With the series of cyberattacks on various government offices, the Supreme Court has taken preemptive measures and directed all judiciary officials and personnel to strengthen the courts’ cybersecurity measures to protect sensitive data and minimize the risk of cyber threats.
The SC through acting Chief Justice Marvic M.V.F. Leonen, issued the directive as he cited the recent data breach involving Philippine Health Insurance Corp. (PhilHealth).
In Administrative Order No. 150-2023 on “Proper Cyber Hygiene in Judiciary,” the SC said that “one of the most common ways of ransomware attacks is done through phishing emails which usually contain malicious links or attachments.”
“Do not open these links or attachments unless they have been verified to be legitimate,” the high court warned.
To avoid being victimized, court officials and employees were advised to examine carefully the sender’s email address.
“Phishers often use email addresses that look similar to ones used by legitimate organizations but may have small misspellings or inconsistencies. Always take a close look at the sender’s display name when checking the legitimacy of an email,” the SC said.
The SC added that court officials and personnel should “protect personal information; verify links prior to clicking by checking if the uniform resource locator (URL) or the web address, matches the legitimate website’s address; look for typographical errors, grammatical errors, or awkward language in the email; be cautious with urgent messages, as phishers often create a sense of urgency in their emails; check for generic greetings; double-check email attachments by scanning the same for viruses; and report suspicious emails as spam.”
On password security, the SC suggested that “under no circumstances should Judiciary personnel use personal information and dictionary words in creating passwords.”
Judiciary officials and employees are also urged to “use a longer password containing numbers, symbols, and both uppercase and lowercase letters; to avoid the same password for multiple accounts; to consider passphrases or a sequence of random words instead of passwords; to use a password manager; and to enable a multi-factor authentication system in their accounts.”
The SC also advised judicial employees and officials “to never share their passwords with others, even with those who claim to be from trusted institutions, and to make sure that any written passwords are stored in a secure place.”
They were also directed “to ensure that the operating systems of their devices such as laptops, desktops, smartphones, tablets, and other electronic devices are up to date.”
To protect important files and ensure their recovery in case of data loss, the guidelines recommend that court officials and personnel follow the “3-2-1 backup rule” to ensure data redundancy and availability in case of hardware failure, data corruption, or other catastrophes.
Under the “3-2-1 backup rule,” the SC said that users must maintain three separate copies of their data (original in their primary device and two additional copies in different locations of media); two backup media/formats (i.e., one copy in an external drive and another in cloud storage); and one offsite backup, or a physical location different from both the primary data and its backup.
On safe internet usage and device security, the SC urged court officials and personnel “to avoid visiting high-risk websites and downloading files from untrusted sources in order to protect their personal information, privacy, and security.”
It also recommended the downloading of files and software “only from reputable sources and utilizing only secure and judiciary-approved file-sharing platforms for work-related activities.”
Court officials and personnel were also directed “to lock their respective computers and devices when not in use, especially when in shared or public spaces.”
They were also instructed “to immediately report lost or stolen devices as well as suspicious emails, links, ads, or email attachments to the Supreme Court Management Information System Office (MISO), to prevent data leak and to maintain a safe online environment.”
At the same time, the SC warned court officials and employees against “the risk of using artificial intelligence (AI) in digital applications, particularly those which require users to submit several photos of themselves to generate, through AI, enhanced portraits.”
“This application compiles its users’ data and creates a digital person that mimics how a real individual speaks and moves. While this may seem harmless and amusing, it can be maliciously used to create fake profiles that can lead to identity theft, social engineering, phishing attacks, and other malicious activities. There has already been a report of such a case,” the SC said.
Also over the weekend, ACT-CIS party-list Rep. Erwin Tulfo called for the establishment of a National Cyber Security Office to protect and fight any attacks by hackers, or worse, by cyber terrorists, on the country’s computers and data systems.
He made the call amid a series of attacks by hackers on the computer data systems and websites of various government agencies, such as the Philippine Health Insurance Corp., Department of Information, Communication and Technology and even the House of Representatives.
“We have seen how vulnerable our government agencies are to attackers,” he said. “Despite having fixed the problem, we want to prevent a repeat of the problem.”
Because of digitalization of transactions, many countries have already put up their own cyber security agencies, he noted.
The National Cyber Security Office would have the ability to safeguard and protect the government’s digital files against attacks by hackers and possible cyber terrorists.
“Surveillance and intelligence gathering, monitoring and quick damage control and retrieval of lost or stolen data or files would come first, including identifying the hackers, cyber syndicates and the terrorists,” Tulfo said.
He mentioned separate incidents that happened to a bank and an e-wallet company that had been infiltrated by hackers a few months ago, saying these must serve as a reminder that syndicates are also in cyberspace.