Contextualizing the Cybersecurity Threat to Philippine National Security
The sky is not falling. Despite media reporting and public testimony, the threat to Philippine national security following degradative cyber operations remains unlikely. However, political warfare and espionage through the exercise of cyber capabilities are likely to remain a constant for the foreseeable future in light of strategic, political, and technological realities. That being said, this article's brief insights aim to ground expectations of cyber conflict involving the Philippines and other actors both within and outside the region.
Capability, Intent, and Form
While it cannot be denied that the state of Philippine cybersecurity renders it vulnerable to malicious behavior by state actors, a clarification must be made concerning the causal process linking capability, intent, and form. Early cybersecurity scholarship advanced a narrative of cyberspace's revolutionary potential; that is, low-cost weapons offer an asymmetric advantage to materially constrained actors. However, history argues otherwise: operating effectively in cyberspace requires significant technological, financial, and organizational resources to meet strategic objectives [2-4].
Regionally, cyber capabilities are found at different maturity levels – with states like Singapore taking the lead. Others, such as Vietnam, are continuously developing capabilities that have caught observers' attention in recent years. Beyond Southeast Asia, the Indo-Pacific is home to cyber powers such as the People's Republic of China (PRC) and the Democratic People's Republic of Korea (DPRK) that are involved in some of the most significant cybersecurity incidents to date. Consequently, it is fair to argue that the Philippines exists in a threatening (cyber) neighborhood.
Capabilities, however, do not translate to immediate use. Despite the opaque nature of in-domain interactions, the available data paints a picture of restraint rather than unbridled conflict [7, 8]. Rather than exploiting cyberspace's benefits, capable actors operate below the threshold of armed conflict and are punching below their “cyber weight”. Explanations for this are varied and range from a tacit norm of non-escalation to the inherent technical limitations [9-12]. Whatever the reason, tactical and operational restraint is consistent across global cyber interactions.
For the Philippines (and Southeast Asia), state-associated cybersecurity incidents appear to be limited to low-level disruptive operations (e.g., website defacement) and espionage. The former, while quite public, result in limited and transitory effects. While having the potential for long-term strategic consequences*, the latter is a tolerated practice. Taken together, the threats faced by the Philippines have, thus far, yet to yield significant strategic benefits for aggressors.
The empirical data available to scholars and policy experts call into question the exact form of competition in cyberspace. As argued by Joshua Rovner, a former scholar-in-residence with the United States' Cyber Command (USCC), cyber interactions over the past decade more closely resemble an intelligence contest than a military one. In other words, cyber capabilities are used to gain a strategic advantage across domains instead of as a means to demonstrate overall superiority.
That being said, weighing adversarial capabilities against the cybersecurity incidents experienced, the Philippine experience suggests the existence of an intelligence contest. Disruptive cyber operations are exercised to cast doubt and possibly influence public opinion amid existing disputes. At the same time, espionage offers insight into existing capabilities and preferences that the Philippines can bring to bear across military, political, and economic issues.
Although it appears that the Philippines is expected to face a continuous stream of disruption and espionage operations, regional dynamics may mitigate some of these threats. Despite doubt about the efficacy of deterrence in cyberspace, several solutions have been proposed to overcome the weaknesses of conventional deterrence models when applied to cyberspace. One of these is entanglement.
Deterrence by entanglement functions based on shared benefits and consequences grounded in existing interdependencies between the actors involved [17, 18]. In this model, aggressors are deterred when they recognize that the cost they impose on their victims results in a first- or second-order effect on them as well. When applied to cyberspace, the targeting of an Internet exchange, for instance, may not only disrupt Internet access for the target but may inadvertently affect the aggressor owing to the interconnected nature of cyberspace. As a second-order effect, other actors may refuse to engage in a continued relationship (e.g., technology transfer) with an aggressor given their penchant for malicious behavior, further restricting their future capabilities.
Within the Association of Southeast Asian Nations (ASEAN), the emphasis placed on cyberspace as a pathway for economic prosperity offers an avenue for deterrence by entanglement. The regional integration of IT systems not only enables the effective exploitation of the domain for economic purposes, but it also establishes the interdependence mechanism that exposes an aggressor to the effects of malicious behavior. Outside the region, however, deterrence by entanglement appears less viable. Discouraging malicious behavior may require various measures that include a multi-stakeholder approach.
