Why Brazil Put Its Military In Charge of Cyber Security

Brazilian Marines take part in military training in the Formosa Training Camp, in Goias, north of Brasilia, on October 29, 2014.

Eraldo Peres/AP

AA Font size + Print

Brazilian Marines take part in military training in the Formosa Training Camp, in Goias, north of Brasilia, on October 29, 2014.

Brazil's military approach to cyber insecurity is consistent with a broader effort to find a role for the Brazilian armed forces in the 21st century. By Robert Muggah and Misha Glenny

Brazil has embraced the digital age with more gusto than most. It is one of the top users of social media and recently signed-off on a bill of rights for the Internet, the Marco Civil. The country is also a leader in the development of online banking with more than 43 percent of web users engaging such services, and can be proud of a thriving software industry, including some world class companies.

But as computer users around the world are beginning to grasp, the spread of the digital world has its dark side. Alongside all the great things the Internet offers, not least new forms of political and economic empowerment, it brings some very serious threats.

Brazilians are waking up to the reality of online scams, hacking, espionage and digital surveillance. And while the government is taking cyber malfeasance seriously, it may have seriously misinterpreted the nature and significance of those threats and, as a consequence, the best way to tackle them.

For political reasons, Brasilia has outsourced most responsibility for the country’s cybersecurity to the military. While the armed forces has enthusiastically embraced this new role, placing them in charge of overall cybersecurity for both civilian and military networks is a mismatch that could have damaging consequences the country’s security.

Not all cyber threats are equal. Perhaps the most egregious one is economically-motivated cyber crime—the targeting of private banks, firms and individuals. Others are posed by domestic and international hacktivist groups intent on disrupting government services and corporate websites. Brazil’s popular protests of June-August 2013, for example, coincided with a sharp rise in hacktivist activity.

Edward Snowden’s revelations have ratcheted-up Brazil’s concern with cybersecurity. The U.S. National Security Agency was routinely spying on state and commercial networks, including listening on Brazilian President Dilma Rousseff’s phone conversations. Brazil is friendly to the United States at a time of rising anti-Americanism in Latin America. But it, too, harbors a historical skepticism toward US intentions and Washington should not underestimate the reputational damage that its global surveillance strategy has inflicted. Cyber espionage and perhaps, further down the line, cyber warfare are now threats that are being taken very seriously.

Notwithstanding the growing angst in Brasilia, and indeed many capitals across the Americas, comparatively little is actually known about what real dangers are lurking in cyberspace. There is virtually no public debate or research into those responsible for launching attacks, what their interests and motivations might be, how they operate, or if and how they might be connected to criminal and political organizations.

There are only a few experts evaluating public and private sector responses to these threats which appear to have increased exponentially in number and sophistication in the last three years. While operating to a large extent in the dark, the Brazilian government has nevertheless rapidly constructed a sprawling cybersecurity and defense infrastructure.

Its response is narrowly focused on just one or two dimensions of these threats—especially foreign ones. At the center of the state’s response is the Brazilian Army’s Center for Cyber Defense (CDCiber), one of the only such entities in South America. Yet the emphasis on a military response may be incommensurate with the real (as opposed to existential) threats facing the country. Despite allegations of Hezbollah smuggling weapons to Brazilian gangs (these rumors have been circulating for decades), the country has comparatively few external cyber threats from foreign governments or terrorist groups.

This represents a mismatch with the real and emerging threats in cyberspace. Instead of focusing on international and domestic cyber-criminality, which constitutes by far the gravest risk, the state is doubling down on strengthening cyber war-fighting and anti-terrorism capabilities. This is not to suggest that cyberterrorism and cyber warfare are not real threats. Rather the government is overemphasizing broader issues of national security rather than addressing the most pressing challenges confronting citizens—that is cyber crime.

Although less than half of all Brazilians have bank accounts, the security of the country’s online banking infrastructure has always been more advanced that its American counterpart. Brazilian banks introduced double and even triple verification years before most other countries and biometric security is now the norm for most ATMs. Security in other online sectors, however, is far behind global standards and public or government sites are easily hacked.

