Chapter 14. Digital security risk management

National digital security strategies

Only six countries (Colombia, Mexico, Panama, Paraguay, Trinidad and Tobago and Uruguay) have a national digital security strategy, two of which (Mexico and Uruguay) address a national government strategy but not a digital security strategy per se.

Although 75% of countries in the LAC region still do not have a digital security strategy, a large number of countries, including Argentina, Brazil, Chile, Mexico and Paraguay, have government and public sector entities responsible for the co-ordination and protection of national security and critical infrastructure (OAS and Symantec, 2014).

The OAS has provided support and technical assistance to Costa Rica, Jamaica (OAS, 2015b), Paraguay and Peru in the implementation and improvement of their respective national digital security strategies (OAS, 2015a, 2015b, 2015c and 2015d).

A recent cybersecurity study (IDB and OAS, 2016) analysed the state of preparedness of 32 countries in the region based on 49 indicators in five areas: policy and strategy, education, culture and society, legal framework, and technology. Uruguay, Brazil, México, Argentina, Chile, Colombia and Trinidad and Tobago have achieved an intermediate level of preparedness, but lag advanced countries like the United States, Israel, Estonia and Korea.

The proportion of LAC countries with both substantive and procedural legislation to investigate and prosecute Internet and computer-related crime is still low (nearly 44%). Only 11 countries (Chile, Colombia, Costa Rica, the Dominican Republic, Jamaica, Mexico, Paraguay, Peru, Trinidad and Tobago, Uruguay and Venezuela) have substantive and procedural criminal legislation to counter cybercrime. However, some countries have reported problems not only with the enforcement of laws and concerns on how to keep cybercrime legislation up to date, but the need for training prosecutors and the judiciary to build capacity for law enforcement, given the knowledge gap among experts, as well as budget constraints (IDB and OAS, 2014).

Most government agencies of countries in the region tend to view digital security exclusively from one dimension (i.e. political, technical, industry-specific) rather based on a multidimensional perspective (IDB and OAS, 2014). Few place emphasis on the economic and social dimensions. As a result, governments do not sufficiently use public-private partnerships and co-operation to advance public policy objectives in this area.

Intra-governmental co-ordination

The proportion of LAC countries with government co-ordination mechanisms is very low (around 30%). Only eight countries (Brazil, Colombia, the Dominican Republic, Jamaica, Mexico, Peru Trinidad and Tobago and Uruguay) address some aspects of governmental co-ordination for developing their national digital security strategy. However, the information provided suggests that intra-governmental co-ordination is limited in practice and that most LAC countries do not yet have a whole-of-government approach to digital security risk.

OAS member countries have reported problems of co-ordination and alignment of digital security policies throughout government agencies. It is reported “a general lack of collaborative culture, which combined with budget constraints, makes the co-ordination of digital security policies a great challenge within government”. Other OAS members reported a fragmented approach on digital security matters within their governments, with independent institutions working in an isolated rather than in a co-ordinated fashion (IDB and OAS, 2014).

Computer Security Incident Response Teams (CSIRTs)

The proportion of LAC countries with a computer security incident response team (CSIRT) fully endorsed by the government is relatively high (more than 50%). Twelve countries (Argentina, Brazil, Chile, Colombia, Costa Rica, Guatemala, Jamaica, Mexico, Paraguay, Peru, Trinidad and Tobago and Uruguay) have a CSIRT fully endorsed or supported by its national government.

The Inter-American Committee Against Terrorism of the OAS (CICTE) has been working closely with all countries in the Americas on establishing and improving their incident response capabilities under OAS’ Programme for Developing a National Computer Security Incident Response Team. Under this programme, the number of national CSIRTs in the Americas has increased from 5 to 18. However, according to reports, “the lack of financial resources and of personal training are the major challenges for implementing a national CERT and improving countries’ response capacity to cyber threats in the Americas” (IDB and OAS, 2014).

Awareness and development of a skilled workforce that can manage digital security risk

Many countries in the LAC area have increased and improved their awareness-raising activities to enhance digital security and counter cybercrime (Box 14.2). “Stop. Think. Connect”, a multi-stakeholder partnership initially launched in October 2010 to help digital citizens stay safer and more secure online, continues to expand, and now includes four LAC government authorities (the Dominican Republic, Jamaica, Panama, Paraguay and Uruguay), CICTE and other private and public organisations in the region.1

The OAS recently launched an Awareness Campaign Toolkit on Cybersecurity, designed to provide governments and organisations guidance and resources in developing a cybersecurity awareness campaign (OAS, 2015e). However, capacity and training in countries in the region is often limited to the technical perspective. Training and capacity does not yet include skills to manage digital security from a broader perspective.

Building a comprehensive legal framework to mitigate cybercrime

The Dominican Republic and Panama are the only LAC countries that have ratified the 2001 Budapest Convention on Cybercrime (CoE, 2016), although the Council of Europe has officially invited seven other LAC countries (Argentina, Chile, Colombia, Costa Rica, Mexico, Paraguay and Peru) to sign (CoE, 2014).

