Written by: Abdías Zambrano – IPANDETEC Central America
The Central American region, one of the most unequal, violent and poorest in the world, is facing various challenges in its digitalization efforts, namely the consequences of a poor culture of cybersecurity, from various sectors, including decision makers and public policy makers.
The COVID-19 pandemic has significantly increased cyber-attacks, both on the general population and on public and private institutions.[ii] In this sense, Central America is one of the most vulnerable regions with a sustained increase of attacks during the last years as a result of the lack of trained human resources to face the challenges that it implies, small budgets for cybersecurity, the lack of interest from legislators and the lack of knowledge of citizens about these issues.[iii],[iv] Let us analyze the realities of cybersecurity in the region.
Cybersecurity issues in the region We could mention that one of the first problems is budgetary. In the region, cybersecurity expenditures are not so high, despite heavy investments in technological infrastructure in some countries[v] . This is due to the lack of governmental awareness of cybersecurity. By 2020, only three countries in the region had a cyber-attack response team. Some countries do not even have a catalog that identifies the country’s critical infrastructure. Even worse than this, laws do not have the capacity to act efficiently against cybercrime, while at the same time the laws violate various human rights.
This is the case in El Salvador where there is no CSIRT,[vi] while recently the Legislative Assembly passed a law that empowers the police to conduct covert online investigations, opening a wide and dangerous door to the persecution of opponents, human rights activists, among other groups that may be at risk. While Panama, the Dominican Republic and Costa Rica,[vii] are signatories to international treaties that oblige them to make changes to their legislation, they maintain a CSIRT that defends them from cyber-attacks, and a cybersecurity strategy. At the same time, the region is in the initial stages of legislating on data protection. Only Panama, Costa Rica and Nicaragua maintain a data protection law, Costa Rica’s being very outdated for the needs that digitization demands, while Nicaragua does not maintain a data protection authority that exercises the protection stipulated by law.[viii] These types of particularities, which are seen throughout the region, are unknown to public policy makers, which is another important problem to be addressed. Parliaments do not often include technology-related discussions as a priority because their committees and working teams do not include professionals specialized in areas related to information and communication technologies.
“By 2020, only three countries in the region had a cyber-attack response team. Some countries do not even have a catalog that identifies the country’s critical infrastructure.”
On the academic side, there are not many careers focused on cybersecurity and the vast majority of traditional careers do not include subjects that address this need, both on the technical and public policy side. This leaves the region ill-prepared for the challenges brought about by the COVID-19 pandemic and rapid digitalization in the labor market.[ix]
Positive developments
However, not everything is bad in the region, some countries are advancing ambitious bills that seek to create public policies on cybersecurity. This is partly due to their membership of the Budapest Convention on Cybercrime, a document that ensures human rights standards for the benefit of the inhabitants of the signatory member. At the same time, the Council of Europe provides them with frequent training, contacts and materials to address their commitment.
Similarly, Central American states are advised by regional organizations such as the Organization of American States (OAS) or the Central American Integration System (SICA). In this regard, the OAS maintains an Inter-American Committee against Terrorism (CICTE) and the Cyber Security Program, both of which provide support to States that require it when building capacities in their institutions, through training sessions for judges and members of judicial bodies, public policy makers, cyber-attack response teams, defense entities, among others.
From civil society, various organizations are advancing cybersecurity agendas. This is the case of IPANDETEC, where during 2019 and 2020, workshops were held to build capacities in cybersecurity and personal data protection in El Salvador, Honduras and Guatemala.[x] At the same time, the private sector is the one that invests the most in cybersecurity.[xi]
The pandemic has provided an unique opportunity for the region to change and improve its security plans, with increased citizen awareness of digitization and the importance of cybersecurity. Let’s see if they know how to take advantage of it.
“The pandemic has provided an unique opportunity for the region to change and improve its security plans, with increased citizen awareness of digitization and the importance of cybersecurity.”
NOTES
[i] Central America geographically comprises Guatemala, Belize, Honduras, El Salvador, Nicaragua, Costa Rica and Panama. This article focuses on Spanish-speaking countries belonging to the Central American Integration System, which excludes Belize and includes the concept of the Dominican Republic.
[ii] 77% de las empresas ven más riesgos de ciberseguridad en 2022 (forbes.com.mx)
[iii] Panamá presentó más de 767 millones de intentos de ciberataques en 2020 (laestrella.com.pa)
[iv] https://www.eleconomista.net/tendencias/El-Salvador-con-58–de-ciberataques-a-empresas-20210503-0008.html
[v] https://www.larepublica.net/noticia/mas-de-200-millones-de-intentos-de-ciberataques-afectaron-a-costa-rica-en-2020#:~:text=el%20a%C3%B1o%20pasado-,M%C3%A1s%20de%20200%20millones%20de%20intentos%20de,a%20Costa%20Rica%20en%202020&text=M%C3%A1s%20de%20200%20millones%20de%20intentos%20de%20ciberataques%20se%20registraron,mil%20millones%20en%20Am%C3%A9rica%20Latina.
[vi] CSIRT stands for Computer Security Incident Response Team. By definition, a CSIRT is a team of cybersecurity experts whose main task is to provide an organized response to computer security incidents
[vii] CIBERSEGURIDAD_IPANDETEC.pdf
[viii] https://www.vozdeamerica.com/a/tecnologia-ciencia_reporte-oea-bid-ciberseguridad-america-latina-caribe/6066175.html
[ix] Los 10 trabajos con más demanda en las mayores economías de América Latina, según LinkedIn – BBC News Mundo
[x] Los 10 trabajos con más demanda en las mayores economías de América Latina, según LinkedIn – BBC News Mundo
[xi] Empresas deben contemplar la inversión en ciberseguridad (eldinero.com.do)