The military approach to cyber insecurity in Brazil is consistent with a broader effort to find a role for the Brazilian armed forces in the twenty-first century. On the one hand, they are strengthening border control and anti-drug activities in the Amazon and the so-called tri-border area of Argentina, Brazil and Paraguay. On the other, the military is seeking to expand its reach and influence in cyberspace.

All of this has profound consequences for individual rights and public spending. The outsized military response risks compromising citizens’ fundamental rights owing to, among other things, the temptation to undertake surveillance and censorship. For instance, CDCiber and Brazil’s central intelligence agency (ABIN) created social media monitoring platforms in the aftermath of the 2013 protests.

Meanwhile, other public institutions such as the Federal Police are less generously resourced and supported. These developments are partly inspired by Brazil’s desire to enhance its geopolitical reach and relevance. As a rising power, the Brazilian government is mobilizing the country’s nascent cybersecurity architecture to project soft power in bilateral relations and multilateral arenas. For example, in 2013 the President requested that the UN develop a new global legal system to govern the Internet.

Brazil’s own Internet architecture is still work in progress. While there have been some important developments, there are conflicting lines of accountability among institutions, distorted funding priorities, confused public debate, contradictory legislative measures and the importation of outside solutions for local challenges. In the meantime, the military has “captured” resources for cyberdefense, with potentially dangerous implications for civil liberties more generally.

What is more, the comparatively limited engagement of civil society in cybersecurity debates in Brazil means that the armed forces have free reign to advance their interests. What is urgently needed is a balanced cyber security strategy, one that accurately gauges evolving threats to understand where future vulnerabilities reside.

First, the government should encourage people to talk. There is a now a lively conversation in Brazil about the many positive developments related to e-governance, smart cities, digital sovereignty and other new information technologies. Curiously, there is a silence on issues related to cybersecurity and cyberdefense. Where debated at all, conversations tend to be reserved to the highest levels of government, the armed forces, law enforcement agencies and a narrow group of businesses, though there are signs this may be starting to change.

The second step is to put in place measured and efficient strategies to engage cyber threats. Since the budgets allocated for cyber-related issues are hard to predict, there is considerable bureaucratic competition over funds. Military, law enforcement and civilian entities may exaggerate risks in order to increase their likely access to resources. If Brazil is to build a cybersecurity system fit for purpose, an informed debate is imperative.

At a minimum, Brazilians need to better understand the dynamics of cyber crime groups, and the ways in which traditional crime is migrating online. It also needs to monitor how security forces are adapting new surveillance technologies. Above all, the government should encourage a broader debate with a clear communications strategy about the need for cybersecurity and what forms this might take.

The authors would also like to give credit to Gustavo Diniz, a former researcher at the Igarapé Institute. This article is based on a new Strategic Paper by the Igarapé Institute—Deconstructing Cyber Security in Brazil: Threats and Responsesreleased in December 2014. An earlier version of this article was posted on OpenDemocracy

This post appears courtesy of CFR.org.

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from DefenseOne.com.
We think these reports might interest you:

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Top 5 Findings: Security of Internet of Things To Be Mission-Critical

    As federal agencies increasingly leverage these capabilities, government security stakeholders now must manage and secure a growing number of devices, including those being used remotely at the “edge” of networks in a variety of locations. With such security concerns in mind, Government Business Council undertook an indepth research study of federal government leaders in January 2017. Here are five of the key takeaways below which, taken together, paint a portrait of a government that is increasingly cognizant and concerned for the future security of IoT.

  • Coordinating Incident Response on Posts, Camps and Stations

    Effective incident response on posts, camps, and stations is an increasingly complex challenge. An effective response calls for seamless conversations between multiple stakeholders on the base and beyond its borders with civilian law enforcement and emergency services personnel. This whitepaper discusses what a modern dispatch solution looks like -- one that brings together diverse channels and media, simplifies the dispatch environment and addresses technical integration challenges to ensure next generation safety and response on Department of Defense posts, camps and stations.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation


When you download a report, your information may be shared with the underwriters of that document.