With the growing threat of cyber attacks in Latin America and the Caribbean (LAC), the Organization of American States (OAS) has been a crucial component in analyzing the threats’ origins and methods for defending against them. Belisario Contreras, the Cyber Security Program Manager at the OAS, spoke with The Cipher Brief about the cyber challenges facing LAC countries, and how the government and private sector can work together to best overcome them.
The Cipher Brief: How would you assess the cyber threat to Latin America? Who are the main culprits and what kinds of attacks are they conducting?
Belisario Contreras: Information and communications technology (ICT) use in Latin America and the Caribbean (LAC) is growing at one of the fastest rates in the world, and cybersecurity policies and societal awareness of cyber risks are struggling to keep pace with this rapid expansion. Therefore, cybercriminals see the region as a prime target for attacks. A recent study by Norton of select countries estimated that, by 2013, the cost of cybercrime reached $8 billion in Brazil, $3 billion in Mexico, and $500 million in Colombia.
It is difficult to attribute cyberattacks to their original source due to the use of infected computers (known as “zombies” or botnets) as proxies for attacks. Nevertheless, based on analysis of the “Cybercriminal Underground” in a report co-produced by the Organization of American States (OAS) and Trend Micro, as well as other studies, it is clear that many of the attackers operate from within the region, while a significant minority hail from other regions, namely Russia and Eastern Europe. Recently, hackers from Brazil and Peru – which sends many students to attend university in Russia – have teamed up with Russian cybercriminals to carry out sophisticated and lucrative cyberattacks. Popular methods include phishing attacks, web defacements, and denial-of-service (DoS) attacks. Malware, specifically in the financial sector, is also on the rise.
Another common cyber threat to LAC is Hacktivism. In recent years, the region has witnessed a growing community of politically-motivated hackers. Groups such as Anonymous and LulzSec (an offshoot of Anonymous) have defaced government websites and launched DoS attacks against government networks. While hacktivists are not necessarily interested in financial gain, their attacks disrupt important e-government and e-commerce services, and their decentralized structure helps other cybercriminals commit even worse acts under the guise of hacktivism.
Finally, there have been a few notable cases of LAC government websites being attacked by hackers claiming to represent terrorist organizations, such as ISIL (also known as ISIS or Daesh). While governments have responded quickly to these incidents, and it is not clear whether these hackers are truly connected to terrorist groups, cyberterrorism is a threat that the region should remain vigilant about.
Cyberattacks will continue to occur, and the costs of not confronting them can be tremendous. The question becomes not only whether LAC will be able to react to cyber incidents, but also whether it will be able to devise proactive policies and security measures that limit the number of successful attacks and mitigate their impact. The OAS Cyber Security Program works to help member states address both individual attacks and the cybersecurity ecosystem as a whole.
TCB: How is the cyber threat to businesses changing in Latin America? How does this differ from the cyber threat to Latin American governments?
BC: A 2015 joint OAS and Trend Micro Report on Cybersecurity and Critical Infrastructure in the Americas found that between one third and one half of all companies surveyed experienced attempts to delete or destroy their digital information. Industries across sectors are facing cyber threats that are increasing in both quantity and sophistication. As mentioned earlier, banking malware is on the rise in the region, which can have an enormous impact on national economies. As such, in many cases the private sector places a higher priority on cybersecurity than governments. Businesses are at the forefront when it comes to investment in security technologies, such as firewalls and secure private networks. Adoption of standards or risk management plans, however, is less common.
The cybersecurity needs and concerns of governments and businesses overlap considerably, and the OAS works with partners from across sectors to bridge the public-private divide. An example of our work in this area would be our partnership with the Argentine Association of Information and Communications Technology Users (USUARIA) to host SEGURINFO conferences, which bring companies together to share experiences in cybersecurity, in various LAC countries.
TCB: What role are Latin American governments playing in combatting this threat? What barriers do Latin American governments face in combatting the cyber threat, and how can they overcome these barriers?
BC: Government plays a vital role in the implementation of standards and regulations that contribute to a safer ecosystem for information and communication technology (ICT) and other critical national infrastructure (CNI). In addition, with technical and financial support from the OAS and other international actors, a number of Latin American and Caribbean countries are building excellent law enforcement agencies dedicated to stopping cybercrime. These developments will be important for dismantling international cybercrime networks. Law enforcement agencies may also share their knowledge and experiences with countries outside of the region to help them develop or strengthen their own cybercrime units.
One of the major challenges LAC countries face in combatting threats to cybersecurity is generating political will. While certain institutions or technicians may consider cybersecurity a priority, government as a whole may see cybersecurity as merely an isolated concern. To address this, cybersecurity agencies should work with different sectors to demonstrate the impact of cyber threats on everything from public security to economic development to education. They may also consider conducting risk assessment, something the OAS Cybersecurity Program facilitates, to better visualize their cybersecurity needs.
