
29:55Cryptocurrency.
29:57Bitcoin, etc.
29:59And internationally,
30:02in the Counter Ransomware Initiative,
30:05it is being discussed that it should be included in the anti-money laundering mechanisms of all nations.
30:11That is cryptocurrency.
30:13Because most of my incidents are paid with cryptocurrency.
30:16Sir, let's go to the last point.
30:18Because our AMLC, even gambling, is no longer monitored.
30:25It can also go through gambling.
30:27It can also go through crypto or bitcoin.
30:30But their capacity is not enough.
30:35Our reference now is that a suspicious transaction is 500,000 pesos and up.
30:43If it doesn't go through the banks,
30:48and there are many reports from the banks,
30:50there's nothing the AMLC can do actively.
30:53The small ones you're talking about.
30:56For example, the one hundred, two hundred, twenty-twenty pesos.
31:02Correct.
31:04There's a new law now, APASA.
31:06This is actually a more stringent law.
31:16Here, if your illegal money goes through your bank account,
31:19your entire bank account is frozen.
31:25What is illegal money?
31:27That's gambling.
31:29Gambling, okay.
31:30Illegal gambling, that's one.
31:32Ponzi, illegal investments.
31:36POGO.
31:38Includes gambling.
31:41What we remember is that people became concerned
31:46because of these hacking incidents,
31:48or even what they're saying about vote-buying via e-wallets.
31:55What do you think should be done to ensure that our electoral process is not abused,
32:04transparent, accountable, and inclusive?
32:06Because there's a lot of vulnerability.
32:09It's not just the troll farms,
32:13or what they're saying about online payments for buying votes,
32:19and even digital attacks, deepfakes.
32:24What do you think?
32:25Do you have an investigation?
32:27How vulnerable the elections in May 2025 will be,
32:30and what can be done?
32:33Okay.
32:34The first is the payment of bribery to GCash or Paymaya,
32:41or any other e-wallets.
32:44We have an agreement with GCash,
32:47and I think we should have an agreement with GCash and Paymaya,
32:52so that when the election comes,
32:54these personal transactions will be limited,
32:57which could be in bulk.
32:58It's easy to see if it's in bulk.
33:00Of course, if it's an individual transfer of ₱500,
33:04it's a mistake.
33:05Sorry, the payment for the election is ₱10,000.
33:09₱10,000 or ₱20,000.
33:11If you see a multiple from one account,
33:13it should stop.
33:18Ask them where it's for.
33:20Why is the transaction so big?
33:21That's one.
33:23We have to have that mechanism.
33:25We don't have a mechanism like that yet,
33:26but we have to have that mechanism.
33:28The disinformation, I have to admit,
33:30is very, very difficult.
33:34If you go to Facebook,
33:35you will notice that there is an AI label.
33:39What we will do now,
33:41let's go to Facebook and do what we're doing.
33:44If you're AI and you didn't label yourself as AI,
33:48that's already evidence that you want to fool the public.
33:52Alright, okay.
33:54Because you know it's AI,
33:55you uploaded it,
33:56but you didn't label yourself as AI.
33:59And that could be very good
34:00or that could be an easier way of managing
34:05filing a case.
34:07Okay.
34:09Because you know you're being fooled.
34:11But if that's the case,
34:12for example,
34:13Facebook has had in the 2022 elections
34:17its disclosure of ad take-up of candidates,
34:21but those are the official pages.
34:23We know that there are a lot of candidates
34:26who are possible in the communities
34:28or those who are influencers
34:31and the digital marketing campaign, boosting.
34:35If the election spending is not captured there,
34:38it will also not be able to capture
34:39who the candidates are.
34:42Because they are not declared as official websites.
34:45How can the Comelec address this issue?
34:48I think we should ask the Comelec
34:50because they are there.
34:52Maybe from a technology perspective,
34:54the advice we can give to them
34:57is to make guidelines.
35:00Because you can submit that to Facebook.
35:03Or you can submit that to YouTube.
35:05Make guidelines that all boosting
35:10which pertains to a particular individual,
35:12submit.
35:13But that's not for us to say.
35:15I think that's for Comelec.
35:17Because I know that Comelec
35:18also has a problem
35:19with the kind of regulation
35:20that they will pass.
35:23In other countries,
35:24in Indonesia,
35:25there was an election
35:26where there were millions
35:28of AI-generated deepfakes
35:33or misinformation and disinformation.
35:37Here in our country,
35:38it's not that far away
35:39to have such a problem.
35:40Although in some other countries
35:42where there were recent elections,
35:44they are suggesting
35:45that there should be de-platforming.
