Different actors agree on the pressing need in Chile for a law to regulate cybersecurity, while there is a growing tendency in the business sector to begin integrating cognitive systems to guard against possible attacks.
By Alejandra Melo
In 2013, the former CIA contractor Edward Snowden leaked information about surveillance programs used by US government agencies including NASA, the CIA and FBI to The Guardian and The Washington Post newspapers. Once he had secured political asylum in Russia, Snowden then released thousands of documents related to more programs utilized to spy on the communications of citizens. Prior to the Snowden files, in 2010, WikiLeaks leaked a series of US Department of State documents and classified records about the wars in Iraq and Afghanistan.
Both of these events share one thing in common: they endangered the security of countries without the need to enter a building, or even come up against another person. This is because security is no longer simply conceived of as a physical attack, but also a digital one. The types of events involving Snowden and WikiLeaks mean that governments and companies have had to increase and modernize their standards of digital security, incurring greater investment costs as a result.
In Chile, cybersecurity is defined by the Interministerial Committee on Cybersecurity as, “a minimum of risks for cyberspace”, especially in relation to the protection of the confidentiality, integrity and availability of information circulating in the online environment, whether this pertains to the State or to private citizens.
Jaime Soto, Secretary General of the Chilean Association of Information Technology Companies (ACTI) explains that cybercrimes are committed committed via email, social media and smartphones. The type of data most vulnerable to theft is personal information and bank passwords.
According to the latest Latin American Security Analysts Summit, Latin America was subject to 1,100,000 malware attacks between August 2015 and August 2016, which is equivalent to 12 attacks per second. Similarly, the 2016 Cybersecurity Report compiled by the Inter-American Development Bank and the Organization of American States provides a number of important findings: four out of five countries in the region have no cybersecurity strategy or infrastructure protection plan; two out of three have no central command and control center for cyber security; and the vast majority of prosecutors lack the capacity to prosecute cybercrimes.
In the region, Uruguay, Brazil, Mexico, Argentina, Colombia and Chile are at an intermediate level in terms of cybersecurity maturity, but a long way behind the United States, Israel, Estonia and South Korea, where protection levels are high and the issue is a government priority.
Proposed law in Chile
Jaime Soto explains that, “a few months ago, Chile adhered to the European Convention (Budapest) on Cybercrime, which requires certain legal changes, for example, updating current legislation, amending Law 19.223 on information crimes, the legal categorization of phishing, and establishing legal responsibility for people committing cybercrimes, among other aspects”.
Regarding the digital arena, cybersecurity was not widely discussed in Chile until 2010. Furthermore, it did not form part of the official agenda until the administration of President Michelle Bachelet from 2014-2018, which began developing a digital security strategy with the mission to protect both public and private users.
By means of Supreme Decree 533, the Interministerial Committee on Cybersecurity (CICS) was created in 2015. The Committee is tasked with advising the Chilean president in regard to a new national policy, based on six core thematic areas: information infrastructure; the prevention, prosecution and sanction of cybercrimes; awareness raising, training and dissemination; cooperation and international relations; industrial and productive development; and cybersecurity institutions.
According to Raúl Arrieta, President of the Chilean Law and Technology Institute and Head of Gutiérrez & Arrieta Abogados legal firm, the proposal and creation of this type of law is essential because it relates, “to everyone who plays a role in a country”. For that reason, he says that it is necessary to devise a national policy which includes certain short-term measures.
He explains that the main asset of any modern knowledge-based society is information. This information, therefore, must be safeguarded. Consequently, Arrieta claims that the country needs to generate large investments in telecommunications infrastructure. Failing to follow through in this regard could jeopardize the services that depend on this architecture, such as data and voice applications, in the event of natural disasters, potentially leading to a blackout and consequently endangering the safeguarding of everyone’s information.
Simultaneously, he believes discussions should be held in relation to internet traffic data. “For how long is it stored? Why is it stored? Who has access to it? Does it make sense for a company to store internet traffic data for longer than the period in which customers can lodge a complaint about their billing? What does it mean to store it? What is stored exactly?” These questions are, Arrieta says, just some of the aspects to consider, in addition to acknowledgment of the fact that internet traffic data now includes a wide range of information such as geolocation, connectivity via mobile apps, general internet data, and more.
To confront these challenges, he suggests an amendment to Law 16.628 on information crime, as laid out in the Criminal Procedure Code, regarding the prosecution of related offenses.
Danic Maldonado, Commissioner of the Cybercrime Unit of the Investigations Police of Chile (PDI) explains that the industry most affected by cybercrime is the finance sector, particularly banking.
He claims that infected emails are especially common. This particular approach works according to the phishing methodology of cheating people out of confidential information in a fraudulent manner, primarily by means of obtaining users’ passwords and bank details.
Maldonado states that reporting of this type of crime increases significantly during periods of large-scale service-related payments, including the purchase of vehicle circulation permits and the income declaration season.
He stresses that while economic cybercrimes are the most widely reported, there are no formal statistics relating to the phenomenon. This is due to the lack of legislation that would make the reporting of these crimes mandatory. Without such a law, there is no basis from which to collect metrics for analysis purposes.
A range of actors recognize the need for public-private partnerships to combat internet banking fraud, as well as the importance of devising suitable legislation and enhancing telecommunications infrastructure.
“The key is for everyone to form part of this process. Both the general public and organizations must understand the value of partnerships of this type in protecting our private information and ensuring that it is safeguarded and secure”, says Jaime Soto.
