Brazil has embraced the digital age with more gusto than most countries. It is one of the top users of social media and recently signed-off on a bill of rights for the Internet, the marco civil. The country is also a leader in the development of online banking with more than 43% of web users engaging such services, and can be proud of a thriving software industry, including some world beating companies.
But as computer users around the world are beginning to grasp, the spread of the digital world has its downsides. Alongside all the great things the Internet offers, not least new forms of political and economic empowerment, it brings some very serious threats.
Brazilians are waking up to the reality of online scams, hacking, espionage and digital surveillance. And while the government is taking cyber malfeasance seriously, it may have seriously misinterpreted the nature and significance of those threats and, as a consequence, the best way to tackle them.
For political reasons, Brasilia has outsourced most responsibility for the country’s cyber security to the military. While the armed forces have enthusiastically embraced this new role, placing them in charge of overall cyber security for both civilian and military networks is a mismatch that could have damaging consequences for the country’s security.
Not all cyber threats are equal. Perhaps the most egregious one is economically-motivated cyber-crime – the targeting of private banks, firms and individuals. Others are posed by domestic and international hacktivist groups intent on disrupting government services and corporate websites. Brazil´s popular protests of June-August 2013, for example, coincided with a sharp rise in hacktivist activity.
The revelations by Edward Snowden have ratcheted-up Brazil´s concern with cyber security. The US National Security Agency (NSA) was routinely spying on state and commercial networks, including listening in to the President’s phone conversations. Cyber espionage and perhaps, further down the line, cyber warfare are now threats that are being taken very seriously.
Notwithstanding the growing angst in Brasilia, and indeed across Latin American capitals, comparatively little is actually known about what real dangers are lurking in cyberspace. There is virtually no public debate or research into those responsible for launching attacks, what their interests and motivations might be, how they operate, or if and how they might be connected to criminal and political organizations.
There are only a few experts evaluating public and private sector responses to these threats which appear to have increased exponentially in numbers and sophistication in the last three years. While operating to a large extent in the dark, the Brazilian government has nevertheless rapidly constructed a sprawling cyber-security and defense infrastructure.
Its response is narrowly focused on just one or two dimensions of these threats – especially foreign ones. At the center of the state´s response is the Brazilian Army’s Center for Cyber-defense (CDCiber), one of the only such entities in South America. Yet the emphasis on a military response may be incommensurate with the real (as opposed to existential) threats facing the country. Despite allegations of Hezbollah smuggling weapons to Brazilian gangs (these rumors have been circulating for over a decade), the country has comparatively few external cyber threats from foreign governments or terrorist groups.
This represents a mismatch with the real and emerging threats in cyberspace. Instead of focusing on international and domestic cyber-criminality, which constitutes by far the gravest risk, the state is doubling down on strengthening cyber war-fighting and anti-terrorism capabilities. This is not to suggest that cyber terrorism and cyber warfare are not real threats. Rather the government is overemphasizing broader issues of national security rather than addressing the most pressing challenges confronting citizens – that is cyber-crime.
The military approach to cyber insecurity in Brazil is consistent with a broader effort to find the role of the Brazilian armed forces in the twenty-first century. On the one hand, they are strengthening border control and anti-drug activities in the Amazon and the so-called tri-border area of Argentina, Brazil and Paraguay. On the other, the armed forces are seeking to expand their reach and influence in cyberspace.
All of this has profound consequences for individual rights and public spending. The out-sized military response risks compromising citizens’ fundamental rights owing to, among other things, the temptation to undertake their own surveillance and censorship. For instance, CDCiber and Brazil’s central intelligence agency (ABIN) created social media monitoring platforms in the aftermath of the 2013 protests. Meanwhile, other public institutions such as the Federal Police are less generously resourced and supported.
These developments are partly inspired by Brazil´s desire to enhance its geopolitical reach and relevance. As a rising power, the Brazilian government is mobilizing the country’s nascent cyber-security architecture to project soft power in bilateral relations and multilateral arenas. For example, in 2013 the President requested that the UN develop a new global legal system to govern the Internet. Brazil´s own architecture is still work in progress. While there have been some important developments, there are conflicting lines of accountability among institutions, distorted funding priorities, confused public debate, contradictory legislative measures and the importation of outside solutions for local challenges. In the meantime, the military has “captured” resources for cyber defense, with potentially dangerous implications for civil liberties more generally.
What is more, the comparatively limited engagement of civil society in cyber security debates in Brazil means that the armed forces have free reign to advance their interests. What is urgently needed is a balanced cyber security strategy, one that accurately gauges evolving threats to understand where future vulnerabilities reside.
First, the government should encourage people to talk. There is a now a lively conversation in Brazil about the many positive developments related to e-governance, smart cities, digital sovereignty and other new information technologies. Curiously, there is a silence on issues related to cyber-security and cyber-defense. Where debated at all, conversations tend to be reserved to the highest levels of government, the armed forces, law enforcement agencies and a narrow group of businesses, though there are signs this may be starting to change.
The second step is to put in place measured and efficient strategies to engage cyber threats. Since the budgets allocated for cyber-related issues are hard to predict, there is considerable bureaucratic competition over funds. Military, law enforcement and civilian entities may exaggerate risks in order to increase their likely access to resources. If Brazil is to build a cyber security system fit for purpose, an informed debate is imperative.
At a minimum, Brazilians need to better understand the dynamics of cyber-crime groups, and the ways in which traditional crime is migrating online. They also need to monitor how security forces are adapting new surveillance technologies. Above all, the government should encourage a broader debate with a clear communications strategy about the need for cyber security and what forms this might take.
Gustavo Diniz is a former researcher at the Igarapé Institute.
Misha Glenny is a former BBC correspondent, the author of 3 books on Eastern and South Eastern Europe, including The Balkans: Nationalism, War and the Great Powers, 1804-1999 (Penguin, 2001). His latest book is on trans-national organised crime and globalization, McMafia and Dark Markets.
This article is based on a forthcoming Strategic Paper by the Igarapé Institute – Deconstructing Cyber Security in Brazil: Threats and Responses – coming out in December 2014. See www.igarape.org.br.
This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.