Brazilian data security legislation takes important steps forward, but devices connected to the internet are still vulnerable
Léo Ramos Chaves / Revista Pesquisa FAPESP
There is good reason to worry about leaks and misuse of personal or corporate information from cell phones and computers. In Brazil, cybersecurity still has plenty of room to improve, although Brazilian legislation is advancing thanks to the participation of experts from universities, companies, and research centers. Defined as a set of actions designed to protect machines and people against electronic attacks, cybersecurity requires continuous improvements in regulation, technology, and processes by governments, users, and the private sector.
Electrical engineer Edmar Gurjão of the Federal University of Campina Grande (UFCG), Paraíba, will present potential legal measures for reducing the vulnerability of 5G technology, which is currently being rolled out across Brazil, to the country’s National Telecommunications Agency (ANATEL) in Brasília in August. Gurjão is leading a study involving 52 Brazilian researchers whose objective is to help the agency assess the need for specific legal controls for this type of technology. One of its recommendations will be that ANATEL demand factory certification of software installed on 5G-compatible devices to ensure that the security parameters are up to date. “The high-speed connection between 5G devices leaves users more exposed to cyberattacks,” says the researcher.
There is a lot of work to do. Networks and devices connected to the internet in Brazil are among the most vulnerable in Latin America. The country suffered 103 billion attempted cyberattacks in 2022, second only to Mexico (with 187 billion), according to a survey by American cybersecurity company Fortinet. The number of attacks in the country increased by 16% over 2021. The same survey found that worldwide, 82% of attacks designed to steal money from users and institutions used ransomware, which blocks access to data or accounts until the owner pays a ransom.
However, between 2018 and 2020, Brazil jumped from the 70th position to 18th in the Global Cybersecurity Index, created by the International Telecommunication Union (ITU) to measure how well prepared each country is to deal with cyberattacks. The rapid progress is likely a result of improvements in legislation, one of the items evaluated by the ITU, in which Brazil obtained the maximum score. Experts warn that although legal instruments are essential, they alone are not enough.
“Brazil’s biggest challenge is not creating strong regulatory measures, but implementing and monitoring them,” says Ana Luíza Calil, who is pursuing a PhD in administrative law at the University of São Paulo (USP). In an article published in the scientific journal International Cybersecurity Law Review in May 2022, she and Roberto Carapeto, a lawyer from the University of Nagoya, Japan, analyzed legislation in Brazil and four other Latin American countries: Argentina, Chile, Colombia, and Mexico. They found that all five nations have created their own legal mechanisms to strengthen cybersecurity, but they are at different stages. “Brazil has the most advanced set of regulations, followed by Chile,” says Calil. According to her, Mexico is still in the early stages.
Brazil’s Civil Rights Framework for the Internet (Marco Civil da Internet), passed in April 2014, also paved the way for other important regulations. One of the most recent and significant is the General Data Protection Law (LGPD), in force since August 2020, which regulates the handling of personal data (a person’s name, surname, ID number, address and computer ID, for example). “It is the only law in Brazil that objectively establishes fines for personal data leaks or inadequate data storage,” says computer engineer Roberto Gallo, director of the cryptography company Kryptus and president of the Brazilian Defense and Security Industries Association (ABIMDE).
“The LGPD makes it clear that personal data has to be protected, because the company responsible for the data will pay the price for any leaks,” explains Gallo. “It is important to expand it or create legislation to protect other types of data, such as commercial, industrial, and critical systems data.”
One way the sector needs to move forward, in addition to implementing structured regulation, is to ensure companies invest in data security. In 2020, Gallo estimated that companies in Brazil spent less than 4% of their information technology budgets on the issue, while the figure was 10% to 15% in more developed countries. According to him, the ABIMDE does not have any up-to-date figures on the matter, but he believes there have been no major changes in the last three years. According to projections by American market intelligence firm IDC, spending on security solutions in Brazil will reach US$1.3 billion in 2023, 13% more than the previous year.
