Strategy – But is it Enough?
On February 7, Jair Bolsonaro, the president of Brazil, signed a decree that took Brazil a step closer to having a strong cybersecurity strategy. The initiative, part of the National Information Security Strategy, seeks to strengthen the country’s defenses against cyber threats and bolster its digital trustworthiness on the international stage.1 Over the past few years, Brazil has faced several challenges to its evolving digitization, including data protection, and an increasing number and sophistication of cyberthreats. Last year saw 19,150 notifications of attacks on government networks, a rise of 3,875 from 2018. More than 10,000 of these have already been identified as fraud, site abuse, or vulnerability, but this figure may increase as further data is processed.2
A recent report by Trend Micro ranked Brazil as second in a list of countries most hit by ransomware, only just behind the US.3 The security company also found that it blocked almost 700 million email threats, including BEC (business email compromise) scams, ranking the country in third place in the world after China and the US.4 Brazil also came in the top twenty for detected malware, malicious URLs, and malicious apps on cellphones.5 In another report, by the International Telecommunication Union (ITU), Brazil was once again found to be the ‘second worst affected nation in terms of economic losses due to cyberattacks.’6 The amount lost to cybercrime was over US$20 billion, and around a third of the population was impacted by such attacks.
Why is Brazil so Vulnerable to Cybercrime?
The short answer is a lack of investment in cybersecurity infrastructure, even though the number of internet users and the take-up of cloud-based services have increased. This has left the country vulnerable to malicious actors who see it as a soft target. Other factors include:
- Lack of qualified cybersecurity professionals. While the skills gap is global, it seems particularly bad in developing economies, like Brazil.
- To have the best protection against attacks, companies need to employ a range of defensive measures, from monitoring and identification software to a response plan and staff trained to recognize cybersecurity threats. At present, it appears that many companies are only willing to invest in one area.
- Although 70% of Brazilians now have access to the web either via their smartphones or computers, there is still a lack of awareness when it comes to personal cybersecurity.7
Brazil’s government has a reputation for dragging its heels when it comes to a cybersecurity strategy. This latest decree has come after 31 meetings in seven months and includes these key points, as summarized in The Brazilian Report:
- ‘Efforts to include new types of cybercrimes in the penal code.
- ‘Elaborate norms on emerging technologies.
- ‘Draft a bill for a future Cybersecurity Law, with guidelines that will provide “macro-strategic alignment” to the sector and “contribute to elevating the security of citizens and organizations.”
- ‘Establish minimum security requirements for the “full, responsible, and safe use of 5G technology.”
- ‘Propose the inclusion of basic cybersecurity teachings in Brazil’s education curriculum.
- ‘Stimulate the creation of cybersecurity-related university programs and startups in the field.
- ‘Stimulate the use of encrypted information for sensitive data.
- ‘Make the use of digital certificates more widespread.
- ‘Perfect and encourage the use of safe devices by government officials and agencies.’8
Even though these points are a promising start, they still lack clarity and focus – something that is badly needed if the country wants to move forward and form economic partnerships with other nation-states. Hopefully, more specific measures will be included when the draft of the new cybersecurity policy is presented to Congress before the end of the year.
Data Protection – Another Sore Point
In October 2019, the personal information of 92 million Brazilians – nearly all of the country’s population – was offered for sale on a site on the Dark Web.9 The records consist of names, locations, dates of birth, driving license IDs, and taxpayer IDs. Some of the data also contains phone numbers, license plate numbers, and business details. It is thought that the information was stolen from the Department of Federal Revenue of Brazil, although the government has not admitted to any recent data breaches.10 This theft shows how damaging a lack of security can be and how far behind the country still is, both in preventing cybercrime and in data protection.
The current data protection legislation, like that for cybersecurity, is patchy in nature and generally concerns the regulation of ISPs and how they store data for law enforcement and government purposes. According to a survey carried out on behalf of IBM, 96 percent of Brazilians don’t believe that companies in Brazil do enough to protect their data, and six in ten have either had their data leaked or know someone else who has.11 A more recent leak, of the data of 1.4 million consumers, involved names, addresses, dates of birth, salaries, ID and telephone numbers. The company involved, Consiga Cred, offers loans and other banking services. It also acts as a middleman for 50 banks. However, despite its size and the sensitive nature of its data, it was not aware of the system flaw that caused the breach until contacted by the Brazilian website The Hack. Even then, it took a week for the company to act and take down the directory at the source of the problem.12
There is light at the end of the tunnel, however. Brazil’s General Personal Data Protection Act (LGPD) is expected to come into force in August of this year. This should address the creation of a framework on how to handle data, as well as advise companies on how to implement the new rules. The government also plans to implement a single database of citizens that can be accessed by every government department.13 However, after the massive breach experienced by the Department of Federal Revenue of Brazil, this will require top-level cybersecurity. And that, at the moment, despite the positive initiatives going forward, is not there yet.
1. Gustavo Ribeiro, ‘Brazil Takes a Step Forward in Cybersecurity,’ The Brazilian Report, 02/10/2020, accessed at https://brazilian.report/newsletters/brazil-weekly/2020/02/10/brazil-takes-step-forward-cybersecurity/
2. ‘Why is Brazil so Vulnerable to Cyberattacks?’ BN Americas, 01/06/2020, accessed at https://www.bnamericas.com/en/features/why-is-brazil-so-vulnerable-to-cyber-attacks
3. ‘Trend Micro alerta: Brasil é o segundo país que mais sofre com ameaças ransomware,’ Trend Micro, May 2019, accessed at https://www.trendmicro.com/pt_br/about/newsroom/press-releases/2019/fast-facts-may-2019.html
4. Ibid.
5. Ibid.
6. ‘Why is Brazil so Vulnerable to Cyberattacks?’ BN Americas, 01/06/2020, accessed at https://www.bnamericas.com/en/features/why-is-brazil-so-vulnerable-to-cyber-attacks
7. Ibid.
8. Gustavo Ribeiro, ‘Brazil Takes a Step Forward in Cybersecurity,’ The Brazilian Report, 02/10/2020, accessed at https://brazilian.report/newsletters/brazil-weekly/2020/02/10/brazil-takes-step-forward-cybersecurity/
9. Scott Ikeda, ‘Citizen Data of 92 Million Brazilians Offered For Sale on Underground Forum,’ CPO Magazine, 10/10/2019, accessed at https://www.cpomagazine.com/cyber-security/citizen-data-of-92-million-brazilians-offered-for-sale-on-underground-forum/
10. Ionut Ilascu, ‘Details of 92 Million Brazilians Auctioned on Underground Forums,’ Bleeping Computer, 10/04/2019, accessed at https://www.bleepingcomputer.com/news/security/details-of-92-million-brazilians-auctioned-on-underground-forums/
11. Angelica Mari, ‘Most Brazilians Believe Companies Don’t Protect Their Personal Data,’ ZDNet, 12/02/2019, accessed at https://www.zdnet.com/article/most-brazilians-believe-companies-dont-protect-their-personal-data/
12. Ramon de Souza, ‘Exclusivo: financeira expõe informações bancárias de mais de 1,4 milhão de brasileiros,’ The Hack, December 2019, accessed at https://thehack.com.br/exclusivo-financeira-expoe-informacoes-bancarias-de-mais-de-1-4-milhao-de-brasileiros/
13. Angelica Mari, ‘Brazilian Government to Create a Single Citizen Database,’ ZDNet, 10/11/2019, accessed at https://www.zdnet.com/article/brazilian-government-to-create-single-citizen-database/