35:47For example,
35:48this influencer
35:50initiated multiple threads
35:53and then it went viral.
35:55It went around
35:56in various systems and operations.
35:58I don't think Facebook or YouTube
36:02will allow such things
36:06because these are social media platforms
36:08that don't seem to follow.
36:11In fact,
36:12Congressman Abandean
36:13proposed in Congress
36:14a social media regulation.
36:17Let me just state in your program
36:19that DICT actually supports
36:20social media regulation.
36:22We are friends with social media platforms.
36:24We don't have a problem with them.
36:25We only have one request to them
36:26and they follow it.
36:27But the request is different
36:29to a regulatory power
36:31that you can compel them.
36:33For example,
36:35this is not theoretical.
36:37What's happening is
36:38some journalists
36:39have already copied their videos.
36:43Then it looks like they are selling them.
36:45One is selling Rosario.
36:47The other is selling milk.
36:49The President himself
36:51has copied his voice.
36:53So for us,
36:56we have technology.
36:58You're right.
36:59We can determine
37:00who is the first poster.
37:02It can be done.
37:03Who is the first poster?
37:05But for us to get it quickly,
37:08all social media platforms
37:10should report.
37:11What is the timestamp of the first post?
37:13This is the video.
37:15Run the script.
37:16Tell us.
37:17Who posted the earliest?
37:20From there,
37:21we can see that you are the origin.
37:23Can you see who shared it?
37:25It should be the origin.
37:27Yes.
37:28The last one is the original.
37:30The one who shared it will get mad.
37:33It's like a problem
37:34because we already know
37:35that for example,
37:36even if it's not filing
37:37a certificate of candidacy,
37:38there is social listening
37:40that is happening.
37:42These are the transactions
37:43that are under the radar
37:45because in the reports
37:47that we made,
37:48these are internal arrangements.
37:51There is no paper trail.
37:53These are cash transactions.
37:55I think that's the main part
37:58of the campaign
38:00and elections in the Philippines.
38:01Can the DICT have some solutions
38:05to cover them
38:06also as part of regulation?
38:08Well, number one,
38:09there should be regulation
38:10because there is none now.
38:11So there should be regulation.
38:13If there is regulation,
38:14we can...
38:15There are two regulations.
38:17First is the regulation
38:19of social media platforms.
38:20Second,
38:21if I remember the law well,
38:22and you can ask Comelec,
38:23there is no regulation in Comelec
38:25to monitor social media platforms
38:27outside of the campaign period
38:29and the campaign spending.
38:31So I think in this particular case,
38:33two laws are needed.
38:35But technology is easy.
38:38We can always have the technology.
38:40We are confident in the DICT.
38:42We can support Comelec
38:44with appropriate technology
38:46to track them down.
38:47But we need regulation
38:48because the moment we do this,
38:50we can be accused of infringement
38:52on your rights, right?
38:56I know that you were part
38:58of the advisory council
39:00when the specs were set
39:03for our electoral system,
39:05our AES,
39:06the fast track.
39:07They said it's a prototype.
39:09What do you think?
39:10There is no law that says
39:11it can be a prototype
39:12because it needs to be used
39:14in past elections
39:15in other countries.
39:16Do you have an opinion on that?
39:18Comelec said it's a prototype,
39:20this fast track.
39:21If we separate the two cases,
39:23the prototype and the used one.
39:25The used one,
39:26there is evidence
39:27that Miru used it
39:29and he sold it
39:30in an election.
39:31So we're okay with that.
39:33It was used.
39:34The second is the prototype,
39:35the so-called prototype.
39:36What about you?
39:38Everything we requested
39:40will be a prototype
39:41because nothing in the world
39:42is what we requested.
39:43You noticed, right?
39:45That's how thick it is.
39:47You know,
39:48there are only two standard
39:50electoral machines in the world,
39:53direct recording
39:54or optical receiver
39:56or optical mark reader.
39:59This one mixes.
40:01DRE and OMR.
40:03DRE, which is
40:04you vote on the screen
40:05and you click on the screen.
40:07The optical mark reader,
40:08this is the PCOS
40:09that has paper.
40:10You read the paper.
40:11Isn't that what Comelec requested?
40:14There's a big screen.
40:16No.
40:17It's out of standard now.
40:21In this particular case,
40:25we have to understand the context
40:26and the spirit of the law.
40:28The system provider
40:30is not new in elections.
40:34The system you requested is unique.
40:37Correct.
40:38How is that?
40:39But you're with the advisory council
40:42that approved the selection.
40:44Is that what you approved?
40:47DRE and OMR?
40:49Combi?
40:50For us,
40:51our request is OMR
40:53but hybrid.
40:57Comelec got it.
