Chapter 4. Enhancing trust in the digital economy

2000-12: The first steps of digital security policy in Brazil

This period was characterised by the establishment of the fundamental building blocks focusing on digital security in the public administration (Box 4.1). In 2000, the government established an information security policy for the federal public administration and created and Information Security Management Committee (Comitê Gestor da Segurança da Informação, CGSI) tasked with advising the Executive Secretariat of the National Defence Council about its implementation.1 The Brazilian Public Key Infrastructure (PKI) was created in 2001 (ICP-Brasil). The Government Computer Emergency Response Team (CITR Gov) was established in 2004. As of 2006, the Institutional Security Cabinet of the Presidency of the Republic (Gabinete de Segurança Institucional/Presidência da República, GSI/PR) was designated as the primary agency for digital security matters and, over the years, adopted 3 general instructions and 22 supplementary standards (as of 2019). The Federal Court of Accounts (Tribunal de Contas da União, TCU) monitored their implementation by the federal public administration through surveys followed by recommendations. The 2010 GSI/PR Green Paper on Cybersecurity in Brazil (GSI/PR, 2010), which included recommendations for the establishment of a national cybersecurity policy, can be viewed as the first attempt to approach digital security policy from a holistic and strategic perspective.

2012-17: Increased attention to and focus on national security aspects

As of 2012, key events created the conditions for increasing the country’s operational digital security capacity while emphasising the national security dimension of digital security and raising awareness about privacy and civil liberties related to the Internet.

Between 2012 and 2016, the government significantly expanded its operational digital security capacity to protect several mega-events hosted in Brazil, such as the United Nations Conference on Sustainable Development (Rio+20 in 2012), World Youth Day (2013), the football Confederations Cup (2013) and the World Cup (2014), and the Olympics and Paralympics (2016). The Ministry of Defence played an important operational role, including by establishing a Cyber Monitoring Centre (Demetrio, 2012), and co-operating with several agencies as well as public and private incident response teams to successfully manage the situation (Hurel and Cruz Lobato, 2018).

In 2013, revelations of foreign espionage activities affecting Brazil led to the creation of a Parliamentary Committee of Inquiry on Espionage (CPI da Espionagem), which underlined weaknesses in the country’s cybersecurity from a national security perspective. The committee’s final report recommended the development of a National Cybersecurity Strategy, the adoption of measures to co-ordinate public and private actions in this area, and the creation of a cybersecurity agency within the federal public administration to address the issue in an overarching and more effective manner.

During the same period, a considerable amount of public attention was dedicated to privacy and civil liberties issues related to the Internet, in particular through the public consultations for and adoption of the Internet Civil Legal Framework (Marco Civil da Internet), establishing principles, guarantees, rights and duties for the use of the Internet in Brazil (April 2014).2

However, in 2014, the results of an audit carried out by the TCU emphasised a relatively low level of implementation of existing digital security requirements by the federal public administration. According to the TCU, most of the federal public administration was not aware of its exposure to IT risks, the likelihood of their occurrence or their possible impact on the achievement of their objectives, and many public organisations, despite being aware of IT risks, did not keep them at acceptable levels or costs by treating them appropriately. The TCU stressed the low level of maturity with respect to the risk management process in the public administration. The TCU underlined that this situation increased the likelihood of IT not delivering results to business in the agreed time, cost and level of quality, consequently affecting the achievement of the business objectives of the entities. For example, only 25% of audited organisations had established guidelines for the management of IT risks, and only 8% were fully aligned with existing requirements. Only 13 out of 355 audited organisations had formally defined their acceptable levels of IT security risk (i.e. risk appetite).3

In this context, the GSI/PR developed the Strategy for Information and Communications Security and Cybersecurity in the Federal Public Administration, 2015-2018. After describing the background and context, this document set the strategic mission and vision, defined 7 strategic values, 11 guiding principles, and 10 strategic objectives with targets to be reached by 2018.

2018 to present: Digital security in the context of the digital transformation of Brazil

A new phase started in March 2018 with the publication of the Brazilian Digital Transformation Strategy (see Chapter 1), which includes a thematic axis focusing on “building trust and confidence in the digital environment”, with the objective of “making the Internet a safe and reliable environment that enables services and business transactions while respecting citizens’ rights”. This thematic axis addresses “defence and security in the digital environment” and the “protection of rights and privacy”.

According to the Digital Transformation Strategy, important progress in the area of “cyber defence” has been accomplished over the years, but Brazil still needs to improve its regulatory and institutional framework to match the challenge of digitalisation of the society and economy. The strategy claims that digital security should be regarded as a national priority and that a comprehensive “strategy for cybersecurity and defence” should be developed. The Digital Transformation Strategy points out that co-operation between the public and the private sectors is a crucial factor for the effectiveness of the actions envisaged in the future strategy and plans. It identifies several strategic actions, including the need to enhance digital security in the public administration; protect national critical infrastructure; raise the awareness of the population; enhance digital security skills in the public and private sectors; invest in research and development; develop metrics and information sharing models; as well as increase international co-operation.

In December 2018, the government published a decree establishing the National Information Security Policy (Política de Segurança da Informação, PNSI).4 Developed by the GSI/PR, this decree sets out 16 principles and 7 objectives. It establishes the legal basis for the development of a national information security strategy and of national plans detailing its implementation, such as planning, organisation, use of resources and attribution of responsibilities. The PNSI also includes measures related to roles and responsibilities with respect to information security within the public administration (see below).

In 2019, the GSI/PR started a process to draft the National Cybersecurity Strategy called for in the PNSI. To inform the development of the strategy, it organised a consultation process inspired by the one carried out for the digital strategy. The process included a 7-month, 31 meeting-long consultation of 40 experts from government agencies, businesses and academia gathered into 3 working groups. Based on this input, the GSI/PR developed a draft National Strategy for Cybernetic Security – E-Ciber, released in September 2019 for a 20-day public consultation through the participative government platform.5 Forty-one participants, including 31 individuals and 10 organisations, posted a total of 166 comments on the platform. The final strategy was adopted on 5 February 2020.6

The strategy’s vision is for Brazil “to become a country of excellence in cybersecurity”. The objectives of the strategy are to: make Brazil more prosperous and reliable in the digital environment; increase Brazilian resilience to digital security threats; and strengthen Brazil’s performance in cybersecurity in the international scene.

