MANILA - The Manila Central University (MCU) on Wednesday launched what it described as the Philippines’ first-ever cyber laboratory to help private firms boost their cybersecurity.

This was after a series of hacking incidents that have affected both government agencies and the private sector.

The Cybersecurity Posture Assessment Lab (CPAL) is a vendor-neutral facility that companies, particularly critical information infrastructures (CII), can tap into to assess the cyber risks against them, measure their cybersecurity posture maturity level, and provide them with recommendations on how to improve their systems through the use of advanced tools.

The initiative is a collaboration among MCU and cybersecurity industry experts such as NullForge and Blackfire.

“Our wish list in terms of the ones that will engage us will be the big ones, yung CII that store our data. Banks, we have the telcos. That’s why we also work with PSAC, the Private Sector Advisory Council, because they’re the ones that would also be helping us shed the light on how much this is actually needed sa private sector,” said MCU Executive Vice President Chynna Gonzales, who noted that they are already in talks with some potential clients.

Department of Information and Communications Technology (DICT) Secretary Ivan Uy, who attended the launch in Caloocan, hailed the program as a proactive step to address the growing threat of cybercrimes.

“This is not an after-the-fact incident na na-hack na kayo, and then naghahanap kayo ng solution. Dito, bago niyo pa dineploy yung sistema ninyo, or bago niyo pa i-open yun to the public ay na-testing niyo na,” he said. 

According to Uy, although private firms usually already have a go-to cybersecurity risk assessor, many of those may not be considered independent. 

“Ang nagiging challenge lang nila is, sometimes, obviously, ang solution ng vendor is bumili sa kanila so maaaring biased yung assessment kasi, siyempre, produkto nila gusto nilang ibenta. So by coming up with this vendor-neutral laboratory, they can validate if ang sinasabi ng vendor sa kanila ay totoo ba o hindi. At, totoo man, yung vendor lang ba ang may solusyon dyan? o may iba pa na pwedeng magbigay ng solusyon na mas targeted, appropriate and probably more cost-effective,” explained Uy. 

Uy said clients may even opt to just use the MCU facility but still have their own IT experts do the vulnerability test on their systems. 

“When they come over here to do their testing, may mga NDAs na pinapipirmahan yan. (And) the laboratory, I think, gives them a free hand to do their own testing so it’s not like somebody else is looking at their system… Sila lang ang nakakaalam kung ano yung sistema nila para nalalaman nila nasaan yung mga butas, and then it’s up to them to plug it,” he said. 

Based on research done by Blackfire on incidents of cyber attacks in the Philippines from 2018 to 2023, 50 percent of the attacks compromised the domains of private companies, 48 percent were that of the government, and 2 percent were military domains. 

Recently, the National Privacy Commission and the DICT have confirmed reported data breaches against several companies such as health management organization provider Maxicare and fast food giant Jollibee.

PROTECTING CRITICAL INFORMATION INFRASTRUCTURES 

DICT Undersecretary Jeffrey Dy also noted how the CPAL is in line with the government’s national cybersecurity plan in terms of promoting an ethical and regulated environment for cybersecurity vulnerability assessment and penetration testing (VAPT). 

“Ang magic word palagi doon is ethical. It must be in a controlled environment… May mga nahuhuli si NBI (National Bureau of Investigation) ngayon na mga VAPT providers na umaatake din. They are PAVT providers in the morning, they attack at night. Their victims: private companies and the government sector. So we want to create an ecosystem where the providers are trustworthy,” he said. 

He also stressed the importance of ensuring that critical information infrastructures are secured. 

“Who are CIIs? They are the ICT facilities of those companies, usually private companies, that operate to save you-- water companies, power companies, radar operators of NAIA (Ninoy Aquino International Airport). They are so critical to your life, to our lives that if they are compromised, they can also compromise not only our ICT, but our safety as well,” he said. 

For its part, Dy said the DICT is currently pushing for an executive order that would allow the government to assess and protect critical information infrastructures, in lieu of a cybersecurity law. 

Alongside the lab’s launch, MCU is also incorporating a Cybersecurity Program to its Bachelor of Science in Information Technology (IT) curriculum. This program aims to equip the next generation of cybersecurity professionals with the skills and knowledge needed to protect our digital landscape. This comprehensive curriculum covers analytical skills, foundational knowledge in cybersecurity, technical proficiency, hands-on experience, and software and application security. 

“It’s our job as a university to ready the next-gen all the time, so it’s our job to always innovate and always push for industries that we know will be needed. It’s not just about the infrastructure but also the talent,” said Gonzales.

GOVERNMENT HACKING 

Meanwhile, Dy again brushed off the supposed hacking of the DICT’s disaster management unit. 

Speaking to reporters, Dy said the page is meant to be an open system to allow for easier reporting of disaster-related emergencies.

“(That) assumes na nagkaroon tayo ng failure in terms of telecommunications. Binagyo, earthquake. So the system is designed to be easy for anybody to be able to report the incident. Andito kami, stranded kami, walang tubig, walang kuryente, nagka-landslide. So kung yung system na yun ay gagawin mong very very secure at naka-lock in, multi-factor authentication, it defeats the purpose,” he said. 

As for the cyber attack on the Department of Foreign Affairs (DFA), Uy declined to give any more details at the moment, saying the case is still under investigation.