00:41.6
Ito po yung report namin on the 811 early detected,
00:46.3
again, let me reiterate, that we detected attempts to hack government agencies.
00:51.5
Ang number one po na in attempt pero hindi naman tumutuloy is DOH.
00:57.6
Second, yung DICT, followed by Department of Transportation, NEDA, and PNP.
01:03.7
All the other agencies are listed there.
01:08.2
You will also notice na we also classified, ito po ay 2024 lamang.
01:14.1
We also classified kung yung attempt is a low risk or a critical risk.
01:19.9
Pag low risk po, ibig sabihin, mga nag-i-scan po ng assets, tinitingnan kung mayroon pang mapapasok.
01:26.5
Ang classification po.
01:27.6
Pag medium po, ibig sabihin, nag-a-attempt pong mag-upload ng file,
01:34.0
tumingin ng mga file transfer protocol.
01:36.9
Yung mga critical po, ito po yung mga SQL injection, gustong pasukin yung database.
01:42.5
So, there are a lot of low risk attempts in government.
01:46.6
And we registered about 13 from January to March, critical attempts to government.
01:57.6
We apologize kung medyo maliit po.
02:00.3
But here are the categories of the attacks that transpired, including the attempted attacks that transpired.
02:08.6
If you will notice, ang pinakamalaki po talaga ay malware and malicious files.
02:12.5
Kasama na po rito yung mga ransomware kung saan linalak po yung mga data at ninanakaw din po yung data.
02:18.8
We still note that our observed weakness still of government agencies,
02:27.6
is still yung end point po, yung mga laptop.
02:31.6
Ang pinakasikat po ngayon, bukod sa ransomware, ay yung tinatawag po na keylogger.
02:36.0
Kung saan po, pag nag-type po kayo ng password, kahit hindi po ninyo nakikita yung password,
02:40.6
ay nakukuha po nila.
02:42.8
This, I think, is the reason why there are, kahit nag-change na ng password yung administrator,
02:49.4
multiple times pong nakahack yung mga Facebook pages ng mga government agencies.
02:56.8
Example, yung mga Facebook pages ng mga government agencies.
02:57.6
Ang pinakasikat po ng keylogger, yung mga infostealer ang tawag natin, is redline.
03:01.8
How does an administrator protect the website?
03:09.5
So, usually, if I may, Mr. Chair, usually we deploy XDRs, or Extended Defense and Response Systems,
03:18.4
parang antivirus na mas advanced po ng konti, doon po sa laptops.
03:21.9
But also, we have to also face the fact na,
03:26.4
hindi po lahat ng laptops issued by government.
03:29.5
Yung iba po rito ay personal laptops na may kanya-kanya po silang personal antivirus
03:35.1
that are insufficient to defend their own systems.
03:39.1
Meron naman po kami mga seminars na hinuhold, multiple layers of defense,
03:43.0
kasama na po yung gumamit ng password tools na hindi nyo kinakailangan itype.
03:48.9
Alimbawa, kung medyo mahal po yung mga ganong laptop,
03:51.3
yung may mga biometric system po na hindi mo kailangan itype po yung password,
03:56.4
tapasok na lang yung password mo after authenticating yourself biometrically,
04:00.6
like your fingerprints po.
04:05.3
With your permission, Mr.
04:07.3
So, may I continue with the slides? Thanks.
04:10.9
The second one is data exfiltration or data leak.
04:16.3
And of course, ang third one po ay compromised website.
04:19.5
Ito po yung nag-upload sila ng mga...
04:21.9
Ito po yung para pahiyain yung gobyerno.
04:24.3
Data, ay ano po, website deface.
04:26.4
So, yun po yung top three natin.
04:29.0
Yung na-detect po sa House of Representatives na pinagtulungan po natin along with your IT,
04:34.4
yung ang tawag po rin ay denial of service.
04:38.3
Nagbabayad po yung gumagawa nito para i-overload yung traffic.
04:42.2
Kumbaga po, papipilahin lahat ng illegal na transaction para yung legal hindi makapasok kasi mababa yung pila.
04:50.4
So, medyo mahal po yung ganong klaseng attack, pero meron pong paid systems po kasi yan.
04:56.4
So, ginagamit to attack that.
05:01.0
We launched Project Sonar, which is our attempt to put a shield over all government agencies.
05:07.8
And to give information to government agencies what their vulnerabilities are.
05:14.0
Kumbaga po, inuunahan po natin yung mga hackers, malaman ano ba yung vulnerabilities nyo para ma-resolve.
05:20.3
And we would like to report again to the esteemed members of Congress regarding the progress of this project.
