BrazilÂ hasÂ embracedÂ theÂ digitalÂ ageÂ with more gusto than most. It is one ofÂ theÂ top users of social mediaÂ and recently signed-off on a bill of rights forÂ theÂ Internet,Â theÂ Marco Civil.Â TheÂ country is also a leader inÂ theÂ development of online banking withÂ more than 43 percent of web usersÂ engaging such services, and can be proud of a thriving software industry, including some world classÂ companies.
But as computer users aroundÂ theÂ world are beginning to grasp,Â theÂ spread ofÂ theÂ digitalÂ world has its dark side. Alongside allÂ theÂ great thingsÂ theÂ Internet offers, not leastÂ new forms of political and economic empowerment, it brings some very seriousÂ threats.
Brazilians areÂ waking upÂ toÂ theÂ reality of online scams, hacking, espionage andÂ digitalÂ surveillance. And whileÂ theÂ government is taking cyber malfeasance seriously, it may have seriously misinterpretedÂ theÂ nature and significance of those threats and, as a consequence,Â theÂ best way to tackleÂ them.
For political reasons,Â Brasilia hasÂ outsourcedÂ most responsibility forÂ theÂ countryâ€™s cybersecurity toÂ theÂ military. WhileÂ theÂ armed forces has enthusiasticallyÂ embracedÂ this new role, placing them in charge of overall cybersecurity for both civilian and military networks is a mismatch that could have damaging consequencesÂ theÂ countryâ€™sÂ security.
Not all cyber threats are equal. PerhapsÂ theÂ most egregious one isÂ economically-motivated cyber crimeâ€”theÂ targeting of private banks, firms and individuals. Others are posed by domestic and internationalÂ hacktivist groupsÂ intent on disrupting government services and corporate websites.Â Brazilâ€™s popular protests of June-August 2013, for example, coincided withÂ a sharp rise in hacktivist activity.
Edward Snowdenâ€™s revelationsÂ have ratcheted-upÂ Brazilâ€™s concern with cybersecurity.Â TheÂ U.S. National Security Agency was routinely spying on state and commercial networks, including listening on Brazilian President Dilma Rousseffâ€™s phone conversations.Â Brazil is friendly to the United States at a time of rising anti-Americanism in Latin America. But it, too, harbors a historical skepticism toward US intentions and Washington should not underestimate the reputational damage that its global surveillance strategy has inflicted.Â Cyber espionageÂ and perhaps, further downÂ theÂ line,Â cyber warfareÂ are now threats that are being taken veryÂ seriously.
NotwithstandingÂ theÂ growing angst in Brasilia, and indeed many capitals across the Americas,Â comparatively little is actually knownÂ about what real dangers are lurking in cyberspace. There is virtually no public debate or research into those responsible for launching attacks, what their interests and motivations might be, how they operate, or if and how they might be connected to criminal and politicalÂ organizations.
There are only aÂ few expertsÂ evaluating public and private sector responses to these threats which appear to have increased exponentially in number and sophistication inÂ theÂ last three years. While operating to a large extent inÂ the dark,Â theÂ BrazilianÂ government has nevertheless rapidlyÂ constructed a sprawling cybersecurity and defense infrastructure.
Its response is narrowly focused on just one or two dimensions of these threatsâ€”especially foreign ones. AtÂ theÂ center ofÂ theÂ stateâ€™s response isÂ theÂ BrazilianÂ Armyâ€™sÂ Center for Cyber DefenseÂ (CDCiber), one ofÂ theÂ only such entities in South America. YetÂ theÂ emphasis on a military response may be incommensurate withÂ theÂ real (as opposed to existential) threats facingÂ theÂ country.Â DespiteÂ allegations of Hezbollah smuggling weaponsÂ toÂ BrazilianÂ gangs (these rumors have been circulating for decades),Â theÂ country has comparatively few external cyber threats from foreign governments or terroristÂ groups.
