Cyberattack attempts are declining, but targets are increasing
The digital ecosystem has grown exponentially in recent years. The use of innovative technologies, new services and the transformation of traditional products has made the digital world an attractive place for criminals committing cybercrimes. According to Fortinet, the number of attempted cyber attacks in Latin America and the Caribbean (LAC) exceeded 360 billion in 2022, but the same source reports a fall to 200 billion in 2023. The Latin American countries with the most cyber attack activity in 2023 were Mexico, Brazil and Colombia.
While acknowledging that cyber attacks have decreased compared to previous years, the report finds that ransomware activity continues to increase, with attacks becoming more specific and targeted, driven by increasingly sophisticated attacker tactics, techniques and procedures and by a desire to increase ROI per attack.
As a result, although the number of attacks is decreasing, they are becoming more sophisticated and, because they are designed for specific targets, more likely to succeed unless organizations have modern, integrated, automated cybersecurity defenses in place.
Public and private organizations need to mitigate risks by protecting the information they manage. Everything related to cybersecurity needs to be seen as an investment, not an expense. The big challenge is to ensure that information security and incident prevention are not a silent event, but a win within your organization.
Achieving a secure digital ecosystem requires a holistic approach, including regulatory frameworks and the implementation of successful international principles and public policies based on lessons learned. We need to understand that the greatest success will come from fostering public-private collaboration.
Chile at the forefront of cybersecurity policy approaches
Internationally, regulatory approaches to cybersecurity issues vary: the European Union, for example, has a strong security framework;
Focusing on the Latin American region, there are various legislative initiatives aimed at regulating this issue, but it must be noted that some projects use cybersecurity as a smokescreen to create excessive control by institutions dependent on the executive, potentially affecting fundamental rights.
The Cybersecurity and Critical Information Infrastructure Law passed in Chile, which creates a National Cybersecurity Agency (ANCI) with specific powers and clear mandates, is a positive development for the region.
Chilean Law No. 21.663, as the first regulatory standard addressing the problem of cyber attacks, was enacted by President Gabriel Boric on March 26, 2024 and published in the Official Gazette on April 8. In addition, the National Cybersecurity Policy 2023-2028 was also approved. Both measures are fundamental tools to realize a comprehensive security strategy, promising to effectively achieve the protection of digital rights and the fight against cyber threats.
What does the law accomplish?
By implementing these measures, Chile will become a regional pioneer in moving towards a comprehensive cybersecurity framework.
This will see the appropriate establishment of a National Cybersecurity Agency (ANCI) and a National Defense Computer Security Incident Response Team (CSIRT) with specific cybersecurity capabilities and financial resources.
Both agencies are headed by directors appointed in accordance with the rules of the Higher Public Management System established by Law No. 19.882, who are civilian commanders and work closely with the public security forces.
The ANCI is tasked with regulating, monitoring and sanctioning all public and private entities providing essential services, which must have strong measures in place to prevent, report and resolve cybersecurity incidents, including the obligation to report cyber attacks to the National CSIRT, and ensure a rapid and effective response to incidents.
Legal guidelines
A positive aspect of this legislation is that industry, academia and professional associations in this field were invited to give their input during the parliamentary debate. As mentioned above, cooperation with a comprehensive vision is essential for successful legislation in this area.
The main aspects presented are:
- It introduces a risk-based approach based on recommendations from the International Telecommunication Union (ITU) and the National Institute of Standards and Technology (NIST) to ensure compliance with global cybersecurity standards. This risk-based approach defines responsibilities according to the classification of an organization. The obligations of the public sector are therefore the same as those imposed on the private sector (by classification), which avoids over-compliance for private companies.
- It defines cybersecurity based on information security protections as defined by International Organization for Standardization (ISO) standards.
- The ANCI has limited and clear powers to conduct public awareness campaigns, and any measures it takes to exercise those powers must be guided by the principle of reasonableness, since they must be necessary and proportionate to the exposure to risks and the likely social and economic consequences.
- Principles of security and privacy by default and by design. IT systems, applications and information technology should be designed, implemented and managed with the security and privacy of the personal data they process in mind.
- The Cybersecurity Law provides that violations of the law are subject to procedures and sanctions established in sectoral laws, and that sectoral authorities may, in cooperation with the Cybersecurity Agency, issue regulations on cybersecurity.
- Sanctions, violations and controls will be the responsibility of the authorities, avoiding duplication with sectoral regulations in the ICT field.
With this regulatory framework, Chile has ensured that cybersecurity is not just a matter for experts. Cybersecurity has far-reaching effects on everyday life, so ensuring a safe and trustworthy digital environment is fundamental to protecting constitutional rights and fostering a healthy economic environment. In this way, Chile seeks to address the increasing sophistication of cyber attacks that threaten the security of individuals, companies and the nation.
Summary of the principles of Chilean Cybersecurity Law:
- Create an independent authority, the ANCI, together with a national CSIRT (a civilian incident response team) and a defense CSIRT, with a limited and clear mandate and respecting the principle of rationality
- Cooperate with authorities to resolve cyber incidents
- Damage management through impact minimization measures and incident response
- Security and privacy by default
- Information Security
What should the government do?
Improving cybersecurity is on the agenda of every government. Digital security has become a fundamental pillar of national stability and development. Chile has enacted an important law creating a new legal framework, a major step forward in the fight against cyberattacks and strengthening the nation's resilience against digital threats.
Therefore, countries should implement national cybersecurity strategies in line with international best practices, develop experts with specific expertise, establish specialized agencies with clear and limited mandates and resources, and promote cooperation among countries and between public and private actors.
However, states alone cannot guarantee effective cybersecurity, so cybersecurity becomes the responsibility of all actors in cyberspace, from businesses to individuals.