In 2020, the Brazilian federal government published its first National Cybersecurity Strategy (E-Ciber), indicating, for the first time, how it intends to establish a whole-of-society approach to cybersecurity policies and guidelines.
The strategic paper “Cybersecurity in Brazil: an analysis of the national strategy”, by the Igarapé Institute, looks into the E-Ciber and presents recommendations for a multistakeholder vision for cybersecurity governance. The study positions the Strategy historically, reviews the strategic objectives in light of other international experiences and provides recommendations for its implementation.
Public oversight of the E-Ciber could enhance transparency and accountability in monitoring how strategic objectives are being met. To do so, we recommend the publication of an annual report detailing the achievements and challenges for implementing the E-Ciber.
Establish communication channels with civil society and recognize its role as an important actor with experience in training programs. This communication will be fundamental for a more transparent discussion about national cybersecurity and for the inclusion of human rights as a fundamental element in the FPA’s cybersecurity agenda.
Improve public and private sector information sharing mechanisms related to incidents and vulnerabilities, and establish directives for coordinated vulnerability disclosure. Guides and reports with recommendations from the government on this topic should be accessible to the whole of society.
Although the Strategy includes consultation mechanisms like the Council, its implementation also depends on improving communication between GSI, CSOs and academic groups (from the humanities and from the natural sciences). To this end, it is imperative that GSI construct communication and outreach to engage more effectively with these groups.
Assess GSI’s internal capacities vis-à-vis expanding its roles and responsibilities in national cybersecurity. Future efforts should prioritize multistakeholder implementation plans.
Evaluate the timing and/or necessity of a Cybersecurity Bill, avoiding further confusion between cybersecurity and other themes, such as disinformation.