OAS releases report with recommendations on cyber security in Brazil


Report “Review of Cybersecurity Capacity – Federative Republic of Brazil”

In October 2020, the Organization of American States (OAS) released the report “Review of Cybersecurity Capacity – Federative Republic of Brazil” ¹, prepared between August 2018 and June 2020, which aimed to assess the maturity of cybersecurity capacity in the country and to support the strategic prioritization of investments in the sector.

Cybersecurity is a constantly growing challenge that must keep pace with technological change. The aim is to ensure data integrity and privacy through technologies and procedures directed at risk and incident management, technical, legal and regulatory compliance, internal controls, governance standards and educational campaigns.

This discussion, although not recent, has spread rapidly because of the massive and virtually real-time migration of face-to-face operations to remote mode, triggered by the pandemic. Concern with cybersecurity, however, must be permanent. After all, among the most prominent technological risks are cyber attacks, breakdown of information infrastructure, fraud and data theft (Global Risks Report 2020), while the Global Information Security Survey documents the growth of cyber attacks on global companies.

This is the context in which the approval of the National Cybersecurity Strategy (“E-Ciber”) through Decree No. 10.222/2020 proved relevant. Its content is tied to strategic planning in the area and lays the basis for a national debate through a broad set of recommendations on the design of a model of cyber governance, cyber resilience, a legal framework, and participation, partnership and collaboration among stakeholders.

The OAS report is organized around the five dimensions of cybersecurity capacity that make up the capacity maturity model designed by the Global Cyber Security Capacity Centre, in Oxford, namely: cybersecurity policy and strategy; cyber culture and society; cybersecurity education, training and skills; legal and regulatory frameworks; and standards, organizations and technology.

It was found that “the maturity of Brazil’s capacity to protect critical infrastructure varies between public and private operators”. Despite existing initiatives, cybersecurity legislation in Brazil remains under development, lacking a comprehensive regulatory framework that explicitly addresses the topic. This is also reflected in the limited spread of a cybersecurity culture, given the absence of a national awareness program and the need to train professionals specialized in the subject.

The conclusion of the report is divided into seven groups of recommendations, based on the information gathered during the preparation of the document. Their purpose is to guide Brazil in improving its existing cybersecurity capacity. In summary, the recommendations are as follows:

(1) Adherence to standards: adopt, at the national level, cybersecurity standards and good practices in the public and private sectors, establishing an institution responsible for implementing, auditing and evaluating the effectiveness of these standards through monitoring metrics, as well as legislation that allows disciplinary measures to be applied for policy violations;

(2) Resilience of the internet infrastructure: improve coordination and collaboration between the public and private sectors, carrying out regular assessments, in line with international guidelines, to identify and map critical flaws. In addition, establish a system to formally manage national infrastructure;

(3) Software quality: develop a catalog of secure software platforms and applications in the public and private sectors, designating an institution to stipulate common requirements for software quality and functionality in these sectors and to monitor and evaluate their quality;

(4) Technical security controls: a set of initiatives that includes frequent training for IT staff, provision of protection services against malware and viruses by internet service providers, establishment of extensive and up-to-date technical security controls with metrics to measure their effectiveness, promotion of best practices for users, and regular testing;

(5) Cryptographic controls: encourage the development and dissemination of these controls in all sectors and for all users, in order to protect data at rest and in transit, in accordance with international standards and guidelines;

(6) Cybersecurity market: extend collaboration with the private sector and academia on R&D, promoting the exchange of information and best practices between organizations;

(7) Responsible disclosure: develop a structure responsible for vulnerability disclosure in the public sector and encourage its adoption in the private sector, requiring a disclosure deadline, a scheduled resolution and a recognition report, together with the definition of notification requirements for all sectors.

Therefore, the OAS report is expected to encourage discussions on cybersecurity in Brazil, with the participation of all stakeholders, drawing on a joint and collaborative effort to build a governance architecture in this area, which directly contributes to market and user confidence.

By: Wilson Sales Belchior

¹ OAS. Review of Cybersecurity Capacity – Federative Republic of Brazil, 2020. Available at: http://www.oas.org/pt/ssm/cicte/docs/PORT-Revisao-da-Capacity-de-Ciberseguranca.pdf. Accessed Oct 30, 2020.