05:26.4
Which was only launched this December.
05:30.0
Again, in response to the hacking incidents of 2023.
05:37.4
Sige, next slide na lang. I already explained that.
05:40.7
Ito po ang, as of today, from December to today, Project Sonar scanned 2002 government assets of 885 government agencies, LGUs, including sub-agencies, etc. po.
05:56.4
Again, inuulit ko po, with or without permission.
06:00.3
Pagka-scan po namin sa gabi, i-inform namin yung agency na yung IP address galing sa amin, hindi po yun hacker. Kami po yun.
06:07.7
And I already reported earlier that we actually found 30,682 vulnerabilities.
06:13.8
So, medyo hindi po maganda yung state ng ating government agencies.
06:17.8
But please understand, your honors, that this is not something we can resolve overnight.
06:22.7
At least, information is now in their hands.
06:26.4
What type of vulnerabilities were found?
06:28.6
So that they can, if they need to procure something to defend themselves, then that can happen.
06:34.8
Next slide, please.
06:46.3
May last three slides na lang po ako.
06:56.4
So, ang next na po namin gagawin sa DICT is mag-request ng mga focal persons and contacts na magko-concentrate po dun sa mga nahanap na vulnerabilities.
07:07.0
Kasi out of 388 yung report ko po kanina, na mga agencies na pinadala namin ng reports, 55 lang po yung sumagot.
07:15.4
Which means 14.20% lang po ng government agencies na pinadalhan namin, kakasama po rito yung HOR.
07:23.5
Pero kasama po sa nag-respond.
07:26.4
So, this is very low compared to what we expect.
07:32.5
Of course, we're also discussing with some officials of DBM, baka po pwedeng isama na ito dun sa scorecards ng mga government agencies.
07:42.0
That they resolved the vulnerabilities that were found and that we reported to them.
07:49.4
Can we please ask a copy of those government agencies who did not answer?
07:56.4
We will furnish...
07:57.8
Yes, Your Honor. We will furnish this committee po.
08:09.0
We also have some sort of a shield which for confidential purposes we will not discuss po.
08:18.5
But suffice it to say that this is only for the 28 government agencies connected to the DICT's National Security Operations.
08:26.3
From January to March, we detected 208 million malicious traffic.
08:31.9
Including connections to malicious sites and command and control centers.
08:39.2
Of this, 310,000 was actually directly mitigated.
08:44.4
Ibig sabihin na stop po natin.
08:46.3
Yung malicious sites po kasi halo-halo na po yan.
08:49.0
Kasama na po yung uma-access sa mga...
08:52.5
Hindi dapat i-access, etc.
08:54.5
So, yung 310,000...
08:56.3
Yun po yung tinatawag natin command and control centers where your malicious code is trying to connect to the internet.
09:03.3
Perhaps because they already stole some data.
09:07.3
I guess the next slide is my last slide.
09:09.0
Ah, that's the last slide.
09:13.6
This is an example of something that we defended.
09:16.4
Hindi po yan lumabas sa media.
09:18.4
Just to highlight po na we're actually doing our best to defend our country.
09:23.0
There is a cobalt strike attack on DENR.
09:26.3
That cobalt strike po is a modus operandi or a...
09:31.3
Of the Deep Panda APT or Advanced Persistent Threat Group or ACTOR.
09:37.5
This is almost the same as the threat group ACTOR who was responsible for the February incident.
09:43.2
Where we did note that some Chinese, potentially those from that country,
09:51.4
attempted to attack our government mail systems.
09:56.3
We defended po and we can give a report to your office po.
10:01.1
Napapansin lang po namin na it seems that after an attack in the United States on certain infrastructure,
10:09.3
Example po, yung sa Google, that was after the attack also on government,
10:13.9
on the Google Cloud Services in the United States.
10:16.8
In this particular case po, there was an attack on the Microsoft Mail Exchange
10:21.4
and Microsoft Azure in US.
10:25.3
So, inatake po yung...
10:30.0
And they attempted to access Azure and Microsoft systems inside DNR.
10:35.3
Your Honors, that is my report.
10:37.8
We have a more detailed report but please allow us to, if you still are interested,
10:42.6
we can give you either a copy of the report or we would like to request for a confidential session
10:48.0
because these reports were not cleared for...
10:51.7
Because these are international security reports po.
10:56.3
Samad po, Mr. Chair, and to the esteemed members of Congress.
11:01.2
Musek, Jeffrey, END.
11:09.5
May we be allowed to ask also questions?
11:11.2
Yes, of course. Please proceed.
11:13.7
Okay, again, Musek, thank you for the report.
11:20.3
There are actually a few questions that I had in mind.
