Explainer: Fighting Cybercrime in Latin America

By Rachel Glickhouse

Governments and the private sector are developing strategies such as response teams and new legislation to protect against hacking and crimes like malware and phishing.

This is the second in a two-part explainer on cybercrime. The first explores how cybercrime is evolving in Latin America.

With the rise of cybercrime, governments and the private sector in Latin America seek new ways to protect against hacking and techniques such as malware and phishing. Cybercrime costs Latin America billions of dollars a year, with hackers managing to do everything from defacing government sites to robbing credit card information from bank customers to stealing confidential data. Cybersecurity plans, cyberdefense centers, and new cybercrime laws encompass some of the main strategies of governments, while companies invest in solutions to protect their data.

AS/COA Online looks at these strategies in the second of a two-part series on cybercrime in Latin America.

Explore by section:

Protecting Assets: Government Cyberdefense Agencies

Explore an infographic on the cost of cybercrime in Latin America.

As cybercrimes pose an increasing threat to the region, governments are creating new agencies to monitor and combat online criminals. A number of Latin America’s largest countries have begun the process in recent years.

In 2005, Argentina was one of the first countries in Latin America to establish a Computer Security Incident Response Team (CSIRT)—a national bureau to respond to cybercrime. In 2011, the government put a national cybersecurity plan into place, and the following year set up the National Program of Critical Information Infrastructure and Cybersecurity to protect Argentina’s vital infrastructure. In September 2013, the Argentine government announced it would start bilateral cooperation talks with Brazil on cybersecurity.

In 2010, Brazil’s military set up a national Cyberdefense Center and officially launched it in June 2012. The Center protects government assets online as well as critical infrastructure, and researches new cybersecurity methods. This military body is heavily involved in mega-events; it operated during the Rio+20 conference and will work on online security during the World Cup and Olympics. The federal government plans to spend around $17 million on cybersecurity during the latter two events.

Colombia, meanwhile, was the first Latin American country to adopt a comprehensive national cyberdefense strategy. In July 2011, the CONPES 3701—the country’s cyberdefense framework—established a police unit to investigate cybercrime, a joint cyber command for military responses to cyberattacks on the armed forces, and colCERT, a government bureau to coordinate cybersecurity measures. Panama also adopted a national cybersecurity and infrastructure defense plan in March 2013, while Chile, Peru, and Uruguay are each working on developing their own.

Mexico, too, is working on a national cyberdefense strategy. In 2010, the country created a national CSIRT with top technicians to monitor and secure government assets online. The following year, the government set up the Coordination Center for the Prevention of Electronic Crimes within the Federal Police force in response to escalating cyber attacks. This bureau responds to cybercrimes and investigates them, as well as protecting critical infrastructure.

On the Books: Passing Cybercrime Legislation

Chile has one of the oldest cybercrime laws on the books in Latin America, passed in 1993. While it provides a legal framework for crimes like hacking, some legal experts say the country needs an updated version in order to address technological advances made in the past two decades.

Venezuela was another early adopter of cybercrime legislation. Signed in October 2001, Venezuela’s Special Law against Cybercrime establishes penalties for a variety of online crimes, ranging from hacking to fraud.

In June 2008, Argentina passed a comprehensive cybercrime law, specifying penalties for online crimes like hacking, distributing child pornography, and illicit data interception. Known as Law 26388, the legislation includes sentences of up to four years in prison.

In January 2009, Colombia passed Law 1273, which altered the penal code and established a new legal framework for the protection of information and data. The law criminalizes hacking, illegal data interception, the robbery and use of personal data, and malware production and distribution. These crimes carry minimum sentences of 36 to 48 months in prison, plus fines. Passed the same year, Law 1336 requires internet service providers (ISPs) to give police IP addresses of those accessing child pornography. It also requires ISPs and internet cafes to prohibit child pornography in their terms of use.

In March 2012, Mexico’s Chamber of Deputies approved a cybercrime bill that altered the country’s penal code, with sentences of up to 20 years in prison. The bill outlines penalties for crimes such as hacking, cyberbullying, and child pornography. The bill has yet to be approved by the Senate.

Brazil passed two cybercrime laws last year that both went into effect in April 2013. The Carolina Dieckmann Law was named after a famous actress who had photos stolen from her computer and published on the web. The legislation criminalizes hacking and unauthorized access of information technology, with higher penalties for hacking members of the government and public officials. It also makes it a crime to interrupt phone or internet services, and to falsify credit cards. The Azeredo Law, named after the congressman who first introduced the bill in 1999, mandated police to create specialized units to investigate cybercrimes.

