Published by The Lawfare Institute
in Cooperation With
Editor’s note: This article was originally published in Spanish in Foreign Affairs Latinoamérica.
In 2007, Michael Reid, senior editor for Latin America at The Economist, published his book “The Forgotten Continent: A Battle for Latin America’s Soul.” In it he argued that the overall reading of the region had been one that claimed that it was neither poor enough to attract pity nor volatile or bellicose enough to be considered dangerous. The multiple political conundrums in the past couple of months have arguably challenged that sense of forgottenness of Latin America, even if temporarily. Highlighting the complexity and threats to democratic stability throughout the region are Brazil’s own Jan. 8 invasion of the capital by far-right rioters, the diplomatic éclat between Peru and Colombia and Mexico over the nonrecognition of Dina Boluarte’s presidency following the ousting of Pedro Castillo after he had attempted to dissolve Congress, and crackdowns on protesters in Peru leading to deaths and injuries..
However, alongside these more “traditional” or perhaps “structural” security concerns that cannot be swiftly shaken off, countries in the region have increasingly had to deal with the additional burden of cybersecurity threats. In April 2022, Costa Rica was hit by one of the most serious cyberattacks in Latin America. A week after Rodrigo Chaves was elected as Costa Rica’s new president, the Russia-based ransomware group Conti targeted 27 ministries, leaving nine of them badly affected. The cyberattacks lasted from April until June, leading to an unprecedented declaration of a state of emergency by Chaves on May 8. It felt as if, for the first time, in possibly a long time, Latin America was “on the map” of global cybersecurity—and, alas, not for positive reasons.
Despite this high-level and high-visibility attack, Latin America has indeed remained largely forgotten when it comes to cybersecurity—even though it has not fallen short of other cybersecurity threats. According to IBM, Brazil, Mexico, and Peru were the most targeted countries in the region in 2022. In 2020, Brazil’s Superior Court of Justice—one of the most important bodies of the judiciary—suffered a ransomware attack, leaving thousands of cases in limbo. Other cyber incidents in 2021 and 2022 left coronavirus vaccine apps and local governments in Brazil inoperative for months. Mexico faced one of its worst attacks in 2018, when the Interbank Electronic Payment System (Sistema de Pagos Electronicos Interbancarios—SPEI) was taken down following a cyberattack that led to a loss of approximately $42 million. In addition, a large number of organized crime groups have operated and evolved in their craft through early adoption of the online environment. Experts have even claimed that the region has reached a point where it exports hackers focusing on the banking sector.
So, if Latin America has had its fair share of cyber threats—and with wide societal and economic repercussions—why is cybersecurity still considered a secondary issue?
The Gap Between Development and Cybersecurity
When placing cybersecurity under the broader perspective of converging crises, it might seem that it is not only understandable but rather justifiable for governments in the region to leave it at the bottom of the priorities list. However, as the past decades have shown—and perhaps paradoxically so—crises within the region have not been enough to stop rampant digitalization. The region benefits from 74 percent of its population having access to the internet. Chile, Uruguay, Argentina, and Brazil are at the top of the list, with average rates of access at more than 80 percent. Brazil and Mexico are among the top 10 countries with the greatest number of social media users (165 million and 98 million, respectively). Growing access to mobile phones has helped boost individual access to e-commerce, and almost all countries in the region have adopted some form of digital or e-government strategy that lays out their ambitions for achieving digital transformation.
One of the problems is that while Latin American countries thirst for development and sustainability—which is undeniably and increasingly associated with the digitalization of its services and expansion of digital markets in the region—they are often slow to understand the importance of cybersecurity as a pillar for achieving the sustainable and resilient kind of development they seek amid more pressing agendas. This means that cybersecurity concerns are often addressed reactively—after a major incident—rather than proactively. The wave of incidents targeting the judicial system in Brazil since 2020, for example, rapidly set in motion the development of a cybersecurity committee specifically for the judiciary and policies dedicated to managing and responding to future events within that sector. Only recently—and especially during the pandemic—have political elites started to understand and grasp the transversal threat that vulnerabilities can pose to all sectors of society. Otherwise, the cybersecurity agenda can often seem detached, technical, and distant from individuals’ everyday concerns.
It also means that, given the reactive posture, governments face the risk of incorporating a skewed perspective of the threat. While notorious ransomware incidents have indeed crippled entire federal entities and local governments, many of the security issues and vulnerabilities derive not from sophisticated actors but from a basic lack of cybersecurity protocols being implemented by public and private entities.
