Brazil’s cybersecurity ecosystem has developed in a haphazard and ad-hoc manner, making Latin America’s largest nation one of the most exposed in the world to cyber attack, as Alexander Stronell explains. Can its latest cyber security strategy make a positive difference?
By Alexander Stronell*
In a recent cyber-security ranking, Brazil placed 61st globally: above average among Latin American nations, though middling at best among its larger Latin peers, coming in ahead of Mexico and Peru but behind Argentina and Colombia. Globally, Nigeria, Uganda and India continue to score higher. Brazil’s position on the International Telecommunication Union’s most recent cyber-security index is similarly middling, both globally and among Latin American nations.
Brazil’s first National Cyber Security Strategy (‘E-Ciber’), signed into force by President Jair Bolsonaro in early February, is, therefore, well overdue. Running from 2020 to 2023, the strategy sets Brazil the goal of becoming a ‘country of excellence’ in the cyber-security sphere. Acknowledging that Brazil has become a prime target for cyber attack, E-Ciber sketches ten strategic actions to be undertaken, including the centralisation of the national cyber-security system; the widening of international cooperation; the strengthening of cyber governance in both the public and private sectors; and the enhancement of protection for critical infrastructure. Another key initiative envisioned is a cyber-security law, which is currently being drafted and is expected to go before Congress before the end of the year. The new law is intended to be comprehensive in its regulation of cyber security in Brazil.
The lack of streamlining and centralisation of Brazil’s cyber-security policy has been identified as a critical area of weakness. As part of a concerted effort to rectify the situation, E-Ciber is the first of a number of cyber-focused initiatives (or ‘modules’) envisioned under Brazil’s 2018 National Information Security Policy. Four further modules will focus on cyber defence, critical infrastructure security, the protection of confidential information and data leak safeguarding.
Lofty ambitions, little substance
The impressive consultation process behind E-Ciber, run by the Presidential Institutional Security Office (GSI) – an important executive body in the Brazilian security establishment – is said to have involved seven months of study and debate, as well as active contributions from ministries, the private sector, academia and the general public. It is thus surprising that E-Ciber lacks focus and substance. The document is exceptionally vague in outlining precisely how Brazil can achieve its stated goal of cyber-security excellence.
While E-Ciber designates the GSI as the ‘macro-strategic coordinator’ of Brazil’s cyber-security system – a function which, in practice, it had already assumed – it does not define competencies anywhere else across government. Some sections, including the strategic concept, have been left largely undeveloped.
Moreover, the strategy lacks a number of key features for success in any large government programme. In particular, it fails either to define timeframes for the achievement of milestones, or to provide a budget or cost assessment for what will presumably be a costly series of projects. Despite a declared intention to bring the new law before the legislature this year, almost no detail is provided on the kind of provisions that can be envisioned in the new legislation.
National cyber-security debate
E-Ciber is – according to its contributors – only intended to sketch a general overview of government direction and to start a debate on cyber security in Brazilian society ahead of the passage of the new cyber-security law. However, it is also symptomatic of previous failures to kickstart such a debate in Brazil. The far more comprehensive Green Book on Cyber Security, released by the GSI in 2010, was also published with the intention of sparking a national debate: that a decade later E-Ciber has been deemed necessary would suggest that it has failed to do so.
Given its vagueness and inaccessible language, E-Ciber is also unlikely to have the desired effect – ordinary citizens, businessmen and even civil servants are unlikely to want to devote time to reading it. It is also eclipsed in quality by Brazil’s own pre-existing strategy documents: for example, the GSI’s 2015 Information and Communication Security and Cybersecurity Strategy for the Federal Public Administration, which, though not purely focused on cyber security, nor reaching beyond the federal government in its scope, set clear milestones and budget allocations.
Furthermore, the Brazilian government seems to have expended little effort in promoting E-Ciber to society, business or the international community. Only a handful of niche international tech sites and blogs reported on E-Ciber’s release, and the domestic coverage which it has received has been almost universally negative. For a strategy purporting to be the nation’s roadmap to cyber excellence, few Brazilians are even likely to be aware of its existence, and those who are will be unlikely to want to pay it heed.
The deficiencies of E-Ciber throw into sharp relief some clear ingredients for an effective cyber strategy. As governments across the world turn their attention to their cyber-security ecosystems, the importance of cultivating high-quality strategic roadmaps must be underscored. In particular, questions such as budgeting and timeframes, accessible language and sufficient publicity must be taken into consideration both in the drafting and release of cyber strategies. Lacking all of these elements, the new Brazilian strategy – though it is likely to gain greater detail in the coming law – does not lay out a coherent roadmap to excellence.
*Alexander Stronell is Research Assistant for Cyber, Space and Future Conflict