Waging weaponless warfare

WRITTEN BY GIAN DE GUZMAN

GRAPHICS BY JON BONIFACIO

HISTORICALLY, WAR OFTEN involves the use of arms or weapons. The Japanese used swords and bayonets during the World War II, while the Americans had pistols and rifles. The Egyptians had naboots made out of wood and rattan. The Filipinos used bolo knives during the Philippine Revolution. But today, war is not just about weaponry; technology has already enabled modern warfare to transpire in networks and computer systems.

A battlefield is being built on the Philippine Identification System (PhilSys) proposed by the Philippine Statistics Authority (PSA) and signed by the President just this August. And now, PSA is already in preparation for its implementation. According to the PhilSys Act of 2018 or RA 11055, the PhilSys is a foundational identification system that serves as valid proof of identity for both citizens and resident aliens.

The key to this system is the development of a national ID called the Philippine Identification System ID (PhilID) that shall be issued to all those registered under PhilSys. The PhilID contains the PhilSys Number (PSN), quick response (QR) code and personal information that are all unique to its holder. The holder’s identity can be authenticated by either presenting the PhilID or using their biometric information.

Authentication can be conducted by validating biometric and personal information. Personal information, in the context of our law, is any information that directly identifies the individual such as full name, sex, birthdate, birthplace, blood type, address, and citizenship. Meanwhile, biometric information pertains to front-facing image, fingerprint, iris scan, and/or other distinguishable features. A set of at least two fingerprints shall be encrypted on the QR code at the back of the card. With this system, the PSA targets to provide more convenient public and private transactions, promote seamless delivery of services, curtail corruption, and enhance financial inclusion.

Though it appears promising to have a national ID that identify someone as a citizen, the PhilSys Act allows a record history that holds the location and date of transactions whenever the card is used. This takes us into considering the “war” the country is involved in. The Philippines has been a constant target for cyberattacks. This fact have made not just this questionable provision but the system as a whole, an area of contention between involved parties and stakeholders.

“You’d be scared if you knew the timeline and complexity of the system,” said Peter John Francisco, a lecturer from the Department of Computer Science (DCS), in a public forum on PhilSys ,tagged as #IDknow, held last September 19. He stated that a complex system likely enables connectivity, which poses security problems. He cited that the country is the eighth most vulnerable to malware, as per 2017 data from Microsoft. Malware or malicious software includes programs that are optimized for damaging and accessing systems. Vulnerability to malware allow hackers to exploit weaknesses in a system, increasing the likelihood of security breach. Hackers already rattle the Philippines, even in the absence of a consolidated database for our 33 government IDs.

In addition, the one-year period of completion and full implementation of the PhilSys is insufficient to meet the intricate construction of a single database where information of more than 100 million Filipinos would be encrypted. Although 30 billion pesos was allotted for the implementation, the huge amount of money cannot guarantee optimal security, given that the system apparently needs more than a single year to be performing at its best.

Meanwhile, in the “Public Forum for the IRR of RA 11055” on October 2, 2018 at the UP School of Statistics, authorities from PSA and partner agencies like the Department of Information and Communications Technology (DICT) emphasized that they hold utmost priority on the security of the national ID system. According to Cesar Manuel, Jr. of DICT, the national ID is safeguarded with at least 10 security features. PSA representatives also clarified that the record history will include logs of which agencies asked for authentications and when. They noted that the PSN will not be easily subjected to fraud because it is tied to the holder’s biometric information. They also stated that PSA will be responsible for the access and storage of the data. Specific access by some agencies will be dependent on the decision of PSA and the PhilSys Policy and Coordination Council (PSPCC), which is composed of partner government agencies.

Doubts surrounding the PhilSys were further fueled by the ambiguity of the RA 11055 and its Implementing Rules and Regulation (IRR). The signed act had loopholes and failed to specify necessary details. For example, it is uncertain whether the permanent or present address will be included on the card; neither of which are applicable to nomadic indigenous peoples and the homeless. The drafted IRR also failed to explain that there are different levels of authentication Apparently, authentication can be done by presenting the card, having your biometrics scanned, or both. This weakens the need for a physical ID card, if the system were designed to ask for the biometric information of the holder. PSA representatives also did not specify the process of selecting experts outside the government who will be consulted for technological matters.

However, it is argued by the concerned agencies that these vague provisions can still be compensated by updates on the IRR even after the system has been implemented. In rebuttal to this, Atty. Maria Cecilia Soria, data privacy lawyer, said that that whenever a law is passed, there already has to be an accompanying IRR for it.

“In the operation point of view, when there’s a project or system that you will implement, you also want rules for how the system will work,” Soria said. “In this case, the IRR is both for the law and for the system, which does not exist yet.”

Varying inconsistencies on the design and implementation policies of the PhilSys, along with technological deficiencies, imply that the system may not yet be ready. There is also inadequate preparation time for amassing all present government IDs into a single system. The inner workings of the system that will hold huge amount of information require rigidity which means there is no room for uncertainty. A slight breach in the system entails an opportunity for attackers to erode its security, subsequently causing our information and identity be vulnerable to possible exploitation. With the lack of the country’s cyber arsenal, enabling a hastily assembled system is almost like admitting defeat in this modern war. ●