40:58In fairness,
40:59they got our request,
41:00our choice.
41:02They did a bigger thing
41:03with our request.
41:05For us,
41:06that's why we want an optical mark reader
41:08because let's face it,
41:09in some areas,
41:10the internet is still weak.
41:11So DRE is more dangerous
41:13if there's no internet.
41:14That means the optical mark reader,
41:15if you have a problem with the internet,
41:16you still have paper.
41:18Correct.
41:19Your ballot box.
41:20It's in the ballot box.
41:21If you have a problem,
41:22you can manually open it.
41:23Is there a risk analysis of DICT
41:26in the upcoming elections?
41:28If ever,
41:29what technology can be used?
41:32It's not DICT,
41:33it's CAC.
41:34DICT is the chair
41:36of the Comelec Advisory Council.
41:38We don't have a risk analysis yet.
41:40The members of CAC
41:42are insisting that
41:43we should start the discussion.
41:45Correct.
41:46That's a good suggestion, Malou.
41:48We'll start that.
41:49After this call,
41:50maybe by next week,
41:51we'll start the discussion on risk.
41:53Because there's already
41:54a delivery of milestones.
41:56As far as we know,
41:57because we're monitoring
41:58the project implementation,
42:00the training should start soon.
42:02Correct.
42:03How will we train
42:04if the samples and test equipment
42:06haven't been approved yet?
42:09Yes, that's one.
42:11Then we need to certify
42:12the test equipment.
42:13Correct.
42:14That hasn't happened yet.
42:16Also,
42:17internet voting for overseas
42:19is just a win.
42:21Correct.
42:22For our OFWs,
42:24your vote is already up.
42:26Correct.
42:27You won't have to send
42:28ballots to the embassy.
42:29Correct.
42:30But can the system still be hacked?
42:33Because that was their problem
42:35in the first part.
42:37They said that the system
42:39can be hacked
42:41and can be loaded.
42:43Until now,
42:44there's been talk
42:46about why this gateway
42:48suddenly lost votes.
42:50Why are the patterns of split
42:52in the vote the same?
42:53Is it possible
42:55that it can be hacked?
42:58The answer is possible.
43:01Always.
43:03Always.
43:04Hacking is a matter of time.
43:09Remember,
43:12our election system
43:14is only open for 8 hours
43:16or 12 hours.
43:17The question is,
43:18can you hack it in 12 hours?
43:20I don't know the answer yet
43:22because we haven't tested the system.
43:25But that's what we need to check.
43:26If you can hack it
43:27within a year,
43:29that's okay.
43:30Okay.
43:31That means you're safe.
43:33Because by the 12-hour window,
43:34the system will die.
43:35Your data is safe inside.
43:38But other conditions
43:39could also matter.
43:41For example,
43:42the climate.
43:43They said it's an internet connection.
43:44Then,
43:45we are archipelagos.
43:47Of course,
43:48these machines
43:49can be hacked across islands.
43:52Those problems
43:54that were mentioned
43:55during the elections
43:57were tackled by MIRU
43:58in third world countries
44:00like us.
44:01Cybersecurity has three elements.
44:04Confidentiality,
44:05Integrity,
44:06and Availability.
44:07In an election,
44:08availability is important.
44:09Correct.
44:10For example,
44:11if I jam the machine,
44:12it won't be able to transmit.
44:14That means
44:15the result of the machine
44:16will be delayed in transmission.
44:18The jammer,
44:19even if it's illegal,
44:21it's easy to hide
44:22and it's easy to buy.
44:24Okay, okay.
44:25That's one.
44:28Confidentiality,
44:29he said.
44:30Confidentiality
44:31is even harder.
44:33In fact,
44:34honestly,
44:35confidentiality is not that important
44:37in an election
44:38because it should be transparent.
44:40What you should hide
44:41is how voters vote.
44:43That's all.
44:44The rest must be transparent.
44:47Integrity.
44:48I can change the election
44:51but I don't know the result.
44:54For example,
44:55I just want to make a mess.
44:56For example,
44:57this is what we call an attack
44:59that you don't want to win
45:01according to the survey
45:03but you don't care
45:04who will win.
45:06Can you do that?
45:08Nothing.
45:09I just want to make a mess.
45:10That's an integrity issue.
45:12We haven't checked
45:13the new machine yet
45:14but it's possible.
45:15Right?
45:16You're just interrupting the transmission.
45:18You're just messing with it.
45:20But actually,
45:21you don't know
45:22who will win.
45:23It's just a mischief attack.
45:25Mischievous attacks, yes.
45:27That's an attack against integrity.
45:29That could happen
45:30in any province
45:32or in any neighboring country.
