Illustration by Jika

Since early June, when news website The Intercept began publishing leaked private messages exchanged by members of Operation Car Wash, Brazil has been confronted with the issue of cyber security. According to the Federal Police, roughly 1,000 Brazilian authorities have been victims of some sort of hacking or phone identity theft—including Economy Minister Paulo Guedes, House Speaker Rodrigo Maia and even President Jair Bolsonaro.

The apparent ease with which a gang of hackers managed to access private information of top state figures raises serious doubts about how prepared the Brazilian government is when it comes to cyber security.

After confirming that at least two of his cell phones were accessed by hackers (four of whom have been arrested), President Bolsonaro said that “nothing sensitive” would leak, as he doesn’t discuss state matters on messaging apps.

<p>The same can’t be said for his Justice Minister. As <em>The Intercept</em> <a href="https://brazilian.report/opinion/2019/06/25/the-intercept-strategy-covering-car-wash-leaks/">reports</a> show, he discussed several key issues regarding Operation Car Wash—including practices that were outside his remit as a judge. The leaks sparked a political crisis within the administration, and led many to believe that Operation Car Wash, the largest anti-corruption effort in Brazilian history, was severely biased, in particular against former President Lula.</p>
<p>After Mr. Moro’s messages became public, government officials began using phones encrypted by the National Intelligence Agency—although it seems like too little, too late.</p>
<h2>Data breaches: an old problem in Brazil</h2>
<p>The Car Wash leaks were not the first major data breach affecting public officials. During the 2010 presidential campaign, a 21-year-old hacker accessed then-President Dilma Rousseff’s email and unsuccessfully tried to sell a batch of 600 messages to opposition parties.</p>
<p>Ms. Rousseff was also spied on by the U.S. National Security Agency, according to information leaked by now infamous whistleblower Edward Snowden—and published by journalist Glenn Greenwald (<em>The Intercept</em>’s co-founder).</p>
<p>In 2011, hackers performed multiple attacks on government agencies, successfully obtaining passwords from IBGE, Brazil’s official statistics agency. Later in 2014, the Ministry of Foreign Affairs was attacked and several cables, email lists, passwords and official data were stolen. Last year, the group Anonymous Brazil hacked then-President Michel Temer’s website; his wife, Marcela Temer, also had her phone attacked.</p>
<p>However, things will have to change, one way or another. 
The General Law of Data Protection (LGPD), Brazil’s first legislation on data privacy, will come into effect next year, aiming to increase the protection of private data and hold both the government and private companies accountable.</p>
<p>In order to understand the deep impact this case will have on Brazil’s privacy landscape, we talked to the executive director of ITS, <strong>Fabro Steibel</strong>, and <strong>Marcelo Lau</strong>, coordinator of the Cybersecurity master’s program at the Paulista University of Computing and Administration. See below for their views on Brazil’s ability to protect important information and develop legislation that can effectively target hackers and prevent cyber attacks.</p>
<p><em>Note: This interview has been condensed and edited for clarity.</em></p>
<h4>How has Brazil been handling cybersecurity issues?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>Brazil does have advanced legislation concerning online protection. The Marco Civil da Internet (Civil Rights Framework of the Internet) contains an article about storing data and that’s why it was possible to track the hackers. They used VOIP (Voice over Internet Protocol) and, because of the law, this data must be kept for 6 months, so that’s how they tracked the hackers’ IP. The GSI (the president’s internal security agency) is responsible for security and they have an advanced plan governing the matter, but ministers have free will. The vulnerability identified is that they did not have a two-step verification set-up on their phones (the process in which a system sends you a message to confirm it is you). If they had, this wouldn’t have happened. 
But if you look at the glass half full, at least it wasn’t a mass attack on the entire population, like what may happen if we adopt some mechanisms that Brazil may end up adopting.</p></blockquote>
<blockquote class="wp-block-quote"><p><strong>Mr. Lau: </strong>In the early 2000s, there was a series of attacks on the financial system, which led to an increase in cyber protection. In the beginning, hackers were very isolated but now they work in groups. Although Brazilian hackers aren’t as advanced as those in other countries, they are extremely creative. They have effective tools to breach privacy, and they are very good at tricking people using false identities. Nowadays, you can even find professionals who can steal data and defame people in exchange for money. In Brazil, many hackers are identified because they’re young and don’t have a lot of experience, so they don’t know how to hide the money that they’re offered. But police have made a lot of mistakes too. Institutions that are very well equipped can do good work, but these organized crime groups are developing at the same rate [as government institutions].</p></blockquote>
