By Robert Muggah and Misha Glenny
Brazil has embraced the digital age with more gusto than
most. It is one of the top users of social media and recently signed off on a
bill of rights for the Internet, the Marco Civil. The country is also a leader in
the development of online banking, with more than 43 percent of web users using
such services, and can be proud of a thriving software industry, including some
world-class companies.
But as computer users around the world are beginning to
grasp, the spread of the digital world has its
dark side. Alongside all the
great things the Internet offers, not least new forms of political and economic
empowerment, it brings some very serious threats.
Brazilians are waking up to the reality of online
scams, hacking, espionage and digital surveillance. And while the government is
taking cyber malfeasance seriously, it may have seriously misinterpreted the
nature and significance of those threats and, as a consequence, the best way to
tackle them.
For political reasons, Brasilia has outsourced most
responsibility for the country’s cyber security to the military. While the
armed forces have enthusiastically embraced this new role, placing them in
charge of overall cyber security for both civilian and military networks is a
mismatch that could have damaging consequences for the country’s security.
Not all cyber threats are equal. Perhaps the most
egregious one is economically motivated
cyber crime: the targeting of private banks, firms and individuals.
Others are posed by domestic and international hacktivist groups intent on disrupting
government services and corporate websites. Brazil’s popular protests of June-August
2013, for example, coincided with a sharp rise in hacktivist activity.
Edward Snowden’s revelations have ratcheted up Brazil’s
concern with cyber security. The U.S. National Security Agency was routinely
spying on state and commercial networks, including listening in on Brazilian
President Dilma Rousseff’s phone conversations. Brazil is friendly to the United
States at a time of rising anti-Americanism in Latin America. But it, too,
harbors a historical skepticism toward US intentions and Washington should not
underestimate the reputational damage that its global surveillance strategy has
inflicted. Cyber espionage and perhaps, further down the line, cyber warfare
are now threats that are being taken very seriously.
Notwithstanding the growing angst in Brasilia, and indeed
many capitals across the Americas, comparatively little is actually known about
what real dangers are lurking in cyberspace. There is virtually no public
debate or research into those responsible for launching attacks, what their interests
and motivations might be, how they operate, or if and how they might be connected
to criminal and political organizations.
There are only a few experts evaluating public and private
sector responses to these threats, which appear to have increased exponentially
in number and sophistication in the last three years. While operating to a
large extent in the dark, the Brazilian government has nevertheless rapidly
constructed a sprawling cyber security and defense infrastructure.
Its response is narrowly focused on just one or two
dimensions of these threats—especially foreign ones. At the center of the
state’s response is the Brazilian Army’s Center for Cyber Defense (CDCiber),
one of the only such entities in South America. Yet the emphasis on a military
response may be incommensurate with the real (as opposed to existential)
threats facing the country. Despite allegations of Hezbollah smuggling weapons
to Brazilian gangs (these rumors have been circulating for decades), the
country has comparatively few external cyber threats from foreign governments
or terrorist groups.
This represents a mismatch with the real and emerging threats
in cyberspace. Instead of focusing on international and domestic cyber
criminality, which constitutes by far the gravest risk, the state is doubling down
on strengthening cyber war-fighting and antiterrorism capabilities. This is not
to suggest that cyber-terrorism and cyber warfare are not real threats. Rather,
the government is overemphasizing broader issues of national security instead
of addressing the most pressing challenge confronting citizens, namely cyber-crime.
Although less than half of all Brazilians have bank
accounts, the security of the country’s online banking infrastructure has
always been more advanced than its American counterpart. Brazilian banks
introduced double and even triple verification years before most other
countries and biometric security is now the norm for most ATMs. Security in other
online sectors, however, is far behind global standards and public or
government sites are easily hacked.
The military approach to cyber insecurity in Brazil is
consistent with a broader effort to find a role for the Brazilian armed forces
in the twenty-first century. On the one hand, they are strengthening border
control and antidrug activities in the Amazon and the so-called tri-border area
of Argentina, Brazil and Paraguay. On the other, the military is seeking to
expand its reach and influence in cyberspace.
All of this has profound consequences for individual
rights and public spending. The outsized military response risks compromising
citizens’ fundamental rights owing to, among other things, the temptation to
undertake surveillance and censorship. For instance, CDCiber and Brazil’s central
intelligence agency (ABIN) created social media monitoring platforms in the
aftermath of the 2013 protests.
Meanwhile, other public institutions such as the Federal
Police are less generously resourced and supported. These developments are
partly inspired by Brazil’s desire to enhance its geopolitical reach and
relevance. As a rising power, the Brazilian government is mobilizing the country’s
nascent cyber security architecture to project soft power in bilateral
relations and multilateral arenas. For example, in 2013 the President requested
that the UN develop a new global legal system to govern the Internet.
Brazil’s own Internet architecture is still a work in progress.
While there have been some important developments, there are conflicting lines
of accountability among institutions, distorted funding priorities, confused
public debate, contradictory legislative measures and the importation of
outside solutions for local challenges. In the meantime, the military has “captured”
resources for cyber-defense, with potentially dangerous implications for civil
liberties more generally.
What is more, the comparatively limited engagement of
civil society in cyber security debates in Brazil means that the armed forces
have free rein to advance their interests. What is urgently needed is a
balanced cyber security strategy, one that accurately gauges evolving threats
to understand where future vulnerabilities reside.
First, the government should encourage people to talk.
There is now a lively conversation in Brazil about the many positive developments
related to e-governance, smart cities, digital sovereignty and other new
information technologies. Curiously, there is a silence on issues related to
cyber security and cyber defense. Where debated at all, conversations tend to
be reserved to the highest levels of government, the armed forces, law
enforcement agencies and a narrow group of businesses, though there are signs
this may be starting to change.
The second step is to put in place measured and efficient
strategies to engage cyber threats. Since the budgets allocated for cyber
related issues are hard to predict, there is considerable bureaucratic
competition over funds. Military, law enforcement and civilian entities may exaggerate
risks in order to increase their likely access to resources. If Brazil is to
build a cyber security system fit for purpose, an informed debate is
imperative.
At a minimum, Brazilians need to better understand the
dynamics of cyber crime groups, and the ways in which traditional crime is
migrating online. They also need to monitor how security forces are adapting new
surveillance technologies. Above all, the government should encourage a broader
debate with a clear communications strategy about the need for cyber security
and what forms this might take.