Aligned with the global trend, Latin America has experienced colossal growth in access to information, facilitated through the Internet and information communication technology (ICT). Because ICT enables efficiencies across all disciplines, gains realized through advancements in ICT have a compounding effect on many aspects of life—sometimes for good and sometimes for bad.
When I asked a group of colleagues whether Asia or Latin America boasts Internet usage by a higher population percentage, many were surprised to learn the answer is Latin America. Given the near 100 percent penetration in major population centers like Seoul, Tokyo, Hong Kong, and Shanghai, it would seem that Asia is likely the hands-down winner. But the reality is that, across Latin America, 53 percent of the population uses the Internet, whereas just 35 percent of the population does across Asia, with a worldwide average of 42 percent. With 310 million Internet users, Latin America accounts for over 10 percent of the global user base—more than the United States.
How are Latin America’s 310 million Internet users spending their time on the Internet? By and large, they are focused on social media. Over 292 million Latin Americans use Facebook, and their usage hasn’t just been limited to sharing pictures with friends. For instance, during the 2015 anti-corruption protests in Brazil, Facebook was used both to denounce the perceived corruption of the government and to organize demonstrations. There are many similar examples from neighboring countries.
Brazil is a particularly interesting case within the group of Latin American countries, and not just because it represents by far the largest portion of the region’s Internet users and leads most other key economic indicators. In 2014, Brazil passed the Marco Civil da Internet—a civil rights framework that covers aspects of privacy and net neutrality on the Internet. Brazil is currently collaboratively developing the follow-on to this legislation, which will seek to establish laws governing the protection of data by all companies and government organizations.
Despite its high rate of Internet usage, Latin America at large lags in the development and adoption of standards and regulations governing cyber security, privacy, and data protection. The Organization of American States (OAS) has led the charge in coordinating the region’s efforts towards improving this, most noticeably through the development of 2004’s Comprehensive Inter-American Strategy to Combat Threats to Cyber-Security. However, many individual Latin American countries have only just started developing national-level laws and comprehensive strategies for cyber security. The major economic powers in the region have a head start here, but most other countries are years behind, and even the countries with strategy, policy, and laws pertaining to cyber often lack the expertise and training necessary to implement them.
Brazil is leading the civil liberties charge with some forward-thinking policy aimed at protecting rights. The fact that this legislation is being developed transparently and with input from the public is a fantastic step, which should be viewed as a model for use by all countries—in both the developing and developed world. However, I can’t help but worry that the enforcement of this legislation, currently entirely in the purview of Brazil’s military, could be heavy-handed – as evidenced through Brazil’s December 2015 decision to block the WhatsApp instant messaging app referencing Marco Civil infractions. Military control over the Internet could also conceivably lead to quashed freedom of speech, particularly concerning political dissidence and protest organization. That being said, in light of the huge and growing cyber crime problem in Brazil and all Latin American countries, a heavy-handed approach may actually be needed to overcome the immediate hurdles while setting the stage for future stability.
Brazil ranks fifth in the world for cyber attacks, and the rate of attack is increasing, with a 197 percent year-over-year increase seen in 2015. The Ponemon Institute’s 2015 Global Cost of a Data Breach lists Brazil as the most likely country in the world to suffer a data breach affecting more than 10 thousand people. Last year, Brazil’s widely used Boleto payment platform was abused via a concerted and narrowly focused malware campaign, which resulted in a potential $3.75 billion loss to fraud—the actual figure is still unknown. Over 30 banks were affected, and major doubts were cast on the reliability of a payment system used in literally billions of transactions per year.
If my experience in cyber security throughout both developed and developing economies is any indicator, the astounding figures presented above are actually on the lower end of the reality. Cyber crime tends to go unreported until it is truly massive in scale, and the volume of smaller-scale attacks is enormous.
And Brazil is not an outlier when viewing these trends across other Latin American countries. The prevailing economies in Latin America—Mexico, Colombia, Chile, Argentina, and, to a somewhat lesser extent, Venezuela—all reported similar increases in both ICT penetration and cyber crime. Colombia, particularly, has a long history of combating criminal and terrorist organizations, and these organizations appear to have adopted ICT just as quickly as legitimate businesses. Traditional criminal organizations worldwide have adopted cyber crime as a new revenue stream, and organizations throughout Latin America are no different in this regard. Organizations like the FARC are actively using crypto-currency to surreptitiously transact business, and they are also using malware, exploit kits, and phishing attacks to generate both revenue through fraud and intelligence through espionage.
Colombia views the cyber threat to critical infrastructure as the highest risk to its national security and has led the region in its response to these threats via the National Policy of Cybersecurity and Cyber Defense, which includes stakeholders from both the public and private sectors. The Organization of American States (OAS) shares Colombia’s focus on cyber threats to critical infrastructure, naming Critical Infrastructure Protection (CIP) as a key initiative. Indeed, viewed through the lens of the recent nation-state-led attack on the Ukrainian power grid, I’m inclined to agree. The effectiveness of the newly developed regulations, frameworks, and key strategic initiatives is yet to be determined; these efforts can be viewed as canaries in the coal mine, portending things to come across the economies in Latin America.
While preparations to defend against this flavor of threat strengthen, other ICT-facilitated non-national security threats may go overlooked. This appears to be the case most markedly in the human trafficking space. This is an aspect of ICT-enabled crime I expect to significantly worsen in Latin America in 2016 and beyond.
A pattern I’ve seen within the developing world is a focus on curing the symptoms of poor cyber security. Vulnerabilities in systems or applications are usually prioritized instead of their root causes: low risk awareness and inadequate information governance. This kind of flawed approach is a characteristic trait amongst nascent cyber security programs too focused on reducing counts of vulnerabilities and not focused enough on building sustainable programs designed to minimize risk over time.
From a business perspective, I’ve seen a recent uptick in business at my own firm coming from Latin America, with the majority of that interest centered around performing enterprise risk assessments, compromise assessments, and security control gap analyses against frameworks, like NIST’s 800-series or ISO 27001. I view this as a positive sign, indicating the right kind of strategic thinking amongst the business and government communities across Latin America. But, like everywhere else, success in this space is defined by being able to take the tactical steps needed to realize a long-term strategy.
The key to Latin America’s long-term success in ICT and cyber security specifically is education and awareness across all sectors. Overall, while I do have hope that the focus on key strategic initiatives will, in time, enable Latin American countries to reduce risks to both critical infrastructures and the civilian population at large, I have serious concerns that the major powers in the region are unprepared to deal with the magnitude of the problem they are currently facing.