{"id":483495,"date":"2023-07-05T17:30:03","date_gmt":"2023-07-05T20:30:03","guid":{"rendered":"https:\/\/revistapesquisa.fapesp.br\/?p=483495"},"modified":"2023-07-05T17:30:03","modified_gmt":"2023-07-05T20:30:03","slug":"more-barriers-to-prevent-cyberattacks","status":"publish","type":"post","link":"https:\/\/revistapesquisa.fapesp.br\/en\/more-barriers-to-prevent-cyberattacks\/","title":{"rendered":"More barriers to prevent cyberattacks"},"content":{"rendered":"<p>There is good reason to worry about leaks and misuse of personal or corporate information from cell phones and computers. In Brazil, cybersecurity still has plenty of room to improve, although Brazilian legislation is advancing thanks to the participation of experts from universities, companies, and research centers. Defined as a set of actions designed to protect machines and people against electronic attacks, cybersecurity requires continuous improvements in regulation, technology, and processes by governments, users, and the private sector.<\/p>\n<p>Electrical engineer Edmar Gurj\u00e3o of the Federal University of Campina Grande (UFCG), Para\u00edba, will present potential legal measures for reducing the vulnerability of 5G technology, which is currently being rolled out across Brazil, to the country\u2019s National Telecommunications Agency (ANATEL) in Bras\u00edlia in August. Gurj\u00e3o is leading a study involving 52 Brazilian researchers whose objective is to help the agency assess the need for specific legal controls for this type of technology. One of its recommendations will be that ANATEL demand factory certification of software installed on 5G-compatible devices to ensure that the security parameters are up to date. \u201cThe high-speed connection between 5G devices leaves users more exposed to cyberattacks,\u201d says the researcher.<\/p>\n<p>There is a lot of work to do. Networks and devices connected to the internet in Brazil are among the most vulnerable in Latin America. 
The country suffered 103 billion attempted cyberattacks in 2022, second only to Mexico (with 187 billion), according to a survey by American cybersecurity company Fortinet. The number of attacks in the country increased by 16% over 2021. The same survey found that worldwide, 82% of attacks designed to steal money from users and institutions used ransomware, which blocks access to data or accounts until the owner pays a ransom.<\/p>\n<p>However, between 2018 and 2020, Brazil jumped from the 70<sup>th<\/sup> position to 18<sup>th<\/sup> in the Global Cybersecurity Index, created by the International Telecommunication Union (ITU) to measure how well prepared each country is to deal with cyberattacks. The rapid progress is likely a result of improvements in legislation, one of the items evaluated by the ITU, in which Brazil obtained the maximum score. Experts warn that although legal instruments are essential, they alone are not enough.<\/p>\n<p>\u201cBrazil&#8217;s biggest challenge is not creating strong regulatory measures, but implementing and monitoring them,\u201d says Ana Lu\u00edza Calil, who is pursuing a PhD in administrative law at the University of S\u00e3o Paulo (USP). In an article published in the scientific journal <em>International Cybersecurity Law Review<\/em> in May 2022, she and Roberto Carapeto, a lawyer from the University of Nagoya, Japan, analyzed legislation in Brazil and four other Latin American countries: Argentina, Chile, Colombia, and Mexico. They found that all five nations have created their own legal mechanisms to strengthen cybersecurity, but they are at different stages. \u201cBrazil has the most advanced set of regulations, followed by Chile,\u201d says Calil. According to her, Mexico is still in the early stages.<\/p>\n<p>Brazil\u2019s Civil Rights Framework for the Internet (Marco Civil da Internet), passed in April 2014, also paved the way for other important regulations. 