Investing in security
Despite continuous attempts to carry out cyberattacks and the lack of regulations to legislate against these crimes, Nicolás Corrado, Cybersecurity partner at Deloitte, states that at the corporate level, Chile possesses strong protection technology that helps it to raise security levels. However, as in the rest of Latin America, weaknesses in intelligence monitoring and specialized human capital are constantly “unresolved”, whereas rectifying these shortfalls would enable enhanced detection and rapid response.
“A US company has spent the last few years conducting global analyses of the average financial cost of losses caused by cyberattacks. In 2015, it found that at the global level the annual cost of losses per company was US$7.7 million, which is equivalent to US$400 billion per year. During 2016, this amount has increased by 23%, to US$9.5 million”, says Corrado. He adds that the projection to 2019 for the cost of cybercrime is US$2 trillion.
Specific findings from the report show that the average cost of user identity theft is US$232 per incident. In terms of ransomware (a computer program that restricts access to certain files of an infected system and requests a ransom in exchange for removing the restriction), the average cost is US$157. The cost of cards and even personal details of users is even more highly valued in the deep web (parts of the internet that remain hidden). Approximately 40% of this cost is due to information losses or leaks.
On the other hand, Corrado warns that the impact of the lack of suitable measures at the personal and business levels are considerable and go beyond just economic factors. “While the average cost of information leaks are well documented, the long-term negative effects on company and brand reputation can mean that losses last far longer”, he notes.
Marcelo Zanotti, Management and Technology partner at the consultancy firm EY explains that at the global level the biggest investor in security is the financial sector. Cybersecurity has now become such an important factor that it is no longer considered sufficient to oversee the area from the technology departments of businesses. Rather, he says, it has become, “an issue of senior management and company directors”.
According to EY’s 2015 cybersecurity survey, 89% of companies at the international level had increased their security budgets over the preceding 12-month period, and the same percentage planned to follow suit during the subsequent 12 months (i.e., 2016). With this context in mind, Zanotti says that it is important not to reduce security budgets during periods of economic contraction; in the case of a cyberattack, this would jeopardize the operational continuity of the business and could have serious medium- to long-term consequences. Accordingly, 62% of respondents of the aforementioned EY survey said that budget cuts were the main obstacle to guaranteeing the security of company information.
To combat this danger that transcends borders, different companies have begun to research and create their own solutions. For example, security is a fundamental part of all Google’s tools and products. That is why the company has maintained a full-time team of highly trained security engineers to work towards this end. In Chile, Google conducts local activities on prevention and has even worked with the PDI on counter-cybercrime measures.
In light of the increasing numbers of cyberattacks brought about by digital transformation, since 2014 different companies around the world have chosen to create research and cyberintelligence centers. The aim behind these centers is to detect and combat early web threats, facilitated by the design of test spaces.
Deloitte was one of the pioneers in creating these centers. In 2015, the company inaugurated its own Cyberintelligence centers which were deployed all over the world, including one in Santiago. The centers share information about attacks in order to improve the protection, monitoring and resilience of organizations.
Nicolás Corrado states that, “the Cyberintelligence centers offer a personalized, 24/7 solution for preventing, detecting and responding to cyber threats. They also provide improved cyber performance by managing and interpreting information relating to the particular industry and business in question in order to provide a real-time response”.
IBM is undertaking similar work through the IBM X-Force Command Cyber Range. This space allows users to immerse themselves in simulated cyberattacks to train participants on how to prepare, respond to, and manage a variety of threats. The Range involves the use of live malware, ransomware and other tools utilized by hackers from the real world, extracted from the dark web.
By the end of 2015 and the beginning of 2016, the trend that really began to gain traction in the field of cybercrime was the incorporation of cognitive systems. The reasons why this approach has become an effective cybersecurity tool is due to its ability to collect large amounts of data, to compare this data against registries of previous cyberattacks, to reduce the time in which these actions are undertaken, and to allow for greater assertiveness.
“Currently, it is said that to achieve the same kinds of results (as a cognitive system), an operator would have to read ten thousand documents just to understand the cyberattack, which is impossible for a human but not a computer system”, explains Diego Marcor, Head of IBM Security in Chile.
He continues by explaining that IMB has launched an initiative called Watson For Cyber Security. “Watson, the company’s artificial intelligence system, looks for unstructured information on websites, which account for 75% of the internet, in which the security systems do not arrive as blogs, and (Watson subsequently) links this information with the attack experienced by the relevant company. In this way, Watson suggests possible responses to the attack and how to avoid it”, says Marcor.
The impenetrable blockchain?
Alternatively, there is the blockchain, which is the technological basis behind the workings of Bitcoin and other crypto-currencies. The blockchain consists of a shared and encrypted database that works like a registry of purchases and sales trades or other transactions. It is growing in popularity, particularly in the financial sector.
Precisely because it operates on a collective basis, with multiple information verifiers, experts believe it to be a more secure way of conducting transactions around the world.
Despite its fast rise to prominence, it is only currently available in the United States and certain European countries, although the outlook in terms of its dissemination to other parts of the world is positive. According to Accenture, investment in the blockchain has risen from US$30 million in 2015 to US$75 million in 2016, due to a number of success stories.
In reference to the blockchain, Ignacio Vera, Head of the Operations and Technology Division at Banco de Chile, says that the bank is, “currently evaluating its use in the traceability and security of our monetary transactions”.
Only time will tell if this new platform will be cyberattack-proof.