DICT: Only 55 of 388 gov’t agencies responded on online vulnerabilities

MANILA, Philippines — Undersecretary Jeffrey Ian Dy said on Tuesday that only 55 of the 388 government agencies that were informed about vulnerabilities in their online sites responded to the Department of Information and Communications Technology (DICT).

In the hearing of the House of Representatives committee on information and communications technology regarding the recent hacking incidents on government websites, Dy explained that the DICT has discovered 30,682 vulnerabilities on public assets since Project Sonar, or Secure Online Network Assessment and Response System, was started in December 2023.

Project Sonar is a system initiated by the DICT, which, as Dy said, conducts an automatic scan of the government’s ICT systems with or without the agency’s permission, leading to vulnerability assessments that can be used to manage online platforms.

“So the next thing that the DICT would do is to request for focal persons and contacts who would concentrate on the vulnerabilities discovered.  Because out of 388 — the agencies that we forwarded a report to — only 55 responded,” Dy told committee members during his presentation.

“Which means only 14.20 percent of the government agencies who got a report from us — this includes offices like the House of Representatives — gave a response.  So this is very low compared to what we expect,” he added.

According to Dy, the report is very important, considering the poor state of the government’s ICT assets and the high number of vulnerabilities discovered.

To ensure that government agencies address the issues pointed out by Project Sonar, Dy said they have been talking with the Department of Budget and Management (DBM) about including vulnerability response in grading an office’s performance.

“So the state of our government agencies does not look good, but please understand, your Honors, that this is not something we can resolve overnight. At least information is now on their hands, including what type of vulnerabilities were found, so that they can—if they need to procure something to defend themselves—that can happen,” Dy said.

“We’re also discussing with some officials of DBM; maybe we can include this on the scorecards of government agencies, that they resolve the vulnerabilities that were found and that we reported to them,” he added.

A probe into the hacking incidents is one of the topics pinpointed by House Speaker Ferdinand Martin Romualdez as matters to be discussed during the remaining days of the second regular session.

Discussions on the hacking incidents came after successive attacks on Philippine government websites. Last April 3, DICT confirmed that two terabytes of data belonging to the Department of Science and Technology (DOST) were feared to have been leaked, in what is described as the biggest hacking incident under the present administration.

DICT also said it is probing the extent of the data leak that has affected the Bureau of Customs (BOC).  Initial assessments from cybersecurity group Deep Web Konek showed that it was possible that 4.5 gigabytes worth of BOC data was compromised by hackers.

Several officials, including Romualdez himself, have called for investigations into hacking incidents on several government websites.  As early as February, Romualdez urged that probes be made after the DICT said they traced back attempts to hack the Overseas Workers Welfare Administration (OWWA) to an internet protocol (IP) address located in China.