Cybersecurity in the Philippines: Laws and Plans

Questions and Answers

What is the primary law addressing cybercrime in the Philippines?

  • RA 10627
  • RA 8792
  • RA 10173
  • RA 10175 (correct)

Which agency was created by RA 10175 to combat cybercrimes?

  • National Privacy Commission (NPC)
  • Cybercrime Investigation and Coordinating Center (CICC) (correct)
  • National Bureau of Investigation (NBI)
  • Philippine National Police (PNP)

What year was the Cybercrime Prevention Act enacted?

  • 2010
  • 2012 (correct)
  • 2015
  • 2017

Which of the following is NOT considered a cybercrime under RA 10175?

  • Data erasure (C)

Which law covers the protection of personal data in the Philippines?

  • RA 10173 (A)

What right is guaranteed by RA 10173 to individuals regarding their personal data?

  • Right to access and rectify personal data (D)

What is one of the main goals of the National Cybersecurity Plan 2022?

  • Securing critical infrastructure (A)

Which of the following is a challenge faced by cybersecurity enforcement in the Philippines?

  • Limited resources and public awareness (A)

What does the term 'cybersecurity threat' refer to?

  • A malicious act that seeks to damage or steal digital assets (A)

Which of the following options best describes a 'botnet'?

  • A network of compromised computers used for malicious purposes (D)

What are the three types of social engineering?

  • Pretexting, Baiting, and Tailgating (D)

Which of the following is an example of a denial of service (DoS) attack?

  • Overloading a system with excessive traffic (A)

Which source of cyber threats is represented by individuals aiming for financial gain via hacking?

  • Hackers and Criminal Groups (C)

What is the primary function of spyware?

  • To steal user data quietly (A)

Which attack is known for using unauthorized access to intercept communications?

  • Man-in-the-Middle (MitM) (D)

Which of the following is NOT commonly recognized as a type of cybersecurity threat?

  • Binocular Attacks (D)

What does the Consumer Review Fairness Act specifically protect?

  • The right to share honest reviews. (A)

Which of the following is a purpose of product liability insurance?

  • To protect against claims related to defective products. (B)

Which Act regulates commercial email marketing in the United States?

  • CAN-SPAM Act. (C)

Which statement about the CCPA (California Consumer Privacy Act) is incorrect?

  • It applies to all businesses in the United States. (D)

What is a key characteristic of Advanced Persistent Threats (APTs)?

  • They focus on data exfiltration and may be state-sponsored. (D)

What is the main role of the National Privacy Commission in the Philippines?

  • To uphold the rights of individuals regarding data privacy. (B)

Which of the following is NOT a characteristic of compliance with e-commerce laws?

  • Creating legal loopholes. (B)

Which of the following correctly defines data breaches?

  • The unauthorized access or disclosure of sensitive data. (B)

What is the primary purpose of analyzing successful compliance case studies?

  • To understand effective legal compliance strategies. (C)

Which of the following statements about cross-border transactions is true?

  • They only complicate compliance due to varying laws. (C)

Which of the following is a responsible data processing characteristic under the Data Privacy Act?

  • Processing in a transparent manner. (B)

What is a common misconception regarding compliance with e-commerce regulations?

  • Compliance is optional once achieved. (C)

What must data protection laws like GDPR and CCPA provide for businesses?

  • They impose strict requirements regardless of business size. (A)

What law aims to protect personal information in both the private and public sectors?

  • Data Privacy Act (B)

Which act defines and penalizes various cybercrimes, including hacking and identity theft?

  • Cybercrime Prevention Act (D)

Which of the following is NOT a focus area of the National Cybersecurity Plan 2022?

  • Securing private sector networks (A)

Which agency is primarily responsible for overseeing compliance with the Cybercrime Prevention Act?

  • National Privacy Commission (D)

What is one of the key objectives of the DICT?

  • Promote ICT development (A)

Which type of cybercrime does the Cybercrime Prevention Act include?

  • Identity theft (D)

Which statement about the Data Privacy Act is NOT true?

  • It allows unrestricted access to personal information by any government agency. (C)

Which of the following is included in the National Cybersecurity Plan 2022?

  • Enhancing cybersecurity resilience (C)

What does the acronym DICT stand for?

  • Department of Information and Communications Technology (A)

Which of the following is NOT a responsibility of the DICT?

  • Regulating television broadcasts (C)

What year was Republic Act No. 10844 enacted?

