IT Infrastructure in Cebu City Hall Faces Potential Threat:

IT Infrastructure in Cebu City Hall Faces Potential Threat:

In a privilege speech delivered on August 5, 2025, Councilor Winston Pepito raised concerns about the vulnerability of the City's IT systems, which are crucial for City Hall operations. The lack of a problem backup system, a centralized repository for source code, and formal structure, protocols, and standard operating procedures make the City's operations vulnerable to a complete shutdown if a server fails.

Moreover, the City's IT systems could compromise sensitive data, as some programmers have unrestricted access to database servers, posing a security risk. Councilor Pepito also highlighted potential legal issues with the City's IT systems, as under the Intellectual Property Code of the Philippines, programmers employed by the City Government have no rights to own programs created during office hours for the City.

To address these challenges, the City must treat cybersecurity as a governance priority. Experts from the Department of Information and Communications Technology, the Philippine National Police's Anti-Cybercrime Group, and the City Hall's Management Information and Computer Services will be present in an executive session convened at 9 a.m. Thursday, Aug. 7, to review IT policies.

The best practices for securing city IT systems and ensuring data protection include implementing comprehensive, layered cybersecurity programs based on established frameworks, strengthening access controls, regular staff training, and detailed incident response planning.

Some key measures to address these challenges are:

1. Implement a formal, comprehensive cybersecurity program that ensures the availability, confidentiality, and integrity of systems and data. This involves risk identification, impact assessment, threat detection, incident response, and post-incident recovery procedures.
2. Adopt strong access controls, notably multi-factor authentication (MFA), to restrict system access only to authorized individuals.
3. Regularly update and patch software to protect systems against known vulnerabilities.
4. Use data encryption to safeguard sensitive information both in transit and at rest.
5. Train all employees routinely on cybersecurity awareness tailored to their roles, including recognizing phishing and social engineering attempts.
6. Develop and periodically test an Incident Response Plan with clear protocols for preparation, detection, containment, eradication, recovery, and post-incident review to minimize damage from breaches.
7. Implement network defenses including Zero Trust Architecture (ZTA), limiting access based on strict verification and segmenting networks to contain attacks, especially critical for public systems and cyber-physical systems like utilities.
8. Establish continuous monitoring and threat detection, including deploying specialized tools for operational technology and Internet of Things (IoT) environments, which traditional IT security tools might not fully cover.
9. Comply with legal and regulatory frameworks, such as the Ohio House Bill 96, which mandates local governments have cybersecurity programs consistent with best practices and that ransomware payments require legislative approval.
10. Maintain comprehensive data backups and recovery capabilities to ensure city operations can be quickly restored after an attack.
11. Partner with specialized cybersecurity providers to augment in-house capabilities and keep current with emerging threats and compliance mandates.

In addition, the resolutions passed by Councilor Winston Pepito request the IT department to submit its policies and procedures to the committee on information technology. The resolutions also ask the City Legal Office to investigate how to take action against uncooperative staff. Some programmers were reportedly hesitant to share the source code, and third-party libraries, possibly without full licenses, have been integrated into the City's system.

The City must act swiftly to address these issues to protect its digital infrastructure from total shutdowns and data breaches, preserving public services and trust.

1. Councilor Winston Pepito's concerns about Cebu's vulnerable IT systems extend to potential cybersecurity issues and the risk of compromised sensitive data, as some programmers have unrestricted access to database servers.
2. To mitigate these risks, the City Government must adhere to best practices such as implementing a comprehensive cybersecurity program, strengthening access controls, regular staff training, and data encryption.
3. In response to potential legal issues highlighted by Councilor Pepito, the City must work closely with the City Legal Office to investigate uncooperative staff and address the integration of third-party libraries without full licenses into the City's system.

Read also: