Late last year, the Brazilian Senate Commission on Foreign Relations asked TechPolis to prepare a paper on cyber security. Against the backdrop of Edward Snowden’s revelations of U.S. espionage in Brazil, the Senate created a Special Investigative Commission (in Portuguese, CPI) to analyze the status of cyber security in the country and suggest new directions.
Now that the work of the CPI is finished, we are free to share with the public our suggestions, most of which were incorporated in the final report of the commission.
Our view on espionage is starkly simple: You had better take care of yourself. The international system is anarchic, and states will and do try to obtain information which increases their ability to maintain and expand power. Most are not too worried about how they go about doing this. The Internet also has an anarchic design and is full of vulnerabilities. So, once again, you had better watch out and take care of yourself – because nobody else is going to.
Beyond being an easy target for government espionage, Brazil faces other digital security problems. It is a land of online banking security breaches, card cloning at ATMs, phishing, and malware. The government, the private sector and individual citizens can all do better at building stronger passwords and security systems.
One of our major findings is that most of the money invested in cyber security goes into prevention. Very little actually goes into investigating and punishing criminals. Therefore, in the absence of costs, the incentives for cyber crime are strong. Without breaking the incentive structure, both nationally and internationally, it is very hard to control cyber crime.
We made a few suggestions, which were appreciated by the Senate but still have a long way to go before they actually materialize:
• Define guidelines for cyber security policy in Brazil;
• Vote on the Data Security and Privacy Act draft bill prepared by the Ministry of Justice;
• Create a Brazilian Cyber-Security Agency. This would act as a focal point in the Executive branch for issues related to security and privacy over the Internet and other communications networks;
• Create a mechanism for cooperation between business and government to discuss cyber security;
• Strengthen the security of terrestrial points of data exit and entry from Brazil via submarine cables;
• Study ongoing cyber attacks in other countries;
• Conduct simulation exercises of cyber attacks against Brazil;
• Create training programs for people specialized in cyber security at technical, undergraduate and postgraduate levels.