Another important legislative framework is the National Cybersecurity Strategy (E-Ciber), approved as a decree in February 2020, which includes cybersecurity guidelines and strategic actions as an incentive for research. “The aim of E-Ciber is to unify the objectives of those dealing with cybersecurity, but it lacks clarity about the functions of everyone involved and how the actions should be monitored, including the federal government’s relationship with states and municipalities,” says Calil.
She highlights, however, that the plan has had positive consequences, such as a resolution issued by Brazil’s Central Bank in April 2021 containing cybersecurity guidelines for financial institutions. In June of the same year, the National Council of Justice (CNJ) issued cybersecurity regulations to all judiciary bodies on protecting data linked to more than 77 million digital processes.
The E-Ciber strategy is in effect until the end of 2023. Asked about plans to update the decree, the President’s Office for Institutional Security (GSI), which was responsible for drafting the document, told Pesquisa FAPESP that it has been assessing areas that need improvement since 2022.
The agency stated that it will also analyze contributions “from the cybersecurity community and public consultations,” indicating that as occurred in the formulation of the current version, it plans to present the draft document for public review. It did not reveal, however, when this might be done.
Gurjão, from UFCG, emphasizes the importance of creating a unified center for recording cyber incidents, something which is covered in the E-Ciber plan. In his view, such a center would allow for faster joint defense actions across multiple institutions responsible for essential services such as water supply, energy, telecommunications, and public safety in the event of an attack.
“It is important to form a coalition with the various sectors of government and civil society, since cybersecurity is concerned with a diffuse and hybrid threat that could affect any person, company, or institution,” says Raquel Jorge de Oliveira, an intelligence analyst at cybersecurity startup Harpia Tech in Rio de Janeiro.
During her master’s degree, completed at the University of Brasília (UnB) in 2021, she compared Brazilian policy with that of four European countries—Finland, Sweden, Denmark, and Norway—of international renown in cybersecurity. In all four, there is continuous dialogue between institutions and internet users, which according to Oliveira, does not happen in Brazil. She detailed her conclusions in an article published in the journal Brasiliana: Journal for Brazilian Studies in February 2022.
“Cybersecurity legislation in Brazil provides for interactions between sectors of government and civil society, but always under the command of the GSI or the Ministry of Defense, with no permanent structure for coordinating interactions between government agencies and users,” says Oliveira.
Louise Marie Hurel, an international relations graduate studying a master’s at the London School of Economics, UK, shares a similar outlook. In an analysis published by the Igarapé Institute, a nongovernmental institution based in Rio de Janeiro that studies climate and digital security, she wrote: “As much as the GSI already performs the role of coordination and facilitation within the federal government, its relationship with civil society remains fragile, with groups frequently pointing to a lack of transparency and militarization of the agenda by the GSI’s Department of Information Security.”
When asked about this militarization, the GSI responded that national cyber defense is, in fact, one of the responsibilities of the Ministry of Defense. But the country’s cybersecurity, according to the agency, “is largely the responsibility of civil society organizations.” The agency cites the National Education and Research Network’s Security Incident Response Center (CAIS) and the Brazilian Center for Security Incident Studies and Response (Cert.br), which manages incidents for the Brazilian Internet Steering Committee (CGI.br), as two of the most important civil institutions it works with. These organizations coordinate with the Government Center for Cybernetic Incident Prevention and Response (CTIR Gov).
Calil says ANATEL helps maintain balance among all of these forces, expanding social participation. In 2021, the agency created the Technical Group on Cybersecurity and Critical Infrastructure Risk Management (GT-Ciber), composed of representatives from various telecommunications companies. The group edited ANATEL’s Act 77 of July 2021, which establishes cybersecurity requirements for telecommunications equipment and devices connected to the internet, such as routers, modems, cell phones, security cameras, and televisions.
“Now, we are waiting to speak with the new government and hoping for greater participation in updating the national strategy,” says Gustavo Santana Borges, head of control of regulatory obligations at the agency and a member of GT-Ciber.