One of the most recent and significant is the General Data Protection Law (LGPD), in force since August 2020, which regulates the handling of personal data (a person\u2019s name, surname, ID number, address and computer ID, for example). \u201cIt is the only law in Brazil that objectively establishes fines for personal data leaks or inadequate data storage,\u201d says computer engineer Roberto Gallo, director of the cryptography company Kryptus and president of the Brazilian Defense and Security Industries Association (ABIMDE).<\/p>\n<\/div><div class='overflow-responsive-img' style='text-align:center'><picture data-tablet=\"\/wp-content\/uploads\/2023\/06\/327_info_eng3.png\" data-tablet_size=\"1140x450\" alt=\"PARA NAVEGAR COM MAIS SEGURAN\u00c7A\">\n    <source srcset=\"\/wp-content\/uploads\/2023\/06\/327_info_eng3.png\" media=\"(min-width: 1920px)\" \/>\n    <source srcset=\"\/wp-content\/uploads\/2023\/06\/327_info_eng3.png\" media=\"(min-width: 1140px)\" \/>\n    <img decoding=\"async\" class=\"responsive-img\" src=\"\/wp-content\/uploads\/2023\/06\/327_info_eng4.png\" \/>\n  <\/picture><span class=\"embed media-credits-inline\">Alexandre Affonso \/ Revista Pesquisa FAPESP<\/span><\/div><div class=\"post-content sequence\">\n<p>\u201cThe LGPD makes it clear that personal data has to be protected, because the company responsible for the data will pay the price for any leaks,\u201d explains Gallo. \u201cIt is important to expand it or create legislation to protect other types of data, such as commercial, industrial, and critical systems data.\u201d<\/p>\n<p>One way the sector needs to move forward, in addition to implementing structured regulation, is to ensure companies invest in data security. In 2020, Gallo estimated that companies in Brazil spent less than 4% of their information technology budgets on the issue, while the figure was 10% to 15% in more developed countries. 
According to him, the ABIMDE does not have any up-to-date figures on the matter, but he believes there have been no major changes in the last three years. According to projections by American market intelligence firm IDC, spending on security solutions in Brazil will reach US$1.3 billion in 2023, 13% more than the previous year.<\/p>\n<p>Another important legislative framework is the National Cybersecurity Strategy (E-Ciber), approved as a decree in February 2020, which includes cybersecurity guidelines and strategic actions as an incentive for research. \u201cThe aim of E-Ciber is to unify the objectives of those dealing with cybersecurity, but it lacks clarity about the functions of everyone involved and how the actions should be monitored, including the federal government\u2019s relationship with states and municipalities,\u201d says Calil.<\/p>\n<p>She highlights, however, that the plan has had positive consequences, such as a resolution issued by Brazil\u2019s Central Bank in April 2021 containing cybersecurity guidelines for financial institutions. In June of the same year, the National Council of Justice (CNJ) issued cybersecurity regulations to all judiciary bodies on protecting data linked to more than 77 million digital processes.<\/p>\n<p>The E-Ciber strategy is in effect until the end of 2023. Asked about plans to update the decree, the President\u2019s Office for Institutional Security (GSI), which was responsible for drafting the document, told <em>Pesquisa FAPESP<\/em> that it has been assessing areas that need improvement since 2022.<\/p>\n<p>The agency stated that it will also analyze contributions \u201cfrom the cybersecurity community and public consultations,\u201d indicating that, as occurred in the formulation of the current version, it plans to present the draft document for public review. 
It did not reveal, however, when this might be done.<\/p>\n<p>Gurj\u00e3o, from UFCG, emphasizes the importance of creating a unified center for recording cyber incidents, something which is covered in the E-Ciber plan. In his view, such a center would allow for faster joint defense actions across multiple institutions responsible for essential services such as water supply, energy, telecommunications, and public safety in the event of an attack.<\/p>\n<\/div><div class='overflow-responsive-img' style='text-align:center'><picture data-tablet=\"\/wp-content\/uploads\/2023\/06\/327_info_eng.png\" data-tablet_size=\"1140x560\" alt=\"QUEM CUIDA DA CIBERSEGURAN\u00c7A NO PA\u00cdS\">\n    <source srcset=\"\/wp-content\/uploads\/2023\/06\/327_info_eng.png\" media=\"(min-width: 1920px)\" \/>\n    <source srcset=\"\/wp-content\/uploads\/2023\/06\/327_info_eng.png\" media=\"(min-width: 1140px)\" \/>\n    <img decoding=\"async\" class=\"responsive-img\" src=\"\/wp-content\/uploads\/2023\/06\/327_info_eng2.png\" \/>\n  <\/picture><span class=\"embed media-credits-inline\">Alexandre Affonso \/ Revista Pesquisa FAPESP<\/span><\/div><div class=\"post-content sequence\">\n<p>\u201cIt is important to form a coalition with the various sectors of government and civil society, since cybersecurity is concerned with a diffuse and hybrid threat that could affect any person, company, or institution,\u201d says Raquel Jorge de Oliveira, an intelligence analyst at cybersecurity startup Harpia Tech in Rio de Janeiro.<\/p>\n<p>During her master&#8217;s degree, completed at the University of Bras\u00edlia (UnB) in 2021, she compared Brazilian policy with that of four European countries\u2014Finland, Sweden, Denmark, and Norway\u2014of international renown in cybersecurity. In all four, there is continuous dialogue between institutions and internet users, which, according to Oliveira, does not happen in Brazil. 