While the realities faced by the Philippines appear to be ones of tempered and restrained action, complacency should not be allowed to flourish. Persistent socio-political cleavages expose the country to influence operations that may benefit adversaries. Tangentially, limited cybersecurity expertise at both the operational and leadership levels increases vulnerability to disruptive and espionage operations.
Although the appropriate steps are being taken across different sectors, further effort is needed to enhance Philippine cybersecurity. These include improvements in education, increased budget allocation for national-level organizations, and further engagement in multi-stakeholder projects at both the regional and global levels. These function collectively to improve the overall state of cybersecurity within the country, allowing it to weather challenges as it continues to leverage the benefits offered by the domain.
*Debate continues whether or not cyber espionage results in a measurable strategic advantage for parties that engage in such acts (Gilli, A. and M. Gilli, Why China Has Not Caught Up Yet: Military-Technological Superiority and the Limits of Imitation, Reverse Engineering, and Cyber Espionage. International Security, 2019. 43(3): p. 141-189.)
Miguel Alberto Gomez is a senior researcher at the Center for Security Studies, ETH, and a doctoral candidate at the Universität Hildesheim, Germany. He holds a master’s degree in international security from the Institut Barcelona d’Estudis Internacionals (IBEI). He has worked previously as a lecturer at both the De La Salle University and the College of St. Benilde. His area of research is centered around cybersecurity and tackles the cognitive and affective factors that influence decision-making concerning
References
1. Clarke, R.A. and R.K. Knake, Cyber war. 2014: Tantor Media, Incorporated.
2. Pytlak, A. and G.E. Mitchell, Power, rivalry, and cyber conflict: an empirical analysis, in Conflict in cyber space: theoretical, strategic and legal perspectives, K. Friis and J. Ringsmose, Editors. 2016, Routledge: London. p. 65-82.
3. Borghard, E.D. and S.W. Lonergan, The Logic of Coercion in Cyberspace. Security Studies, 2017. 26(3): p. 452-481.
4. Slayton, R., What Is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment. International Security, 2017. 41(3): p. 72-109.
5. Gomez, M.A. and C. Tran Dai, Challenges and opportunities for cyber norms in ASEAN. Journal of Cyber Policy, 2018. 3(2): p. 217-235.
6. Gomez, M.A., Frustrated with the Philippines, Vietnam Resorts to Cyber Espionage, in Net Politics, CFR, Editor. 2017, Council on Foreign Relations.
7. Maness, R.C. and B. Valeriano, The Impact of Cyber Conflict on International Interactions. Armed Forces & Society, 2016. 42(2): p. 301-323.
8. Kreps, S. and J. Schneider, Escalation firebreaks in the cyber, conventional, and nuclear domains: moving beyond effects-based logics. Journal of Cybersecurity, 2019. 5(1).
9. Valeriano, B. and B. Jensen, The Myth of the Cyber Offense: The Case for Restraint, in Policy Analysis. 2019, Cato Institute.
10. Lindsay, J., Stuxnet and the Limits of Cyber Warfare. Security Studies, 2013. 22(3): p. 365-404.
11. Gomez, M.A., In Cyberwar, There Are Some (Unspoken) Rules, in Foreign Policy. 2018, Foreign Policy.
12. Rid, T., Cyber War Will Not Take Place. Journal of Strategic Studies, 2012. 35(1): p. 5-32.
13. Gilli, A. and M. Gilli, Why China Has Not Caught Up Yet: Military-Technological Superiority and the Limits of Imitation, Reverse Engineering, and Cyber Espionage. International Security, 2019. 43(3): p. 141-189.
14. Smeets, M., The Strategic Promise of Offensive Cyber Operations. Strategic Studies Quarterly, 2018. 12(3): p. 90-113.
15. Rovner, J., Cyber War as an Intelligence Contest, in War on the Rocks. 2019, Texas National Security Review.
16. Fischerkeller, M.P. and R.J. Harknett, Deterrence is not a credible strategy for cyberspace. Orbis, 2017. 61(3): p. 381-393.
17. Nye, J.S., Deterrence and dissuasion in cyberspace. International Security, 2017. 41(3): p. 44-71.
18. Brantly, A.F., Entanglement in Cyberspace: Minding the Deterrence Gap. Democracy and Security, 2020: p. 1-24.