Late February this year, Brazil published its first national cybersecurity strategy. With more than 100 countries worldwide having released their strategies and considering that Brazil is the biggest economy in Latin America, one might ask: why has it taken so long for Brazil to take that step? What does a national strategy mean for Brazil, really?
There are many possible answers, but the lack of a Strategy certainly does not translate into a normative vacuum or disinterest. In the past fifteen years, Brazil has developed a plethora of documents, policies, norms and guides that have gradually shaped cybersecurity and related issue-areas such as cybercrime and cyber defence. However, most of these efforts have remained fragmented and ad hoc in nature. The National Cybersecurity Strategy – also called “E-Ciber” – is the country’s first coordinated attempt to develop an integrated view of cybersecurity that encompasses different sectors and the whole of society. It seeks to go a step further by building a culture of cybersecurity and communicating more clearly the government’s role and convening power in the coming years. What is more, it will be followed by a National Cybersecurity Law.
Brazil currently ranks 70th in the ITU’s Global Cybersecurity Index and is the second most affected nation in global ransomware attacks. In 2018 alone, the country faced approximately US$20 billion in economic losses due to malicious cyber attacks. Though these figures paint a ‘doom and gloom’ picture of the country – and point towards a long road ahead in terms of developing cyber maturity – the E-Ciber strategy is a big step towards consolidating a coherent approach to national cybersecurity. It establishes three strategic objectives guiding the country’s approach, namely strengthening (i) digital security and prosperity, (ii) resilience to threats and (iii) Brazil’s role in international cybersecurity.
Though an important step, the E-Ciber only provides a glimpse of a decade-long process of complex normative, political and contextual dynamics. To understand it, one needs to look into the wider socio-political and historical timeline.
The Brazilian government places cybersecurity as a component within the wider umbrella of information and communications security, which also encompasses concepts such as cyber defence, physical security and organisational data security. In contrast to the Russian approach to information security – which highlights the role of the government not only in securing infrastructure but also in controlling information flows in order to ensure political regime and state stability – Brazil’s vision is based on the phenomenon of technological convergence in ICTs and the concept of the information society. Information security, in this regard, refers to all actions to assure the confidentiality, integrity and authenticity of information whilst respecting constitutional and human rights.
Cybersecurity, however, has remained a contentious area. It is broadly defined as the “art of assuring the existence and continuity of the Information Society of a nation by safeguarding and protecting, in cyberspace, its information and critical infrastructures.” The Institutional Security Office of the Presidency, Gabinete de Segurança Institucional (GSI), has been designated the key actor in developing norms and coordinating efforts across the public and private sectors. The GSI is a body dedicated to assisting the presidency in security and military affairs, which includes the coordination and supervision of information security across the whole of the public administration. Historically it has been – together with the military – one of the centrepieces of the development of norms on information security, cybersecurity and cyber defence.
Throughout the past decade, Brazil has undergone a significant institutionalisation of its national cybersecurity landscape. The introduction of cyberspace as a strategic domain for national security in the 2005 National Defence Policy – later crystallised in the National Defence Strategy of 2008 – marked the start of a steep militarisation of cybersecurity and defence during the following decade. Since then, considerable parts of the annual budget have been allocated to the Ministry of Defence to rapidly establish a Military System for Cyber Defence, which included, but was not restricted to, the Centre for Cyber Defence (CDCiber) and the Brazilian Cyber Defence Command (ComDCiber). However, the budgetary incentives and ‘institutional boom’ only gained traction in the context of the international events, the so-called “Mega Events”, hosted in Brazil from 2012 until 2016, namely Rio+20, the World Cup, the Olympics and others. These events generated mounting pressure on the government to develop internal capabilities to coordinate and respond to incidents.
Along with the operational experience acquired during the Mega Events, the military also developed a series of documents that supported and configured part of the country’s approach to offensive and defensive action. The 2014 Cyber Defence Military Doctrine, for example, defines cyber defence as the set of offensive, defensive and exploratory actions to protect national information systems, gather data for national intelligence purposes and compromise the information systems of opponents. However, experience and institutional development preceding the doctrine had already placed the CDCiber, back in 2012, as the organ responsible for integrating and coordinating cyber defence activities (that is, offensive, defensive and exploratory actions).