She detailed her conclusions in an article published in the journal <em>Brasiliana: Journal for Brazilian Studies<\/em> in February 2022.<\/p>\n<p>\u201cCybersecurity legislation in Brazil provides for interactions between sectors of government and civil society, but always under the command of the GSI or the Ministry of Defense, with no permanent structure for coordinating interactions between government agencies and users,\u201d says Oliveira.<\/p>\n<p>Louise Marie Hurel, an international relations graduate pursuing a master&#8217;s degree at the London School of Economics, UK, shares a similar outlook. In an analysis published by the Igarap\u00e9 Institute, a nongovernmental institution based in Rio de Janeiro that studies climate and digital security, she wrote: \u201cAs much as the GSI already performs the role of coordination and facilitation within the federal government, its relationship with civil society remains fragile, with groups frequently pointing to a lack of transparency and militarization of the agenda by the GSI\u2019s Department of Information Security.\u201d<\/p>\n<p>When asked about this militarization, the GSI responded that national cyber defense is, in fact, one of the responsibilities of the Ministry of Defense. But the country&#8217;s cybersecurity, according to the agency, &#8220;is largely the responsibility of civil society organizations.&#8221; The agency cites the National Education and Research Network\u2019s Security Incident Response Center (CAIS) and the Brazilian Center for Security Incident Studies and Response (Cert.br), which manages incidents for the Brazilian Internet Steering Committee (CGI.br), as two of the most important civil institutions it works with. These organizations coordinate with the Government Center for Cybernetic Incident Prevention and Response (CTIR Gov).<\/p>\n<p>Calil says ANATEL helps maintain balance among all of these forces, expanding social participation. 
In 2021, the agency created the Technical Group on Cybersecurity and Critical Infrastructure Risk Management (GT-Ciber), composed of representatives from various telecommunications companies. The group edited ANATEL&#8217;s Act 77 of July 2021, which establishes cybersecurity requirements for telecommunications equipment and devices connected to the internet, such as routers, modems, cell phones, security cameras, and televisions.<\/p>\n<p>\u201cNow, we are waiting to speak with the new government and hoping for greater participation in updating the national strategy,\u201d says Gustavo Santana Borges, head of control of regulatory obligations at the agency and a member of GT-Ciber.<\/p>\n<p class=\"bibliografia separador-bibliografia\"><strong>Scientific articles<br \/>\n<\/strong>CARAPETO, R. &amp; CALIL, A. L.<a href=\"https:\/\/link.springer.com\/article\/10.1365\/s43439-022-00055-w#citeas\" target=\"_blank\" rel=\"noopener\"> Cybersecurity regulation in Brazil and Latin America: An overview<\/a>. <strong>International Cybersecurity Law Review<\/strong>. pp. 385\u2013410. May 2022.<br \/>\nHUREL, L. M. <a href=\"https:\/\/igarape.org.br\/wp-content\/uploads\/2021\/04\/AE-54_Seguranca-cibernetica-no-Brasil.pdf\" target=\"_blank\" rel=\"noopener\">Ciberseguran\u00e7a no Brasil: Uma an\u00e1lise da estrat\u00e9gia nacional<\/a>. <strong>Igarap\u00e9 Institute.<\/strong> Online. Apr. 2021.<br \/>\nOLIVEIRA, R. J.<a href=\"https:\/\/tidsskrift.dk\/bras\/article\/view\/128390\" target=\"_blank\" rel=\"noopener\"> Notes on the militarization of Brazilian cybersecurity: Current state of affairs and perspectives on the near future<\/a>. <strong>Brasiliana: Journal for Brazilian Studies<\/strong>. Vol. 10, no. 2. Feb. 
2022.<\/p>\n","protected":false},"excerpt":{"rendered":"Brazilian data security legislation takes important steps forward, but devices connected to the internet are still vulnerable","protected":false},"author":684,"featured_media":483496,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[169],"tags":[219,264],"coauthors":[2721],"class_list":["post-483495","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-computation","tag-information-technology"],"acf":[],"_links":{"self":[{"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/posts\/483495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/users\/684"}],"replies":[{"embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/comments?post=483495"}],"version-history":[{"count":2,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/posts\/483495\/revisions"}],"predecessor-version":[{"id":483517,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/posts\/483495\/revisions\/483517"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/media\/483496"}],"wp:attachment":[{"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/media?parent=483495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/categories?post=483495"},{"taxonomy":"post_tag","embeddable":true,"href":"ht
tps:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/tags?post=483495"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/revistapesquisa.fapesp.br\/en\/wp-json\/wp\/v2\/coauthors?post=483495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}