Cosmetics manufacturer Natura and carmaker Honda were targets of cyber-attacks on their Brazilian operations in June. The two companies chose not to disclose details of the strikes or their impacts on the businesses. Natura and Honda are not alone. Some of the country’s largest sectors have suffered such attacks in 2020, including energy and logistics operators and agribusiness companies. Russian cybersecurity multinational Kaspersky recorded 1.6 billion attempts of cyber-aggression in Brazil between February and April, 60% of all threats registered in Latin America. Concerns over the issue doubled the demand for corporate insurance in Brazil during the first half of the year.
The primary threats in Brazil are ransomware attacks, in which hackers use malicious software (malware) to invade and take control of a user’s computer or smartphone. A message on the screen demands payment of ransom in cryptocurrency, such as bitcoin, to prevent the user’s files from being deleted (see inset on page 76). In one variation, known as double extortion, the data is accessed and the victim is threatened with having their sensitive information disclosed or sold in online auctions. Research by the Anglo-American cybersecurity company Sophos reveals that Brazil was number four in countries hit by ransomware attacks in 2019, behind Malaysia, India, and Australia.
Other types of cybercrime, such as Trojan horse attacks, are becoming increasingly common in Brazil. Victims inadvertently click on a seemingly harmless link and open the door to having their financial information stolen. And then there are spywares, programs targeted on obtaining strategic information from companies and public agencies, such as the Federal Police and the court system. In 2019, there were 19,100 security threats to government computer networks reported, with more than 10,000 confirmed attacks, according to data from the Brazilian Government Response Team for Computer Security Incidents (CTIR-Gov), linked to the National Security Office.
According to experts, investing in security will be required to address the problem, which has been amplified over recent months due to the coronavirus pandemic. The rapid increase of work being done from home offices has left company files and systems more vulnerable. American market intelligence consultancy IDC points out that Brazilian companies invested US$1.6 billion in information security in 2019, while worldwide expenditures were US$107 billion. Globally, the average amount invested in information security in the corporate world amounts to 18% of the total information technology (IT) budget.
In Brazil, average spending doesn’t reach 4%, estimates Roberto Gallo, president of the Brazilian Defense and Security Industries Association (ABIMDE). This average is raised higher by the investments of the financial sector, where around 10% of the IT budget is applied to virtual security, according to the Brazilian Federation of Banks (FEBRABAN). “If you subtract banks from that average, investments throughout the rest of the economy are trivial,” Gallo says.
The low level of investment makes it difficult to create a significant cybersecurity ecosystem in Brazil, points out electrical engineer and computer scientist Paulo Licio de Geus, from the Computing Institute of the University of Campinas (IC-UNICAMP). “We have companies in Brazil with the technical capabilities. However, they’re small in both size and number, with no global presence,” he adds. The problem, in Geus’s opinion, is that this type of security is not valued in Brazil. “It’s difficult for a local company to innovate, develop solutions, and survive in an environment where there isn’t a funding base available to finance its initiatives,” he concludes.
Another problem is the scarcity of qualified labor, both at companies developing solutions and at end-user companies, who need the guidance of professionals to implement programs that can meet the challenges imposed by cyber criminals. According to the Cybersecurity Workforce Study by the International Information System Security Certification Consortium (ISC2), there is a dearth of 600,000 cybersecurity specialists in Latin America, which is particularly felt in Brazil.
Computer engineering professor Altair Olivo Santin of Pontifical Catholic University of Paraná (PUC-PR) is the coordinator of the information security commission of the Brazilian Computer Society (SBC). In his estimate, beyond the scarcity of professionals, there is also a lack of a quality labor force. “Many of those who work in information security don’t have adequate training,” he maintains.
One of the SBC’s priority issues is to get the Ministry of Education to standardize the requirements for information security degrees. A basic curriculum proposal was already developed by international computing institutions in 2017 and is being analyzed by the SBC. Santin says cyber criminals are dynamic and constantly searching for new methods of attack. The fight demands large numbers of dedicated professionals, with the capacity to develop academic research and new solutions for companies. “Cybersecurity is not widespread in Brazil. It’s inevitable that criminals perceive us as vulnerable,” Santin states.
The Brazilian cybersecurity market is mostly served by multinational companies, which account for more than 80% of all orders. The adverse business environment does not, however, prevent Brazilian cybersecurity developers from gaining space in the local market and beginning to move toward internationalization, in search of market scale.
According to Gallo, from ABIMDE, Brazil has companies recognized for the technical quality of their solutions in antivirus protection, firewalls (devices that monitor network traffic and internet connections) and encryption systems (programs that encrypt messages and make them unintelligible to those without the security code). Gallo notes that the United States, the United Kingdom, Russia, China, and Israel, are the most prominent nations in cybersecurity globally, in that order. “In a ranking of international cybersecurity, we would be among the best,” Gallo speculates.
He observes that Brazilian companies enjoy one potential advantage in the global market. “Brazil doesn’t have a tradition of international espionage, and no one imagines that Brazilian companies are at the service of their government. This type of distrust affects companies in some major geopolitical powers. Nor do we have laws in this country that allow our government to violate the privacy of user data abroad, such as the US CLOUD Act,” he says.
