It is urgent to strengthen cybersecurity for institutions that handle sensitive data

Home News It is urgent to strengthen cybersecurity for institutions that handle sensitive data
It is urgent to strengthen cybersecurity for institutions that handle sensitive data

During recent weeks, various public sector institutions were victims of cyber attacks, including the General Directorate of Arms and Ammunition Control (Digecam), the National Registry of Persons (Renap), the Ministry of Labor (Mintrab) and the University of San Carlos de Guatemala (Usac).

According to Pablo Barrera, director of Cybersecurity Services at ES Consulting, government institutions are usually vulnerable to this type of attacks because they do not have the necessary cybersecurity measures; Therefore, it is necessary to evaluate the exposure levels that each sector has.

Barrera acknowledged that some institutions do have personnel and measures aimed at computer security, but stated that there is no general standardization on minimum cybersecurity controls in state agencies.

In that sense, he also pointed out that Guatemala faces delays in legislation related to cybersecurity, protection of personal data and prosecution of cybercrime. He indicated that many attacks are carried out from abroad, which is why the country is required to join international treaties to pursue criminals.

This is an excerpt from the conversation he had with Free press.

How prepared can a public institution be to receive these types of attacks or prevent them?

There are public institutions that do care about these issues and even have personnel dedicated to cybersecurity, but not all. That is the problem: there is no standardization on cybersecurity or information security issues in the government.

Some become concerned on their own initiative or because they must comply with certain regulations. Others, from whom no one demands anything, are further behind on these issues.

There is no standardization in government on what government organizations that handle citizen data should comply with.

How serious can a cyber attack against a government institution be?

Everything will depend on the data that is stolen or the function that that institution fulfills. For example, in the case of Digecam, which was compromised, there is the country’s entire weapons registry: who carries them, telephone numbers, addresses and even passwords.

That is dangerous because that information, in the hands of criminals, can be used for different purposes. In other cases, such as the Usac, there may be people’s financial information, personal data and bank accounts. They are sensitive data.

At Renap it is not 100% known if there has been a breach, but, if there was, it would involve personal data, biometrics, affiliation, children and dates of birth. With biometric information alone it would be a delicate situation.

Many validation processes in organizations and companies are based on the Personal Identification Document (DPI), the Tax Identification Number (NIT), name or address. That would have to change.

What measures should a government take after detecting a cyber attack?

One of the first measures they should take is to establish a cyber hygiene baseline across all their institutions. That is, define what cybersecurity or information security controls all institutions should comply with at a minimum; stricter controls for entities that handle personal data, and even stricter for institutions like Renap, which is basically the country’s database.

That should be the first thing: establish that baseline and measure how far or close they are from those good practices. That step would help them understand what effort they need to make to get to where they should be.

Another issue is legislation. Guatemala does not have sufficient legislation on cybersecurity, information security and personal data protection.

Mexico has a Federal Personal Data Protection Law; Brazil also has legislation, as do Panama and Argentina. There is no cybersecurity law, critical infrastructure law or personal data protection law here. These are the points that the government should implement immediately.

What mistakes do governments frequently make when it comes to cybersecurity?

A common mistake is wanting to do everything technological without taking cybersecurity into account. They seek to implement electronic government, which sounds good, but they do not consider that they are also creating another exposure surface where, if there are no laws, standards or protection, the information is exposed. It is delivered on a golden platter to criminals.

How much priority should the State give to investment in security?

Safety must be a reasonable issue. If an institution does not handle sensitive data and all the information it manages is public, the risk of information theft is different.

But if you handle sensitive personal data, biometric or financial data that should not be public, investment is needed to implement adequate controls.

It must be a reasonable investment according to the information handled and the importance of the institution.

How important is it to update servers and software within the State?

It is very important to avoid this type of situation. The hacks that have occurred recently respond precisely to that, because there are vulnerabilities exposed in internet portals where anyone can reach, exploit the flaw and obtain access, information or even disable the service.

Does Guatemala need a unified national cybersecurity strategy?

There is a national cybersecurity strategy. But it is one thing for it to exist and another for it to be executed. Paper supports everything, but the important thing is that it is implemented. The problem is not just having it, but taking it seriously and putting it into practice.

The problem is that they don’t take her seriously. Maybe they celebrate that they made a strategy and the glasses ring, everyone is happy, but the reality is that it is not happening.

In a country like ours, many times, if it is not mandatory, it is not done. There should be a baseline that, through decree, law or similar instrument, requires institutions that handle personal and sensitive data to comply with cybersecurity standards.

What legal loopholes exist in the country to investigate and punish cybercrimes?

The hackers who allegedly committed these crimes are not even in the country. Some would be in South America and others in different places. Cybercrime is a global issue, not just a local one.

International cooperation is needed to pursue these criminals. This is achieved by adhering to international conventions such as the Treaty of Budapest.

For years the country has been invited to join, but it has not been possible because Congress has not approved the necessary laws. There should also be a cybersecurity law, a personal data protection law and specific legislation on cybercrime. It’s nothing out of this world; what is needed is will.

How difficult is it to identify those responsible for attacks when they operate anonymously or from abroad?

Everything that is done on the internet leaves its mark. Yes, it is complicated, but you can find out what happened. The important thing is to have cooperation agreements with other countries to be able to request information or allow international entities to participate in the investigation of this type of crimes.

Without these legal mechanisms and international cooperation, these cases may remain unpunished.

Source