Cyber security governance in Brazil: keeping silos or building bridges?

Louise Marie Hurel and Luisa Cruz Lobato


The year is 2008. This was the very first time that the Brazilian national defense strategy recognized cyberspace as one of the strategic domains for the country’s defense and national security. At that time, cyber attacks were becoming notorious and ever more reflective of geopolitical tensions. One year earlier, Estonia had suffered a major cyber attack from Russia, followed later on by further Russian attacks in Georgia. Not that differently from the growing global concern with cyber security, Brazil had then started to witness what would become a decade of fundamental institutional developments aimed at consolidating an architecture for cyber security governance within the federal government and a national cyber security agenda informed by concerns with external threats, “cyber wars,” and the country’s existent problem of terrorism. These initial concerns would later be replaced by an emphasis on combating cybercrime and digital propaganda — but not before bequeathing a set of institutional arrangements and organizations that have become part of the government’s cyber infrastructure. At the same time, the institutional legacy from this period came to coexist and interact with existing non-governmental organizations involved in technical response to cyber incidents and with developing Internet policy (Hurel, 2019).

How has this change taken place? How did the Brazilian cyber security ecosystem come into existence and how can we make sense of the shifts in the cyber threat landscape in the past decade? Additionally, how can we make sense of these shifts institutionally, within the federal government? In posing these questions, this chapter provides an overview of the state-of-art of cyber security governance in Brazil, presenting a complex landscape of actors and institutions responsible for the country’s cyber incident response, cyber policy, information security, and cyber defense strategies. It points to the current challenges that institutions and actors working with cyber security in Brazil face, including a persisting misalignment between threat perception and response, and a lack of concerted action among the variety of governmental and non-governmental bodies. The governance of cyber security in Brazil is characterized by a continuous tension between isolated responses to threats and attempts of concerted action, which substantially affects the effectiveness and coherence of existing strategies vis-a-vis actual threats, in addition to making it hard for extensive collaboration outside of already established niches sharing a similar understanding of threats.

The chapter is structured in four sections. The first section will draw a map of the cyber threat landscape in Brazil, which includes dimensions of defense policy, concerns with cyber terrorism, and cybercrime. It traces the shifting threat concerns since the initial build-up of the government’s cyber infrastructure and points to how it slowly adjusted to respond to high impact/low probability threats — instead of focusing on high probability ones. Second, the chapter presents an overview of the cyber security institutional landscape and the main concepts from the country’s national cyber security documents that have contributed to structuring the contemporary governance landscape. It then traces the challenges and opportunities for political action, concluding with the diagnosis that one of the main challenges faced by those engaged in cyber security policy making is the poor alignment between strategy and actual threats.

Cyber security in Brazil

Risk landscape

Cyber security emerged as a national concern in Brazil following profound transformations deriving from the digitalization of infrastructures, society, economy, and politics. Between 2008 and 2017, the country’s digital penetration rate jumped from 18 to 61 per cent (TIC Domicilios, 2018), financial institutions have gone fully digital with more than 604 financial start-ups across the country (FintechLab, 2019), and social media has achieved a central role in the creation and mediation of public opinion — with more than 120 million users in Brazil. On the other hand, reports from the Brazilian National Computer Emergency Response Team ( highlight that the number of registered incidents increased from 3,107 in 1999 to 833,775 in 2017 - reaching its peak in 2014, with more than a million incidents reported. These incidents include Distributed Denial of Service (DDoS) attacks, computer invasion, scans, worms, fraud, and web attacks.

Understanding which cyber risks are established, prioritized and how they feed into institutional responses to perceived threats is fundamental to the task of tracing the architecture of cyber security governance in Brazil, not least because they tell us what kind of institutional setting is prioritized as the most suitable to responding to upcoming threats. Thus, for example, a focus on cyber war might likely lead to a protagonism of military doctrines and rationales as adequate responses and, thus, to an allocation of resources to military or defense-oriented actors. Likewise, a focus on “domestic threats,” i.e., local hacktivism and online political activism, or on “cybercrime,” might foster a greater investment on intelligence, surveillance, or investigative capacities within the current institutional landscape or even lead to the establishing of new organizations and institutions.

Risks are significantly distinct from threats, despite the fact that both are profoundly entangled when it comes to security (National Research Council, 1991). Whereas threats suggest the existence, present or in potentia, of something that can exploit a vulnerability, cause damage, or destroy an asset, risk refers to the possibility of a threat to effectively cause destruction or damage (Dunn Cavelty, 2009). That is to say, risks are associated to threats in their potential, always pointing towards a future (immediate or not). Defining risks is a normative action that relies on the mobilization of a “risk grammar” that seeks to trigger actions to prevent the occurrence of or mitigate the impacts related to a particular risk. Risk is a call for action (both material and discursive) in face of uncertainty (Lobato, 2016).