  • 2016 (B)

What is the primary purpose of the National Broadband Plan under DICT?

  • Increase internet speed and accessibility (A)

Which of the following public spaces offers free Wi-Fi under DICT's provisions?

  • Shopping malls (D)

According to the Cybercrime Prevention Act, which of the following is a punishable offense?

  • Online libel (D)

Which of the following duties is part of DICT's mandate?

  • Enhancing ICT capacity-building (A)

Flashcards

NIST CSF

A framework to help organizations manage and reduce cybersecurity risks.

Cybersecurity Risk Management

The process of identifying, assessing, and mitigating cybersecurity risks.

Cybersecurity Incident Response

Actions taken when a cybersecurity incident is detected.

Cybercrime Prevention Act

Law to combat cybercrimes in the Philippines.

Data Privacy Act

Law covering data protection in the Philippines.

Cybercrime

Criminal activity conducted using the internet or networks.

National Cybersecurity Plan 2022

Plan for enhancing security of critical infrastructure.

National Privacy Commission (NPC)

Philippine agency tasked with data privacy enforcement.

Cybercrime Investigation and Coordinating Center (CICC)

A Philippine law enforcement agency tasked with investigating cybercrimes.

Cybersecurity

Protecting systems, networks, and data from digital attacks.

Cyber libel

Online defamation or spreading false information that harms someone's reputation using the internet.

Child pornography

Creating, distributing, or possessing online materials depicting minors in sexual acts, illegal under RA 10175.

National Cybersecurity Plan 2022 Focus Areas

Protecting national infrastructure and promoting awareness and resilience.

Cybersecurity Challenges (Philippines)

Lack of awareness and resources are significant issues.

DICT

The Department of Information and Communications Technology, promoting ICT development in the Philippines, including cybersecurity.

Importance of Cybersecurity Laws

Protect individuals, businesses, and the nation's digital infrastructure from harm.

E-Commerce Law

Laws governing online business transactions and contracts, protecting consumers and businesses.

Intellectual Property Protection

Protecting brand and product rights through legal means.

Deceptive Advertising

Misleading consumers with false or misleading information in ads.

Consumer Review Fairness Act

Protects consumers' right to honest product reviews.

CAN-SPAM Act

Regulates commercial email marketing.

Product Liability

Insurance covering claims due to defective products or injuries.

E-commerce Compliance

Following the legal rules for online businesses.

Consumer Trust

Building confidence in a product or company through legal compliance.

Data Breaches

Illegal access to and handling of personal info.

Data Privacy Act 2012

Philippines law addressing data protection of individuals.

Data Subject Rights

Individual's legal rights regarding their personal data.

Zero-Day Exploits

Malware exploiting software flaws unknown to the vendor.

Advanced Persistent Threats (APTs)

State-sponsored or criminal attacks focusing on long-term data theft.

Cryptojacking

Using someone's computer to generate cryptocurrency without their consent.

Cybersecurity Threat

Any malicious act intended to damage, steal, or disrupt digital assets like information, data, networks, systems, or devices.

Botnets

Networks of compromised computers controlled by attackers, often used for DDoS attacks, spamming, or spreading malware.

Social Engineering

Tricking users into revealing confidential information or granting access to systems through psychological manipulation.

Pretexting

A type of social engineering where attackers create a believable scenario to gain information or access from victims.

Baiting

A type of social engineering where attackers offer something enticing to trick users into clicking malicious links or downloading malware.

Tailgating

Gaining unauthorized access to restricted areas by following someone who has legitimate access.

Malware

Software designed to harm or disrupt computer systems, including viruses, worms, Trojans, and ransomware.

Study Notes

Cybersecurity in the Philippines and Beyond

  • Philippine Cybercrime Law: RA 10175 addresses various cybercrimes, including hacking, data interference, system interference, and online libel. RA 10173 (Data Privacy Act) protects personal data.

  • Cybersecurity Enforcement Challenges: Limited resources and public awareness are significant challenges in the Philippines.

  • National Cybersecurity Plan 2022: This plan aims to secure critical infrastructure and promote cybersecurity awareness.

  • Key Agencies: The Cybercrime Investigation and Coordinating Center (CICC) investigates cybercrimes. The National Privacy Commission (NPC) enforces the Data Privacy Act. DICT (Department of Information and Communications Technology) promotes ICT development and cybersecurity, including operating the Cybersecurity Bureau.

NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)

  • Purpose: Designed to help organizations of all sizes and sectors (industry, government, academia, nonprofit) manage and reduce cybersecurity risks.

