Chile: a frontrunner in cybersecurity in Latin America
Fewer but more targeted cyber-attack attempts
The digital ecosystem has grown exponentially in recent years. The use of innovative technologies, new services and the transformation of traditional products make the digital world an attractive place for criminals to commit cybercrime. According to Fortinet, the number of attempted cyber-attacks in Latin America and the Caribbean (LAC) in 2022 was more than 360 billion, but the same source reports that this figure fell to 200 billion in 2023. The Latin American countries with the highest cyber-attack activity in 2023 were Mexico, Brazil and Colombia.
While acknowledging the decrease in cyber-attacks compared to the previous year, the report notes that ransomware continues to see significant activity and that attacks are becoming more specific and targeted, driven by the increasing sophistication of attackers' tactics, techniques and procedures and by the desire to increase the return on investment (ROI) per attack.
As a result, attacks are fewer in number, but because they are designed for specific targets, they are more sophisticated and more likely to succeed against organisations that do not have integrated, automated and up-to-date cybersecurity defences in place.
Both public and private organisations need to mitigate risk by protecting the information they manage. Everything related to cybersecurity should be considered an investment, not an expense; the big challenge is to ensure that information security and incident prevention are recognised as an achievement within the organisation rather than something that goes unnoticed because nothing happened.
To achieve a secure digital ecosystem, a holistic approach is needed, with regulatory frameworks or the implementation of successful international principles and public policies based on lessons learned, understanding that the greatest success is to promote joint work between the public and private sectors.
Chile at the forefront of cybersecurity policy approach
Internationally, the regulatory approach to cybersecurity issues varies. The European Union, for example, has a robust security framework.
Focusing on the Latin American region, there are various legislative initiatives that aim to regulate the issue, but it should be noted that some of these projects could affect fundamental rights, with cybersecurity being used as a pretext for excessive control by bodies that depend on the executive.
The case of the Cybersecurity and Critical Information Infrastructure law passed in Chile is a favourable development in the region, as it creates a National Cybersecurity Agency (ANCI) with specific powers and clear competences.
Chilean Law 21.663 was enacted on 26 March 2024 by President Gabriel Boric and published in the Official Gazette on 8 April 2024, as the first Chilean regulatory standard to address the problem of cyber-attacks. In addition, the National Cybersecurity Policy 2023-2028 was also approved. Both instruments are fundamental tools for a comprehensive security strategy, promising to deliver effective protection of digital rights and a stronger fight against cyber threats.
What does the law achieve?
With the implementation of these measures, Chile becomes a pioneer in the region in moving towards a comprehensive cybersecurity framework.
It rightly creates the National Cybersecurity Agency (ANCI), the National Computer Security Incident Response Team (National CSIRT) and the National Defence CSIRT, each with specific cybersecurity functions and financial resources.
These bodies are headed by Directors appointed in accordance with the rules of the High Public Management System established in Law Nº 19.882, which makes them civilian leaders, although they collaborate closely with the public security forces.
ANCI has a regulatory, oversight and sanctioning role over all entities, both public and private, that provide essential services. These entities must adopt robust measures to prevent, report and resolve cybersecurity incidents, including the obligation to report any cyber-attack to the National CSIRT, so that incidents receive a rapid and effective response.
Guiding principles of the law
A positive aspect of the enactment of the law was that, during the parliamentary debate, industry, academia and professional associations in the field were invited to provide their input. As mentioned above, cooperation with a holistic vision is the cornerstone of a successful law in this area.
The main aspects introduced are:
- It is aligned with global cybersecurity standards, introducing a risk-based approach that draws on recommendations from the International Telecommunication Union (ITU) and the National Institute of Standards and Technology (NIST). This risk-based approach assigns responsibilities according to the classification of the entity. Thus, the obligations placed on the public sector are the same (for a given classification) as those that will apply to the private sector, avoiding over-compliance for private companies.
- It defines cybersecurity in terms of the protection of information security as defined in the standards of the International Organization for Standardization (ISO).
- The National Cybersecurity Agency has limited, clear competences, including the power to conduct awareness-raising campaigns for citizens. Furthermore, it must be governed by the principle of rationality in the measures it takes to exercise its powers: those measures must be necessary and proportionate to the degree of exposure to risk and to the possible social and economic impact.
- Principle of security and privacy by default and by design. IT systems, applications and information technologies should be designed, implemented and managed with the security and privacy of the personal data they process in mind.
- The Cybersecurity Law establishes that breaches of the law are subject to the procedure and sanctions established in the sectoral legislation. It also states that the sectoral authority may issue cybersecurity regulations in coordination with the Cybersecurity Agency.
- Sanctions, infringements and control will be the responsibility of the Agency, avoiding duplication with sectoral regulations in the ICT sector.
With this regulatory framework, Chile has ensured that cybersecurity is not just a matter for experts. Its cross-cutting impact on daily life means that ensuring a secure and trustworthy digital environment is fundamental to protecting constitutional rights and fostering a robust economic environment. In this way the law seeks to address the growing sophistication of cyber-attacks that threaten the country's personal, corporate and national security.
Outline of the principles of the Chilean Cybersecurity Law:
- Creation of ANCI as an independent agency, a civilian National CSIRT and a Defence CSIRT, with limited and clear competences and respect for the principle of rationality
- Cooperation with the authority to resolve cyber incidents
- Damage control with actions to minimise impacts and incident responses
- Security and privacy by default and by design
- Information security
What should governments do?
Improving cybersecurity is an issue that needs to be on the agenda of all governments. Digital security has become a fundamental pillar of a country’s stability and development. Chile has enacted an important law creating a new legal framework, which is a significant step forward in the fight against cyber-attacks and strengthening national resilience to digital threats.
States should therefore implement national cybersecurity strategies in line with international best practices, train professionals with specific expertise, create specialised agencies with clear and limited competences and resources, and promote cooperation between countries and between public and private actors.
But a State alone cannot guarantee effective cybersecurity; it is the responsibility of each and every actor in cyberspace, from businesses to individuals.