The strategy focuses on the following ten actions:

1. 1. Strengthening digital security risk management governance in public and private sector organisations. This action includes holding fora, establishing minimum requirements in contracts with the public sector, promoting GSI/PR standards and norms, promoting international standards for security by design and default, nominating a chief information security officer, recommending digital security certification in accordance with international standards, etc.

2. 2. Establishing a centralised governance model at the national level. A national digital security system will be created to promote co-ordination of actors beyond the federal administration, promote the joint analysis of the challenges faced in combating cybercrime, assist in the formulation of public policies, create a national cybersecurity council, create discussion groups in different sectors, etc.

3. 3. Promoting a collaborative, participatory, reliable and secure environment involving the public sector, private sector and society. This action aims to encourage information sharing about incidents and vulnerabilities, carry out exercises, strengthen the national CERT (CTIR Gov), issue alerts and recommendations, encourage the use of cryptography, etc.

4. 4. Raising the level of government protection, including by encouraging the use of secure communication devices, keeping information systems’ security up to date, recommending the use of backup mechanisms, including digital security requirements in privatisation processes, etc.

5. 5. Raising the level of protection of national critical infrastructures by promoting interactions between sectoral regulatory agencies, encouraging the adoption of enhanced digital security policies by operators of critical infrastructures, encouraging their participation in exercises and the notification of incidents to CTIR Gov.

6. 6. Enhancing the legal framework on digital security, including by reviewing the existing framework, modifying the penal code to include cybercrimes, creating incentives to reduce the cybersecurity skills shortage, preparing a draft law on cybersecurity.

7. 7. Encouraging the design of innovative digital security solutions in order to align academic projects with the economic demand. For example, include digital security in research programmes, encourage the creation of research and development centres on digital security, stimulate the creation of digital security start-ups, encourage the adoption of global standards to facilitate international interoperability, establish minimum requirements for 5G technology.

8. 8. Expanding Brazil’s international co-operation on digital security. This includes promoting discussions in international groups of which Brazil is a member, expanding relations in Latin America, promoting international events and exercises, expanding co-operation agreements, etc.

9. 9. Expanding digital security partnerships between the public sector, the private sector, academia and society. Possible actions include partnerships to encourage private investments in digital security, meetings with leading digital security actors, etc.

10. 10. Raising the level of digital security maturity in society. For example, carrying out public awareness initiatives; encouraging public and private sector organisations to carry out internal awareness-raising campaigns; integrating digital security in basic education; encouraging the creation of higher education courses; creating professional training courses; improving mechanisms for integration, collaboration and incentives between universities, institutes, research centres and the private sector, etc.

The strategy includes a diagnostic distinguishing between thematic and transformative axes:

• Thematic axes: national cybersecurity governance, incident management and strategic protection, i.e. protection of the government and critical infrastructures identified in the National Policy for the Security of Critical Infrastructures (telecommunications, energy, transport, water, finance).

• Transformative axis: normative dimension, research, development and innovation, international dimension and strategic partnerships, and education.

In July 2019, the government expressed its intention to adhere to the Convention on Cybercrime (Budapest Convention). In December 2019, the Committee of Ministers of the Council of Europe invited Brazil to join the Convention (Ministry of Foreign Affairs, 2019).

The GSI/PR is at the centre of digital security governance

The GSI/PR’s responsibility covers three areas:

• Information security standards and their implementation: establishing information security risk management standards for federal government agencies and entities; approving guidelines, strategies, norms and recommendations; and elaborating and implementing information security programmes aimed at raising awareness and training for the public administration and society.

• Public policy: following the doctrinal and technological evolution at national and international levels; elaborating and publishing the National Information Security Strategy, in collaboration with the Inter-ministerial Committee for Digital Transformation (see below); supporting the elaboration of national plans related to the National Information Security Strategy; establishing criteria for evaluating the execution of the PNSI; and proposing the publication of the normative acts necessary for its execution.

• Products: establishing minimum security requirements for the use of products incorporating information security features, which are binding for the federal administration; these requirements are not binding for the wider Brazilian market and only serve as a recommendation.

The GSI/PR is one of the organs of the Presidency of the Republic. It is led by a minister who reports directly to the President, as do all other Brazilian ministers. The Institutional Security Cabinet is responsible for analysing and monitoring issues related to potential risks of institutional stability; co-ordinating federal intelligence activities, and providing advice on military and security issues, in addition to other supporting functions for the President.7 Until 2019, digital security matters were addressed by the GSI/PR’s Department of Information and Communications Security (Departamento de Segurança da Informação e Comunicações, DSIC), within the Secretariat for Systems Coordination, which also addresses nuclear and space issues.

In 2019, the DSIC was elevated from a department to a secretariat. In contrast with a department, a secretariat reports directly to the minister, manages its own budget and has more resources. Figure 4.4 shows where the Secretariat for Information Security stands within the broader structure of the GSI/PR. This important evolution reflects the increased awareness of the importance of digital security in the government. With a budget of USD 433 000 (BRL 1.7 million), the secretariat comprised 30 staff in January 2020 (including 8 working for CTIR.gov, see below), which represents a 100% increase compared to the previous year.

Figure 4.4. Institutional governance for information security in Brazil

Note: This simplified overview of the Institutional Security Cabinet of the Presidency of the Republic structure does not include all of the entities of the office.

Source: OECD, based on www.gsi.gov.br/sobre/estrutura.

Most senior positions in the GSI/PR are held by high-ranking military officers.8 The GSI/PR also hosts the Brazilian Intelligence Agency (Agência Brasileira de Inteligência, ABIN) and the Secretariat for Defence and National Security Affairs addresses issues related to the security of critical infrastructures, co-ordinates crisis management and carries out actions related to crisis prevention. However, many of the newly created positions created at the Secretariat for Information Security are filled by staff from other ministries, Anatel and public companies.