Nevertheless, the proportion of LAC countries that have adopted substantive and procedural legislation in line with the Budapest Convention keeps growing (nearly 43%). Eleven countries (Chile, Colombia, Costa Rica, the Dominican Republic, Jamaica, Mexico, Paraguay, Peru, Trinidad and Tobago, Uruguay and Venezuela) have passed legislation to counter cybercrime. The cases of the Dominican Republic and Panama are noteworthy (Box 14.3).

Allocation of budget and resources to set up a digital security strategy

As addressed in Chapter 2 on regulatory frameworks and digital strategies, the great majority of LAC countries have an annual budget allocation for a national digital strategy, although the budget varies significantly from one country to another. Mexico’s National Digital Strategy has an annual budget of USD 1.740 million (MXN 29 million), while Colombia allocated nearly USD 2.6 million for the first three years of its National Digital Strategy (Vive Digital). Chile budgeted USD 850 million for its National Digital Strategy. Nevertheless, the percentages dedicated to digital security are unclear.

Besides the general annual budget for national digital strategies, specific ministries can also allocate their own budgets for the digital security strategy. This is not common, however, in most LAC countries. In 2014, only Colombia allocated an annual budget to the National Defence Ministry equivalent to USD 1.5 million (COP 4.6 million) for colCERT, the Cybercrime Police Centre (CCP) and the Cyber Task Force of the Armed Forces.

Most recently, Mexico’s Ministry of National Defence requested an annual budget of USD 100 million to create a Cyberspace Operation Centre in 2016. Its main purpose would be to build strategic capacity and training to counter cybercrime, threats to information security and the protection of critical national infrastructure (Stettin, 2015).

International co-operation and mutual assistance

The proportion of LAC countries implementing international co-operation and mutual legal assistance is low. Only five (Brazil, Chile, Mexico, Peru and the Dominican Republic) are part of the G8 24x7 Contact Network, designed to help national law enforcement authorities in other countries obtain and exchange information related to cross-border criminal investigations, including crime committed through the use of ICTs (Velasco, 2016).

The proportion of LAC countries with mutual legal assistance treaties in the field of extradition and regional judicial co-operation is relatively high. Fifteen countries (Brazil, the Plurinational State of Bolivia, Chile, Colombia, Costa Rica, the Dominican Republic, Ecuador, Guatemala, Honduras, Mexico, Panama, Paraguay, Peru, Uruguay and Venezuela) have extradition treaties and bilateral agreements on international judicial co-operation in criminal matters in force.

Overall situation

Several LAC countries have adopted national digital strategies or are in the process of implementing one. Unfortunately, the great majority of national digital strategies in place lack a clear long-term vision on digital security risk and face a number of challenges, such as:

• creating and improving legal frameworks on digital security

• creating operational security risk management capabilities

• a clear distribution of responsibilities among government institutions

• international and multi-stakeholder co-operation (OAS, 2014).

All indications are that the majority of LAC countries are not approaching digital security risk from the economic and social perspective, as called for by the OECD. At the time of writing, this approach is still relatively new, and it is thus not surprising that it is not yet reflected in current policy frameworks. It should also be acknowledged that some LAC countries face various additional challenges that limit their ability to adopt this approach (OAS and Symantec, 2014).

The implementation of co-ordination mechanisms within governments to formulate and carry out national digital security strategies is a key challenge in LAC countries. Instead of distinguishing clearly the various facets of what is often known as “cybersecurity”, and addressing them through an overarching strategy that ensures government co-ordination and coherence, governments often view this issue from a single perspective, such as national security, international security or cybercrime. As a result, the economic aspects are set aside and the issue addressed in isolation from non-governmental stakeholders, in a public policy silo. Budgetary concerns have constrained the adoption of co-ordination mechanisms among government agencies of the region. Only a few countries have allocated annual budgets for national digital strategies by the respective ministries and competent authorities.

Stakeholder engagement in most national digital security strategies has improved, but it is not yet mature in most LAC countries. Many still lack flexible mechanisms and medium and long-term plans to support stakeholders in developing policies and legal frameworks on digital security (OAS and Symantec, 2014). By contrast, a significant number of countries, including Colombia, Mexico, Panama and Peru have established national CSIRTs fully endorsed by their respective national governments, which have been very active in facilitating the exchange of information on security and computer incidents and threats and providing training on information security to their staff and the general public.

The number of LAC countries that have adopted legislation to counter cybercrime pursuant to the Council of Europe’s Budapest Convention keeps growing. Many in the region are interested in formally requesting access to the convention and its Additional Protocol. This, however, will involve a complex and long-term political process.

