Brazilian Marines take part in military training in the Formosa Training Camp, in Goias, north of Brasilia, on October 29, 2014.

Brazilian Marines take part in military training in the Formosa Training Camp, in Goias, north of Brasilia, on October 29, 2014. Eraldo Peres/AP

Science & Tech

Why Brazil Put Its Military In Charge of Cyber Security

Brazil's military approach to cyber insecurity is consistent with a broader effort to find a role for the Brazilian armed forces in the 21st century. By Robert Muggah and Misha Glenny

Robert Muggah and Misha Glenny,
Council on Foreign Relations

|
By Robert Muggah and Misha Glenny,
Council on Foreign Relations

Brazil has embraced the digital age with more gusto than most. It is one of the top users of social media and recently signed-off on a bill of rights for the Internet, the Marco Civil. The country is also a leader in the development of online banking with more than 43 percent of web users engaging such services, and can be proud of a thriving software industry, including some world class companies.

But as computer users around the world are beginning to grasp, the spread of the digital world has its dark side. Alongside all the great things the Internet offers, not least new forms of political and economic empowerment, it brings some very serious threats.

Brazilians are waking up to the reality of online scams, hacking, espionage and digital surveillance. And while the government is taking cyber malfeasance seriously, it may have seriously misinterpreted the nature and significance of those threats and, as a consequence, the best way to tackle them.

For political reasons, Brasilia has outsourced most responsibility for the country’s cybersecurity to the military. While the armed forces has enthusiastically embraced this new role, placing them in charge of overall cybersecurity for both civilian and military networks is a mismatch that could have damaging consequences the country’s security.

Not all cyber threats are equal. Perhaps the most egregious one is economically-motivated cyber crime—the targeting of private banks, firms and individuals. Others are posed by domestic and international hacktivist groups intent on disrupting government services and corporate websites. Brazil’s popular protests of June-August 2013, for example, coincided with a sharp rise in hacktivist activity.

Edward Snowden’s revelations have ratcheted-up Brazil’s concern with cybersecurity. The U.S. National Security Agency was routinely spying on state and commercial networks, including listening on Brazilian President Dilma Rousseff’s phone conversations. Brazil is friendly to the United States at a time of rising anti-Americanism in Latin America. But it, too, harbors a historical skepticism toward US intentions and Washington should not underestimate the reputational damage that its global surveillance strategy has inflicted. Cyber espionage and perhaps, further down the line, cyber warfare are now threats that are being taken very seriously.

Notwithstanding the growing angst in Brasilia, and indeed many capitals across the Americas, comparatively little is actually known about what real dangers are lurking in cyberspace. There is virtually no public debate or research into those responsible for launching attacks, what their interests and motivations might be, how they operate, or if and how they might be connected to criminal and political organizations.

There are only a few experts evaluating public and private sector responses to these threats which appear to have increased exponentially in number and sophistication in the last three years. While operating to a large extent in the dark, the Brazilian government has nevertheless rapidly constructed a sprawling cybersecurity and defense infrastructure.

Its response is narrowly focused on just one or two dimensions of these threats—especially foreign ones. At the center of the state’s response is the Brazilian Army’s Center for Cyber Defense (CDCiber), one of the only such entities in South America. Yet the emphasis on a military response may be incommensurate with the real (as opposed to existential) threats facing the country. Despite allegations of Hezbollah smuggling weapons to Brazilian gangs (these rumors have been circulating for decades), the country has comparatively few external cyber threats from foreign governments or terrorist groups.

This represents a mismatch with the real and emerging threats in cyberspace. Instead of focusing on international and domestic cyber-criminality, which constitutes by far the gravest risk, the state is doubling down on strengthening cyber war-fighting and anti-terrorism capabilities. This is not to suggest that cyberterrorism and cyber warfare are not real threats. Rather the government is overemphasizing broader issues of national security rather than addressing the most pressing challenges confronting citizens—that is cyber crime.

Although less than half of all Brazilians have bank accounts, the security of the country’s online banking infrastructure has always been more advanced that its American counterpart. Brazilian banks introduced double and even triple verification years before most other countries and biometric security is now the norm for most ATMs. Security in other online sectors, however, is far behind global standards and public or government sites are easily hacked.

The military approach to cyber insecurity in Brazil is consistent with a broader effort to find a role for the Brazilian armed forces in the twenty-first century. On the one hand, they are strengthening border control and anti-drug activities in the Amazon and the so-called tri-border area of Argentina, Brazil and Paraguay. On the other, the military is seeking to expand its reach and influence in cyberspace.

All of this has profound consequences for individual rights and public spending. The outsized military response risks compromising citizens’ fundamental rights owing to, among other things, the temptation to undertake surveillance and censorship. For instance, CDCiber and Brazil’s central intelligence agency (ABIN) created social media monitoring platforms in the aftermath of the 2013 protests.

Meanwhile, other public institutions such as the Federal Police are less generously resourced and supported. These developments are partly inspired by Brazil’s desire to enhance its geopolitical reach and relevance. As a rising power, the Brazilian government is mobilizing the country’s nascent cybersecurity architecture to project soft power in bilateral relations and multilateral arenas. For example, in 2013 the President requested that the UN develop a new global legal system to govern the Internet.

Brazil’s own Internet architecture is still work in progress. While there have been some important developments, there are conflicting lines of accountability among institutions, distorted funding priorities, confused public debate, contradictory legislative measures and the importation of outside solutions for local challenges. In the meantime, the military has “captured” resources for cyberdefense, with potentially dangerous implications for civil liberties more generally.

What is more, the comparatively limited engagement of civil society in cybersecurity debates in Brazil means that the armed forces have free reign to advance their interests. What is urgently needed is a balanced cyber security strategy, one that accurately gauges evolving threats to understand where future vulnerabilities reside.

First, the government should encourage people to talk. There is a now a lively conversation in Brazil about the many positive developments related to e-governance, smart cities, digital sovereignty and other new information technologies. Curiously, there is a silence on issues related to cybersecurity and cyberdefense. Where debated at all, conversations tend to be reserved to the highest levels of government, the armed forces, law enforcement agencies and a narrow group of businesses, though there are signs this may be starting to change.

The second step is to put in place measured and efficient strategies to engage cyber threats. Since the budgets allocated for cyber-related issues are hard to predict, there is considerable bureaucratic competition over funds. Military, law enforcement and civilian entities may exaggerate risks in order to increase their likely access to resources. If Brazil is to build a cybersecurity system fit for purpose, an informed debate is imperative.

At a minimum, Brazilians need to better understand the dynamics of cyber crime groups, and the ways in which traditional crime is migrating online. It also needs to monitor how security forces are adapting new surveillance technologies. Above all, the government should encourage a broader debate with a clear communications strategy about the need for cybersecurity and what forms this might take.

The authors would also like to give credit to Gustavo Diniz, a former researcher at the Igarapé Institute. This article is based on a new Strategic Paper by the Igarapé Institute—Deconstructing Cyber Security in Brazil: Threats and Responsesreleased in December 2014. An earlier version of this article was posted on OpenDemocracy

This post appears courtesy of CFR.org.

NEXT STORY: The Very Real Future of Iron Man Suits for the Navy

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.