In addition, the detachments between the cybersecurity and development agendas at the national level are no coincidence. For some countries, such as Brazil, Colombia, and Argentina, cybersecurity emerged initially as part of a national security agenda, often nested within ministries of defense and in the form of cyber commands. Brazil has developed its cyber defense and security quite separate from digital transformation. For example, on one side are two largely militarized bodies, the armed forces and the office of the security of the presidency, and on the other side are the Ministry of Science, Technology and Innovation and the Ministry of Economy’s office for digital government. While there is some interministerial coordination, the presence of cybersecurity concerns within the digital transformation strategy are far from explicit. Other countries, such as Peru (2020) and Ecuador (2021), have only recently inaugurated their cyber commands. In Uruguay, for example, cybersecurity came as an addendum to an already-existing digital agenda. Since 2005, the country has had a dedicated agency focused on digital government (Agencia de Gobierno Electrónico y Sociedad de la Información y el Conocimiento—AGESIC), prior to enhancing its capacities within the armed forces through the establishment of a Centro de Respuesta a Incidentes de Seguridad Informática (CERT) dedicated to the military sector later in 2013.
All of these developments provide a glimpse of the diverse institutional pathways and priorities that have led to the inclusion of cybersecurity within the national agendas of countries across the region. It also adds to the challenge of thinking about what regional cooperation and integration would mean for this agenda.
In November 2022, seven former presidents along with other high-level government representatives and key thinkers from the region presented a letter to the 12 presidents in Latin America, stressing that “la integracion es hoy mas necesaria que nunca” (“integration is more necessary today than ever”) and calling for the reestablishment of the Union of South American Nations (UNASUR) as the main space for tackling the conundrums of regional integration. The scenario, however, is grim. Latin America faces “a second lost decade,” aggravated by a post-pandemic economic crisis, an expected shrinkage in GDP growth from 3.1 percent in 2022 to 1.3 percent in 2023, and boiling political ideological clashes either triggered by or followed by elections. Where does cybersecurity factor in, if at all, in this complex landscape?
Regional dialogues and cooperation in cybersecurity are still incipient and fragmented. The most prominent regional venue has been the Organization of American States (OAS). For more than a decade, the OAS has conducted cyber simulations, engaged in capacity building, and supported the development of member states’ national cybersecurity strategies. What is more, OAS member states in 2017 established a Confidence Building Measures Working Group focusing on ensuring cooperation, transparency, predictability, and stability among states in cyberspace. Over the past six years, the working group has agreed on six voluntary measures that range from exchanging information about national cybersecurity policies to the designation of points of contact within their respective ministries of foreign affairs with the purpose of facilitating cybersecurity cooperation and dialogue across the Americas.
Other regional forums have been catching up on cybersecurity issues. Since 2020, the United Nations Economic Commission for Latin America and the Caribbean (ECLAC), for example, has been seeking to further integrate the development agenda with cybersecurity as part of its Digital Agenda for Latin America and the Caribbean (eLAC). The 2022 edition of the eLAC stressed that countries should promote regional harmonization of cybersecurity policies and norms, and the 2024 edition highlighted the need for states to promote cybersecurity policies that are consistent with human rights and set the goal of 20 countries (out of 33 in the region) having national cybersecurity strategies by 2024.
Even though all the developments point to a gradual recognition of the importance of cybersecurity within the region, it is still early to consider what a regional agenda for this topic would look like. Given that cybersecurity is not necessarily a partisan agenda, the current shifts or rifts from a so-called second political “pink tide” of leftist governments in Brazil, Chile, and Colombia, as well as the diplomatic clashes following Peru’s political crisis, might not have a direct impact on the cybersecurity discussions. This means that there would be little resistance to maintaining cybersecurity as a technical cooperation agenda or taking it to new proportions depending on the regional appetite.
On the one hand, Brazil’s announced return to ECLAC in December 2022, the legacy of President Lula in strengthening South-South cooperation, and the letter from regional leadership concerning UNASUR all point to a growing sense of regional integration. This context could be an opportunity for countries within the region to test the waters for a broader and structured dialogue on either regional integration or South-South cooperation for sustainable cybersecurity development. Brazil has been a thought leader on the topic before. After the Snowden revelations sparked a diplomatic clash between Brazil and the United States, former President Dilma Rousseff organized and hosted the NETmundial Summit—a high-level summit to discuss threats to privacy in the digital age.