The Secretariat for Information Security is responsible for:9

• planning and supervising information security within the federal public administration, including incident management, data protection,10 security accreditation and the handling of confidential information

• formulating and implementing the public administration’s information security policies

• elaborating normative and methodological requirements related to information security in the federal public administration

• managing the government CSIRT (CTIR.Gov), co-ordinating and carrying out actions for the management of incidents, and co-ordinating the network of government agencies’ and entities’ CSIRTs

• proposing and participating in international treaties, agreements or acts related to information security

• acting as a central security accreditation body for the treatment of classified information

• supervising the security accreditation of individuals, companies, agencies and entities for the treatment of confidential information

• co-ordinating with the state, municipal and Federal District’s governments; civil society; and organs and entities of the federal government, for the establishment of guidelines for information security policies for the public sector.

The secretariat includes three major branches:

1. 1. The General Coordination of Security and Accreditation Centre (Coordenação-Geral do Núcleo de Segurança e Credenciamento, CGNSC),11 which addresses issues related to information classification in the government.

2. 2. The General Coordination of Information and Communications Security Management (Coordenação-Geral de Gestão da Segurança da Informação e Comunicações, CGSIC),12 which elaborates proposals for information security guidelines, strategies, norms and recommendations; develops proposals for the National Information Security Plan; monitors its execution; plans and co-ordinates measures to guide information security implementation, such as for raising awareness and training; and monitors the doctrinal and technological evolution of activities related to information security at the national and international levels.

3. 3. The General Coordination of Government Network Incident Handling Centre (CTIR.Gov), the government CSIRT13 (described below).

The CGSI, gathering 21 ministries and government bodies covering a very large part of the federal public administration, provides advice to the GSI/PR. It meets at least twice a year and may establish up to four temporary sub-groups that cannot have more than seven members. The GSI/PR serves as the executive secretariat of the CGSI.14 The further operationalisation of this committee and the creation of working groups is one of the secretariat’s main objectives in 2020. For example, a working group within the Ministry of Economy is exploring the economic aspects of digital security in Brazil.

In November 2018, the Brazilian government published Decree 9.573 establishing the National Policy for the Security of National Critical Infrastructures. The policy aims to ensure the security and resilience of the country’s critical infrastructure and the continuity of services. The policy’s principles are: prevention and precaution; integration between government levels and branches, the private sector, and other segments of society; cost reductions benefiting the society resulting from investments in security; and safeguarding defence and national security. It also establishes the Integrated Critical Infrastructure Security Data System, the National Critical Infrastructure Security Strategy and the National Critical Infrastructure Security Plan. To address the complexity of digital security of critical infrastructures, a central organisation is expected to be established in order to co-ordinate all of the actors involved, public or private, as well as to call for accountability and action.

Each public sector entity is responsible for its digital security

The PNSI establishes a general principle whereby each organ and entity of the public administration is responsible for managing digital security in its own scope of action, including through the elaboration of its information security policy, designation of an internal information security manager, establishment of an information security committee, training, etc.15

The Ministry of Transparency and the Union Comptroller Office is tasked with auditing the implementation of the PNSI’s activities under the responsibility of federal organisations and entities.

Central Bank of Brazil

In April 2018, the Central Bank of Brazil (BCB) published a resolution16 to provide for the digital security policy and requirements on data processing and storage, including cloud computing. Such requirements shall be observed by financial institutions and other organisations authorised by BCB to operate in the financial market.

Financial institutions should implement and maintain a policy framework for digital security, respecting principles and guidelines for confidentiality, integrity, and availability of information systems and data.

The policy framework must include: the institution’s digital security objectives; procedures and controls to reduce the institution’s vulnerability; classification of data and information by relevance; definition of parameters to be used to assess incidents; mechanisms for dissemination of digital security culture in the institution; and information-sharing initiatives on relevant incidents.

BCB made other requirements, such as digital security policy disclosure to all employees; incident response and action plans; adoption of hard safety issues when contracting data-processing, storage and cloud-computing processes; and setting up monitoring and control mechanisms to ensure the implementation and effectiveness of the digital security policy.

BCB may rule out or restrict data-processing, storage and cloud-computing services contracts whenever it detects non-compliance with the provisions of the resolution or other BCB regulations. BCB may then establish a deadline for compliance.

BCB’s technical digital security expertise relies in part on its CSIRT, which serves the financial sector and is in contact with large banks in the country.

ComDCiber (Ministry of Defence)

Issues related to national security and cyber defence, which are not in the scope of this section, are under the responsibility of the Cyber Defence Command (ComDCiber) and the Cyber Defence Centre (CDCIber), both specialised command bodies part of the Brazilian army. However, it is important to highlight the role played by ComDCiber, which has significantly more resources and staff than the GSI/PR, in particular at the technical level, and can take initiatives beyond the strict protection of the defence domain, such as the Cyber Guardian Exercise.

The second edition of the Cyber Guardian Exercise took place on 2-4 July 2019 at ComDCiber in Brasilia. About 200 members from 40 organisations participated in this simulated digital security exercise, including representatives from the financial, nuclear, electrical and telecommunications sectors. ComDCiber conducted the simulated training in a shared environment with other agencies. The initiative fostered collaborative action between government agencies, academia, private sector organisations, and the wider security and defence community.

The virtual simulation used the Cyber Operations Simulator (SIMOC) programme, which emulated computer systems used by participating agencies and companies. The constructive simulation used information technology, media, legal and senior management crisis offices, which provided solutions for security events which could impact those organisations. Discussions in crisis offices resulted in action at the decision-making and management level (crisis management) as well as at the technical level (incident response). Through SIMOC, attack situations against critical infrastructures were reproduced in electrical, telecommunications, financial and nuclear environments.

For example, the nuclear exercise comprised three groups working in co-operation: the crisis cabinet, the nuclear regulatory framework implementation team and digital systems test team. The digital systems test team used a simulator to test digital systems installed in nuclear plants, which serves as a cyber training tool. The simulator is part of a project by the National Atomic Energy Agency, developed by the Navy Technology Centre in São Paulo and the University of São Paulo. It is used by 17 institutions from 13 countries.