11:23.5
And just to go to like a...
11:26.3
Everybody's on the same page.
11:29.1
The attacks that we have, and please correct me if I'm wrong,
11:32.6
the attacks that we are having now are technically an evolved version
11:36.7
of the many attacks that we've also had prior to this administration, correct?
11:45.6
Congressman, thank you for the question, sir.
11:47.7
I am not a member of the cybersecurity team of the previous administration,
11:52.0
so I cannot comment.
11:53.0
What I would say is that we are...
11:56.3
We are actually part of the evolving global landscape on cybersecurity attacks
12:00.4
that started in 2022,
12:02.6
and that was targeting also other...
12:05.3
some of our allies, including the United States and Japan.
12:08.2
So, but in general, the trend is that
12:12.0
what is happening now is also similar to what was happening then before.
12:17.5
As technology evolved, and many people,
12:22.6
be it white hat, gray hat, or black hat,
12:26.3
hackers that are trying to really penetrate into the different systems worldwide now.
12:32.4
But one thing that I found alarming,
12:35.7
and this was also included in the privileged speech,
12:38.1
I mean, sorry, the sponsorship speech of Honorable Castro,
12:42.0
was the mention of the amount of data that was leaked,
12:46.6
which amounted to about 817 gigabytes of data slash records from multiple agencies.
12:54.6
Could you paint the picture?
12:56.3
First, on how big 817 gigabytes worth of records is to the members of this committee?
13:07.1
If not, allow me na lang, no?
13:10.0
Let's say, for example, a very simple text file would be around 57 bytes of data,
13:17.8
kilobytes of data,
13:19.2
which, if we were to divide it by 817 gigabytes,
13:23.9
would amount to 14,300,000.
13:26.3
So, we could say that 817 gigabytes would amount to around 1.6 million personal records that were leaked.
13:30.5
If, let's say, for example, it is 500 kilobytes worth of data per record,
13:36.0
then that 817 gigabytes would amount to around 1.6 million personal records that were leaked.
13:42.9
So, what I'm trying to say is, 817 gigabytes is not a small number.
13:46.7
It is a big, big number, especially when we talk about including the records of the PNP, NBI, BIR, SAF,
13:55.6
and so on and so forth.
13:56.3
Now, which is a concerning question, especially when we try to attribute it to the release of the sonar, the project sonar.
14:07.0
I want to ask, why was sonar released after, December, correct?
14:13.2
Why was this released after the other DDoS cases that were not really publicized but happened?
14:21.8
I think House was also hacked prior to the release of...
14:26.3
Project Sonar, if I'm not mistaken.
14:28.4
What promulgated the release of this program considerably late?
14:39.1
Your Honor, first, I would like to apologize that it was late.
14:43.1
I came into this office, January 2023 as well.
14:48.4
There was also a lot of debates.
14:50.7
Please understand that we have to build consensus.
14:53.6
We have to get some funds also.
14:56.3
This fund kasi was not...
14:58.5
So we have to ask for funds from different sources as well.
15:02.3
But I think ang pinakamatagal po is to build consensus.
15:07.8
Which until now is quite a challenge.
15:11.0
That's why we only have 28 agencies connected to it.
15:14.1
So I guess that's the main issue, Your Honor.
15:19.1
Good thing that you mentioned.
15:20.0
So consensus and funds are the top two, I would say, hurdles.
15:26.3
So I think that's the main thing that we have to do.
15:28.5
I think that's the main thing that we have to do to ensure security amongst all of our government agencies and the digital assets that we are trying to protect.
15:34.3
So in that case, Mr. Chair, I'd also maybe like to put on record that maybe this committee would like to hold maybe an investigation as to at least what are our options to further bolster our cybersecurity network,
15:51.5
especially in the light of...
15:56.3
trying to convince or at least mandating even the upgrade, the investment of different agencies into bolstering their own cybersecurity programs and mitigations.
16:10.9
Because in light of this one, I'd like to also ask you, sir, how do we fare?
16:18.5
How does the Philippines fare as compared to our immediate neighbors in Southeast Asia in terms of cybersecurity?
16:26.3
Ranked number five in the Global Cybersecurity Index as compared to our 10...
16:31.3
out of 10 Association of Southeast Asian Nations.
16:34.9
Globally, we are ranked...
16:39.0
Somewhere in the middle of 100...
16:43.5
I'll just check if it is in the 51 or 57th rank.
16:48.5
Because the reason why I asked this is because in the committee, we've visited a few countries with advanced cybersecurity.
16:56.3
We've visited a few countries with advanced cybersecurity measures.
