Senator Win Gatchalian called on all government agencies and the private sector to beef up their protection against cybersecurity threats, taking note of the hacking of the Philippine Health Insurance Corp. (Philhealth) that remains unresolved.
Gatchalian filed Senate Bill 2066, or the Critical Information Infrastructure Protection Act. The measure mandates all covered critical information institutions (CII) to adopt and implement adequate measures to protect their information and communications technology (ICT) systems and infrastructures and respond to and recover from any information security incident.
It also mandates the Department of Information and Communications Technology (DICT) to determine and update information security standards and require CII institutions to comply with such standards. It mandates the National Computer Emergency Response Team (NCERT) to act as the central authority for computer emergency response teams in the country and to administer the centralized information security incident reporting mechanism that would cover industries that include banking and finance, broadcast media, emergency services and disaster response, energy, health, telecommunications, and transportation, among others.
According to Gatchalian, more Filipinos and businesses rely on digital technologies to perform their daily tasks, especially after the COVID-19 pandemic. On average, Filipinos are estimated to use and consume 4.3 more digital services compared to pre-pandemic years. E-commerce also continues to grow exponentially and sales are expected to be valued at $10.3 billion by 2025, the senator said, citing estimates made by GlobalData.
“It is high time that we take the necessary steps to protect our critical information infrastructure by ensuring, at the minimum, compliance with international standards and globally accepted best practices for cybersecurity,” Gatchalian stressed.
“With the increased use of digital technologies in our daily lives, malicious actors, from casual scammers to highly sophisticated state-based groups, hunt for vulnerabilities in ICT systems and networks to steal information, disrupt essential services, and profit from attacks,” said Gatchalian, citing as an example the ongoing cyberattack on Philhealth’s database wherein cybercriminals have asked for $300,000 in exchange for handing over decryption keys, as well as deleting and not publishing the data they illegally obtained.
“The adoption and implementation of minimum information security standards is a globally accepted best practice to provide guidance, which would lead to more efficient use of resources, improved risk management, consistent delivery of critical and essential services and effective protection of the confidentiality, integrity, and availability of information that is vital to the nation,” he added.