<h4>What kind of devices should officials be using instead?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>End-to-end encryption guarantees no one outside the conversation reads the messages. What some governments want—and Brazil has indicated it is taking steps in this direction—is to exploit two vulnerabilities: one is a master key, to have access to all conversations, and the idea of a back-door to have a copy of or privileged access to conversations. Any flaws in a system like that mean that the mobiles of every Brazilian would be vulnerable. NSA hacked literally everyone exploiting these vulnerabilities.</p></blockquote>
<blockquote class="wp-block-quote"><p><strong>Mr. Lau: </strong>The smartphones we use today, like Android and the iPhone, don’t guarantee security. 
However, there are more robust phones, including some Israeli equipment, that are more secure. The government’s security agencies can also monitor specific phones to guarantee their protection. But having a safer phone [specifically used to discuss issues of national importance] is not enough if you’re going to keep your regular smartphone sitting on the table during meetings. [Officials] must be aware of all the possible factors that may expose matters of national security.</p></blockquote>
<h4>Why were Brazilian authorities unable to prevent cyber attacks? For example, why were they not using encrypted phones?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>Both Mr. Bolsonaro and U.S. President Donald Trump have said they would rather use their personal phones. It is hard to blame security when the head of state wants to use a private phone. A head of state not heeding security advice is a risk for everyone.</p></blockquote>
<blockquote class="wp-block-quote"><p><strong>Mr. Lau: </strong>This administration really worries about cyber security. In fact, our army has an intelligence agency that does surveillance work, but a lot of times we’re dealing with human error. Despite recommendations [about cyber security], people don’t think it will ever happen to them—and we’re not just talking about politicians, but also regular people. Of course, someone who is politically exposed must protect their data. Maybe the most crucial thing is that they must change their phones to ones that are more secure.</p></blockquote>
<h4>So, who is to blame for that? Is the blame collective?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>There is an element that we call cyber hygiene, so part of the blame goes to individuals who did not apply security measures like two-step verification. Another part is for the telephony carriers who allow inboxes to be accessed without a password. 
And the other part relates to techniques made to cheat systems. There are many who are responsible.</p></blockquote>
<h4>How can these incidents pose a threat to national security?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>There are many ways to have access to phones. Some are very specialized and then we would be talking about international espionage. In this sense, Brazil is protected with the best resources available. But that doesn’t mean that other attacks cannot occur. So, you need to have a security plan. Let’s look at it from a bottom-to-top perspective: what about at the municipal level? Who says mayors are protected? Ideally, they would be trained. Like, you can say some things on WhatsApp, not others. Companies already work with these standards, there’s no reason why the government shouldn’t follow suit.</p></blockquote>
<blockquote class="wp-block-quote"><p><strong>Mr. Lau: </strong>Officials really shouldn’t be using regular smartphones. Some of the apps being used for messaging, such as Telegram, can be replicated on a computer screen. The hacker can literally see their messages [through the computer] at the same time as the user. If I had to choose a means of communication to convey information about the state, I would not have chosen Telegram or WhatsApp.</p></blockquote>
<h4>How can a hack into the president’s phone affect the credibility of Brazil’s security systems?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>It is hard to know. But it reinforces the need for a security policy. We know of only a small number of cases in which data was accessed, because an invasion is not always motivated by a desire to leak that data, but rather, it’s to use it in someone’s favor. Anyone who has ever seen House of Cards knows that leaking is not always Plan A, because information is power. 
We shouldn’t be asking why it was leaked, actually, we should be asking what else is compromised.</p></blockquote>
<blockquote class="wp-block-quote"><p><strong>Mr. Lau: </strong>They really put the effectiveness of the government’s security in check. Although there are extremely skilled professionals with vast knowledge, we can see that, in practice, this wasn’t enough to protect [government officials]. I hope this serves as a lesson and that practices change. If the government wants to use social media for communication, I hope that [important officials] think again, because they risk exposure and can jeopardize the nation’s credibility. [Official communication] must be monitored more closely.</p></blockquote>
<h4>Other than the Executive, how prepared are congressmen and Federal Supreme Court ministers to deal with issues of cyber security?</h4>