During that same period, the GSI developed a considerable number of policy documents, such as the Green Book on Cybersecurity, the reference guide on Critical Infrastructure Protection and Information and Communications Security, a Strategy for the Public Administration on cyber and information security, and others. Taken together, they have gradually shaped the vocabulary, the practice and the institutional changes that inserted cybersecurity into the national agenda – the Green Book, published in 2010, being the first GSI document dedicated to the matter.
However, as the E-Ciber highlights, three main challenges remain for effective coordination and for building a national baseline of cybersecurity best practices beyond the (at times criticised) militarised approach:
- Fragmentation of initiatives across sectors;
- Lack of normative, strategic and/or operational alignment; and
- Disparate levels of cyber maturity across the government and private sector.
The financial sector, for example, has already adopted specific measures, most notably a resolution from the Central Bank on minimum standards for cybersecurity and cloud services. Other ministries, such as the Ministry of Science and Technology, have included cybersecurity (though only tangentially) in the Digital Transformation Strategy (2018), calling for a holistic approach aligned with action plans for different parts of the government. Legislation such as the Brazilian Internet Bill of Rights (Marco Civil) and the 2018 General Data Protection Law (LGPD) has also sought to integrate information security into a wider approach that includes privacy and secure data management.
Brazil has been internationally known for its multistakeholder approach to Internet governance and for being a strong advocate of safeguarding digital rights. However, since president Dilma Rousseff’s impeachment in 2016 the country has fallen into a deep economic and, most importantly, political crisis. With other priorities at hand, the political crisis, growing polarisation, Bolsonaro’s election and a persistent focus on the fight against corruption took centre stage on the national agenda in the years that followed. Since 2018, however, new developments have been taking place that indicate a more holistic move towards the consolidation of a national approach in the years to come.
Six days before president Michel Temer’s mandate came to an end, he issued a presidential decree (the National Policy on Information Security) that finally transformed a mirage into a concrete, foreseeable provision: the national cybersecurity strategy. Elaborated by the GSI, the National Policy on Information Security prescribed the establishment of a Strategy on Information Security to be published in issue-area modules, namely: (i) cybersecurity; (ii) cyber defence; (iii) critical infrastructure protection; (iv) security of classified information; and (v) protection against data leaks. These will be followed by national plans to guide the implementation of the strategic goals and objectives outlined in the respective strategies.
Adopting a module-based approach provides a strategic horizon for policy development within the government at a moment of political and economic uncertainty. In spite of growing domestic tensions (and unpopularity) regarding Bolsonaro’s role, with more calls for his impeachment, these have not translated into an impediment to developments in cybersecurity. The political turmoil has, however, already resulted in several challenges to the implementation of the Data Protection Law and to ensuring proportionality and rights protections in the context of increased pandemic surveillance to enforce self-isolation during COVID-19.
With the E-Ciber being the first of the five, cybersecurity has evidently become the flagship of Brazil’s information security approach. The Strategy is the outcome of 7 months of work, 3 thematic subgroups, 31 closed meetings and a 20-day period of public consultation (with 166 contributions). It outlines a vision for the years 2020-2023 that provides a diagnostic view of the current landscape in Brazil (outlined above), establishes thematic axes, and focuses on three major objectives and ten strategic actions.
The Strategy fulfils much of what the previous GSI documents had already suggested, that is, promoting a holistic approach to cybersecurity that stimulates the development of a cybersecurity culture. Given that the GSI is the main body tasked with coordinating across sectors, a considerable challenge remains as to how the strategy will translate into change. Many have criticised it for not being operational or action-oriented enough. The plan is that the operationalisation of the E-Ciber and the National Information Security Plan will take the shape of security ‘plans’ developed by each Ministry and sector (public and private).
However, there are important (novel) elements within the strategy that already indicate what the next steps might look like:
First, it proposes a centralised model for cybersecurity. This proposal is a direct response to the diagnosed lack of coordination and mechanisms to ensure a strategic and operational alignment at the macro-political level. The wording itself leaves considerable ambiguity as to what this centralised model is. Next steps will need to ponder carefully whether this will take the form of National Cybersecurity Centers or more loose arrangements with a central coordination point under the GSI.