Awareness and understanding of digital security risk management

Over the years, awareness of digital threats and incidents has increased globally. However, there is still a limited understanding of some aspects and in particular, confusion over its economic and social dimension. The 2015 OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity and its companion document provide key concepts, principles and guidance to develop public policies in this area, as well as policies to manage risk in public and private organisations (OECD, 2015a). The OECD approach is based on the recognition that:

• Digital security risk is an economic and social issue rather than solely a technical challenge.

• It is impossible to create a fully safe and secure digital environment where risk is entirely avoided, other than by eliminating digital openness, interconnectedness and dynamism, and thus renouncing any of the associated economic and social benefits.

• Risk can nevertheless be managed and reduced to an acceptable level, determined by the economic and social objectives and benefits at stake, as well as the context.

• Digital security risk management can drive the selection of appropriate digital security measures that do not undermine the activity they aim to protect, take into account the interests of others, and preserve human rights and fundamental values.

• Leaders and decision makers are best placed to steer the changes needed to reduce risk to an acceptable level.

• Digital security risk management should be integrated with economic decision making and the broader risk management framework, to facilitate strategic, agile and effective leadership.

National Strategy for the Management of Digital Security risk

Many countries worldwide are adopting what they often call national “cybersecurity strategies”. Their content, however, varies extensively. Regardless of what they are called and the type of document or documents in which they are reflected, it is essential that governments adopt strategies to create the conditions for all stakeholders to manage digital security risk and to increase trust and confidence in the digital environment. Such a strategy may be part of an over-arching policy that addresses the national and international security dimension of cybersecurity, as well as the fight against cybercrime. It can also be included in a national digital strategy to promote the use of ICTs for economic and social prosperity.

Such a strategy should clearly state that it aims to:

• take advantage of the open digital environment for economic and social prosperity, by reducing the overall level of digital security risk within and across borders, without unnecessarily restricting the flow of technologies, communications and data

• ensure the provision of essential services and the operation of critical infrastructure, protecting individuals from digital security threats while taking into account the need to safeguard national and international security and to preserve human rights and fundamental values.

The strategy should be directed at all stakeholders, tailored as appropriate to small and medium enterprises and to individuals, and articulate stakeholders’ responsibility and accountability according to their roles, ability to act and the context in which they operate.

Finally, it should result from a co-ordinated intra-governmental approach and an open and transparent process involving all stakeholders. It should also be regularly reviewed and improved based on experience and best practices, using internationally comparable metrics where available.

The OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity (OECD, 2015a) includes guidance for measures that the strategy can include, such as how the government can lead by example, measures to strengthen international co-operation and mutual assistance, how to engage with other stakeholders and how to create the conditions for all stakeholders to collaborate in the management of digital security risk. Such measures include, for example:

• ensuring that the national digital strategy is conducted and managed in a manner conducive to innovation and prosperity, keeping the environment open, maximising the potential of ICTs for growth and development and facilitating international and regional co-operation

• improving and updating training programmes and ensuring the development of national awareness-raising campaigns

• creating a comprehensive national programme to measure digital security risk and facilitating co-ordination mechanisms and sharing of responsibility among government agencies

• encouraging mutual assistance in the identification of Internet crime and prosecution of perpetrators between law enforcement authorities in the region

• establishing national points of contact to address cross-border requests related to digital security risk management issues and improving responses to domestic and cross-border incidents and threats, including through co-operation with CSIRTs, co-ordinated exercises and other tools for collaboration

• encouraging national partnerships between ICT companies and government agencies on digital security and the creation of flexible cross-border co-operation mechanisms.

International Cooperation and Mutual Assistance

International co-operation and mutual assistance is a good policy practice. It can help detect cross-border crime and the development of international and regional co-operation mechanisms to enforce national laws against criminals located in different jurisdictions.

Colombia, Mexico, Peru, Paraguay and Uruguay actively participate in the OAS Cybersecurity Programme and the various activities organised by the Inter-American Committee Against Terrorism (CICTE)2 to counter cybercrime with the participation of various stakeholders from the public and private sector.

Engagement with other stakeholders

Promoting the active participation of stakeholders, through national consultations on digital security, encouraging the management of digital security among different stakeholders, and sharing responsibilities is a good policy practice (Box 14.4).

Computer Security Incident Response Teams (CSIRTs)

Computer Security Incident Response Teams (hereinafter CSIRTs) play a key role in in identifying threats to information security systems and networks, and crime committed through the use of information technologies. There is consensus that a CSIRT is a “team of experts that responds to computer incidents, coordinates their resolution, notifies its constituents, exchanges information with others and assists constituents with the mitigation of the incident” (Box 14.5). CSIRTs also serve as reliable points of contact for reporting security incidents, disseminating relevant information on computer incidents, mitigating security risks and co-ordinating their response efforts with other similar institutions. Establishing a national CSIRT is a good policy practice to facilitate international and regional co-operation on information security. Private-sector CSIRTs (e.g. business, academia) can also be encouraged.

As noted above, 12 countries in the LAC region have a CSIRT fully endorsed or supported by the national government. The cases of Brazil, Costa Rica and Mexico are described here (Box 14.6).