Securing Brazil’s e-Government services – Ensuring government e-services are safe from cyber threats

Summary

This project is part of the United Kingdom Foreign, Commonwealth & Development Office (FCDO) commitment to build national cyber security capacity and resilience to cybersecurity threats in five middle-income countries. The UK Government’s Digital Access Programme provides support through: Government-to-Government technical assistance; cyber hygiene training; public awareness-raising; and research. It aims to reduce the impact of cyber harms on their governments, economies and citizens – particularly amongst groups vulnerable to online exploitation.

Details

Aim

The Brazilian government is currently digitising e-government services however its imperative that secure by design controls are implemented. With a suitable Security by Design framework in place to be used when digitising Brazil’s government services, everything from access controls, firewalls and encryption through to governance and privacy considerations can be addressed from the outset. Such a framework provides reassurance over the safety of citizens’ personal data and safeguards services’ integrity and availability. The latter is a particularly important consideration for Brazil’s large, remote, rural communities with limited physical access to public services.

Context

To reduce bureaucracy and provide more efficient access to public services, Brazil is currently digitising all its government services. It’s a huge undertaking, involving more than 250 government departments and thousands of apps, webpages and online processes. Such a wholescale shift to online services could expose citizens to cyber harms unless security and privacy concerns are comprehensively addressed when new services are being designed.

Outcomes

• Strengthened national cybersecurity through governmental protection of sensitive and personal data on e-Government services.
• The objectives of Brazilian Law 14.129 are supported in its intention to de-bureaucratize digital government and make Privacy by Design for digital services required.
• Knowledge sharing workshops were attended by 222 participants from over 70 different government organisations. Empowering participants to utilize global best practice methodologies and  meet E-Ciber objective 2.3.8 (Expand Brazil’s international co-operation in cybersecurity) through improving international digital co-operation.

Outputs

• An assessment of the maturity of SGD’s current approach to Security by Design, identifying where improvements were required.
• A Security by Design framework for SGD to use in its digitisation programme.
• E-Government services, created with new Security by Design procedures.
• A new additional framework that consolidates NIST, ISO, LGPD and CIS controls that SGD can use to implement additional security and privacy measures and controls in government organisations. The framework includes a controls assessment that government organisations can use to assess compliance to and understand required actions to meet the target state.

Activities

• Two knowledge sharing workshops; one with the UK government on Security by Design and one with KPMG and incident response SMEs on government incident responses.

Having understood the technical requirements of the government’s various online services, the project team developed the framework and an action plan for its implementation. Training was created to demonstrate how the framework should be used, alongside a rating mechanism for retrospectively evaluating the security of services that had already been digitised.

• Training over 70 departments on how to implement the framework’s technical controls and a review of SGDs progress on the implementation of the secure by design framework.