Risks and threats are culturally and historically constructed. Not only are they mutable across time and space, but they are most intimately dependent on and responsive to shifts in the political context (Giddens, 1990; Beck, 1992). This is important as it provides us with at least two considerations that inform the analysis of the competing notions of risks in Brazil. First, it allows us to consider who can “call to action” — identify risks or define priorities. Second, it places the notion of risks and threats in a wider horizon of political, social, and economic dynamics. Thus, the exercise of understanding cyber risks in Brazil should not be limited to actions and/or mitigation strategies (such as the repair, maintenance, and management of infrastructures). Rather, we should also consider how these priorities are negotiated and resources mobilized within this cultural and political context.

In this section we (i) identify the dominating understandings of cyber threats at the national level and (ii) trace the emergence and change in the perception of risks and threats in light of the shifts in the socio-political context. We contend that the institutional development of cyber security in Brazil was marked by specific concerns related to external threats such as espionage and foreign interference. However, the growing political instability in late 2015 onwards combined with the fast digitization of society created new conditions for a shift in threat perception. That does not necessarily mean that new threats emerged, rather that already-existing perceptions of risk/threats linked to cybercrime could emerge within this particular context. What is more, it sheds light to the competing and, at times, complementary perceptions of threat.

Brazil hosted five “mega-events” in a period of four years, starting with the Rio+20 Conference for Sustainable Development in 2012 and closing with the Olympic Games in 2016. The imminence of the so-called “mega-events” in the country, that is, large-scale international events that are characterized by the large-scale attraction of visitors, significant media outreach, high costs, and big transformations in the urban infrastructure, environment, and population (Muller, 2015), raised substantial concerns as to which would be the main sources of threats to the country’s Internet infrastructure. Scholarly literature (Gaffney, 2010; Cardoso, 2013) has noted that these events act as key moments for the transformation of public security governance (see Figure 43.1).

Consecutive events, such as the Confederations Cup, World Cup, and the Olympic Games, prompted preparatory responses by the federal government, which culminated in the creation of organizations and institutions that would add to the burgeoning Internet infrastructure (De Carvalho & Cukierman, 2015). Here we explore two dimensions of the threat landscape in the years that followed 2012.

Figure 43.1 Timeline of “Mega Events” Hosted by Brazil Since 2012. Source: Authors’ illustration.

The first dimension of the governance of national cyber security threat landscape in Brazil was one of combatting and identifying external threats. Between the years of 2012 and 2014 the main national concern revolved around low probability and high impact threats, such as cyber war and cyber terrorism. The early perception of cyber risks was substantially influenced by the — then — “newfound” threats to state security in cyberspace. Realization of these threats was intensified by media coverage and scholarly debates focusing on international events such as the cyber attacks against Georgia (2008) and Estonia (2007) and the discovery of the Stuxnet worm in the Iranian nuclear plant in Natanz (2010) (Dunn Cavelty, 2007). Alarmism regarding the imminence of a cyber war and the cyber terrorist threat rose substantially in this period. Not only did it overshadow the public debate on actual high-risk cyber security threats — such as fraud (Nery, 2017), cybercrime, data breaches, and theft — but it also raised ambiguous notions of cyber war and terrorism to the political agenda with little conceptual clarity to follow (Diniz, Muggah & Glenny, 2014).

This ambiguity provides a fertile ground for the redefinition and contestation of red lines. Some policymakers, for example, have highlighted that the unauthorized access to government sensitive information should be configured as an act of war (Senado Federal, 2012). According to the National Cyber Defense Policy, cyber war is defined as the use of a set of offensive and defensive measures to deny, explore, corrupt, and destroy opponent’s values through information, information systems, and computers (Defesa, 2012). At that time, mainly 2012, the concern — at least, discursively — was with capabilities, that is, how ready the government was to address cyber terrorism and cyber war — despite the fact that both were not concrete nor imminent threats to the country.

Distinctly from Western countries, cyber terrorism lags behind as a national security concern in Brazil and the country has not faced substantive terrorist threats in its history. Many scholars have argued that the misalignment between the perceived terrorist threat or the expectation of potential cyber war are indicators of the securitization of cyberspace by the state (Diniz, Muggah & Glenny, 2014; Cepik, Canabarro & Borne, 2014; De Souza & De Almeida, 2017; Hurel, 2019). Despite this, more recently, debates on cyber terrorism have been gradually returning to the political agenda as the Senate discusses a new antiterrorist law that seeks to incorporate the Internet as one dimension of the means and expressions of terrorism (Senado Federal, 2017).