On the other hand, while there is no consolidated dialogue for either regional or South-South cooperation on the matter at the strategic level, such an opportunity could possibly be left aside, as a tool to be activated reactively—when the cost of suffering cyberattacks is too high for the sustainability and prospects of economic growth—similar to the NETmundial. The thing is that while developed countries can, at times, bear the luxury of dealing with crippling cyberattacks, developing countries cannot. In addition, countries in Latin America can be easy targets to groups seeking to train and raise funds for more orchestrated campaigns, not just because of the lack of cybersecurity investments and political will, but because there are many old operational systems still in place that pose a structural threat for many businesses (often small and medium ones) across the region. The question, therefore, is one of waiting to see when the agenda will be taken seriously enough by political leadership as a positive step toward development, whether current technical cooperation will be enough to deal with the evolving threat landscape, or if these concerns will continue to be seen as an add-on rather than a fundamental element for economic and social development.
The Biases of the Cyber Threat Intelligence Industry
Latin America’s cybersecurity challenges are not easily solvable, nor are they the region’s problem to deal with alone. A series of structural challenges need to be considered if one wishes to understand the complexity of the region’s cybersecurity dilemmas.
Most of the knowledge about cyber threats resides with private-sector companies dedicated to transforming data into threat intelligence, solutions, and services to help with identifying, processing, and mitigating threats and vulnerabilities—with some of them encompassing an even more expansive portfolio of cloud and infrastructure services to provide all-in-one packages that are attractive to developing countries. This international cybersecurity market is highly concentrated in a small number of companies, often based in the United States, such as Mandiant, Microsoft, Oracle, and CrowdStrike.
This presents a couple of challenges to countries in Latin America. First, the cyber threat intelligence market responds to a very specific set of high-level state-related threat actors that are linked to wider geopolitical concerns from the United States, the United Kingdom, European countries, and allies. Second, while some of them do provide services to countries across the region, the focus on publicity around “big” threat actors in Iran, Russia, China, and North Korea also results in secondary effects where companies are incentivized to publicly report these actors that are normally the object of interest from global cyber powers. Plus, focusing on these threats and writing about them also provides these companies with good publicity, showcasing their leadership in the cyber threat intelligence market because they deal with highly complex and sophisticated actors and operations. Third, this means that there is a considerable public “data gap” on the status of cybersecurity threats in Latin America if they do not meet that threshold—with very few exceptions.
Within the context of Latin America, cyber threats are less about high-profile state-sponsored attacks than about hacktivist groups, indigenous criminal actors, and broader organized crime online—even though cases of espionage operations have been reportedly conducted by other countries or proxies. Beyond the developed country commercial lock-in, cyber threat intelligence industry bias can lead to three consequences for Latin America and other developing countries. First, public accounts of high-level attacks remain restricted to state-related threat actors. In cases such as these, Latin American countries rarely make an appearance, and if they do it is because they have been the target of a wider operation. That was the case with a threat group operating out of China called Nickel/Ke3chang that had been heavily targeting governments in the region and stealing sensitive data since 2019. Second, countries within the region can be left with off-the-shelf basic services and less substantive (and public) information sharing of potential operations within and across the region. Tight cybersecurity budgets often mean that governments need to either outsource their security completely or combine it with in-house expertise, thus having to figure out how to acquire the appropriate technologies to assist them. Third, these structures of incentives can further discourage companies from investigating potential cyber operations within Latin America and producing more strategic (and public) assessments of the threat landscape.
Other structural factors add to the politics of the threat intelligence market along with the knowledge and data gap mix. European countries, the United Kingdom, and the United States have had their attention redirected toward tackling the war in Ukraine, addressing domestic politics, and steering economic crises, as well responding to their own cybersecurity threats. This means that the prospects of expanding bilateral cooperation on cybersecurity might prove trickier than before, given that not only are many of these countries having to redirect funding but also the current political crises in the region could slow down the likelihood of foreign investment in this area. However, depending on the country, that might change. Brazil, for example, signed a memorandum of understanding with the United Kingdom in November 2022.
Emerging Threats and a Legacy of Surveillance, Reloaded
Despite the multilayered obstacles for understanding what cybersecurity means for Latin America, the year 2022 was in many ways a wake-up call to countries in the region and a reminder of both old and emerging threats.