Participants acted collaboratively to prevent and resolve incidents involving information assets relevant to national defence. With this exercise, ComDCiber aims to integrate government, the private sector and academia in enhancing the protection of the national cyberspace.

Other actors of Brazil’s digital security governance

Brazil’s primary digital security focus on national security is evolving to include economic and social aspects

The focus of digital security policies in Brazil has evolved from a technical dimension in 2000-11, to a national security dimension in 2012-18, driven in part by the organisation of mega-events and the revelations by Edward Snowden about cyberespionage by the United States. The overarching mission of the Strategy for Information and Communications Security and Cyber Security in the Federal Public Administration 2015-2018, which was to “ensure and defend the interests of the state and society for the preservation of national sovereignty”, illustrates this evolution.

The 2018 Digital Transformation Strategy, which aims to “embrace digital transformation as an opportunity for the entire nation to take a leap forward”, is the first Brazilian policy document to address digital security as part of a broad prosperity agenda and not solely from the national security perspective. Digital security is presented as part of an enabling thematic axis on “trust and confidence” and the recommended strategic actions primarily focus on measures that can support the digital transformation in Brazil from an economic and social perspective. The thematic axis also addresses the “protection of rights and privacy”, echoing the trust policy dimension of the OECD Going Digital Integrated Policy Framework (OECD, 2019a). The Digital Transformation Strategy can therefore be viewed as a first step towards broadening the scope of Brazilian digital security policies to economic and social prosperity.

Nevertheless, the PNSI, published later in 2018, includes national sovereignty and human rights as the first and second principles, but does not consider economic and social prosperity as an objective of digital security.

A comparison of these two documents shows that this evolution is progressive. It is likely that each document reflects the perspective of the bodies that have developed it, namely the Ministry of Science, Technology, Innovations and Communications for the Digital Transformation Strategy, and the GSI/PR for the PNSI. The content of the National Cybersecurity Strategy and the consultation process carried out by the GSI/PR for its development demonstrate that Brazil is heading towards a more holistic approach to digital security, placing more emphasis on the economic and social dimension.

Brazil is at an early stage of promoting digital security across society

The general perception among experts in Brazil is that the government is starting to elevate digital security as a priority for the economy and society and that, apart from very large firms and some specific public sector bodies, most public and private stakeholders are not giving enough attention and resources to this issue.

In addition, over time, policy documents in Brazil have been using different concepts and terms to cover different aspects of digital security, including information security, cybersecurity, cyber defence, data protection, as well as related terms such as information assets, critical infrastructure, cyberspace, etc. Where available, definitions have not always been consistent over time, which can be explained by many factors, including that the approaches themselves have been evolving. However, definitions are sometimes confusing. For example, the PNSI defines information security as including cybersecurity, cyber defence, physical security and protection of organisational data; as well as actions to ensure the availability, integrity, confidentiality and authenticity of information (Article 2). This suggests that actions to ensure availability, integrity, confidentiality and authenticity are different from cybersecurity and cyber defence, which themselves are not defined.25

In addition, interviews carried out for this Review have shown that, beyond a circle of “information security” experts, there is widespread confusion between digital security and “data protection” (i.e. privacy protection). Many actors do not distinguish between the two areas and do not understand their relationship, including how they can strengthen or undermine each other. This situation is likely to evolve following the full implementation of the data protection law in Brazil.

This shows that the conceptual basis for approaching digital security policy in Brazil has considerably evolved over the last decade and is entering a new phase with the adoption of the National Cybersecurity Strategy.

At this juncture, a key challenge for Brazil is to recognise that, although in theory, “cybersecurity” (or “information security”, depending on terminological preferences) can be viewed as a monolithic challenge, it is in reality a multidimensional policy area. In practice, it can cover at least four dimensions: 1) national security; 2) economic and social prosperity; 3) technology; and 4) law enforcement ( Figure 4.5).

Figure 4.5. The four dimensions of “cybersecurity”

Actors and communities addressing each dimension have different cultures, backgrounds and objectives and can sometimes converge, overlap or compete, depending on the context and precise issue. Cryptography policy is a typical example of competing objectives, with businesses, organisations and consumers promoting the unregulated use of cryptography to support trust and facilitate e-commerce, digital governments and innovation on line, while law enforcement and intelligence call for more regulation to facilitate access to encrypted data in order to combat criminals and terrorists. Digital security of critical activities and infrastructure is another example where tensions can appear between economic and social prosperity and national security objectives, depending on the situation.

Ideally, terminology should reflect distinctions between the dimensions of digital security. For example, to reduce confusion and potential misunderstandings, the 2015 Security Risk Recommendation uses the term “digital” instead of the prefix “cyber”. The term “digital” is consistent with expressions that characterise the economic and social perspective of ICT policy, as in “digital economy”, “digital transformation”, “digitalisation”, etc. It is also common in business environments. In contrast, the prefix “cyber” is often used in relation to law enforcement (cybercrime) as well as national/international security (cyber warfare, cyber defence, cyber espionage, cyber command, etc.). The Security Risk Recommendation also uses the expression “digital environment” instead of “cyberspace”, which is common in military doctrines as a domain of operations in addition to air, sea and land.

The main priority for Brazil is to raise awareness and promote the adoption of good digital security practices by all stakeholders

Brazil has made an important step forward with the acknowledgement of digital security as an enabler of economic prosperity in its Digital Transformation Strategy. In line with the first principle of the OECD Security Risk Recommendation (Box 4.2), the next step is to raise the awareness of businesses, public sector organisations and individuals about the importance of digital security to foster trust and support digital transformation; and to encourage them to adopt good digital security practices, enhance their digital security skills and empower them to manage digital security risk.

To do so, it is important to understand that, in organisations, digital security is primarily an economic and social challenge rather than only a technical issue and why digital security risk management should be a business, as opposed to a technical, process.

