Raising the Political Priority of Cybersecurity in Latin America

As George Orwell might have said, when it comes to understanding the impact of cyber threats in different parts of the world: all regions are equal, but some are more equal than others. No region can afford to be complacent about cyber threats from criminals, “hacktivists,” or hostile states. Developing countries such as those in Latin America are expected to respond effectively to cyber threats, but so far the global cybersecurity debate has neglected some of the structural factors that make this difficult.

While cybersecurity in the region made headlines last year, after a pair of ransomware attacks on Costa Rica crippled the country’s medical, government, and commercial systems, too often the issue does not get the attention it deserves–both internationally and across the region. Recent reporting about an alleged ransomware attack suffered by the government of Saint Kitts and Nevis demonstrates that the problem isn’t going away.

Structural barriers to a global conversation

There are at least three reasons why the region is overlooked. First, there are few incentives for threat intelligence companies to prioritize Latin America over larger markets. Second, there is a tendency in cybersecurity to focus only on high-visibility threat actors, rather than emerging ones. Third, disparities in development across the region mean that the cybersecurity needs of different countries can vary significantly.

These and other factors combine to produce an incomplete picture of threats and vulnerabilities in Latin America–all of which adds to the lack of political notoriety the agenda has received regionally. While technical cooperation has indeed increased through activities at Latin America and Caribbean Internet Address Registry (LACNIC), Organization of American States (OAS) and others, political initiatives remain ad-hoc and country-based. If Latin America is to take cybersecurity seriously, it needs to invest in a concerted dialogue for sustainable development with cyber at the heart of it. But dealing with structural challenges will also require better understanding of the threat landscape both from within and outside the region.

How can we raise the profile and political priority of cybersecurity in the region despite these barriers? What should countries in Latin America (and others) do to improve cybersecurity and resilience?

Cyber insecurity in Latin America

The fact is that the region faces many of the same cyber threats as others, ranging from apparently global hackers-for-hire to groups more ostensibly aligned to the interests of specific states with strategic interests in the region. This is unsurprising, as the region’s relatively peaceful inter-state relations do not reduce the perennial temptation of states to spy on each other–and, as recent history has shown, on their citizens.

It is neither new nor rare for Latin America’s governmental and other sectors to be targeted in cyberspace.  Threat actors have been operating in the region for many years now–both those that originate from the region and those based outside it. Chinese and North Korean groups have been targeting the region’s governments, nongovernmental organizations, and private companies reportedly since 2017–and other groups such as Dark Caracal and El Machete have reportedly been active in the region since at least the early 2010s.

And yet, unlike more developed countries, many of the region’s governments are ill-prepared and under-resourced to deal with the growing costs and wider impacts of these incidents. 

A very public example of the inadequacy of current governmental safeguards was the widely-reported Guacamaya hack-and-leak campaign in October 2022. This campaign targeted several defense and security institutions throughout Latin America, including revelations about a large surveillance program run by the Mexican government. The apparent ability of so-called ‘hacktivists’ to break into what should have been highly-secure defense and national security systems demonstrated that governments and citizens alike are vulnerable in this domain.

More can and should be done, systematically, to integrate existing knowledge and expertise within the region to counter cyber insecurity.

Progress in adversity

The Organization of American States (OAS) was the first regional body in the world to start developing a cyber strategy, in 2003. It remains a key player in regional cybersecurity capacity-building and an important point of contact for donor states, non-profits, and others to contribute to cybersecurity initiatives in Latin America. But implementing a coordinated approach to improving cybersecurity is hard enough domestically, let alone at the regional or global level–especially in a region with such varying levels of digitalisation and development.

Fast forward two decades since the region’s first cybersecurity efforts and it is still grappling with institutional and political barriers to enhancing cybersecurity. According to the International Telecommunications Union (ITU) Global Cybersecurity Index (GCI): twenty eight countries in the region provided no incentives to improve private sector cybersecurity (only Africa ranked lower regionally); seventeen countries lacked a national cybersecurity strategy that addressed critical infrastructure and resilience; and fourteen countries lacked a national computer incident response team.

Some progress has been made, but outcomes are very uneven. Brazil has jumped from 70th to 18th in the ITU GCI, after having passed a data protection law, established a data protection authority, and developed a national cyber strategy. Other countries in the region, however, such as Bolivia (140^th) and Nicaragua (165^th), slid even further down the other end of the table. And, as repeated hacks of public and private sector networks in Brazil demonstrate, neither institutional nor policy developments are in themselves sufficient to protect citizens and consumers from cybercrime.

As incidents like the ransomware attacks on Costa Rica’s government systems have demonstrated in the last year, not only are there still severe capacity gaps that leave countries in the region exposed to serious threats, but the region also features increasingly prominently as a target.

Latin American countries’ pathways to cyber resilience are far from linear. Despite challenges, they have nonetheless reaffirmed their commitments to norms for responsible state behavior in cyberspace, nine of them acceded to the Budapest convention that enhances mechanisms for transnational cooperation in fighting cybercrime, and OAS member states have agreed on a series of Cyber Confidence Building Measures since 2017 that seek to promote greater exchange of information on initiatives and incidents from across the region.

These initiatives are commendable and welcome, but also insufficient to the challenge. The region’s continuing trend of major governmental cyber crises is strong evidence that coordinated effort at the national and regional levels must be intensified. Part of the solution is to better understand what has worked–and what has obstructed further progress–in the region’s 20 years of cyber capacity-building experience.

Getting priorities straight

Latin America cannot solve its cyber insecurity on its own, nor should it face it alone. The region’s most cyber-capable countries, such as Brazil and Chile, should embrace a more active leadership role improving regional cybersecurity cooperation, including through the OAS as the region’s pre-eminent cyber capacity-building forum. Welcome initiatives would include more integrated threat-information sharing and incident response assistance, as well as better inclusion of the region’s non-profits and local companies in the field. There are global networks of expertise and assistance, but raising the political prioritisation of cybersecurity must start within the region itself and be sustained with strategic patience.  

Beyond governmental efforts, think tanks and academia should develop a public repository of incidents, bibliographies–such as the one produced by the Latin American Cybersecurity Research Network–and bring the region’s existing expertise into wider global conversations in cooperation with other sectors. These would be the next steps in raising the profile and real-world impact of cyber research produced in Latin America.

The region stands to benefit significantly from expanding digital access and skills. That is true in social interaction, economic activity, and the provision of public services. But improved cybersecurity must be an integral feature of this process, or else the darker side of cyber insecurity will continue to blight the region’s citizens, consumers, companies, and governments. Closing the region’s cybersecurity gaps will require re-invigorated governmental leadership, but it will only succeed through coordinated effort with other stakeholders, and deeper cyber awareness amongst policymakers, legislators, companies, and civil society.

Louise Marie Hurel is a Research Fellow at the Royal United Services Institute for Security and Defense (RUSI), PhD Researcher at the London School of Economics and Political Science, and founder of the Latin American Cybersecurity Research Network (LA/CS Net).

Dr. Joe Devanny is a Lecturer in the Department of War Studies at King’s College London and currently a British Academy Innovation Fellow.

The views expressed in the article are solely the authors’ and do not necessarily reflect the viewpoints or opinions of organizations they are affiliated with.