Cybersecurity must look beyond technicalities and focus on designing security, resilience and crisis management strategies. That is one of the premises held by Werner González, who holds a master's degree in Cybersecurity and is a professor at the Universidad del Valle de Guatemala (UVG).
His professional experience includes leading cyber incident response teams, as well as designing secure and resilient infrastructures for strategic sectors. One of the most relevant cases in which he participated was the response to the cyber attack that affected Costa Rica in 2022, considered one of the most impactful incidents recorded in the region.
What is your diagnosis regarding the cyber attacks that occurred in different State institutions between last April and May?
Incidents in public institutions and educational entities — including reported impacts in systems of entities such as DIGECAM, the Ministry of Labor, SAT, RENAP and some public and private universities — show a digital surface vulnerable to advanced and highly specialized global threats.
Added to this is the constant exposure of other strategic institutions such as the Ministry of Finance, the TSE, the INE and the Ministry of Health, among others, which due to the nature of the information and services they manage constitute high-value objectives and are recurring targets of persistent threat actors.
These attacks, which include theft and exposure of confidential information, interruption of critical services and exploitation of exposed systems, demonstrate an environment where threats operate in an automated and large-scale manner.
Do you find gaps between the public sector infrastructure and that of the private sector?
The country faces global threats with unequal capacities between different sectors. On the one hand, banking and telecommunications have an advanced level of maturity, due to their regulation, privacy and the importance of the information they handle. In contrast, the public sector is mature with much opportunity for development.
Faced with increasingly sophisticated threats, and despite the fact that there have been diagnoses since 2015, Guatemala lacks a catalog of critical infrastructures. It is studied, it is considered, why not take action?
Guatemala is taking steps in the right direction. The generation of critical infrastructure protection law initiatives (6465) and the cybersecurity law (6347) seek to implement in the public sector a protection strategy for critical infrastructures that provide key services such as health, energy, communications, by creating a catalog to identify and protect them.
However, the problem goes beyond legislation. Success or failure depends on an effective and sustainable implementation over time, which establishes a governing entity with that cybersecurity baseline that each institution must implement to have resilience against threats. The challenge is not only to legislate, but to correctly implement these initiatives to see results in actions that are mature over time.
What happens in a country without a legal framework that supports and protects these infrastructures?
The absence of a legal framework on cybersecurity and a governing authority can lead to national crises, such as the one that occurred in Costa Rica in 2022, during the attack attributed to the Conti ransomware. At that time, the protection of technological services had not been a priority of the State.
It was a high-impact attack that forced a response under enormous pressure and in critical conditions. I lived that experience firsthand when leading one of the teams in charge of responding to incidents.
International cooperation, particularly from the United States and South Korea, was decisive in strengthening the country’s capabilities. As a result of this crisis, legal reforms were promoted, a centralized cybersecurity structure was consolidated and a national cyber defense strategy was developed.
Currently, the system is financed through public resources and international cooperation, and Costa Rica has one of the strongest security postures in the region. It is an example of how a crisis can accelerate institutional maturation. That is why I insist that the challenge is not only technological: it requires a legal, strategic and execution approach.
What budget would the country need to shield itself?
I don’t know, but what I can tell you is that investing in cybersecurity is cheaper than reacting to a national incident or crisis. It is an issue of national security and must be seen as a pillar of development.
How does the protection model change with an agentic AI with autonomy, vs a State that walks slowly?
Agentic AI is changing the rules of the game. While AI allows us to automate informed decisions at greater speed, in cybersecurity, targeted attacks are happening that are faster, more intense and difficult to detect. Hence, Guatemala faces the challenge of not having the maturity in the use of AI for cyber defense to respond to this level of threats.
It is increasingly important to have a cyber defense framework as a national security priority. Also understand that in the global war context, Central America and the Caribbean are a target of cyber attacks due to the alliance with the United States, which intensifies the number of targeted attacks in the region.
What is your reading of the limited progress of cybersecurity initiatives in Congress, do you attribute it to the interests of a particular sector or another reason?
I don’t know the political context, but in the end it is of interest to all Guatemalans. Something similar happened in Costa Rica in that these initiatives were stopped by political interests, but after the Conti crisis, this remained in the background and made the country react.
The idea is that we do not reach this point in Guatemala. One thing that concerns me about Critical Asset Protection Initiative 6465 is that it is very general. The proposal addresses the need for a centralized entity, governing the national security strategy, but does not delve into technical aspects, such as the standards or types of controls to be implemented, which could lead to weak implementation; international security frameworks and response to security incidents (NIST) are not mentioned. More in-depth advice was lacking.
Given the technical weakness, what are the challenges and advances in the training of professionals?
The talent exists. Guatemala is training professionals in cybersecurity; we seek to form technical strengths, but also with a strategic vision that allows us to design technology, not only implement it, but also govern it. But supply does not cover demand.
Regarding governance, what type of institutionality would you recommend?
The three main vulnerabilities in governance in Guatemala are:
First, the lack of central governance. The fact that each public and private sector implements cybersecurity, according to its own investment agenda, is a root problem. Second, the absence of defined international minimum standards, such as ISO 27001 or NIST (National Institute of Standards and Technology), for public and private institutions. And third, the lack of approved security monitoring and incident response capabilities.
What is your recommendation in light of the recent wave of attacks?
Guatemala must recognize that this is not a future or isolated threat, but rather an active and sustained reality. We are facing constant pressure in cyberspace that can directly affect the continuity of essential services, institutional trust and the stability of the country, in a context where cyber defense capabilities are unequal and, in many cases, insufficient.
It is urgent to accelerate the approval of legal frameworks such as cybersecurity and critical infrastructure initiatives, accompany them with investment in real cyber defense capabilities and strengthen international cooperation to close gaps against increasingly sophisticated threats.
Guatemala should not wait to face a national crisis to act. Cybersecurity must be assumed as a pillar of national security, because in this context not acting is also a decision that puts the security of Guatemalans at risk.
This content is produced under the editorial alliance “Don’t let them scam you”, in conjunction with the Banking Association of Guatemala, an agreement that seeks to raise awareness among Guatemalans about the dangers of online scams.