According to the government, both information security and cyber security are becoming a priority for the strategic functions of the State. This includes the protection of critical infrastructures, information, individual rights such as privacy, and national sovereignty. Based on media articles and computer security companies’ reports (Kaspersky, 2017; Symantec, 2019), Figure 43.2 illustrates the likelihood and impact of the cyber events that were most highlighted during the mega-events period in the country, having as reference the national defense framework that guided most of debates in this period. As shown, it considers as high impact attacks those actions that could likely result in loss of human life, sensitive government information, or political instability.

However, if we change the reference point to the market sector and consider the main impacts in terms of financial costs, the figure substantially changes (see Figure 43.3).

This shift suggests that prioritization of a group of risks associated to threats to national defense has substantially shaped efforts to create and/or establish adequate responses to them. At first, Brazil’s cyber security governance architecture adjusted to respond to high impact, low probability threats partly as a strategy to address the international attention received during the Olympic Games and the World Cup, and partly as the continuation of a trend to focus on military and national defense issues on cyberspace (i.e., cyber war and cyber terrorism).

Figure 43.2 The Cyber Threat Landscape in Brazil, 2012-2016 — (National Defense-Oriented). Source: Authors’ illustration.

*The figure portrays the 2012—2015 Brazil cyber threat landscape from the perspective of the national defense sector. It replicates the “perspective” of national defense institutions, including their threat characterizations and prioritizations. The figure splits the risk of a cyber threat to occur along two axes: the horizontal axis comprises the expected impact of such risk, ranging from “low” to “high,” whereas the vertical comprises the probability of a risk to take place and also ranges from “low” to “high.” Defining whether a risk is of low/high probability/impact depends on the estimated frequency of the event, on the one hand, and its expected financial, economic, information, or human loss, on the other. Our risk matrix adapts Bostrom’s and Cirkovic’s (2008) three variables of risk severity into two variables: impact and probability. In terms of impact, the severity of a risk depends on how many people it would affect (and how badly) and, in terms of probability, it depends on how likely it is to occur, provided the best evidence available at the time in which this judgment took place. High impact events would have to affect entire populations and cause great damage (thousands of fatalities, compromise of critical health and supply/transport infrastructures or pose great danger to national security), in contrast to low impact events, whose damage may include limited financial losses, minor nuisances and temporary suspension of non-essential services. Whether an event probability is high or low depends on the frequency with which it occurs.

Figure 43.3 Cyber Threat Landscape in Brazil, 2012—2016. Source: Authors’ illustration.

*This figure illustrates the cyber threat matrix using a market-oriented approach.

Whilst external threats such as cyber war and terrorism characterize the predominant government perspective in the early years of the “mega-events,” in particular 2012 and 2013, it is far from portraying the risk landscape in its entirety. In addition to the late 2000s cyber war debates, an important risk-driver during 2014 was precisely the impact of the revelations of US mass surveillance and how it targeted Brazilian institutions. The Snowden revelations surfaced major concerns with foreign interference and espionage as well as resulted in direct political leadership engagement from former president Dilma Rousseff after having been targeted by the US government. It was also followed by key political and strategic responses, such as: (i) the approval of the Brazilian Internet Bill of Rights; (ii) the organization of NetMundial in Sao Paulo; and (iii) the elevation of privacy and security as allies in the national political agenda (Hurel & Santoro, 2018).

However, shortly after, political instability crept in as the country approached its presidential elections at the end of 2014, opening up space for a major political and economic crisis which later led to the impeachment of president Dilma, in 2016. During this period, waves of protest across the country preannounced a shift in the risk landscape from external to predominantly internal threats. Increasing polarization and use of social media created new conditions for the emergence of fake news, crimes, whistleblowing, and hacking as synonyms to risks associated with cyber security.

While political and economic instability contributed to a greater focus on domestic politics and threats, parallel events such as the 2016 Olympics also reflected similar internally focused concerns. In preparation for the international mega-event, the Brazilian intelligence agency publicly called attention to the role of hacktivism as one of the key drivers of potential attacks. The intelligence sector’s concern with hacktivism prior to the Olympics was rooted in the experience with the cases reported during the Confederations Cup, in 2013, the massive street protests in the same year, and the 2014 World Cup, when government webpages were defaced with politically motivated messages (Abin, 2016).