  • Components: The CSF covers several components for managing cybersecurity risk: safeguards used to manage cybersecurity, actions taken regarding cybersecurity incidents, categories of detected incidents, desired outcomes, privacy events resulting from data processing, and implementation tiers.

Specific Laws and Regulations

  • RA 10627: This law is not about cybersecurity, but it's important to be aware of laws related to cybercrimes.

  • RA 10173 (Data Privacy Act): This law protects personal information and defines responsibilities surrounding data processing.

  • RA 10175 (Cybercrime Prevention Act): This law criminalizes various cybercrimes like hacking, data interference, and online libel.

  • E-commerce Law: Covers online transactions and digital contracts. Crucially, it needs to change with the times.

Cybersecurity Threats and Definitions

  • Terrorist Organizations: Threaten national security and seek infrastructure destruction or harm.

  • Malicious Insiders: Abuse privileges for personal gain.

  • Malware: Malicious software – different types such as spyware and adware.

  • Social Engineering: Tricking users into providing access points for malware.

  • Spyware and Adware: Secretly collect user data or display unwanted ads.

  • Cybersecurity Threats: Generally malicious acts like stealing data or disrupting computer systems.

  • Sources of Cyber Threats: Includes nation states, terrorist organizations, hackers, and malicious insiders.

  • Types of Cyber Threats (Examples): Malware, Advanced Persistent Threats (APTs), Crypto-jacking, Phishing, Denial-of-Service (DoS) attacks, Man-in-the-Middle (MitM) attacks, Insider Threats, Zero-Day Exploits, Credential Stuffing, Supply Chain Attacks, Social Engineering, IoT Vulnerabilities, Password Attacks, and Rootkits.

Data Privacy Act

  • NPC Responsibilities: The NPC enforces the Data Privacy Act of 2012 (RA 10173). They perform various roles of enforcement, guidance, compliance checks, and public awareness campaigns about the law with respect to personal information.

  • Key Responsibilities: The four key responsibilities of data controllers concerning personal information include transparency, security, lawfulness, and just data collection.

  • Data Subject Rights: Data subjects have several rights concerning their personally identifiable information, including the right to access their data, update it, and request deletion of it. 

E-commerce Law

  • E-commerce Regulations: There are various regulations that govern e-commerce activities.

  • Compliance Challenges: One significant challenge in e-commerce is adapting to changing regulatory environments.

  • Consumer Trust: Building consumer trust through legal compliance is crucial for success in e-commerce.

  • Jurisdictional Differences and Disputes: E-commerce compliance can be complicated by jurisdictional conflicts and differences in regulations.

  • Data Handling and Privacy: Mishandling customer data leads to issues about data breaches and privacy violations.

DICT (Department of Information and Communications Technology)

  • Purpose: Primarily to promote the development of information and communications technology (ICT).

  • Mandates: Develop national policies, strategies, and frameworks; lead cybersecurity efforts; develop and implement national cybersecurity policies and programs; promote the security of the country’s information and communications infrastructure.

Cybersecurity Framework Components

  • Technical Security: Includes encryption, network security, and secure data transmission.
  • Physical Security: Includes access controls and secure storage of sensitive data.
  • National Privacy Commission (NPC): The NPC is a regulatory body ensuring data protection rights.
  • Data Privacy Act (RA 10173): A comprehensive law on personal data protection in the Philippines.
  • Penalties for Non-Compliance: This includes fines and sanctions for non-compliance with cybersecurity guidelines and laws.
  • International Collaboration: Partnerships with international institutions and local agencies to enhance cybersecurity measures are often important.
  • NPC Vision: The NPC aims to be a model data protection authority.

Cybersecurity Threats

  • Malware: Malicious software.
  • Man-in-the-Middle (MitM) Attacks: Attackers intercept communications between two parties.
  • Zero-Day Exploits: Vulnerabilities unknown to the software developer are exploited.
  • Advanced Persistent Threats (APTs): Sophisticated and long-lasting attacks, often state-sponsored or carried out by organized crime groups.
  • Supply Chain Attacks: Attacks targeting software suppliers.
  • Phishing: Attacks using disguised legitimate entities to obtain sensitive information.
  • Rootkits: Malware designed to maintain covert access to a computer system.
  • Botnets: Networks of compromised computers controlled remotely; often used for malicious activities like DDoS attacks.
  • Social Engineering: Tricking people into divulging confidential information.