First, digital security incidents due to insufficient digital security risk management will potentially harm an organisation’s economic and social objectives, operations, competitiveness, and reputation, as well as its customers’ and users’ trust and, potentially, privacy. Therefore, ensuring effective digital security risk management should be a business (as opposed to a technical) leadership’s responsibility. To the extent that it can threaten the organisation as a whole, it should be owned by the highest level of leadership and followed at board level in an organisation-wide manner.

Second, although digital security measures aim to protect economic and social activities, they can also inhibit them by increasing costs, reducing performance and the openness and dynamic nature of the digital environment, which are essential to realising the full benefits of digital transformation. Business (as opposed to technical) decision makers should own digital security risk related to their business activities rather than delegate it to technical security experts. While technical security experts understand the technical aspects of digital security risk, they cannot assess the possible business impact of security measures on every line of their organisation’s business and support activities. They should, however, support business decision makers as best they can to ensure their informed risk management decisions.

For example, one option to eliminate a virus from a system might be to shut down that system, clean it and turn it back on. While this may sound like a technical decision, it is in fact a business decision, because there might be negative business consequences in interrupting that system, such as stopping a production line or preventing customers from placing orders, etc. The decision maker owning the responsibility for shutting down the system should also own the responsibility for the possible negative consequences of doing it. S/he relies, however, on technical experts to most appropriately assess the technical risk and take the best-informed risk management decision.

Last, although they aim to create trust, digital security measures can also undermine confidence by raising suspicion related to human rights and fundamental values, in particular privacy. Digital security and privacy protection can reinforce or undermine each other depending on how they are managed. It is therefore essential that digital security and privacy protection be approached in a coherent manner, including from a legal and ethical perspective.

As a result, leaders and decision makers in organisations need to adopt a business-driven (as opposed to a technology-driven) approach that leads to the most appropriate selection and management of digital security measures, in light of the economic and social activities at stake as well as the need for trust and confidence. They should understand and be responsible for digital security risk and work in co-operation with technical security experts to take digital security decisions.

This means that public policies aiming at encouraging businesses and public sector organisations to step up their digital security should target leaders and decision makers as well as ICT professionals and experts, instead of only the latter.

Brazilian policies promote a risk management approach to digital security (e.g. the PNSI, Article 3-VIII) and encourage the implementation of information security risk management standards in the public administration. However, they primarily focus on the protection of information systems, networks and data rather than on the economic and social activities that rely on them. In other words, they approach digital security as a technical rather than as an economic and social matter. Most countries have followed the same steps, at different paces, and many are struggling to shift from a technical to an economic and social digital security approach. The development of the National Cybersecurity Strategy provides an opportunity for Brazil to make progress in this area.

Brazil should establish more robust and better resourced governance for digital security

The Digital Transformation Strategy, the PNSI and the National Cybersecurity Strategy cover many key aspects of an up-to-date digital security policy framework. These include standards and norms for digital security in the public administration, awareness raising, education and skills development, research and innovation, the protection of critical infrastructure, etc. However, most of them are addressed at a very high level, and implementation measures have not yet been defined. Implementation plans are expected to fill the gap. The definition and implementation of many of these implementation plans will require collaboration across several federal government agencies, regional and local bodies, as well as non-governmental stakeholders.

The Digital Transformation Strategy and the PNSI also mention human rights, fundamental values and privacy, as well as multi-stakeholder collaboration. These areas are particularly important, and can be challenging for Brazil.

Since 2006, digital security governance has been co-ordinated by the GSI/PR, an entity that has developed a certain degree of expertise in this area but which is characterised by its national security/military culture. During this period, some have criticised

The GSI/PR’s Secretariat for Information Security reports to the same minister as the Brazilian Intelligence Agency.

A key challenge for the GSI/PR will be to build trust with other government agencies at different levels (e.g. federal, regional, local, etc.), businesses (including foreign companies) and other non-governmental stakeholders in order to establish a long-standing partnership to promote digital security for prosperity in Brazil.

The Department for Information Security at the GSI/PR has significantly evolved over time. It has more and diversified staff, is better recognised at the political level, in particular following its elevation to a secretariat. It has also adopted a more open culture, illustrated by the working groups organised to develop the first draft of the National Cybersecurity Strategy through the public consultation held to gather input for the document. Many stakeholders have praised this evolution, noting, however, that the consultation process could have benefited from more publicity in order to involve more stakeholders. This is definitely a step in the right direction.

A key challenge is that the GSI/PR does not have competence to regulate the private sector. Instead of regulating, it publishes standards, makes their implementation mandatory by the federal administration, and encourages their voluntary adoption by other stakeholders. This includes various means, such as requiring compliance with these standards for public procurement. The general Brazilian governance approach with respect to digital security regulation is decentralised: as illustrated by the Central Bank example above, sectoral regulators are competent to regulate digital security in their area. As there is no centralised digital security agency in Brazil, sectoral regulators are invited to build upon the standards and good practices provided by the GSI/PR. This approach is closer to that of Sweden and the United Kingdom rather than France.

There is no universal model for digital security policy governance. Centralised and decentralised approaches have different pros and cons. For example, the decentralised approach enables sectoral regulation carried out by sectoral regulators to be better tailored to the sector’s specificities. However, it raises the issue of each sectoral regulator aggregating a sufficient critical mass of expertise in order to be able to issue balanced and effective regulation, as well as to supervise its implementation. It also creates a situation where regulated entities may be reluctant to share digital security risk-related information with a government body tasked with regulating their activities more generally.

More generally, most governments have been struggling to set the most appropriate governance framework for cybersecurity, finding it difficult to strike the right balance between economic and social, national security, criminal law enforcement, and technical aspects. A good practice is to recognise the need for a whole-of-government approach co-ordinated at a high level of government with a view to balance the potentially competing objectives of each dimension. However, again, there is no one-size-fits-all model for how to implement this good practice. Governance frameworks and co-ordination mechanisms vary considerably, reflecting countries’ history, style of government and maturity in this area.