An ever-present and yet rather forgotten dimension of cyber security debates during this period was cybercrime — mainly characterized by economically motivated and computer-mediated breaches, data theft, fraud, and financial crimes (Diniz, Muggah & Glenny, 2014; Kaspersky, 2017). The costs of cybercrime in Brazil are particularly alarming — McAfee estimates losses reach approximately US$10 billion (Machado, 2018) — and the country has been at the epicenter of a global cybercrime wave (Muggah & Thompson, 2015). It ranks second in consumer losses by cybercrime (Statista, 2019a) and is the most targeted country in Latin America (Statista, 2019b). This scenario should also be read in the context of Brazil’s banking sector’s innovations and rising e-commerce infrastructure. Not only is the country an early adopter of secure Internet banking (Rosenthal, 2012; Fernandez, 2016), but also of emerging technologies such as biometric ones (Schmidt, 2013). According to Brazilian Federation of Banks (FEBRABAN), 40 per cent of all transactions in 2018, that is, 31.3 billion, were solely through mobile banking (Febraban, 2019). Being the “avant garde” of transformation of digital economy, however, also comes with a greater attack surface for crimes — such as online fraud schemes which include, but are not restricted to, the creation of fake banking web pages to lure customers into giving sensitive information.

A recent dimension of cyber risks that was left out of both Figures 43.2 and 43.3 is the impact of misinformation campaigns in Brazilian democratic institutions. Whereas formerly comprised in national defense concerns, impacts of digital technologies in regime stability was not a source of concern during the “mega-events” period and the institutional build-up of Brazil’s cyber security governance architecture. Attention was directed to this phenomenon after the election of US president Donald Trump and the Cambridge Analytica scandal and promptly fostered research on the impact of computational propaganda in Brazil (Arnaudo, 2017). As in the US case, the dynamics of misinformation in Brazil are closely related to the protection - or lack thereof - of databases containing users’ personal information. The emergence of social media platforms and business models focused on collecting as much data as possible about users’ behavior in order to improve services and allow for targeted advertising potentialized propaganda in a rather unforeseen fashion. Not only does it serve as a means for manipulation, influence campaigns, and other mechanisms for disputing and changing public opinion, but it provides new grounds for charismatic leadership to communicate with and identify their particular audience. In light of how such means are associated to the election of Brazil’s president Jair Bolsonaro and his communication, the following years will likely see in-depth assessments regarding the actual impact and reach of these efforts.

Furthermore, the politicization of the image of the hacker and its constitution as a politically invested agent has characterized the recent scandals involving the leaking of online correspondence between public prosecutors from the Operation Car Wash (“Lava Jato”) (Fishman, Martins, Demori, De Santi & Greenwald, 2019), which investigated a high-profile corruption scandal involving government and business representatives. In reaction to accusations of partiality, illegality, and judicial misconduct during the investigations which culminated in the conviction of Brazil’s former president Luiz Inacio Lula da Silva, prosecutors, the minister of justice, and president Jair Bolsonaro have questioned the authenticity of the messages, suggesting that they were hacked and were therefore illegal.

These developments suggest a continuation and possible deepening of actions and responses oriented towards an “internal” threat. That is to say, the prioritization of threats and consequent allocation of resources will likely keep following concerns with the possibility of disruption (technical and political) caused by the actions of the much-fantasized threat of the hacker and an anxiety with tracing and monitoring “disruptive” subjects online. In practice, this would align with a build-up of investigative and monitoring capabilities of the Federal Police, ABIN and, possibly, CDCiber. The immediate imprisonment of four people by the federal police (headed by Sergio Moro) for allegedly hacking into public authorities’ phones could be indicative of how investment in investigative and monitoring capabilities strengthens the role of this particular institution.

Institutional and political landscape

Cyber threat awareness was significantly pushed forward by (i) the military sector’s perceptions of international cyber security incidents and framing of the issue in terms of cyber war; (ii) rising cybercrime costs; and (iii) concerns with cyber attacks and cyber terrorism during the mega-events years. These three phenomena influenced different aspects of what should be called the “Brazilian cyber security strategy.” Officially, there is not a single document unifying this strategy, as in the case of the US or many EU countries; instead, there are three core documents that summarize the country’s national strategy to address cyber threats: The National Defense Strategy of 2008, its revision of 2012, the National Information Security Strategy of 2015, and the National Information Security Policy of 2019. This section analyses the same timeline of events; however, it departs from the understanding of the institutional and normative developments that both underpinned and emerged from the shifts in the risks landscape.

Concerns about cyber war, surveillance, and other foreign threats resulted in the inclusion of cyberspace as one of the key strategic sectors in the 2008 National Defense Strategy. This was a significant step, and perhaps the foundational moment for a national cyber security architecture to emerge under the auspices of the Ministry of Defense. The emphasis in this document paved the way for the government to create a new portfolio of activities and projects that would fall under the coordination of the Ministry of Defense and the Brazilian Army.

