Latin America and the Caribbean: Climbing the Cybersecurity Ladder

The fast-evolving integration of cyberspace into the daily lives of the people in the region and countries’ critical infrastructure offers numerous social and economic opportunities. It also poses significant challenges, particularly for countries with nascent digital economies.  Latin America and the Caribbean are experiencing an internet boom, with a growth of 1,808.4 percent in the last decade alone (source: Internet World Stats). Yet 45% of the region’s population is not yet online and significant investments in broadband and infrastructure will be required for the region and its population to more fully reap the benefits of the digital economy. It is estimated that a 10% increase in broadband penetration in the region could boost GDP by an average 3.2% and increase productivity by 2.6% (source: IDB).

Written by: Alfred Schandlbauer, Executive Secretary, Inter-American Committee against Terrorism, Organization of American States

Risks to data integrity, availability and confidentiality

Based on a survey on cybersecurity and critical infrastructure conducted by the Organization of American States (OAS) and the cybersecurity company Trend Micro in 2015, 53 percent of respondents noticed an increasing tempo of attacks on their computer systems, and 76 percent stated that cyberattacks were getting more sophisticated. The risk to data integrity, availability and confidentiality could negatively affect the productivity and economic growth of a region that is still struggling to propel itself into the digital age.  A digital economy can only flourish in an open, stable and secure environment trusted by its users; hence, it is critical that ICT investments are matched with similar investments in cybersecurity. The latter requires a comprehensive approach, ranging from technological investments to policies aimed at fostering a culture of digital safety.

Bearing this in mind, the OAS, in collaboration with the Inter-American Development Bank (IDB), recently published a comprehensive report on the state of cybersecurity preparedness in the 32 countries of Latin America and the Caribbean entitled: 2016 Cybersecurity: Are We Ready in Latin America and the Caribbean?

Cybersecurity: Are we ready in Latin America and the Caribbean 2016.

Cyber readiness across five dimensions

The report provides an in-depth assessment of the cybersecurity capabilities of the countries of the Western Hemisphere, based on the Capability Maturity Model (CMM) developed by the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford. That model, employed for the first time in the world in this study on Latin America and the Caribbean (LAC), provides analysis based on five dimensions: (i) National Cybersecurity Policy and Strategy; (ii) Cyber Culture and Society; (iii) Cybersecurity Education, Training and Skills; (iv) Legal and Regulatory Frameworks; and (v) Standards, Organizations and Technologies. Each dimension encompasses a number of indicators, which are graded according to five “maturity” levels, from an initial stage of maturity (in which a country may have just started discussing cybersecurity matters) to a stage in which a country is able to rapidly adapt to changes in the cybersecurity landscape.

By indicating the level of cybersecurity maturity in these different dimensions, our study highlights current advances in the 32 LAC countries, as well as insights with respect to prioritizing cybersecurity investments, providing national stakeholders with a complete understanding of their country’s cybersecurity situation.

The report concluded that of the countries in the region, Argentina, Brazil, Chile, Colombia, Mexico and Uruguay have relatively more developed cyber regimes. However, despite having fewer resources to direct at the issue, the Caribbean and Central American countries are as advanced in their legal frameworks.  Overall, Latin American and Caribbean countries have made significant efforts in updating domestic legislation to combat cybercrime.  Despite these advances, though, procedural cybercrime legislation requires reform to allow for the adequate prosecution of cybercrimes.  Likewise, privacy and data protection frameworks could be improved and benefit from the participation of civil society actors in this discussion.

Similarly, Brazil, Colombia, Mexico and Uruguay perform strongly in the areas of developing a cyber culture and educating their populations about its importance. Other countries in the region could benefit from greater investment in those areas. To that end, governments, the private sector, and civil society should work together to increase national awareness of cyber risks and the potential impact of cyberattacks. Public-private partnerships must be formed and utilized to gain a better understanding of each country’s urgent needs in the marketplace as they relate to cybersecurity. An early introduction of computer science and information security courses at all levels of the education system throughout the hemisphere would better prepare the next-generation workforce.

Observatory of Cybersecurity in Latin America and the Caribbean.

A need for national cybersecurity strategies

The two least developed of the dimensions examined by the survey for the entire LAC region were “Policy and Strategy” and “Technologies,” with the latter dimension being essential to ensure the resilience of national critical infrastructure against cyberattacks. To strengthen that dimension, many countries would benefit from inventories of their essential services, critical assets and critical information infrastructure in terms of cybersecurity, for the purposes of conducting risk assessments and implementing mitigation measures. Many countries in the region, particularly in the Caribbean, have yet to create and implement national Cyber Security Incident Response Teams (CSIRTs), which are essential to coordinate incident response at the national level and to serve as points of contact for international incidents.

Finally, slow implementation and development of well-coordinated critical cybersecurity policies in the region significantly affects maturity levels in the “Policy and Strategy” dimension. In many cases this is attributable to an unclear governance structure to address cybersecurity at the national level. A clear coordination structure for cybersecurity is one of the first steps a country must take to move further up the cybersecurity ladder by also improving progress in the other four dimensions, as such a structure would clarify lines of action and the roles that must be played by the different stakeholders to strengthen national cybersecurity.

We believe reports of this nature are important to provide a comprehensive understanding of not only the challenges and gaps in cybersecurity, but also the opportunities and strengths that each country can explore to continue to improve its cyber capacities. In particular, it is our view that this report contributes to the cybersecurity literature by providing a more complete perspective of the LAC region. Given the dynamic nature of cybersecurity, the reapplication of the model utilized in our report on a periodic basis is critical to verify the region’s improvements and assess what still needs to be done.