Approved by Congress and signed by the president last month, Peru’s new cybercrime law outlines six main criminal offenses online: illicit access, threats to data and system integrity, illegal personal data traffic, digital data interception, computer fraud, identity theft, abuse of computer devices, and sexual propositions to children online. These crimes range in sentences from one to 10 years in prison. However, the law—known as the Ley Beingolea, named after the congressman who introduced the bill—has come under criticism for threatening freedom of speech. Parts of the law are “poorly and vaguely worded, turning legitimate and common behaviors like investigative journalism, creating a Twitter parody account, or selling network analysis devices into crimes,” writes digital rights watchdog Access Now.

Ecuador’s Congress is assessing a new penal code, which includes cybercrimes. Police requested the bill include seven specific cybercrimes such as hacking and illegal data access. Under the current law, these types of crimes can be prosecutedwith fines and jail time, but only under regular statues relating to crimes like fraud and identity theft.

In Central America, there have also been efforts to pass cybercrime legislation. Costa Rica’s President Laura Chinchilla signed a cybercrime law in July 2012; the legislation criminalizes hacking, malware distribution, and identity theft, among other online wrongdoings. In September 2013, Panama’s Attorney General Ana Belfon introduced a cybercrime bill before the country’s National Assembly. The bill seeks to regulate and protect against hacking, identity left, online fraud, online financial crimes, child pornography, and other web-based crimes. The penalties range from one to eight years of prison time. El Salvador and Guatemala are also considering cybercrime bills. A 2007 law updating Nicaragua’s penal code included several cybercrimes, but efforts to pass a specific cybercrime law have so far been unsuccessful.

However, these laws aren’t always a complete solution. “One of the main impediments to curbing illicit cyber activity in 2012 was the lack of adequate legislation and robust cybersecurity policies,” says a July 2013 Trend Micro and the Organization of American States report. “Paired with inexperienced cybercrime investigators and the shortage of prosecutors who specialize in technology-related offenses, many countries are facing difficulties deterring and prosecuting hackers and other cybercriminals.” Johanna Mendelson Forman, a scholar-in-residence at American University’s School of International Service, wrote in May that without regional cybercrime laws, police and military “are unable to go after cyber criminals due to lack of clear rules and definitions of the crimes committed.”

Multilateral Law Enforcement Operations

Given the borderless nature of cybercrime, in the past few years Latin American countries began participating in multilateral operations to apprehend online criminals. In February 2012, Colombian law enforcement worked with authorities in Argentina, Chile, and Spain on “Operation Unmask” to uncover a transnational hacking ring that had brought down government sites in Chile and Colombia. Raids took place in 40 locations in 15 cities, leading to the arrest of 25 people. An additional six alleged hackers were arrested a month later in the Dominican Republic.

Operation Historia” took place in August 2013, coordinated by Interpol’s Argentina bureau. Law enforcement in Argentina, Brazil, Chile, Colombia, Costa Rica, Ecuador, Spain, Uruguay, and Venezuela participated in the operation to target child pornography distributors online. Police arrested 100 people in 63 cities, with nearly half of the arrests in Argentina. In September 2013, Argentine police arrested a 19-year-old “superhacker,” accused of stealing up to $50,000 online.

Cybersecurity in the Private Sector

Given risks to company data, Latin America’s private sector is increasingly looking for solutions to deal with cybercrime. According to an April 2013 survey by online security company ESET, around 86 percent of Latin American companies have an antivirus program installed on office computers, and around half of companies use basic preventative software controls. However, only 20 percent of companies have clearly defined internet security policies to help prevent against cybercrime, and three out of four companies lack an action plan in case of a cyberattack. 

Companies often deal with losing important data. A 2012 Symantec survey of 500 IT professionals in Latin America found that 80 percent reported losing important company information due to reasons such as human error, software problems, and theft of cell phones. Around 45 percent said important company information had been duplicated.

But with ongoing threats from malware and hacking, Latin American companies aim to invest more in cybersecurity. A July 2013 Dell SonicWALL Brasil survey discovered that half of Latin American companies plan to invest up to $50,000 in information security this year. Around 21 percent of businesses will spend between $51,000 and $100,000, while 9 percent will invest over $100,000. One route Latin American companies take is to hire managed security services (MSS), online and network security services outsourced to an external provider. In 2012, the Latin American MSS market amassed $346.7 million; the sector is expected to grow by nearly 15 percent by 2018. Firewalls and secure private networks count as the most popular MSS services in Latin America.