Cyber security’s ascent within the national agenda was not merely discursive, it also led to a significant resource mobilization. That does not come as a surprise as some companies and governments have a political and economic interest (and expectation of profitability) in echoing narratives of imminent cyber threat (Lindsay, 2017). The 2012 White Book of National Defense estimated 900 million Brazilian reais (approximately 220 million US dollars) in investments between 2011 and 2035 (Brasil, 2012a) for the army to establish a protection system for national cyberspace protection. This budget further included a list of six subprojects, three of which focused on the implementation of the: (i) National Cyber Defense Center (CDCiber), (ii) the Armed Forces’ Cyber Defense Command (ComDCiber), and (iii) the National School for Cyber Defense. That was the same year that the army had just established CDCiber and received a multi-year budget of 370 million to develop a national system for cyber defense (Brasil, 2012b). Moreover, 20 million reais were allocated solely for an integrated center for cyber security for that particular “megaevent” (Andrade, 2012).

Figure 43.4 Thematic Institutional Competencies

Source: Authors’ illustration, based on the Strategy for Information, Communications, and Cyber Security (see Brasil, 2015).

The Brazilian institutional architecture distinguishes cyber security competencies from information security and cyber defense (see Figure 43.4). This division follows competencies among different branches in the federal government, particularly as it incorporates military-civilian distinctions (cyber security vs. cyber defense) and — institutionally — differentiates security of the communications infrastructure (information security) from the security of machines and systems. In practice, this means attributing the competency for cyber defense to the armed forces (CDCiber and ComDCiber) while leaving information security within the institutional responsibility of the federal government through the Institutional Security Cabinet (GSI) and the Brazilian Intelligence Agency (ABIN).

The GSI is responsible for coordinating the information security activities and maintaining the Centre for Incident Response of the Governmental networks (CTIRgov) (CTIR, 2018). It is the main organisational body in charge of developing guidelines, strategies, and policies for information security at the national level. The CDCiber, on the other hand, integrated the Cyber Defense Command (ComDCiber). Its key activities are risk analysis, automatic incident detection, incident analysis, alert diffusion, and statistic recommendations.

To map and delve deeply into the different institutions that emerged in the past two decades would be a paper in itself. Figure 43.4 (Hurel & Lobato, 2018) is a representation of the key sectors and competencies that currently compose the wider national cyber security governance landscape. What is important within this panorama is to understand that though securitizing trends and predominant external threat perceptions have made the steep institutional inflation of governmental bodies and armed forces, operationally and strategically, cyber security is much broader in the sense that it entails coordination efforts.

Figure 43.5 Domestic Cyber Security Governance (Post/Olympics and Marco Civil Law) Source: Hurel and Lobato (2018).

This was evident during the “mega-events” where different technical bodies came together to establish coordination and integration efforts to respond to cyber attacks and vulnerabilities (Figure 43.5). During the 2014 World Cup, CDCiber established a center for operations with a central cyber defense body in charge of coordinating 13 teams scattered in key cities all across Brazil (CDCiber, Diniz, Muggah & Glenny, 2014). In 2015, collaborative efforts continued to take place whilst preparing for the Olympics in the following year. However, paradoxically, these exercises and actions were considerably restricted to the government bodies such as the Federal Police, National Telecommunications Agency, National Intelligence Agency, and specific representatives from academia (Agenda, 2015).

Conclusion: a strategic approach to national cyber security in-the-


To better understand the progression of cyber security governance in Brazil, we separate the institutional development into three stages. These should be understood as a framework of reference rather than an attempt to portray the totality of factors that play in the temporal development of national cyber security.

Early stage

The years of 2008 to 2012 were key for the normative and strategic consolidation of cyber security in the national security landscape. It was during these years that the concepts of information security, cyber security, and cyber defense began to take shape in the strategic agenda. Even though, historically, these terms appeared in 2000 in the Green Book on Information Society issued by the Ministry of Science and Technology, it was only after 2008 that a strategic pool of resources was allocated to support the construction of a cyber security organizational complex that would join both GSI (presidency), Armed Forces, and Computer Incident Response Teams (CSIRTs).

During the same period Internet governance was slowly maturing within the country. Thus, new technical organizations, such as the national Computer Emergency Response Team (, were created, in order to act as a designated focal point for reporting threats, incidents, and attacks.

Mid stage

These were the years of the “mega-events.” In Brazil, such events acted as important “contextual triggers” to the institutional and operational development of national cyber security. These years served as testing grounds for the newly established CDCiber and ComDCiber, mobilized financial resources, and began to consolidate specific networks of cooperation within the government and with some strategic sectors (critical infrastructure, federal police) through integrated centers of command and control.

