By Louise Marie Hurel

  In February 2020, the Decree 10.222 established Brazil’s National Cybersecurity Strategy (E-Ciber) — the first official document to provide an overview regarding Brazil’s role in cybersecurity, as well as objectives and guiding principles for its development between 2020 and 2023. With the Covid-19 pandemic, thousands of people, governmental agencies, and businesses have rapidly adapted their activities to a largely virtual environment. This sudden migration led to new threats and attack surfaces for exploiting vulnerabilities. More than ever, different sectors must be prepared and trained to respond to and resist these threats. However, this was precisely the period in which Brazil suffered the worst cyber attack in its history – highlighting, yet again, that many challenges remain for ensuring that concerns with security turn into action across different sectors. This strategic paper identifies the main gaps and challenges for cybersecurity governance in Brazil. We unpack the main elements of E-Ciber in order to understand and place the country’s strategic vision historically as well as in relation to other international experiences. We adopt a principlesbased approach that seeks to strengthen and inform the implementation of strategic cybersecurity objectives in Brazil, which include: national and international coordination and cooperation; knowledge integration; sustainability of efforts; and cybersecurity-related training. 1 See Annex 1 for greater detail on the various challenges. This document is the result of three months of interviews with specialists from various sectors, thematic document analysis, and ethnographic work in different areas, forums, and debates. Challenges identified in interviews and field work include:1 (i) The absence of a shared vocabulary when referring to cybersecurity/digital issues in society; (ii) The association of cybersecurity with military affairs, responsibilities and institutions; (iii) Lack of understanding regarding specific and shared digital risks across sectors; (iv) The absence of mechanisms for sharing information regarding security risks/threats and knowledge across sectors; (v) Lack of normative, strategic, and operational alignment for incident response; and (vi) (vi)The existence of various cybersecurity maturity levels throughout society

Brazil: Igarape Institute, 2021. 43p.