The following is a guest post by Robert Muggah and Misha Glenny.
Brazil has embraced the digital age with more gusto than most. It is one of the top users of social media and recently signed-off on a bill of rights for the Internet, the Marco Civil. The country is also a leader in the development of online banking with more than 43 percent of web users engaging such services, and can be proud of a thriving software industry, including some world class companies.
But as computer users around the world are beginning to grasp, the spread of the digital world has its dark side. Alongside all the great things the Internet offers, not least new forms of political and economic empowerment, it brings some very serious threats.
Brazilians are waking up to the reality of online scams, hacking, espionage and digital surveillance. And while the government is taking cyber malfeasance seriously, it may have seriously misinterpreted the nature and significance of those threats and, as a consequence, the best way to tackle them.
For political reasons, Brasilia has outsourced most responsibility for the country’s cybersecurity to the military. While the armed forces has enthusiastically embraced this new role, placing them in charge of overall cybersecurity for both civilian and military networks is a mismatch that could have damaging consequences the country’s security.
Not all cyber threats are equal. Perhaps the most egregious one is economically-motivated cyber crime—the targeting of private banks, firms and individuals. Others are posed by domestic and international hacktivist groups intent on disrupting government services and corporate websites. Brazil’s popular protests of June-August 2013, for example, coincided with a sharp rise in hacktivist activity.
Edward Snowden’s revelations have ratcheted-up Brazil’s concern with cybersecurity. The U.S. National Security Agency was routinely spying on state and commercial networks, including listening on Brazilian President Dilma Rousseff’s phone conversations. Brazil is friendly to the United States at a time of rising anti-Americanism in Latin America. But it, too, harbors a historical skepticism toward US intentions and Washington should not underestimate the reputational damage that its global surveillance strategy has inflicted. Cyber espionage and perhaps, further down the line, cyber warfare are now threats that are being taken very seriously.
Notwithstanding the growing angst in Brasilia, and indeed many capitals across the Americas, comparatively little is actually known about what real dangers are lurking in cyberspace. There is virtually no public debate or research into those responsible for launching attacks, what their interests and motivations might be, how they operate, or if and how they might be connected to criminal and political organizations.
There are only a few experts evaluating public and private sector responses to these threats which appear to have increased exponentially in number and sophistication in the last three years. While operating to a large extent in the dark, the Brazilian government has nevertheless rapidly constructed a sprawling cybersecurity and defense infrastructure.
Its response is narrowly focused on just one or two dimensions of these threats—especially foreign ones. At the center of the state’s response is the Brazilian Army’s Center for Cyber Defense (CDCiber), one of the only such entities in South America. Yet the emphasis on a military response may be incommensurate with the real (as opposed to existential) threats facing the country. Despite allegations of Hezbollah smuggling weapons to Brazilian gangs (these rumors have been circulating for decades), the country has comparatively few external cyber threats from foreign governments or terrorist groups.
This represents a mismatch with the real and emerging threats in cyberspace. Instead of focusing on international and domestic cyber-criminality, which constitutes by far the gravest risk, the state is doubling down on strengthening cyber war-fighting and anti-terrorism capabilities. This is not to suggest that cyberterrorism and cyber warfare are not real threats. Rather the government is overemphasizing broader issues of national security rather than addressing the most pressing challenges confronting citizens—that is cyber crime.
Although less than half of all Brazilians have bank accounts, the security of the country’s online banking infrastructure has always been more advanced that its American counterpart. Brazilian banks introduced double and even triple verification years before most other countries and biometric security is now the norm for most ATMs. Security in other online sectors, however, is far behind global standards and public or government sites are easily hacked.
The military approach to cyber insecurity in Brazil is consistent with a broader effort to find a role for the Brazilian armed forces in the twenty-first century. On the one hand, they are strengthening border control and anti-drug activities in the Amazon and the so-called tri-border area of Argentina, Brazil and Paraguay. On the other, the military is seeking to expand its reach and influence in cyberspace.
All of this has profound consequences for individual rights and public spending. The outsized military response risks compromising citizens’ fundamental rights owing to, among other things, the temptation to undertake surveillance and censorship. For instance, CDCiber and Brazil’s central intelligence agency (ABIN) created social media monitoring platforms in the aftermath of the 2013 protests.
Meanwhile, other public institutions such as the Federal Police are less generously resourced and supported. These developments are partly inspired by Brazil’s desire to enhance its geopolitical reach and relevance. As a rising power, the Brazilian government is mobilizing the country’s nascent cybersecurity architecture to project soft power in bilateral relations and multilateral arenas. For example, in 2013 the President requested that the UN develop a new global legal system to govern the Internet.
Brazil’s own Internet architecture is still work in progress. While there have been some important developments, there are conflicting lines of accountability among institutions, distorted funding priorities, confused public debate, contradictory legislative measures and the importation of outside solutions for local challenges. In the meantime, the military has “captured” resources for cyberdefense, with potentially dangerous implications for civil liberties more generally.
What is more, the comparatively limited engagement of civil society in cybersecurity debates in Brazil means that the armed forces have free reign to advance their interests. What is urgently needed is a balanced cyber security strategy, one that accurately gauges evolving threats to understand where future vulnerabilities reside.
First, the government should encourage people to talk. There is a now a lively conversation in Brazil about the many positive developments related to e-governance, smart cities, digital sovereignty and other new information technologies. Curiously, there is a silence on issues related to cybersecurity and cyberdefense. Where debated at all, conversations tend to be reserved to the highest levels of government, the armed forces, law enforcement agencies and a narrow group of businesses, though there are signs this may be starting to change.
The second step is to put in place measured and efficient strategies to engage cyber threats. Since the budgets allocated for cyber-related issues are hard to predict, there is considerable bureaucratic competition over funds. Military, law enforcement and civilian entities may exaggerate risks in order to increase their likely access to resources. If Brazil is to build a cybersecurity system fit for purpose, an informed debate is imperative.
At a minimum, Brazilians need to better understand the dynamics of cyber crime groups, and the ways in which traditional crime is migrating online. It also needs to monitor how security forces are adapting new surveillance technologies. Above all, the government should encourage a broader debate with a clear communications strategy about the need for cybersecurity and what forms this might take.
Robert Muggah is research director of the Igarapé Institute and also director of policy and research at the SecDev Group. Misha Glenny is author of McMafia and Dark Markets. The authors would also like to give credit to Gustavo Diniz, a former researcher at the Igarapé Institute. This article is based on a new Strategic Paper by the Igarapé Institute—Deconstructing Cyber Security in Brazil: Threats and Responses—released in December 2014. An earlier version of this article was posted on OpenDemocracy.