Second, it foresees the development of norms and legal frameworks for enhancing the security of emerging technologies, and a specific Cybersecurity Bill. One month after the publication of the E-Ciber, the government published a normative instruction (IN-4 GSI) outlining minimum cybersecurity requirements to be adopted in the establishment of 5G networks. There is no clear indication as to whether this norm would stop Huawei from accessing the Brazilian market, for example, but it does leave room for future restrictions based on vulnerabilities and backdoors. There is still little information on the Bill; the E-Ciber states that the objective of this law is to provide specific guidelines for strategic alignment on cybersecurity, and it will provide the binding element that the strategy lacks. The GSI is officially tasked with developing it and has already signalled its intent to have it out by the end of the year. As the first drafts go through the Chamber of Deputies and the Senate, much caution is needed to ensure that rights and security walk side by side – especially in a context of crisis where not all policymakers are up to speed with cybersecurity.
Third, it explicitly mentions the need to enhance Brazil’s role in international cooperation. While Brazil has been referred to by many as a swing state – pursuing a purposefully ambiguous cyber diplomacy – it has managed to play an increasingly important role internationally, leading global efforts in data protection and internet governance and becoming one of only two countries to have chaired the UNGGE twice.
Whilst internal coordination remains a challenge for pursuing strategic efforts abroad, it has not impeded the establishment of new avenues for cooperation. Brazil’s cyber diplomacy has largely focused on ICT and economic development dialogues with Mercosur, the OAS, the BRICS and the EU. Security cooperation in this area, though existent, has remained restricted to capacity building, professionalisation and training at the technical level.
However, growing interest in cybersecurity as a strategic agenda within the government has led to some initial efforts, such as the recent Brazil-EU dialogues (track 1 and 1.5), the OAS working group on confidence-building measures (CBMs), and cyber cooperation within the BRICS. There is certainly space for strengthening cooperation and exchanging best practices.
The product of more than a decade of work, the strategy is the country’s first attempt to take a clearer stand on minimum measures for advancing a nation-wide plan. Though loosely coordinated, recent developments point towards a slightly more comprehensive approach to cybersecurity, one that transcends a focus on military capabilities and encompasses the development of operational coordination, international engagement and capacity building efforts. The publication of the Digital Transformation Strategy (2018), the National Policy on Information Security (2018) and the E-Ciber are just some of the more recent steps in configuring a quite specific approach to security and ICTs.
While Brazil’s (and particularly Bolsonaro’s) inadequate response to the COVID-19 outbreak has cast yet another light on the ideological cleavages in the population, emerging digital challenges also require redoubled attention, especially when it comes to cybersecurity and privacy. A recent bill passed in the Senate postpones the deadline for compliance with the Brazilian Data Protection Law from August 2020 to January 2021, with sanctions applicable only after August 2021. While this eases the pressure on small and medium companies in the short run, civil society organisations and privacy advocates have already pointed out that it weakens privacy and data protections at the very moment that surveillance technologies to curb, track and respond to COVID-19 are being put to use. What is more, the Data Protection Law also introduces strong data security requirements that will be left unaddressed if the bill is approved in the Chamber of Deputies.
In the development of the Cybersecurity Bill, much caution is required not to conflate cybersecurity with content-related issues such as disinformation or fake news. Even though the GSI is leading the initiative, policymakers have previously attempted to bundle the two together. Doing so can create further challenges to ensuring that the constitutional right to freedom of speech walks hand in hand with building cyber resilience, one of the premises of both the Information Security Policy and the E-Ciber. Conflating content regulation with cybersecurity could also result in greater confusion about the roles and responsibilities of the GSI (cybersecurity), the Armed Forces (cyber defence) and the Federal Police (cybercrime). Even though the three should continue to improve their coordination in incident response, greater confusion will not only deepen the three challenges highlighted by the E-Ciber but also prove risky in the context of developing the National Cybersecurity Law. Communicating effectively with the population and interacting with civil society organisations and academia, now and in the short and long run, is more pressing than ever. What is more, the consolidation of the strategic vision of the E-Ciber depends not only on the development of the cybersecurity plans and the law but, most importantly, on building trust with different sectors, especially civil society and academia – and the Cybersecurity Law might just be the next step to do so.