The exercise of tracing threat perception in Brazil is a particularly relevant one as it enables us to unpack the factors which have substantively shaped the construction of the country’s national cyber security governance. As illustrated in the first section of this chapter, Brazil’s cyber risk landscape has been significantly affected by a series of internal and external events. The years preceding the World Cup (Diniz, Muggah & Glenny, 2014) and the Olympic Games (2016) in Brazil saw the progressive consolidation of an architecture of governance composed of actors from both the civilian and the military branches of the government, the private and financial sectors, and groups in the technical community. This architecture was however deeply shaped by militarized responses to a very specific set of projected cyber risks and included the build-up of a cyber defense system within the army which kicked off in 2008, with the publication of the National Defense Strategy. As of the moment of the writing of this chapter there were, at least, three branches of the army addressing some aspect of cyber defense: The Army Electronic Communications and Warfare Command, established in 2009, the Cyber Defense Center (CDCiber), created in 2010, and the Cyber Defense Command (ComDCiber), established in 2016 to integrate joint responses to cyber threats from the army, the navy, and the air force.

Current stage

With (i) institutions set in place within the government’s organizational structure, (ii) operational experience from an exceptional period of “mega-events,” and (iii) a consolidated repository of doctrines, strategies, and white papers to guide the actions of government bodies’ approach to information security and cyber security, Brazil has been shifting its efforts to refining information sharing, cooperation, and coordination practices. At the technical and operational level, some best practices include the establishment of cross-sector exercises to enhance information sharing in identifying and mitigating incidents. One example is the Guardiao Cibernetico, an exercise developed by CDCiber and universities to explore alternative threat scenarios whilst integrating more sectors to the coordination of incident handling and response (Grossmann, 2019).

In contrast, policymaking processes still struggle to transcend the centrality of bodies such as GSI and the Armed Forces, leaving civil society and academia side-tracked. One example is that the National Policy for Information Security (published in 2019) mentioned that different parts of society and the private sector would be included in the development of the National Cyber Security Strategy. In practice, that was not the case. The draft Strategy will only gather public comments during the already foreseen period of consultations. Cases such as this shed light on the existing gaps in communication, collaboration, and governance. An important part of building a culture of cyber security depends on the inclusion of these sectors in the actual “making” of policies. Their exclusion also results in a poor alignment between threats and the strategies designed to counter them and can further enhance a dichotomous view of privacy and security — all of which are central to the development of policies and efficient mechanisms for cooperation among stakeholders. A more balanced policy development approach would likely benefit from increasing cross-sector dialogues.

Furthermore, with a shift in the nation’s focus from combating externally generated threats to combating predominantly internal threats, the initial turn to militarized solutions has been gradually obfuscated by a concern with cyber crime and digital malfeasance (such as fake news and misinformation). In the case of cyber security threats, the fluidity of action and the transnational nature of actors, practices, and attacks repositions the notion of security as the state where “a set of dangers is counteracted or minimised” (Giddens, 1990: 36; see also, Beck, 1992). Whereas managing, repairing, and maintaining surely add to the prevention of risks, this repositioning also implies responses that include regulating, prosecuting, tracing and taking down illegal flows, malicious activities, misinformation, and other identified threats.

Politically, the development of laws, regulations, and policies shapes the understanding of threats, security, and risks. Two examples are worth mentioning. The first is the approval of Brazil’s National Data Protection Law. Information security and cyber security are associated with the integrity, reliability, and confidentiality of data (see Figure 43.4). However, with the approval of the Data Protection Law, security is understood less as contrasting with data protection and more as complementary to it, in the sense that both governments and companies are required to have minimum security standards to safeguard data. The second is the emergence of sectoral regulations that seek to establish minimum security standards. That is the case of the Central Bank’s 2018 regulation that sets specific security and cloud requirements for all financial organizations operating within the country.

Whereas cyber security has always been transversal to the operation and governance of companies and governments, there remains a large gap between recognition of this fact and cyber threat response in Brazil. In fact, the tension between recognizing the transversality of cyberspace (across borders, domains, and competencies) and framing threats as either internal or external has been constitutive of the institutional build-up of cyber security in the country and has likely contributed to shaping (either coordinated or misaligned) institutional responses to these threats. The contrast between responses that sought, on the one hand, the build-up of a militarized architecture, and responses that have, on the other hand, recurrently focused on “domestic” events — such as hacktivist campaigns, “politically invested hackers,” and even electoral misinformation propaganda — has very much contributed to a misleading stabilization of notions of internal vs. external threats as the basis of action. Not surprisingly, responses have come within “silos” of organizations and institutions with similar competencies and threat grammar, with limited space for (truly) concerted multi-stakeholder action in this field.