16:58.3
To name a few, Singapore was one of them.
17:00.3
China was also one of them.
17:02.3
And in fact, we can only...
17:04.3
We couldn't help but drool over the amount of investment that the government has put into that particular movement and protection methods.
17:20.3
In that case, so again, we are ranked middle globally.
17:24.3
And top five in our ranking.
17:26.3
In our immediate vicinity.
17:31.3
So, it's still top ten.
17:33.3
Which also begs us to think that since we are...
17:36.3
Especially now that the administration has also entered into a trilateral agreement with our allies,
17:42.3
our position then becomes more critical in terms of cybersecurity,
17:47.3
which makes it even more urgent that we should also look into the investment,
17:55.6
and also the awareness,
17:57.6
to spread awareness to our fellow agencies.
18:00.6
And in fact, in every government agency,
18:02.6
there should also be a very active and very strong message that should be sent by the ICT
18:10.6
as the one that is in charge also of at least looking into the ICT infrastructure and assets.
18:17.6
So, I think I'd like to request,
18:19.6
be this an open letter siguro,
18:22.6
or an open request to the ICT,
18:23.6
that maybe we should also look into,
18:24.6
other methods of trying to convince,
18:28.6
or at least strongly wording,
18:30.6
our plea to our other national government agencies
18:35.6
to improve their cybersecurity infrastructure and programs.
18:46.6
since cybersecurity,
18:48.6
as compared to cybercrime,
18:50.6
cybersecurity is more proactive in the prevention
18:55.6
have we set up other,
18:57.6
have we also set up other systems for potential risks that have yet to arrive?
19:03.6
Or is Project Sonar the one that's existing pa now?
19:10.6
There are a lot of other things we're thinking about.
19:13.6
For example, setting up,
19:15.6
first, we would like to thank the President for already issuing EO-58,
19:20.6
which endorses the adoption of the national cybersecurity,
19:23.6
which is a five-year plan written by almost every agency represented in this hearing today.
19:31.6
In that plan, Your Honor,
19:34.6
my combination of technology,
19:38.6
policy that is required.
19:41.6
So, if you're talking about technology,
19:43.6
there are a lot of other things we still need to do.
19:46.6
we need to talk to the telecommunications providers
19:53.6
routing protocols like secure BGP.
19:56.6
We also are looking into the use of
19:59.6
voluntary mechanism for labeling
20:02.6
yung mga binibili po natin
20:05.6
para malaman ng publiko kung
20:07.6
ito ba ay secure or not.
20:09.6
Voluntary in a sense na if it is,
20:11.6
if you do not volunteer,
20:13.6
then you are one star.
20:15.6
But if you volunteer, then you have the capability to go,
20:19.6
We're actually discussing actively with our neighbors,
20:22.6
because Singapore has already adopted this.
20:25.6
And there's a lot more.
20:26.6
Of course, on top of the agenda,
20:29.6
which we are now discussing in NSIAC,
20:31.6
I think NSIAC is represented here as well.
20:34.6
NSIAC is the National Cyber Security Interagency Committee
20:38.6
chaired by the Executive Secretary and co-chaired by us in the NSA.
20:43.6
It's the Cyber Security Act.
20:45.6
We now have a draft.
20:46.6
We just are circulating it with the members of NSIAC
20:50.6
so that at least we have an executive version.
20:52.6
of a cyber security bill.
20:55.6
I understand that there are more than 10 cyber security bills
21:00.6
filed in both houses of Congress.
21:02.6
And they are very good.
21:04.6
So we also are attempting to merge them into one super cyber security bill.
21:09.6
In fact, sir, yung mga nabanggit niyong neighbors,
21:12.6
umaakit po sila sa rankings sa GCI, sa Global Cyber Security Index,
21:17.6
pag napass nila yung cyber security bill.
21:22.6
Malaysia is an example.
21:24.6
And Indonesia, who surpassed us after their passage of that bill.
21:30.6
Thank you, Yusec.
21:31.6
Mr. Chair, again, I think this also,
21:35.6
I'd like to highlight this particular exchange
21:40.6
as a call to action, maybe.
21:44.6
Maybe if the committee would be interested in holding another executive session,
21:50.6
at least for the cybersecurity.
21:52.6
So that we have a clear view as to how the legislators
21:58.6
and the legislative branch can also supplement the efforts of the ICT
22:03.6
among other agencies and law enforcement agencies.
22:08.6
So that we can also be assured of the security of our country
22:13.6
and also all of its digital assets as well.
22:15.6
Thank you, Mr. Chair.
22:16.6
Thank you, Yusec.
22:17.6
Thank you, Congressman Almaya.