For example, Australia, Japan and the United Kingdom have assigned policy co-ordination to the Prime Minister through the Cabinet Office. France established a national co-ordination agency within a pre-existing co-ordination body under the Prime Minister (ANSSI), and Israel created a national agency reporting directly to the Prime Minister (INCD); the United States established a Cybersecurity and Infrastructure Security Agency (CISA) in its Department of Homeland Security; Canada, Germany and the Netherlands have placed the main responsibility for digital security under an existing ministry (respectively Public Safety, Interior, and Security and Justice). In all of these cases, there are also different arrangements with respect to which agency or agencies) is/are responsible for policy and operational matters. For example, in the United Kingdom, the Department for Culture, Media and Sports is responsible for economic and social policy while the National Cyber Security Centre is responsible for operational aspects. In contrast, both aspects are addressed in a centralised agency in France. In Germany, the Ministry of Interior has the lead for public policy making but the Federal Office for Information Security has the technical competence and responsibility. Lastly, multi-stakeholder co-ordination is also concretely carried out differently across countries. In many countries, it took a couple of new versions of the initial cybersecurity strategy to set a relatively stable governance model.

Implementation of the strategy

The adoption of the strategy is an excellent first step, but it now needs to be translated into specific action items. In doing so, it is important to recognise that Brazil is at an early stage of development in this area and needs to take a step-by-step approach, distinguishing short-, medium- and long-term priorities.

Policy recommendations: To develop the agenda for the implementation of the National Cybersecurity Strategy, the government should build upon and expand the multi-stakeholder efforts undertaken to develop the strategy. For example, it could create a broad community of digital security leaders in the public and private sectors, academia, and civil society and hold annual meetings to develop the implementation plan and assess progress in its implementation over time. Such meetings would also provide an opportunity for the broader multi-stakeholder Brazilian digital security community to emerge, gather and dialogue, including through a national conference. It could aim at eventually becoming the main cybersecurity event in Brazil and Latin America, echoing, for example, the Israeli Cyber Week (Tel Aviv), the Dutch ONE Conference (The Hague), the French International Cybersecurity Forum (Lille) or the Singapore International Cyber Week.

Being at an early stage, awareness raising and education are particularly critical. In practice, Brazil should identify gaps in awareness and knowledge about digital security in society among businesses, governments and individuals. On this basis, it should develop an action plan to strengthen digital security training and education programmes at all levels (primary, secondary, higher education and vocational training), identify existing digital security experts who can teach and train the trainers, perhaps through a national register of digital security trainers; and encourage students to pursue carriers in digital security. The recently published National Cybersecurity Strategy points in this direction.

It will also be important for Brazil to periodically assess the effectiveness of its strategy, as experience from OECD countries demonstrate. Brazil would benefit from developing tools to evaluate the implementation of the strategy, assess progress and needs to revise the strategy.

Co-ordination and decentralised responsibilities

According to the National Cybersecurity Strategy, the GSI/PR will continue to co-ordinate digital security at the national level. Is the GSI/PR the most appropriate institution to promote digital security risk management to the private sector, to encourage digital security innovation, to stimulate digital security education and training, etc.?

Policy recommendations: It seems that, to achieve the best results, Brazil should follow a co-ordinated decentralised approach, where different ministries and agencies would have the lead in their area of competence, leveraging their expertise and networks, with the GSI/PR having a co-ordination role. However, there is currently limited digital security expertise that can be leveraged outside of the GSI/PR to develop more tailored initiatives led by other ministries and agencies. One option would be for Brazil to train digital security policy experts to progressively enable each ministry and agency to start developing and implementing action plans in their respective areas.

Multi-stakeholder dialogue

Will the military and national security culture inherent to the GSI/PR be appropriate in the long run to promote digital security as an economic and social challenge and to facilitate trusted relationships with all economic and social actors? Digital security is an economic and social policy priority that requires the participation of all stakeholders. Sustainable trust between the co-ordinating government agency, other parts of the government and non-governmental stakeholders is essential. It aims to: establish a constructive public-public and public-private dialogue with a large number of stakeholders; ensure that policy measures are appropriately balanced and do not create unnecessary obstacles to the use of digital technologies for innovation and growth; create the conditions to share risk-related information with businesses; facilitate the promotion and dissemination of good practice throughout society by civil society; and ensure the protection of privacy and other human rights. The organisation and simplification of digital security governance in Brazil should aim at enabling digital security to grow while engaging all stakeholders in a sustainable manner.

Policy recommendations: One option might be to build on the lessons learnt from the Brazilian Internet governance model (CGI) to create a multi-stakeholder setting to facilitate debates and co-ordination. In addition, the government should encourage the establishment of a digital security governance structure for the private sector. It should also facilitate the creation of groups bringing together chief information security officers and other security professionals throughout Brazil, without necessarily taking part in their discussions. Such groups would then become discussion partners for the government, thereby facilitating the exchange of information on digital security threats, vulnerabilities, incidents, and risk management measures in both the public and private sectors.

Growth of domestic and cross-border e-commerce

According to data from the Brazilian Consumer and Retail Association, B2C e-commerce sales are relatively small in Brazil, representing 3%35 of all retail sales (export.gov, 2019; Administrative Council for Economic Defence of Brazil, 2018). Nonetheless, e-commerce sales in Brazil grew at an annual rate of 16% in 2019, far exceeding growth in the economy as a whole (Ebit Nielsen, 2020).

Brazil’s e-commerce market, however, seems to offer outstanding opportunities for online retailers at local, regional and global levels. According to Euromonitor International, Brazil generates about 42% of all B2C e-commerce in Latin America. In 2017, an estimated 52.8 million people were shopping on line in the country, representing an increase of 11% compared to 2016 (Société Générale, 2019). A recent study conducted by PwC found that that 53% of Brazilians use their smartphones to research products, and 32% use online payments to purchase goods (export.gov, 2019). Increased consumer interest in, and adoption of, mobile devices to search and compare products on line, including on social media, is expected to further boost e-commerce transactions.