Gallo is the founder of Kryptus, a company specializing in cryptography, founded in 2003. The company received four grants from the FAPESP Research for Innovation in Small Businesses program (RISB, or PIPE in the Portuguese acronym) to develop a high-performance cryptographic security hardware module. The solution was adopted by several corporate clients and is an integral part of the Brazilian electronic voting system. It is also used by the Integrated Border Monitoring System (SISFRON), a project that the Armed Forces are implementing with the goal of curbing illegal acts along the Brazilian border (see Pesquisa FAPESP issue no. 282).
In July, Kryptus received an investment of R$20 million from the Aerospace Investment Fund (FIP) formed by aircraft manufacturer Embraer, with the Brazilian Development Bank (BNDES), the Brazilian Funding Authority for Studies and Projects (FINEP), and the São Paulo funding agency Desenvolve-SP. The funds were authorized with the goal of developing a plan for expanding and exporting Brazilian expertise in cryptography and security.
Soon after announcing the investment, Kryptus announced the opening of a branch office in Switzerland. “The European market requires proximity. It’s important to have a local team,” says Gallo. He notes that Switzerland was a strategic choice because of its reputation for having qualified IT professionals and a government that doesn’t interfere in its businesses.
Kryptus obtains 30% of its revenues—an amount which it doesn’t disclose—from exports. In Europe, it serves customers in Germany, Switzerland, Spain, and Portugal, and does business in African nations like Angola, Cape Verde, and Morocco. But its forte is exports to Latin America, aimed at companies in Colombia, Peru, Ecuador, Argentina, and Chile. With the new office in Switzerland, sales are expected to increase in Europe, Africa, and the Middle East. “In three years, more than 50% of our revenue should come from these regions,” Gallo forecasts.
Another recent move in the national cybersecurity sector was the purchase of the Pernambuco-based company Tempest by Embraer, which already included cybersecurity solutions in its portfolio. According to Fernando Silva, Tempest’s vice president of strategy and marketing, the agreement retained the Recife company’s administrative structure. “We’re going to begin developing new products and services aimed at sectors of defense, aerospace security, air traffic control, and critical infrastructures, such as those maintained by energy companies,” Silva adds.
Launched in 2000, Tempest’s primary area of operations is finance, which accounts for 60% of the R$120 million billed in 2019. One software program the company developed for preventing online fraud, Allow Me, is a feature in the mobile banking apps of Brazil’s principal banks, installed in 30 million cell phones. In 2012, the company opened an office in London, England, and supplies its systems to The Economist magazine, The Guardian newspaper, and the Tesco supermarket chain. Today, 5% of its revenue comes from abroad. “Embraer is going to open new markets for Tempest, mainly in the defense sectors of Latin American countries, where it already has a strong presence,” says Silva.
Popularization of digital currencies could boost the data security market
The demand for cybersecurity technology in Brazil is expected to expand in the coming years due to a growing perception of risk created by the popularization of cryptocurrencies. This is the estimation of Ulisses Penteado, a partner at BluePex, a company in Limeira, São Paulo that specializes in security solutions such as antivirus protection, firewalls, and anti-malware. “Until recently, Brazilian hackers invaded data to tag websites and show off. Foreign hackers didn’t see most companies in Brazil as strategic targets for data theft. Attacks here didn’t cause a lot of damage,” he says.
Cryptocurrencies have opened up new vistas for criminals. It’s difficult to follow the movements of these currencies and there are widespread technological resources to throw the tracker off. “The possibility of success in monetizing such crime is high,” Penteado says. Furthermore, carrying out cybercrime does not require expertise, since there are a wide range of ready-made and easy-to-use tools for conducting attacks. This new opportunity has led ordinary criminals to migrate to cybercrime, and the attacks have become increasingly intensive and damaging. “The threats have been taken to the next level, so companies will have to invest to protect themselves.”
The General Data Protection Law (LGPD) approved by the Senate in August, which recently went into effect, should also help spur cybersecurity investments in Brazil. Businesses have become legally responsible for maintaining the data privacy of their customers and business partners, and will have to take preventive information security measures to prevent theft and unauthorized data exposure. According to the Brazilian Software Association (ABES), 60% of Brazilian companies are still not ready to meet the new law’s requirements. They have little time to adapt.
1. HSM Kryptus: Innovative technical add-ons in Brazilian HSM for inclusion in the national and international market (no. 15/50579-0); Grant Mechanism Research for Innovation in Small Businesses (RISB/PIPE); FINEP Agreement/Pappe Subsidy; Principal Investigator Roberto Alves Gallo Filho (Kryptus); Investment R$956,344.00.
2. High performance cryptographic module project (HSM) (no. 04/02906-8); Grant Mechanism Research Innovation in Small Businesses (RISB/PIPE) Principal Investigator Roberto Alves Gallo Filho (Kryptus); Investment R$16,584.46.