45:34Right?
45:35It's possible that the machines
45:36don't arrive on time
45:38or there could be
45:40a power outage
45:42that's localized.
45:44Precisely.
45:45There's no electricity.
45:46There's no machine.
45:47There's not a single component of the machine.
45:49Let's say,
45:50there's no stamper.
45:51Let's say,
45:52there's no SIM card
45:54or SD card
45:55or whatever they're using.
45:56Right?
45:57Then,
45:58you'll have a problem right away.
46:00I think you should
46:01do a risk analysis
46:02of the CAC.
46:04The Advisory Council.
46:06Because it looks like
46:07they're already doing training
46:08and they're already sending
46:09machines for testing
46:11and certification.
46:13Yes.
46:14So,
46:15we'll start that
46:17in this month, July.
46:19Before the end of July.
46:20Who will be sitting
46:21in the CAC?
46:22Secretary Ivan.
46:24I'm his alternate.
46:25You know,
46:26he's the secretary when he's busy.
46:27So, I'll be sitting
46:28as his alternate.
46:29Alright.
46:30The last topic
46:31that will be important
46:32is Wi-Fi
46:33across the nation.
46:34It's been a promise
46:35for a long time
46:36that it seems like
46:37it's going to be stopped
46:38or will it be stopped again?
46:40So,
46:41we have
46:42the Philippine Digital Infrastructure
46:44Project Loan
46:45for 16 billion pesos.
46:47Give or take.
46:48It's actually
46:49288 million US dollars.
46:52What it will do here
46:53is it will finish
46:54the backbone
46:55of the Philippines.
46:56Now,
46:57it's finished
46:58from Laoag to Metro Manila.
46:59Okay.
47:00This backbone is ours.
47:01It's not PLDT.
47:02It's not Globe.
47:03It's ours.
47:04Then,
47:05it will finish
47:06the leg of Visayas
47:07to Mindanao.
47:08And hopefully,
47:09when we finish that,
47:10it will provide
47:11more internet connections
47:12especially in
47:13non-serviceable areas.
47:14Okay.
47:15These are the barangays
47:16that
47:17can't be sold
47:18by Globe,
47:19Smart,
47:20or PLDT
47:21because they don't have
47:22commercial value.
47:23The population is small
47:24and the income is small.
47:25That's what the
47:26free Wi-Fi program
47:27is saying.
47:28So,
47:29this project
47:30will be completed
47:31by 2028.
47:33And
47:34hopefully,
47:35when this
47:36the output
47:37of this
47:38will happen,
47:39the price of
47:40the internet
47:41will go down
47:42for us
47:43because
47:44we can nudge
47:45the behavior
47:46of PLDT,
47:47of Globe,
47:48of Smart.
47:49And second,
47:50we will be able
47:51to provide
47:52internet connections
47:53to those
47:54who can't
47:55because
47:56it's hard
47:57to reach.
47:58Hard to reach.
47:59Yes.
48:00Geographically
48:01deprived.
48:02Isolated.
48:03Geographically
48:04isolated
48:05and disadvantaged areas.
48:06What can
48:07Pre-Emptive
48:08Strike
48:09do?
48:10Do we have
48:11options available?
48:12And
48:13what is the outlook?
48:14Will things
48:15get better
48:16before they
48:17get worse
48:18in the next
48:19year?
48:20They said
48:21the
48:22before
48:23sunrise
48:24it's always
48:25darker
48:26at dawn.
48:27We are
48:28going through
48:29a
48:30zeitgeist
48:31sorry for
48:32that deep
48:33term.
48:34We're going
48:35through a
48:36zeitgeist
48:37of events
48:38that is
48:39leading us
48:40towards
48:41cybersecurity.
48:42And
48:43I can see
48:44that
48:45I think
48:46I sincerely
48:47believe we'll
48:48get better
48:49as long as
48:50we implement
48:51the national
48:52cybersecurity
48:53plan.
48:54You know,
48:55let's go back to
48:56our problem
48:57last year or
48:58two years
48:59ago.
49:00We didn't talk
49:01about
49:02cybersecurity.
49:03But now,
49:04in a survey,
49:05cybersecurity
49:06is number
49:07one.
49:08It's the
49:09number two
49:10price of
49:11rice.
49:12In a
49:13way,
49:14it's
49:15the
49:16number
49:17two
49:18price of
49:19rice.
49:20So,
49:21it's
49:22number
49:23two.
49:24And
49:25it's
49:26the
49:27number
49:28one
49:29price
49:30of
49:31rice.
49:32So,
49:33it's
49:34the
49:35number
49:36two
49:37price
49:38of
49:39rice.