Brazil Prepares for Cyber War
By Dialogo December 14, 2011
The Brazilian government wants to revolutionize cyber security by readying the country’s military, law enforcement agencies and private sector for collaborative, preventive work.
In late November, security specialists gathered in Rio de Janeiro for a two-day Cyber Security International Forum that attracted top military officials, federal and state police, data processing entities, the Committee for Information Security, the Cyber Defense Center and the Presidential Institutional Security Cabinet (GSI), as well as private consultants and IT firms.
Maj. Brig. Álvaro Knupp, a director in the Defense Ministry, emphasized that cyber security and cyber defense are indeed a matter for society as a whole. “At the end of the day, in a war many more civilians die than soldiers,” he said.
The forum — organized by the Federal Service of Data Processing (SERPRO) — took place at Rio’s Windsor Atlântica Hotel and focused on the development of a national cyber security policy, known in Brazilian IT circles as the White Book. An initial step toward such a consolidated strategy was the Army’s recent launch of the Cyber Defense Center (CDCiber) to protect its communications networks.
“The Center is a step in the development of doctrines for the coordination of cyber security among all the branches of the Armed Forces and with other sectors of society,” said Army Lt. Gen. José Carlos dos Santos, commander of CDCiber.
Brazil constitution prohibits anonymity
In 2010, the GSI published its so-called Green Book of Brazil’s Cyber Security, intended as a conversation-starter to define the parameters of a collaborative national policy.
“National policies for any country are not the solution to the problems of Internet security that we all face,” said Vanda Scartezini, chair of the nominating committee of the Internet Corporation for Assigned Names and Numbers (ICANN), and one of the forum’s speakers.
The Green Book calls “to develop, cultivate and broaden a culture of cyber security in Brazil is a long-term and far-reaching challenge that merits prioritization and a joint effort in the building of consensus and premises and directives for the White Book.”
Specifically, a national cyber security policy includes symmetric cryptography, asymmetric techniques, security protocols, techniques for secure implementation, high-performance data processing, computation and quantum cryptography, project management and collaborative infrastructure, and human resources development.
“Brazil has an advantage in terms of law enforcement because our constitution prohibits anonymity. Therefore the identification of the owner of any domain is mandatory,” Scartezini said. The ideal would be to have international security legislation regulating all contracts with Internet providers and the sellers of domain names, “in order for the basis of the Internet to become more secure,” she said.
Scartezini said three components are essential to any cyber security policy. First, there should be international umbrella agreements that form the basis for establishment of country-specific legislation. Secondly, the policy needs an agreement that links registries, registrars, Internet service providers (ISPs) and domain name sellers. This would be based on a single code of conduct with penalties applicable by all countries for violations. Lastly, broader educational campaigns should be implemented to protect young people from possible online dangers.
Scartezini is not along on the demand for a more global focus.
“I strongly believe that as cyber is a global problem, it will require a global approach,” said William Beer, director of OneSecurity at PricewaterhouseCoopers. “Individual nations must not limit their focus to their own borders.”
Securing the nation’s data
SERPRO President Marcos Mazoni stressed the importance of information security for Brazil.
“People, businesses, all need to feel secure. The data that travels on our network and that of our clients is protected. We have created the conditions to provide and guarantee that security,” he said, recalling the attacks on SERPRO’s network a few months ago. “They said they got information from our network, but we proved it was not true. It was all public information, such as my email, for instance.”
The only thing that no security system can fully avoid is the mischief of professionals with access to information, he said. SERPRO has a partnership with the National Airport Authority to help with large events, starting with the Rio+20 Earth Summit next June. This will be a key test of the agency’s security.
“We will have several heads of state circulating through Rio de Janeiro. Our mission is to guarantee the cyber security of this event,” Mazoni said. “It is important that everybody know that security is not just a government matter, but a matter that should be debated by society as a whole.”
Cyber security now a defense issue
Since cyber-attacks have reached the level of national security threats, countries increasingly treat the protection of cyber space as a defense matter. The Brazilian Armed Forces are indeed playing a leading role.
“The need for preparation and technological knowledge imposes itself, but the military is not part of law enforcement,” said ICANN’s Scartezini. “Their readiness in cyber security is a function of a broader defense need, the defense of the state.”
Law enforcement agents have to be technologically well-equipped and trained and should act in concert with all other agencies in seeking a global policy of security for the net, Scartezini said.
Others, like PricewaterhouseCoopers’ Beer, said that the traditional approach to cyber security is simply not working and cannot keep up with the quantity, pace of change and complexities of cyber-attacks.
“A military mindset and approach can offer a more robust and focused manner to address the problem,” said Beer. “However, private-sector clients and the military are not used to working together and there is skepticism about collaborating from both groups.”
The Brazilian government’s invitation to the military and private sector to sit down to discuss the risks and potential solutions to cyber security is a step towards erasing some of that skepticism, which Beer says “is due to their different mentality and drivers, such as command and control vs. profit.”
Dos Santos, head of command at CDCiber, said multiple collaborations already exist between private industry and the government, and specifically the military on information technology, for instance, data and trend analysis.
“I think that, as the lines between our personal lives and professional lives become blurred due to consumerization and social media, a military approach will only work in large enterprises and behind the scenes in the data centers,” Beer said. “It is not suited for dealing with how you and I use the Internet for personal reasons.”
The limits of censorship
While it may be tempting, censorship is not the way to secure the Internet and reduce the virtual attacks, said Scartezini, who’s also a professor at the University of São Paulo. It would also stifle innovation by users, which has been the reason for the Internet’s success, she said, noting that “any action that restricts the Internet constitutes a direct attack on the capacity for innovation that it brings to the world.”
Scartezini puts stock in the importance of public awareness, in particular for youth. For her, meetings such as the Cyber Security International Forum promote a needed debate about Internet security and collaboration.
Since 2009, Brazilian law enforcement agencies have lobbied hard for international monitoring and capture of those who commit crimes via the Internet, particularly child pornography and human trafficking. But to be successful, she said, there must be an agreement to share information about domain names and ISPs. All this data needs to be preserved for investigation for a set period of time, with access to the data bank as well as continuous information exchange about sites associated with crimes such as pedophilia.
That would prevent the selling of new domain names to individuals wanted by any law enforcement agency for Internet crimes, she said.
“The best approach is to negotiate individual agreements and incorporate them in a structure that maintains an internal logic, so that in time we will have a complete, international legislation on the topic,” Scartezini said.