Since 2020, and especially in 2022, the region has been hit by a swarming wave of ransomware attacks targeting both public- and private-sector entities. Many of these groups have developed sophisticated business models to sell ransomware services to specific clients. These so-called Ransomware-as-a-Service groups infiltrate systems, encrypt stolen files, and demand ransom for data recovery—they might also publish part of the data in dark web forums or Telegram groups as proof that they have had access to big chunks of compromising financial or politically sensitive data. Costa Rica’s case, perpetrated by Conti ransomware, was the most emblematic one, but it was far from isolated.
Many Russia-based groups, such as Conti, BlackByte, LockBit 2.0, and ALPHV, have sought to target governments and companies in Latin America for financial or political reasons. In 2022, the countries affected most heavily were Peru, Costa Rica, Ecuador, Brazil, Argentina, Colombia, and Chile. In December, the ransomware group RansomHouse attacked Keralty, a company that provides health-related services to approximately 11 countries and owns private companies that administer the health care of more than 5 million Colombians. After the attack, users joined RansomHouse’s Telegram channel, where the group publishes information about its leaks, and wrote, “las victimas son usuarios pobres” (“the victims are the poor users”). The expansion of ransomware highlights that cybersecurity is far from a highly technical concern. Rather, it has increasingly exposed and affected the everyday citizen. Russian groups might be more focused on extortion and profiteering. China, by contrast, has not resorted to “loud” and “more visible” methods such as ransomware but instead has sought to engage in operations to retrieve data from strategic victims in government, nongovernmental organization, and the private sector—knowledge that can be leveraged in strategic partnerships and negotiations with countries in the region.
Latin America has become not only a lucrative site for ransomware business models but also a testing ground for groups seeking to gather funds and exploit other regions. That is the case for the ARCrypter group, which attacked a government agency in Chile and across the region and later decided to expand its operations worldwide—to Germany, the United States, Canada, and other countries. Other cyber incidents that have been added to the list include attacks against Colombia’s National Food and Drug Surveillance Institute, the Secretary of Health of the State of Morelos in Mexico, Rio de Janeiro’s State Secretary of Finance, the municipality of Quito in Ecuador, Peru’s Dirección General de Inteligencia, and the list goes on.
However, while 2022 was marked by the consolidation of emerging threats such as ransomware, it also revived a long-standing discussion around government acquisition and use of surveillance and hacking tools to target specific groups. In October 2022, the environmentalist collective and hacktivist group Guacamaya released documents from the armed forces in El Salvador, Colombia, Chile, Peru, and Mexico, exposing the scale and overreach of some intelligence operations that targeted and tracked dissidents and civil society groups within their respective countries.
The “Guacamaya Leaks” is the latest chapter in the ongoing practice of government hacking—that is, the disproportionate use of surveillance and intrusion tools against sectors of the population. In 2021, the NSO Group—the company responsible for the development and commercialization of Pegasus spyware, the tool used by Saudi Arabia to spy on journalist Jamal Khashoggi, who was later assassinated in Turkey—reportedly sold Pegasus to Panama, El Salvador, and Mexico and tried to sell it to the Brazilian government after being stopped by a coalition of civil society organizations. Mexico, in particular, has the greatest number of publicly reported cases of Pegasus use in the region, with a variety of targets that range from journalists seeking to investigate drug cartels to public health campaigners and even President Andrés Manuel López Obrador. However, records of government hacking also date back to 2015, when WikiLeaks published correspondence between the Hacking Team and governments throughout the region and showed that seven countries had acquired remote control systems to spy on activists and political dissidents.
Transnational Threats, Fragmented Action
The tale of cybersecurity in Latin America is not a simple one. Technology has become a stepping stone for development that requires countries to go through many hoops—some of which they might want (modernizing military forces and using spyware to track dissidents) and others they might not find to be too attractive or achievable in the short run (investing in cybersecurity education and skills).
From a political standpoint, a considerable amount of convincing is needed to focus high-level political elites’ attention on the issue of cybersecurity. At the same time, as debacles and geopolitical challenges shift the focus of the United States and European countries away from Latin America (except perhaps for the climate security agenda), governments in the region could be given the space needed to rethink how and where cybersecurity fits within regional integration efforts. What is more, given the notoriety of countries as primary targets of ransomware groups, countries could enhance channels to share lessons learned from their own mistakes while developing a vision of cybersecurity that will pragmatically speak to the goal of achieving sustainable development—but if the attacks so far have not been able to move governments to take practical cooperative steps, then the question remains as to what would?
Curbing market forces will be harder. Countries will continue to depend on threat intelligence from the big players, but that could be complemented by nationally bred bespoke companies to provide richer contextual analysis and expertise in addition to the usual suspects.