<p><strong>Mr. Lau: </strong>They debate this all the time. Congressmen should be well advised. They have to think about their own actions, and how they can protect government officials. You don’t necessarily have to improve technology [to increase cyber security], but congressmen must be aware that these risks are easily encountered. But I ask myself, will people remember this in six months? I fear that this will become a situation like Brumadinho [bursting of a dam in January 2019], where there’s a lot of attention around an issue and six months later, no one talks about it anymore.</p>
<h4>Some people are considering <em>The Intercept</em> to be accomplices, or even criminals, for publishing data obtained through hacking. How do these criticisms implicate the press?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>Brazil does not have whistleblower protection, like some countries do. But this is necessary for democracy. Whistleblowers were pivotal to Operation Car Wash, for example. The press should be free to publish public-interest issues. 
But they may not use hacking as an investigative tool, like the British <em>News of the World</em> did, invading celebrities’ inboxes to gather stories. The question is: has <em>The Intercept</em> only publicized the case—in which case it should be protected—or has it acted to procure the messages, in a criminal act? Some investigative reports essential to democracy, like Wikileaks or Watergate, were related to leaks, but it is important not to commit crimes to obtain that information.</p></blockquote>
<blockquote class="wp-block-quote"><p><strong>Mr. Lau: </strong>Freedom of the press must be guaranteed to any outlet. Sources must be guaranteed anonymity, but we have to be careful. Readers must question the legitimacy of those [anonymous sources]. Outlets must also be aware that when they’re receiving information resulting from a crime, they may also be committing a crime. It’s important [to scrutinize the information] so that any distorted facts are identified. The press must be careful not to lose credibility. It’s extremely important that the population receives truthful information so they can form opinions about their own country.</p></blockquote>
<h4>What challenges do authorities face to punish criminals? What could be improved?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>We don’t need more laws, we need to implement the ones already in place. The Carolina Dieckmann law is great, but how many people were actually arrested for breaching it? We need to undertake planning to enforce data protection laws and provide police with the necessary equipment to help them produce digital evidence, so that prosecutors may act.</p></blockquote>
<blockquote class="wp-block-quote"><p><strong>Mr. Lau: </strong>In this specific case, the four suspects were identified and imprisoned very quickly. Unfortunately, it is not like that for the investigations that we are familiar with. 
Few cities have police stations specialized in cyber crimes. Citizens have difficulty in denouncing crimes ranging from a post on a social network to something more serious, like fraud. Punishment is also light for these crimes, so criminals may think it is worth the risk because they’ll be free soon.</p></blockquote>
<h4>President Bolsonaro urged that those responsible be punished. Should authorities also be punished over negligence?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Steibel: </strong>No, they are victims. There’s a difference between negligence and attempts made against them. Otherwise you keep looking for people to blame when the damage is already significant. Besides, the president is not there to judge, there’s a legal process for that. We need to follow it. What he could do to help is order every civil servant to use two-step verification, for example. I understand this case may become political, but there’s something else underneath it, that is the security of the Brazilian state.</p></blockquote>
<h4>How should authorities manage cyber security issues, considering that Brazil’s new data protection law will come into force next year?</h4>
<blockquote class="wp-block-quote"><p><strong>Mr. Lau:</strong> There’s a strong concern as regards citizens’ data protection. Whether in the public or the private sector, data should be protected by all means necessary. From my point of view, the government has an important role to play in this process—not only in overseeing it. It must help citizens understand the law through awareness campaigns. Companies, on the other hand, should also be protected to ensure citizens’ security. The national data protection authority has to be a body concerned with regulation, overseeing and helping companies. If it only works to apply fines then maybe the data protection measures won’t end up being something positive for the people, but instead end up merely a partisan fund.</p></blockquote>


BY Martha Castro

Martha Castro is an intern at The Brazilian Report. She is a Brazilian journalism and political science student at Northwestern University in Evanston, Illinois.

BY Natália Tomé Scalzaretto

Natália Scalzaretto has worked for companies such as Santander Brasil and Reuters, where she covered news ranging from commodities to technology. Most recently, she worked as an editor for Trading News, the information division of the TradersClub investor community.