Brazil Must Rebalance Its Approach to Cybersecurity
Council on Foreign Relations
September, 2016
When Brazil attends the Group of 20 Summit in Hangzhou next week, cybersecurity will be at the top of everyone’s mind. This includes President Obama, who received a letter from U.S. senators this week urging him to raise the issue with his Chinese hosts. A spate of high-profile cyberattacks against U.S. government agencies, UK phone retailers and South Korean credit card companies is a dark reminder of the real dangers of security breaches and data theft. Cyber criminals are far ahead of international and domestic law enforcement. And the costs of cybercrime to the global economy are enormous, estimated to reach $2.1 trillion a year by 2019.
Brazil also has reason to be nervous. The country is at the epicenter of a global cybercrime wave. It ranks second in the world for online banking fraud and financial malware. And the problem appears to be worsening. The number and intensity of cyberattacks have risen significantly over the past few years. A 2012 study estimated the annual costs of cybercrime at R$16 billion (US$4.9 billion). An electronic banking payment scheme alone netted hackers over R$8 billion (US$2 billion) over a two-year period. There is a ready supply of cybercrime tools and skills on the dark web.
One of the reasons Brazilians are so vulnerable is that the country was an early adopter of online banking. The latest data indicate that more than 54 percent of all banking transactions are made using internet-connected devices. Brazil’s online migration also spawned a generation of cyber criminals with a demonstrated ability to wreak digital havoc. In 2015, more than half of the cyberattacks reported to Brazilian authorities were of Brazilian origin, though it is an issue seldom discussed in local media.
Brazil has taken a number of steps to fight the problem. The Ministry of Justice and the Federal Police have ramped up the investigation and prosecution of online crimes such as child pornography. Brazil’s experience with mega-events has steadily expanded the role of the armed forces, with the Ministry of Defense’s cyber defense center (CDCiber) gaining more responsibilities. Some civil liberties advocates fear that the pendulum may have swung too far in favor of a securitization of cyberspace.
An open question is whether Brazil’s approach to addressing cybercrime is the right one. The massive outlay of digital security and surveillance infrastructure for the 2014 World Cup and 2016 Olympic Games is a case in point. If these platforms are left running indefinitely without adequate oversight by civilian authorities, there is real potential for abuse. Justice Minister Alexandre de Moraes has said explicitly that Brazil intends to maintain the surveillance infrastructure now in place, though he has offered few details about checks and balances to guarantee that civil liberties are protected.
There are also signs that Brazil’s Congress is ratcheting up its surveillance of cyberspace. As a result of a congressional commission on cybercrime (CPICIBER), there are a number of bills that purport to increase penalties for cyber criminality, but may in fact curb basic digital freedoms. For example, one bill proposes that social media content that impugns someone’s honor must be removed within 48 hours. CPICIBER’s legislative proposals were widely condemned and several digital rights groups issued their own set of recommendations and guidance in addition to sending an open letter to Brazil’s Congress—efforts which resulted in some modest modifications to the commission’s proposals.
Brazil should consider taking a closer look at other G20 countries for effective ways to address cybercrime. Germany, for example, recently enacted legislation requiring financial institutions to report when they are a victim of a data breach or other cyberattack, imposing penalties for non-compliance. The European Parliament recently issued a similar directive, which EU countries must now implement into domestic legislation. The Brazilian government should consider adopting similar reporting mechanisms.
Brazil could also consider joining the other 49 countries that have signed and ratified the Budapest Convention, a framework that facilitates international cooperation on fighting cybercrime while protecting human rights and due process. While Brazil has complained about not being involved in its original drafting, the convention is the only internationally binding instrument to address cybercrime. At a minimum, the government needs to require greater transparency of service providers and financial institutions to ensure a more data-driven approach to cybersecurity.
Brazil has good reason to work with G20 partners to prevent cybercrime. After all, the majority of its citizens have been victimized by digital criminals operating abroad and, for the most part, at home. But the answer is not more intrusive surveillance. Rather, the focus must be on strengthening federal policing capabilities, developing sound legislation and improving Brazilians’ digital hygiene. If Brazil continues on its present course, there is a real danger that the proposed cure will be worse than the disease.