  • 1 This was also a time when cyber terrorism reached main international media headlines, with the early accounts of the Islamic State and their use of social media tools for global terrorist recruitment (see Weimann, 2005; Awan, 2017).
  • 2 International event for advancing a rights-respecting and multi-stakeholder Internet governance that was held in April 2014 following the Snowden Revelations.
  • 3 There was no contestation to the content of the chats.
  • 4 Scholars such as Souza and Almeida have suggested a different approach in the analysis of the institutionalization of cyber security in Brazil. Adopting a securitization theory lens, they contend that the first stage (until 2000) was one of non-politicization, from there on, politicized, and after 2008, securitized.

Suggested reading

Arnaudo, D. (2017a). “Computational Propaganda in Brazil: Social Bots during Elections,” Oxford Internet Institute Working Paper 2017.8. sites/89/2017/06/Comprop-Brazil-1.pdf

Diniz, G., Muggah, R. & Glenny, M. (2014). “Deconstructing cyber security in Brazil: Threats and responses,” Institute Igarape, 3-32. no-brasil-ameacas-e-respostas/

Hurel, L. M. & Lobato, L. C. (2018). “A Strategy for Cybersecurity Governance in Brazil,” Igarape Institute Strategic Paper no. 30. Cybersecurity-Governance-in-Brazil.pdf

Hurel, L. M. & Santoro, M. (2018). “Brazil, China and Internet Governance: Mapping Divergence and Convergence,” Journal of China and International Relations, 4(1): 98-115. index.php/jcir/issue/view/218


Abin. (2016, April 04). “Agenda expoe ameacas ciberneticas contra os Jogos Olimpicos em CPI da Camara.” da-camara/

Agenda. (2015, September 21). “Forcas Armadas e orgaos publicos e privados trabalharao para seguranca do ciberespaco.”—forcas-armadas-e-orgaos-publicos-e-privados-trabalharao-para-seguranca-do-ciberespaco/destaquese054.html?ajax_load=1

Andrade, H. D. (2012, May 28). “Rio+20 tera 15 mil homens na seguranca e centro contra ataques ciberneticos, diz ministro.” rio20-tera-15-mil-homens-na-seguranca-e-centro-contra-ataques-ciberneticos-diz-ministro.htm

Arnaudo, D. (2017). “Computational Propaganda in Brazil: Social Bots during Elections,” Oxford Internet Institute Working Paper 2017.8. uploads/sites/89/2017/06/Comprop-Brazil-l.pdf

Awan, I. (2017). “Cyber Extremism: Isis and the Power of Social Media,” Social Science and Public Policy, 52(2): 138-149.

Beck, U. (1992). Risk Society: Towards a New Modernity. London: SAGE.

Bostrom, N. & Cirkovic, M. M. (eds.). (2008). Global Catastrophic Risks. Oxford: Oxford University Press.

Brasil. (2012a). “Livro Branco de Defesa Nacional.” Brasilia: Ministerio da Defesa.

Brasil. (2012b). Acoes Orcamentarias Integrantes da Lei Orcamentaria para 2012. Brasilia: Ministerio do Planejamento e Gestao.

Brasil. (2015). Estrategia de Seguranca da Informacao e Comunicacoes e de Seguranca Cibernetica da Administracao Publica Federal 2015-2018. Brasilia: Gabinete de Seguranca Institucional.

Cardoso, B. D. V. (2013). “Megaeventos esportivos e modernizacao tecnologica,” Horizontes Antropologicos, 40, 119-148.

CTIR. (2018). “Oficina Equipes de Tratamento e Resposta a Incidentes em Redes Computacionais - ETIR [PowerPoint slides].” tra01_CTIR_Democlydes.pdf

De Carvalho, M. S. R. M. & Cukierman, H. L. (2015). “The Dawn of the Internet in Brazil,” IEEE Annals of the History of Computing, 37(4): 54-63.

Diniz, G., Muggah, R. & Glenny, M. (2014). “Deconstructing cyber security in Brazil: Threats and responses,” Institute Igarape, 3-32. no-brasil-ameacas-e-respostas/

Dunn Cavelty, M. (2009). “Securing the digital age: The challenges of complexity for critical infrastructure protection and IR theory,” in J. Eriksson & G. E. Giacomello (eds.), International Relations and Security in the Digital Age (pp. 85-105). New York: Routledge.

Dunn Cavelty, M. (2007). Cyber-Security and Threat Politics: US Efforts to Secure the Information Age. CSS Studies in Security and International Relations. London: Routledge.

