“If we want people to embrace digitalization, then securing their data isn’t optional—it’s foundational”
We keep hearing it: digitalization is the future.
Faster services, smarter systems, more transparency.
But without cybersecurity, that future is built on sand.
No matter how many platforms the government rolls out, if people don’t trust that their data is safe, they won’t use them.
And right now, trust is in short supply.
Over the past three years, major Philippine agencies have suffered serious breaches.
In 2023, PhilHealth was hit by ransomware, compromising IDs and health data.
In 2024, the Department of Science and Technology saw internal research exposed. And earlier this year, the Department of Foreign Affairs reported intrusion attempts, likely by foreign actors, though no confirmed breach was disclosed.
These aren’t isolated events.
They’re part of a broader pattern.
According to Microsoft’s 2024 Digital Defense Report, its systems detect over 600 million attacks daily, many aimed at critical infrastructure. East and Southeast Asia—including the Philippines—are now key targets.
State-linked groups like Flax Typhoon and Granite Typhoon have tracked US–Philippine military exercises and probed government networks (Microsoft, 2024).
Microsoft also flagged a rise in credential theft via cloud-based platforms like SharePoint and OneDrive—tools many Philippine agencies use.
Phishing and malware remain dominant, now supercharged by AI. Microsoft tracks more than 1,500 threat groups worldwide, including 600 tied to governments.
Local data paints a similar picture. In 2024, the Department of Information and Communications Technology (DICT) blocked 5.4 million attacks targeting just 32 agencies. Kaspersky recorded an 800% surge in daily threats—about 8,800 per day—mainly against education and public sector systems (DICT, 2024, Philstar, 2024). Cyberint reported over 315,000 stolen credentials in the Philippines during the first half of 2024 alone.
Large private enterprises that collect personal data are prime targetts. In June 2024, Jollibee Foods Corporation confirmed a breach affecting over 11 million customers—names, phone numbers, and birthdates included.
So where’s the fix?
In 2017, the DICT introduced the Cloud-First Policy through Department Circular 2017-002. It aimed to move agencies away from fragmented, outdated systems—servers housed in offices, no integration, minimal defenses.
These legacy setups were expensive, hard to maintain, and easy targets.
Cloud migration promised stronger security, scalability, and cost-efficiency.
But there’s a trade-off: data can now reside in centralized centers inside or outside the Philippines. That opens up questions of control, oversight, and legal jurisdiction—especially when sensitive information sits on foreign infrastructure.
That’s why the National Cybersecurity Strategy Plan 2023–2028, issued under Executive Order 58, s. 2024, is critical.
It supports the Cloud-First shift but mandates tighter standards: minimum cloud security protocols, access controls, risk management, and resilience across hybrid or cross-border systems.
The DICT has been pushing national government agencies to shift to the cloud. Though there has been some compliance, the volume of hacking incidents only show the vulnerability of government data.
This is the real picture: cyber threats are escalating in volume and complexity. What used to be rare, isolated incidents are now ongoing campaigns by highly capable groups—some with nation-state backing, others profit-driven.
Every breach doesn’t just compromise systems—it erodes something far more valuable: public trust.
For companies, breaches mean reputational damage and legal risk. For government, it means a loss of legitimacy.
Digital services were meant to bring speed and transparency.
But the public won’t fully adopt them if they don’t feel safe. People aren’t just looking for convenience—they’re asking for protection.
They want assurance that their health records won’t end up on the dark web, and that their national IDs won’t be exploited for scams.
This is why simply moving data to the cloud isn’t enough. Without strong enforcement, the cloud just shifts risk instead of managing it—especially when the data lives in servers beyond our borders.
Trust doesn’t come from sleek websites or mobile apps. It comes from consistent, visible, and enforced protection.
The government now has the right policies in place—the Cloud-First Policy to modernize infrastructure, and the NCSP 2023–2028 to raise the bar on security.
But policies without enforcement are just paperwork.
If we want people to embrace digitalization, then securing their data isn’t optional—it’s foundational.
And rebuilding trust won’t start with technology. It will start with proving that the institutions asking for our data are ready to protect it.
