September 30, 2019

by Larry Clinton
On Friday I was honored to provide the closing keynote speech at the Organization of American States’ (OAS) Cybersecurity Symposium in Santiago, Chile.
The purpose of the event was to unveil and release the first Cyber-Risk Oversight Handbook for Corporate Boards targeted for the entire Latin American region. The Handbook is part of a re-energized region-wide effort the OAS is undertaking to substantially upgrade their efforts to combat cybercrime.
The South American continent provides a perfect case study on how the digital revolution, with its promise of critically needed economic development and cultural expansion, can be undermined by lax cybersecurity.

Over the past decade Latin American companies and governments have invested heavily in the so-called “4th Industrial Revolution,” only to see dramatic increases in cybercrime. Latin American security programs are decades behind those of North America. Reports are that as many as 90 percent of Brazilians have had their personal data stolen. Moreover, Brazil, Argentina, and Mexico ranked in the top 10 countries where cybercrime originates.

Ransomware attacks are increasing at 100 percent a year. The banking system, which has made a near-total transition to mobile technology, is regularly compromised, which has implications not only for Latin America but also for the United States due to the extensive interconnection of international financial systems.
The handbook we developed for the OAS, which is part of a much broader effort, is modeled on the successful National Association of Corporate Directors (NACD) model. It articulates the same five core Principles for enterprise management we have outlined for the U.S., German, and UK editions.
However, the OAS version required substantial adaptation. While the attack community has brought their highly developed methods to Central and South America, the maturity of not only the technical capabilities but defenders’ culture in Latin America is, in the diplomatic language our Latin American colleagues use, “formative” at best.

Perhaps on no other aspect of the challenge our colleagues face has to do with information sharing. Information sharing has, of course, been the foundational principle of U.S. cybersecurity philosophy and policy for the past 20 years. We believe in the necessity of information sharing as the core of effective cybersecurity and talk about it so much that in his keynote at the recent Department of Homeland Security (DHS) Cyber Summit, Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs, while acknowledging its criticality, said he was sick and tired of it. It is obvious to all of us in the U.S. cyber bubble that you simply can’t have a cybersecurity program without information sharing.

Not so in Latin America.

To prepare for adapting the Cyber-Risk Handbook for Latin America, ISA worked with OAS on several in-region full-day workshops. We conducted 11 international webinars and folded in over 700 cyber experts from government, industry, and academia covering 15 different Latin American countries. On more than one occasion we were literally laughed at when we raised the notion of industry-government information sharing. In essence we were told: “Are you kidding? Share information with the government? We would be sharing with the criminals.”

No, we certainly are not in Kansas anymore.

The OAS needs to be applauded, and assisted, as they undertake what is frankly a rather courageous effort. Sometimes when we travel and return home, we have a new awareness of just how good we have it here — even if we have problems of our own. Maybe that is a good thing for us to be mindful and aware of as we turn to Cybersecurity Awareness Month tomorrow.