Febraban. (2019). “Pesquisa FEBRABAN de Tecnologia Bancaria de 2019.” https://cmsportal.febraban.

Federal, S. (2012). “Inimigos invisiveis: A guerra cibernetica,” Em Debate — Revista de Audiencias Publicas do Senado Federal, 3(10). para-a-implementaao-da-estrategia-nacional-de-defesa/inimigos-invisiveis-a-guerra-cibernetica.aspx

Fernandez, A. N. (2016, November 1). “Americans are finally about to get online banking features that Brazil has enjoyed for years.” and-money-transfers-in-america-but-brazil-has-been-enjoying-that-for-years/

FintechLab. (2019, June 12). “8a Edicao do Radar FintechLab Registra mais de 600 iniciativas.” https:// iniciativas/

Fishman, A., Martins, R. M., Demori, L., De Santi, A. & Greenwald, G. (2019, June 9). “Breach of ethics: Leaked Chats Between Brazilian Judge and Prosecutor Who Imprisoned Lula Reveal Prohibited Collaboration and Doubts Over Evidence.” https://theintercept.com/2019/06/09/brazil-lula-operation-car-wash-sergio-moro/

Gaffney, C. (2010). “Mega-events and socio-spatial dynamics in Rio de Janeiro, 1919-2016,” Journal of Latin American Geography, 9(1): 7-29.

Giddens, A. (1990). The Consequences of Modernity. Cambridge: Polity Press.

Grossmann, L. O. (2019, July 4). “Guardiao Cibernetico testa reacao a ataques contra redes de telecom.” veTemplate=mobile%252Csite&infoid=51121&sid=18

Hurel, L. M. & Santoro, M. (2018). “Brazil, China and Internet Governance: Mapping Divergence and Convergence,” Journal of China and International Relations, 6(1): 98-115. index.php/jcir/issue/view/218

Hurel, L. M. (2019). “Securitizacao e a Governanca da Seguranca Cibernetica no Brasil,” in J. Reia, P. A. P. Francisco, M. Barros & E. Magrani (eds.), Horizonte Presente: Tecnologia e Sociedade em Debate (pp. 320-342). Belo Horizonte: Editora Letramento.

Hurel, L. M. & Lobato, L. C. (2018). “A Strategy for Cybersecurity Governance in Brazil,” Igarape Institute Strategic Paper no. 30. for-Cybersecurity-Governance-in-Brazil.pdf

Kaspersky. (2017, March 27). “Cybersecurity in financial institutions 2016 — And what 2017 holds.”

Lindsay, J. (2017). “Restrained by design: The political economy of cybersecurity,” Digital Policy, Regulation and Governance, 19(6): 493-514.

Lobato, L. (2016). “Unraveling the cyber security market: The struggles among cyber security companies and the production of cyber (in)security,” [Master thesis], php?strSecao=resultado&nrSeq=27784@2

Machado, F. (2018, February 21). “Brasil perde US$ 10 bilhoes por ano com cibercrime, diz McAfee.” mcafee/

Muggah, R. & Thompson, N. (2015, September 17). “Brazil’s Cybercrime Problem,” Foreign Affairs. www.foreignaffairs.com/articles/south-america/2015-09-17/brazils-cybercrime-problem

Muller, M. (2015). “What makes an event a mega-event? Definitions and sizes,” Leisure Studies, 34(6): 627-642.

National Research Council. (1991). Computers at Risk: Safe Computing in the Information Age. Washington, DC: National Academy Press.

Nery, C. (2017, March 14). “Prioridade e Combater Fraudes.” prioridade-e-combater-fraudes

Rosenthal, J. (2012). The Economist: International Banking: Retail Renaissance. London: Penguin.

Schmidt, A. (2013, August 6). “Brazilian banks lead way on biometrics.” 08/06/brazilian-banks-lead-way-biometrics/

Senado Federal. (2017, October 16). “Audiencia aponta que terrorismo usa tecnologia para crescer.” tecnologia-para-crescer

Statista. (2019a). “Consumer loss through cyber crime worldwide in 2017, by victim country (in billion U.S. dollars).” cybercrime/

Statista. (2019b). “Countries in Latin America most targeted by cyber attacks in 2017.” www.statista.com/statistics/818412/latin-american-countries-highest-share-cyber-attacks/

Symantec. (2019). “Relatorio de Ameacas a Seguranca na Internet de 2019.” br/security-center/threat-report

TIC Domicilios. (2018). “TIC Domicilios 2017.” coletiva_de_imprensa.pdf

Weimann, G. (2005). “Cyberterrorism: Sum of All Fears?” Studies in Conflict & Terrorism, 28(2): 129-149.