With respect to cross-border e-commerce, available data show that 23% of Brazilian consumers shop on US-based websites versus 9% of European consumers. Half of the Brazilian population (around 100 million people) has purchased through international websites, at least once. Chinese and other websites are also very popular, including AliExpress (45% of consumers), Amazon.com (40%), eBay (26%), DealExtreme (12%) and Apple Store (10%) (Société Générale, 2019).

Consumer complaints

Consumidor.gov.br36 and the National Consumer Defence Information System (SINDEC)37 are two main databases maintained by Senacon,38 containing consumer complaint data about e-commerce transactions. As explained later in this report, while Consumidor.gov.br serves as an online dispute resolution system, SINDEC39 provides all stakeholders with information concerning companies about which consumers have complained the most.

As shown in Figures 4.6 and 4.7, a growing number of e-commerce problems has been reported by consumers since 2017 on both platforms. The highest number of consumer complaints are related to non-delivery or late delivery of products. A number of consumers also experienced various problems throughout the transaction process, including payment confirmation and cancelling of transactions, and communicating with a business.

Figure 4.6. E-commerce complaints submitted to Consumidor.gov.br, 2017-19

Source: Consumidor.gov.br (2020), Indicatores (database), https://consumidor.gov.br/pages/dadosabertos/externo/ (accessed in March 2020).

Figure 4.7. Major e-commerce complaints reported on SINDEC, 2017-19

Source: OECD, based on information provided by the National Information System for Consumer Protection (Sistema Nacional de Informações de Defesa do Consumidor, SINDEC).

As shown in Figures 4.8 and 4.9, mobile phones attracted the highest number of consumer complaints on both platforms from 2017 to 2019. Consumers also encountered problems with a wide range of products, including furniture, electronic devices, clothing, and Internet and travel services. Figure 4.10 shows that a number of consumers faced problems with online retailers and marketplaces.

Figure 4.8. E-commerce complaints per product category submitted to Consumidor.gov.br, 2017-19

Source: Consumidor.gov.br (2020), Indicatores (database), https://consumidor.gov.br/pages/dadosabertos/externo/ (accessed in March 2020).

Figure 4.9. E-commerce complaints per product category reported on SINDEC, 2017-19

Note: IT = information technology.

Source: OECD, based on information provided by the National Information System for Consumer Protection (Sistema Nacional de Informações de Defesa do Consumidor, SINDEC).

With respect to cross-border transactions, issues associated with long delivery times (44% of consumers buying across borders) and a lack of security (31%) have also been reported by consumers (PagBrasil, 2018). However, it should be noted that neither Consumidor.gov.br nor SINDEC contains a specific issue category on cross-border transactions, thus information on available consumer complaint databases does not help to understand the degree to which Brazilian consumers experience problems with cross-border transactions.

Figure 4.10. Complaints by economic group reported on SINDEC, 2017-19

Source: OECD, based on information provided by the National Information System for Consumer Protection (Sistema Nacional de Informações de Defesa do Consumidor, SINDEC).

Institutional oversight

The E-commerce Recommendation highlights the need for authorities to have:

• the power to investigate and take action to protect consumers against fraudulent, misleading or unfair commercial practices and the resources and technical expertise to exercise their powers effectively

• the ability to co-operate and co-ordinate their investigations and enforcement activities with their counterparts in foreign jurisdictions.

Authorities with powers to act at the domestic level

The main Brazilian consumer protection authority is Senacon, which sits under the Ministry of Justice and Public Security. Created in 2012, Senacon succeeded to the DPDC, which was established in 1990 by the CDC.

Senacon’s main powers and attributions are provided in Article 106 of the CDC and Article 3 of Decree 2.181 of 20 March 199741 that regulates the NCDS. Senacon oversees the development, implementation and enforcement of consumer protection laws, including through co-ordination with the NCDS. Senacon also maintains Consumidor.gov.br, which is a free public out-of-court service that can be used by consumers and companies to resolve their disputes arising from online transactions. In addition, Senacon has the power to engage in international co-operation with authorities in other countries. It does so mainly through the UN Conference on Trade and Development’s (UNCTAD) Informal Group of Experts on Consumer Protection, the Southern Common Market (Mercosur), the Ibero-American Forum of Consumer Protection Agencies, and the Organization of American States.

The NCDS encompasses a number of public entities at the federal, state and local level, such as the Consumer`s Protection and Defence Authorities (Procons), the public prosecutor’s offices, the public defenders offices, specialised police offices (Decons), as well as private entities and civil organisations promoting programmes and assistance in protecting consumers rights. Procons are responsible for co-ordinating their own local or state consumer policies. Moreover, Procons provide support for consumers and investigate consumer problems, while Senacon does not carry out these functions. Senacon’s main objective is to co-ordinate the functioning of the NCDS in order to promote harmonised national policies for consumer relations.

The entities of the NCDS contribute to Senacon’s general task to design and promote policies regarding consumer protection, including in an e-commerce context. Some of the programmes promoted by Senacon are: the National School of Consumer Protection, the National Consumer Policy programme, the National Information System for Consumer Protection (SINDEC), and the National Consumer and Citizenship Plan (Plandec).

In recent years, Senacon has explored ways to improve the effectiveness of Brazil’s institutional framework. The agency has, in particular, signalled that it would need more resources and expert staff to engage in international co-operation.

Senacon currently has 90 staff, of which about 30 are technical experts. It has an annual direct budget of USD 950 000. According to a 2018 OECD study on cross-border enforcement co-operation across 31 countries, on average (despite great variations among countries), consumer agencies have 369 employees and a budget of USD 33 million (OECD, 2018).

The need for resources to assist in the implementation of Brazil’s consumer protection framework may increase as the country introduces new measures for consumer data protection. On 14 August 2018, Brazil enacted a new General Data Protection Law (Law 13.709) and is working towards the establishment of a National Data Protection Authority (NDPA). Senacon is expected to co-operate with the NDPA to address consumer data-related issues. Moreover, following the adoption of Decree 10.197 in 2020, Consumidor.gov.br has become the official federal government platform for handling consumer dispute resolutions. As a result, issues associated with consumer data protection are within the scope of the platform, and consumer complaints regarding consumer data protection are filed at Consumidor.gov.br.