This represents a mismatch withÂ theÂ real and emerging threats in cyberspace. Instead of focusing on international and domestic cyber-criminality, which constitutesÂ by farÂ theÂ gravest risk,Â theÂ state is doubling down on strengthening cyber war-fighting and anti-terrorism capabilities. This is not to suggest that cyberterrorism and cyber warfare are not real threats. RatherÂ theÂ government is overemphasizing broader issues of national security rather than addressingÂ theÂ most pressing challenges confronting citizensâ€”that is cyber crime.
Although less than half of all Brazilians have bank accounts, the security of the countryâ€™s online banking infrastructure has always been more advanced that its American counterpart. Brazilian banks introduced double and even triple verification years before most other countries and biometric security is now the norm for most ATMs. Security in other online sectors, however, is far behind global standards and public or government sites are easilyÂ hacked.
TheÂ military approach to cyber insecurity inÂ BrazilÂ is consistent with a broader effort to findÂ aÂ role forÂ theÂ BrazilianÂ armed forces inÂ theÂ twenty-first century. OnÂ theÂ one hand, they areÂ strengthening border control and anti-drug activitiesÂ inÂ theÂ AmazonÂ andÂ theÂ so-called tri-border area of Argentina,Â BrazilÂ and Paraguay. OnÂ theÂ other,Â theÂ military is seeking to expand its reach and influence inÂ cyberspace.
All of this has profound consequences for individual rights and public spending.Â TheÂ outsized military response risks compromising citizensâ€™ fundamental rights owing to, among other things,Â theÂ temptation to undertake surveillance and censorship. For instance, CDCiber andÂ Brazilâ€™s central intelligence agencyÂ (ABIN) created social media monitoring platforms inÂ theÂ aftermath ofÂ theÂ 2013Â protests.
Meanwhile, other public institutions such asÂ theÂ Federal PoliceÂ are less generously resourced and supported. These developments are partly inspired byÂ Brazilâ€™s desire to enhance its geopolitical reach and relevance. As a rising power,Â theÂ BrazilianÂ government isÂ mobilizingÂ theÂ countryâ€™s nascent cybersecurity architecture to project soft powerÂ in bilateral relations and multilateral arenas. For example, in 2013Â theÂ President requested thatÂ theÂ UN develop a new global legal system to governÂ theÂ Internet.
Brazilâ€™s own Internet architecture is still work in progress. While there have been some important developments, there are conflicting lines of accountability among institutions, distorted funding priorities, confused public debate, contradictory legislative measures andÂ theÂ importation of outside solutions for local challenges. InÂ theÂ meantime,Â theÂ military has â€œcapturedâ€ resources for cyberdefense, with potentially dangerous implications for civil liberties moreÂ generally.
What is more,Â theÂ comparatively limited engagement of civil society in cybersecurity debates inÂ BrazilÂ means thatÂ theÂ armed forces haveÂ free reign to advance their interests. What is urgently needed isÂ a balanced cyber security strategy, one that accurately gauges evolving threats to understand where future vulnerabilitiesÂ reside.
First,Â theÂ government should encourage people to talk. There is a nowÂ aÂ lively conversationÂ inÂ BrazilÂ aboutÂ theÂ many positive developments related to e-governance, smart cities,Â digitalÂ sovereignty and other new information technologies. Curiously, there is a silence on issues related to cybersecurity and cyberdefense. Where debated at all, conversations tend to be reserved toÂ theÂ highest levels of government,Â theÂ armed forces, law enforcement agencies and a narrow group of businesses, though thereÂ are signs this may be starting to change.
TheÂ second step is to put in place measured and efficient strategies to engage cyber threats. SinceÂ theÂ budgets allocated for cyber-related issues are hard to predict, there is considerable bureaucratic competition over funds. Military, law enforcement and civilian entities may exaggerate risks in order to increase their likely access to resources. IfÂ BrazilÂ is to build a cybersecurity system fit for purpose, an informed debate isÂ imperative.
At a minimum, Brazilians need to better understandÂ theÂ dynamics of cyber crime groups, andÂ theÂ ways in which traditional crime is migrating online. It also needs to monitor how security forces are adapting new surveillance technologies. Above all,Â theÂ government should encourage a broader debate with a clear communications strategy aboutÂ theÂ need for cybersecurity and what forms this mightÂ take.