The number of cyber attacks in Latin America is increasing. Will citizens, governments, and private entities be able to deal with this growing threat landscape? The Cipher Brief spoke with Frederic Lemieux, Program Director for the Master’s degree in Cybersecurity Strategy and Information Management at The George Washington University, to get his thoughts on the issue.
TCB: With development often comes new threats. This is happening with the cyber field in Latin America. Why is the region at risk for increased cyber attacks over the coming years?
Frederic Lemieux: Latin Americans represent approximately 10 percent of the world’s Internet consumers, and the number of Internet users in the region has increased by 17 percent since 2013. According to several reports on Internet usage in Latin America, the growth is simply phenomenal. For example, in 2015 Brazil reached more than 160 million Internet users, Chile has more than 15 million, and Mexico has reached more than 60 million users.
This rapid progression is just the beginning of a trend that will intensify as several South American countries are experiencing economic booms—increases in industrial productivity, salary, and overall Internet demand. According to the news outlet LaRazon, the use of mobile devices to surf the web increased by 61 percent in 2014. By 2015, Internet services, such as downloading sites, web hosting, and email servers, were used by approximately 98 percent of Internet consumers on a regular basis.
But there is the downside. According to Internet analytics company ComScore, about 50 percent of Latin Americans active on the Internet are using online piracy services or websites that utilize file sharing or streaming services. This type of behavior poses risks related to the propagation of malware hiding on piracy websites and the exposure to all sorts of phishing scams and data breaches. According to a report published by Symantec, cybercrime costs have reached $8 billion in Brazil, $3 billion for Mexico, and $464 million for Colombia. According to consulting firm Deloitte, more than 50 percent of Latin American financial institutions experienced some type of data breach in 2014. Finally, a report published by security company FireEye shows that in Latin America, most of the attacks perpetrated are launched from another Latin American country. If the digital revolution is an important factor supporting economic development, then it also represents an extraordinary opportunity for cyber criminals operating in Latin America.
TCB: Are countries in the region working together on intelligence sharing on cyber threats? If so, how? If not, should they be?
FL: First of all, it is important to understand that Latin America is composed of three sub-regions: Central America, South America, and the Caribbean. This geographical reality translates into several complex challenges. The first one is the crushing imbalance in terms of the level of sophistication of information technology. Many countries are barely experiencing the digital revolution due to internal difficulties (conflicts, stagnating economies, widespread poverty, etc.). A second challenge is related to the divergence of regulations and laws from one country to another, impacting how cyber crime is defined (if defined at all) and how it should be enforced. A third challenge is the level of corruption that plagues Latin American countries, resulting in a trust deficit when it comes to inter-agency cooperation. Another important challenge is the culture of cyber security or “cyber insecurity” that prevails in Latin American countries. More precisely, too often small and medium sized businesses, and government agencies tend to believe that nobody is really interested in harming them and, therefore, they invest minimally on preventive programs and/or proactive measures.
As for Latin American countries sharing intelligence on cyber threats, the reality seems to indicate that information exchange channels are rather limited. Of course transnational organizations such as the Organization of American States (OAS), the Organization for Economic Cooperation and Development (OECD), and Ameripol provide relevant and trustworthy forums where information about cyber threats, digital security risk management, and national cybersecurity strategies are discussed. In terms of effective intelligence sharing, it would be interesting to see if some approaches developed in the United States (e.g. Infragard and ISAC) could be implemented throughout Latin America.
TCB: How can the private sector aid in cyber defense? Are there current examples of successful public-private partnerships on cybersecurity in Latin America?
FL: Public-private partnerships (PPPs) in cyber defense can be perceived as risky due to high levels of corruption and a long history of political violence in Latin American countries. PPPs are often stigmatized by abuse of power and illegal surveillance of civilian communication.
Having said that, several Latin American countries have reached political stability and maturity, offering more opportunities for PPPs. For instance, in Brazil, the Ministry of Science, Technology and Innovation (MCTI) has developed partnerships with sizeable economic sectors, like banking and telecom, and has collaborated with international research centers.
However, when it comes time to really articulate and implement PPPs in cyber defense, Latin American countries are confronted by the issue of “technological sovereignty” (e.g. the capability and the autonomy to select, generate, acquire, and exploit commercial technology needed for cybersecurity defense). Many cybersecurity technologies are coming from Western countries and are usually protected by regulation that controls their exportation. For instance, in the United States, several cybersecurity technologies are subject to Export Administration Regulations (EAR) and International Traffic Arms Regulations (ITAR).
TCB: How does the public play into all of this? Citizens need to be aware of cyber threats in order to protect themselves. Is there growing awareness in Latin America?
FL: A 2016 report released by the Inter-American Development Bank, the Organization of American States, and the Global Cyber Security Capacity Center at the University of Oxford shows that Latin American countries are unprepared to face the security challenges of the twenty-first century digital society. The report presents a thorough analysis of 32 Latin American countries based on 49 cybersecurity readiness criteria in five critical areas: policy and strategy; culture and society; education; legal framework; and technology. The findings show that half of the countries (16) have no coordinated capacity to respond to a cyber attack. Countries like Argentina, Brazil, Chile, Colombia, and Mexico were found to be at an intermediate level of preparedness, meaning that they “have a structured program of education in cybersecurity, including the budgetary stability and mechanisms necessary for research on cyber threats and learning how to respond to them.” The existence or absence of structured education programs in cybersecurity seems to be closely related to the level of awareness of the general public about cyber threats and vulnerabilities. A vast number of Latin American countries have not yet put in place awareness strategies or campaigns to inform the public about the perils of the Internet. Interestingly enough, the report states that in many countries, privacy issues, data protection, and human rights are of concern to the population.
TCB: What’s the future of the cybersecurity threat in Latin America? Will ample progress be made to ensure a safe environment, or will we see the number of threats increase?
FL: All things considered, the threat landscape in Latin America is not much different than the one in North America. The frequency and the amplitude of cyber attacks will increase with the growth of Internet and the use of information technology in the region.
However, what is really alarming is the level of preparedness and resources that Latin American countries have to counter digital security risks. In order to understand the scope of the challenge, we only have to look at the cybersecurity workforce. Keep in mind that the United States currently is challenged in terms of a skilled workforce, where several thousand cybersecurity related positions remain unfilled. According to a 2015 Symantec report, by 2019, the world cybersecurity workforce will increase to up to six million professionals, with a shortfall of 1.9 million workers. Yes, a 1.9 million deficit. With such a global demand, how will Latin American countries be able to supply a cybersecurity workforce when more than 50 percent of the countries currently have no structured education programs in cyber? How will Latin American countries be able to attract a foreign skilled workforce and compete in an environment where salary and benefits will be inflated by a severe gap in the global supply? The question is not necessarily about the increase in the number of threats, but rather a lack of human capital to manage existing and emerging digital security risk.