While many LAC countries see cybersecurity as a priority, another challenge that arises is the need for a clear national cybersecurity strategy. To begin drafting a national strategy, government should designate an agency or individual to serve as a national cybersecurity coordinator. Next, a committee made up of multiple stakeholders representing government, the private sector, civil society, and academia should meet to discuss their cybersecurity needs, gaps, and strengths. The final strategy should delineate roles and responsibility; contain specific, actionable directives; and present a politically and economically sustainable model.
TCB: What is the role of the OAS in combatting the cyber threat? What are the benefits of addressing the threat as a region, as opposed to as individual states?
BC: The OAS is a leading institution researching, developing, and promoting cybersecurity in the Americas. The OAS Cybersecurity Program brings stakeholders from across government, the private sector, academia, and civil society to the table to develop a holistic, comprehensive national strategic vision, and set goals to address countries’ cyber needs while outlining actionable directives. To date, the OAS has helped four OAS Member States (Colombia, Jamaica, Panama, and Trinidad and Tobago) draft national cybersecurity strategies and has assisted several others (The Bahamas, Costa Rica, Dominica, Peru, Paraguay, and Suriname) in developing one. In addition, with financial assistance from Member States and Permanent Observer countries, the OAS Cyber Security Program has assisted in establishing, training, and equipping national Computer Emergency Response Teams (CERTs) in many countries of the Americas.
While strong national cyber regimes are a country’s first line of defense, cyber threats do not respect national borders and thus cannot be addressed by national laws and policies alone. Regional and international cooperation play important roles in three major areas: mutual legal assistance, incident response assistance, and internet governance.
Mutual legal assistance allows law enforcement agencies to seek help from other countries in matters involving transnational crime. Cybercrime, and related offenses, such as child pornography, are often transnational in nature. Together, with international cybercrime law experts, the OAS promotes international treaties, including the Convention on Cybercrime (also known as the Budapest Convention) and helps member states take the legislative steps necessary for their adoption.
Some cyberattacks have the ability to disable a government network in such a way that other countries’ response teams may be called in to help restore the network and/or analyze the attack. Through its Hemispheric Network of CSIRTs, the OAS connects incident response entities from across the region to share information and provide assistance in the event of cyberattacks. For example, in 2014, following growing cyber threats, the Government of Jamaica requested assistance from the OAS, who deployed a team of experts from the Uruguayan National Cyber Security Response Team (CERTuy), who provided the country with guidance on incident management procedures.
All countries have been impacted by the Internet; therefore, all have a stake in how it is governed. Historically, Internet protocols and management have fallen under the Internet Cooperation for Assigned Names and Numbers (ICANN), a nonprofit organization based out of the United States. Beginning in 2016, many of these functions will move to a multi-stakeholder model, whose parameters are currently being discussed. With Internet connections in LAC growing at one of the fastest rates in the world, it is important that the region play an active role in this process. The OAS serves as an observer to ICANN’s Governmental Advisory Committee (GAC), which provides policy guidance to ICANN during the transition. We encourage more OAS member states to join the GAC and get involved in this process.
TCB: How has the OAS been working with the private sector to understand the cyber problem? How can Latin American governments work more with the private sector to combat the cyber threat?
BC: With its innovative technology and talented human resources, the private sector has much to offer the cybersecurity community. Public private partnerships (PPPs) can be a useful way for governments to cooperate with the private sector on developing more resilient networks. The OAS Cybersecurity Program works in partnership with a number of private sector institutions, including Microsoft, Trend Micro, and Symantec, to research cybersecurity trends, conduct training, and provide technical assistance. The OAS brings national industry leaders to the table to discuss cybersecurity policy and cybercrime. Both government and the private sector should strive to understand each other’s respective roles and skillsets, so that they can make the most of the partnership without limiting each other’s ability to perform.
One issue facing small and medium-sized enterprises (SMEs) is that investing in cybersecurity can be expensive. One promising example for addressing this has been the U.S. Federal Communication Commission’s (FCC) Small Biz Cyberplanner, which helps small companies design their own cost-effective cybersecurity strategy.
Governments in the hemisphere will also need to find ways to encourage discussion with the private sector about cybersecurity breaches. In 2015, the OAS and Trend Micro report found that only 21 percent of critical infrastructure operators reported participating in dialogue with government about cyber resilience of their systems. Often, businesses worry that disclosing cyber incidents to the government will result in penalties or a lose of confidence by consumers. Government should foster an environment for industries to securely and confidentially report intrusions to government and law enforcement, and a business culture that rewards responsible disclosure.
Finally, The OAS considers it important that government partner with the private sector – as well as non-governmental organizations (NGOs), regional/international organizations, and academia – to raise public awareness about cybersecurity. Educating end users about good cyber hygiene is an interest shared by all partners, and cybersecurity awareness campaigns are able to reach a wider audience and present a more holistic message when they are the result of a partnership. For example, the OAS works closely with STOP.THINK.CONNECT, a non-profit organization that partners with many governments, companies and other NGOs to educate the public about cyber threats. Currently, five countries in LAC are partners with STOP.THINK.CONNECT.