Cross-border co-operation

The E-commerce Recommendation puts a strong emphasis on enhancing and facilitating international co-operation in fights against fraudulent and misleading commercial practices across borders. The issue is becoming particularly important as global consumer complaint data show that the growing volume of cross-border transactions on line has been coupled with an increase in cross-border fraud, and a growing availability on line of unsafe products that have been banned or recalled from the offline marketplace.

In such a context, where new business models and technologies have made it easier to use virtual borders to evade regulations by setting up in one country and targeting consumers in another, deeper and more routine cross-border co-operation is needed. In 2018, more than 29 000 international complaints were reported to econsumer.gov,42 a website dedicated to collecting cross-border complaints maintained by the International Consumer Protection Enforcement Network, which is an informal network comprised of consumer authorities from over 60 countries (including 14 G20 economies).

To date, there is no specific framework on cross-border co-operation in consumer protection in Brazil. Aside from the lack of resources to engage in cross-border co-operation, the lack of framework for cross-border co-operation has been identified as a barrier to international co-operation. Hence, Senacon should be equipped with the abilities and tools necessary to further enhance cross-border co-operation.

Senacon has signed a Memorandum of Understanding on consumer protection with seven countries, including Argentina, Germany, Korea, Paraguay, Peru, Portugal and Uruguay. Recently, it has also strengthened its engagement in cross-border co-operation within the framework of the OAS’ Health and Safe Consumption Network, to address product recall issues. Senacon is one of the founders of the RCSS, which covers recalls of products, foods and medicines. Senacon has also co-operated with counterparts within the framework of the Mercosur in areas such as consumer complaints handling.

Until 2018, Senacon did not have the necessary resources to engage in cross-border co-operation with foreign consumer protection agencies nor to enhance its collaboration with the OECD and other fora, such as UNCTAD. Senacon is currently in the process of obtaining more resources (including budget and expert staff) to promote and engage in international co-operation, including to help enhance the capacity of the NCSD to collaborate with the international co-operation carried out by Senacon. Senacon has started a process for joining the International Consumer Protection and Enforcement Network, and intends to also participate in the econsumer.gov platform, once the Portuguese version of the platform is launched.

Role of industry associations

There is a large number of private associations and chambers involved in the development of guidance and policies related to information technology, including policies concerning digital issues and studies on e-commerce and Internet. These entities are not linked to the NCDS associations.

The most active private sector organisations focusing on e-commerce in Brazil are:

The Brazilian Chamber of Electronic Commerce (Camara e-net)43 is the most representative Brazilian entity in the digital economy whose major role has been to promote security in electronic transactions, formulate public policies and improve sectoral regulatory frameworks that provide legal support to the incentive measures necessary for the development of the country. It also aims to encourage innovation, knowledge generation and the sustainable development of the digital economy. Camara e-net has eight special committees that companies may join and support their work: 1) Antifraud and Risk Management; 2) Trusted Digital Identities; 3) Insurtechs; 4) Legal; 5) Internet Payment Systems; 6) Micro, Small and Medium Enterprises; 7) Traveltech; and 8) Online Retail. Camara e-net also promotes consumer trustmarks like Clique e-Valide44 and supports national campaigns to help consumers navigate and purchase safer on line, like Internet Segura45 and DETONAWEB 2019.46

The Brazilian Electronic Commerce Association (ABComm)47 is a non-profit organisation composed of a large number of national retail companies from the information technology sector. The association promotes the interests of technology companies with government institutions. ABComm’s website contains useful information on e-commerce, including studies and surveys.

Senacon oversees the implementation of a number of co-regulation initiatives. For instance, in 2019, the telemarketing industry launched a “Do not call” initiative to ensure that businesses do not make unsolicited telemarketing calls to consumers. Similarly, in 2020, the Brazilian Federation of Banks will commence a “Do not call for credit offers” platform.

The role of consumer associations

Consumer associations play an important role in the development and implementation of Brazil’s consumer policy framework. Some consumer associations, including Idec and Proteste, are members of the NCDS, and take part in the development and dissemination of consumer policy.

In addition, many consumer associations in Brazil help raise consumers’ awareness through their website, publications and other promotional activities. For instance, a number of consumer associations have participated in annual consumer awareness campaigns in relation to Black Friday sales.

Dispute resolution mechanisms and redress for consumers

Education and awareness

One relevant instrument that Brazil developed in this area was the Foreign Consumer Guide50 created by the Procon of the state of Parana under the supervision of the Brazilian Institute for Metrology, Standardisation and Industrial Quality (INMETRO).51 The main purpose of the guide is to provide guidance to foreign consumers in Brazil on their rights and obligations in their relations with businesses and entities in different areas of the economy. The guide was drafted based on the rights and obligations of businesses and consumers in the CDC. It contained information such as where to file a complaint and how to obtain legal redress and provides a list of consumer and defence organisations and associations that may support consumers through their disputes. It has not, however, been updated.

The National School of Consumer Protection (NSCP)52 was created on 13 August 2007, through Ministerial Ordinance 1.377. It is actively engaged in fostering knowledge and education on consumer protection by providing specially designed training to members of the NCDS across the country, as well as building specific knowledge on consumer relations, which are essential for the elaboration of public policies. The NSCP has a large number of digital manuals and guides to protect consumer rights. For example, it created a guide on data protection in consumer relations and credit information. The NSCP has a partnership with the University of Brasilia to implement an official certification system. It has expanded its public education programmes by engaging other national public agencies like the National Health Surveillance Agency; the National Civil Aviation Agency; the Central Bank of Brazil; the National Telecommunications Agency; the Ministry of Agriculture, Livestock and Supply; and the National Health Agency, among others.

New initiatives have been implemented in recent years to educate and raise consumer’s awareness of their rights in e-commerce and to increase their digital competence. For instance, Senacon produced an educational video on consumer issues related to the digital economy.53 In addition, educational programmes targeting vulnerable or disadvantaged consumers have been developed, which look at the impact of social media on the youths’ consumption trends.54