Brazil: Cyber-security strategy

Executive summary

In this document, ARTICLE 19 analyses the Strategy of Information and Cyber-Security and Communication of the Brazil Federal Public Administration for 2015-2018 (the Estratégia).

The Estratégia is a binding document within the broader framework of the general strategic planning of the Government of Brazil. It develops the Normative Instruction GSI/PR 01/2008 of the Chief Minister of the Cabinet of Institutional Security of the Presidency of the Republic regarding the management of security of information and communications in the Federal Public Administration. The Estratégia has been prepared and approved by the aforementioned Cabinet. The text has the stated aim of seeking best practice in the area of security of information and cyber-security and establishing the main strategic objectives and goals for the next four years, which will inspire and guide further and more specific actions.

ARTICLE 19 believes that since the Estratégia is relevant to the protection of a wide range of human rights, and in particular the right to freedom of expression, it must be reviewed for compliance with international standards, as well as with domestic freedom of expression and human rights laws. The Estratégia proposes relevant principles regarding protection of human rights, multi-stakeholder approach, access to information and participation. However, our analysis finds that there are serious shortcomings. In particular:

  • The Government fails to ground the Estratégia firmly in the international and domestic protection of human rights. There is minimal reference to domestic protection of human rights, especially those related to freedom of expression and digital technologies;
  • Among the goals of the Estratégia is the achievement of certain results for the benefit of society, including transparency, the protection of privacy, the democratization of access to information, and the safeguard of confidential information assets. This objective is relevant to and quite in line with the applicable national and international legal standards. However, the Estratégia fails to elaborate further specific recommendations in this area. Moreover, the enumeration of the different concrete strategic objectives in the central part of the Estratégia does not mention or even take into account these important values and rights.
  • While the execution of some of the guidelines set out in the Estratégia will require the involvement of different groups of private actors, those who will primarily apply and follow its directives will be the various departments and agencies of the Federal Administration. Significantly, it is the vagueness of the provisions guiding the actions of these public actors that is the most problematic part of the Estratégia, with strong implications for human rights.
  • In the development of the Estratégia, no relevant consultations with stakeholders have taken place; consultation has taken place only within the Federal Administration. We find it problematic that civil society, organizations, individuals and other Internet stakeholders were not given the chance to analyze and make contributions to the Estratégia. While this document formally establishes the cyber-security strategy of the Federal Administration, and acknowledges the main responsibilities of public institutions, it must not be mistaken for a mere “internal” set of directives. We also note that such consultations have been organised previously around similarly important legislation, such as Marco Civil da Internet; these consultations have been broadly appreciated as a highly positive approach.

ARTICLE 19 calls on the Government of Brazil to revise the text of the Estratégia in the light of recommendations outlined in this analysis and ensure that a broad range of stakeholders are involved in the process. 

Summary of recommendations:

  • As a matter of principle, public policies – including those related to security of information and communications and cyber-security – should be open to a broad and comprehensive discussion among all the relevant stakeholders. This discussion must be based on clear and comprehensive documents and proposals elaborated by competent public bodies; the proposals should also take into account all relevant legislative parameters established at a national level, as well as international standards;
  • Respect for human rights, especially the rights to freedom of expression and privacy, should be properly incorporated into the panoply of objectives and guiding principles of the Estratégia, as well as references to public participation, accountability, and access to information of public interest. A vision of cyber-security beyond internal administrative dynamics should also be integral to the premises and purpose of the document;
  • All guiding principles and objectives should be drafted in a more precise way, incorporating the values clearly established in the national legislation as well as the language and aims included in several international documents;
  • Guidelines on multi-stakeholder discussions about decisions on national investment in SIC and SegCiber need to be introduced and developed;
  • Any training or formative program in this area must not give disproportionate importance to the defence of national sovereignty as a component of cyber-security. National security concerns must be properly balanced with human rights, accountability and access to information;
  • Research on SIC and SegCiber should be comprehensive and complete, and therefore go beyond technological issues to cover areas such as human rights and public policy, in the broadest sense of these terms;
  • The governance model to be implemented regarding the SIC and SegCiber should be properly defined; more specifically, it should be developed in consultation with different actors and must incorporate among its priorities the adequate protection of human rights, full accountability and the adoption of a multi-stakeholder approach;
  • References to partnerships to improve confidentiality or the integrity of information should be accompanied by clearer and more specific directives vis-à-vis the protection of privacy and the adequate exercise of the right to freedom of expression;
  • The Estratégia needs to be more specific on the actions to be taken regarding the protection of critical infrastructures; in particular, it needs to elaborate on the involvement of different stakeholders, citizens’ right to information on these matters, and the establishment of proper safeguards for an adequate protection of human rights. It also needs to set out clear guidelines regarding the cooperation between public institutions and private actors in this area;
  • In order to achieve the strategic objective of promoting citizens’ awareness about SIC and SegCiber, the Estratégia needs to establish mechanisms for the adequate dissemination of comprehensive information, particularly regarding the effective exercise and protection of human rights and the different mechanisms available to achieve such aims.

Read the full legal analysis – here in English, here in Portuguese.