What is the proposed National Cybersecurity Council?

MANILA, Philippines – As the Philippines undergoes rapid digital transformation, lawmakers are moving to institutionalize a National Cybersecurity Council (NCC). 

The NCC is being legislated through multiple concurrent measures in the 20th Congress, including Senate Bills (SB) 1492, 1891, 1946, and 2085, as well as House Bills (HB) 7927, 8071, 8096, and 8482, and 12 other similar HBs. 

Here’s what’s being proposed:

From fragmented to centralized approach 

The push for a centralized authority comes amid a stark rise in digital threats. 

House Bill 8096 describes the increasing cybersecurity risks that the country faces: 

“In recent years, the Philippines has consistently ranked among the most targeted countries in Southeast Asia for cyberattacks, including phishing, ransomware, data breaches, and distributed denial-of-service (DDoS) attacks… Repeated attacks on government databases and online platforms have exposed sensitive personal data, undermined public trust, and highlighted the country’s fragmented and reactive cybersecurity posture.”

“Failure to enact a comprehensive cybersecurity law poses serious risks to national security and public welfare” and risks related to critical infrastructure, such as power, water, transportation, and emergency services, and other essential services, it said.

The strategic backbone: NCSP 2023-2028

Providing the technical and strategic backbone for the proposed NCC is the National Cybersecurity Plan (NCSP) 2023-2028 formulated by the Department of Information and Communications Technology (DICT), as mandated by Republic Act 10844. 

While the bills provide the legal framework, the NCSP sets a vision for a “trusted, secure, and reliable cyberspace,” and identifies what is Critical Information Infrastructure (CII) and the potential impact if they fail, and prioritizes building a cyber-workforce.

Institutionalizing a 2019 Executive Order

A key objective of the current legislation is to institutionalize the National Cybersecurity Inter-Agency Committee (NCIAC), which was originally created under Executive Order (EO) No. 95, series of 2019.

Several measures, such as SB 1891, SB 2085, and HB 8071, explicitly seek to rename and reorganize this existing committee into a permanent, legislated National Cybersecurity Council. This shift moves the body from an executive creation to a permanent institution with defined powers, attached administratively to the Office of the President.

Council composition and leadership

The NCC is designed to be an inter-agency body to ensure a “whole-of-government” defense.

The Senate bills and HB 8071 identify the secretary of the DICT as the chairperson of the NCC while House Bills 7359, 7927, 8096, and 8482 propose a different leadership structure where the director-general of National Intelligence Coordinating Agency (NICA) serves as the chairperson.

Members of the NCC include Cabinet-level officials from the Department of Foreign Affairs, Department of Justice, Department of National Defense, Department of Science and Technology, Department of Energy, Department of Interior and Local Government, and Department of Transportation; the governor of the Bangko Sentral ng Pilipinas; and the heads of the National Bureau of Investigation and the Philippine National Police.

What are its responsibilities?

1. Strategic planning and policy formulation

The NCC is primarily responsible for formulating, updating, and overseeing the implementation of a unified National Cybersecurity Plan and related policies to strengthen digital resilience. It is tasked with advising the President and Congress on all cybersecurity aspects and proposing necessary legislation or amendments.

2. Vulnerability assessment, monitoring

A major mandate across the bills is the continuous assessment of the country’s digital weaknesses:

• Systemic assessments: The NCC must assess national vulnerabilities and conduct periodic strategic planning to reduce risks.
• Automatic scanning: Several House bills mandate the NCC to develop the capability to automatically scan all government and critical information infrastructure (CII) assets exposed on the internet to provide “risk scores”.

3. Incident response oversight

The NCC serves as the high-level coordinator for active defense operations:

• NCERT/NSOC Operations: It oversees the establishment and continuous operation of the National Computer Emergency Response Team (NCERT) and the National Security Operations Center (NSOC) to respond to incidents.
• Directing agencies: The NCC has the power to direct its member agencies and other appropriate bodies to implement specific cybersecurity measures required by a situation.
• Cyber-terrorism: It is mandated to coordinate closely with the Anti-Terrorism Council (ATC) to prevent and respond to digital threats that endanger national security.

4. Information sharing, public protection

The bills tasks the NCC with bridging the gap between the government, the private sector, and the public:

• Threat database: It must develop and maintain a National Cybersecurity Threat Database that is accessible to the public and updated regularly.
• Citizen support: Senate Bills 1492 and 1946 propose establishing a Public Cyber Complaint and Rapid Response Unit and a Cyber-Justice Assistance Desk to provide free legal aid to victims of online scams and abuse.
• Misinformation mitigation: House bills mandate the NCC to initiate partnerships with social media platforms to create protocols for reporting and mitigating misinformation and online harms.

5. Standards and capacity building

• Security protocols: The NCC must issue updated security protocols to all government employees for the proper handling and distribution of all forms of documents.
• Minimum standards: It is responsible for recommending or setting minimum cybersecurity standards and risk-management protocols for both public and private ICT systems.

6. International coordination

The NCC serves as the country’s primary coordinating arm for domestic, international, and transnational efforts pertaining to cybersecurity, representing the Philippines in international cooperation initiatives.

The proposed NCC represents a strategic pivot toward a legislated framework, one that is unified rather than fragmented, using the NCSP 2023-2028 as its blueprint, as a means to improve the country’s cybersecurity standing, and in turn, national security. – Rappler.com