Accountability In Cyberspace
Lessons from and for Latin America
Louise Marie Hurel | 2024.10.16
Outlining the regional approaches, challenges, and solutions to the cyber accountability question in Latin America.
The pursuit of accountability as an absolute goal can limit policymakers from important considerations such as domestic and regional ambitions, economic priorities, and cultural context. In Latin America, governments and other stakeholders face internal challenges to the cybersecurity agenda that sideline accountability. This includes a growing reliance on the United States and China for digital infrastructure, the increasing militarization of cyber capabilities, and the often more pressing issue of economic growth and development. For any efforts in the region to take root, interpreting accountability and state responsibility in the context of regional politics and historical context is critical.
Contextualizing Accountability in Latin America
The UN framework for responsible state behavior and an evolving interpretation of how international law applies to cyberspace have set a normative benchmark for state conduct in cyberspace. However, the way in which states interpret those international commitments and translate them domestically is an ongoing exercise – an important one nonetheless, as accountability relies on the domestic and international levers that countries devise to hold other state and non-state actors accountable for their actions, as well as the domestic mechanisms that also introduce checks and balances for their own actions in cyberspace.
While it is beyond the scope of this paper to conceptualize accountability, there are at least two dimensions of accountability that are relevant for the purposes of this piece. The first refers to negative accountability, that is, the actions taken by one party to ensure that the other party is made responsible for their acts or neglect. This could include, for example, sanctions or public attribution for malicious activities that violate the norms for responsible state behavior. The second refers to positive accountability, that is, the proactive measures by states and other stakeholders that support either a domestic or international regime that is more open, transparent, and/or inclusive. Examples of positive accountability range from international and domestic due diligence measures, development of cyber capacities, promotion and protection of human rights in cyberspace, and inclusive and democratic policy development, among others. This piece focuses largely on positive accountability, domestic and regional enablers and constraints, and cultural nuances for thinking about cyber accountability and responsibility from a practice-oriented perspective.
Latin America has its own pathways, experiences, and challenges in interpreting the links between accountability and cybersecurity. In fact, neither Portuguese nor Spanish possesses an exact word for “accountability”. The translation of the term relates to the responsibility of an organization or state for its decisions (and the consequences deriving from them), which is called “prestação de contas” or “rendición de cuentas” – the act of reporting or accounting for certain actions. The objective of this paper is thus to provide a contextualized, non-exhaustive view of enablers and blockers for accountability in cyberspace as it relates to the countries in the region.
Analyses of cybersecurity maturity and development in the region (and elsewhere) have often concentrated on “technical” or “cyber-specific” markers, such as the development of a national Computer Emergency Response Team (nCERT) or a National Cybersecurity Strategy (NCS). These and other maturity assessments have served, at times, as indicators of the responsibility of states in cyberspace within the region, as they directly relate to the measurement of the capacities of these countries to operationalize and implement the framework for responsible state behavior. While important, the discussion about accountability (or lack thereof) within Latin America (and arguably in other regions) needs to be understood as intimately connected to deeper historical, regulatory, and economic roots – all of which intersect in complex ways with the trajectory of cybersecurity agendas nationally and regionally.
The first of those complex intersections refers to the securitization and militarization of cybersecurity – both institutionally and in terms of technological development. Despite the history of military dictatorships, the relative peace amongst countries in the region has led to the repurposing of military personnel as a backup for civilian capacities to protect, defend, and respond to domestic security issues, including organized crime. For some countries, the armed forces have also become one of the national epicenters for the development of cyber capabilities. Militarised approaches to cyber policies and institutions, and strong emphases on combatting online crime, relate to different trajectories of securitization of cybersecurity in Latin America that have, time and again, posed a challenge for greater accountability. Even so, competing security and economic incentives have created disjointed narratives with a securitized and militarized vision of cyberspace, on the one hand, and the commitment to market innovation, digital economy, and digital security, on the other.
Secondly, questions around economic stability have impacted the pace, consistency, and political visibility of cybersecurity developments in the region. Economic stifling in Latin America following the 2008 global economic crisis, compounded by COVID-19, has led to a “second lost decade” of development in the region. This was marked by an average 0.9% annual growth between 2014 and 2023. Unsurprisingly, the difficult road for sustained economic development in Latin America has had a direct impact on cybersecurity. Even though it has reinforced the region’s commitment to capacity building, it has equally affected the degree to which political elites view cybersecurity as a priority – given other more pressing areas underpinning economic development.
Thirdly, growing dependency on the US and China for infrastructure provision poses significant geostrategic challenges and pressures for Latin American countries as they seek to combine both relationships in their favor. According to the World Bank, the United States remains the main export and import partner for Latin America and Caribbean countries, with China only slightly below the US in export markets. However, tensions have been constant around the provision of digital services and infrastructure. As of 2022, Huawei, ZTE, China Unicom, China Telecom, and China Mobile have at least 36 facilities distributed across Venezuela, Brazil, and Argentina.
It is within this context of complex intersections between the region’s historical and recent past that cyber accountability should be interpreted. To do so, the paper is divided into two main parts.
Enabling Positive Accountability Through Policy Responses
There are different ways in which countries can engage in positive accountability. That is the case of National Cybersecurity Strategies (NCS), which have become a key component of cyber accountability – and an equally relevant part of the development of responsible cyber behavior within the Latin American context in particular. These documents often represent the outcome of cross-government discussions, a public signal of the country’s interest in cybersecurity, and a confidence and transparency measure insofar as they translate the government’s ambitions to the broader population.
Throughout the past decade, many countries in Latin America have developed their own NCSs, with some having merely published their first version, others being in the process of developing or publishing a second version, and some already having laws on the topic. Most of these documents follow a similar structure, covering strategic pillars such as cybersecurity governance, development of a legal/policy framework, research and development, and cooperation.
While important, NCSs do not always mean that there is high political commitment to a cybersecurity agenda – and despite being a positive accountability measure domestically, their impact in ensuring greater political traction of cybersecurity or government-wide accountability should be taken with a grain of salt. Visibility of the topic by the presidency or political elites in the region remains minimal considering the competing and more pressing national agendas facing countries in Latin America such as climate resilience, public security, and economic stability (i.e. handling rising inflation). However, lack of political visibility does not mean that some countries have not been consistent with their cyber policy development. At times, it means that bureaucratic or sector-specific leads can push forward, albeit slowly. That is the case of Colombia, which now has three versions of its NCS, each of which has a different emphasis on cyber defense (2011) and digital security (2016 and 2020).
While lack of political visibility can be associated with limited accountability and transparency beyond a small group of bureaucratic or sector-specific leads, this is not always the case. High political visibility has, at times, resulted in the politicization and polarisation of cybersecurity discussions. That was the case of Colombia’s legislative proposals for the establishment of a National Cybersecurity Agency. Despite an agreement on the importance of having an agency, when the time came for the proposal to be presented, senators from the opposition associated the agency with a “spy agency” against citizens and other political parties – something that not even key privacy advocates and civil society organizations in Colombia had perceived as such.
Other contextual factors, such as large-scale cybersecurity incidents, have, on the other hand, helped propel further policy developments as well as promote visibility of cybersecurity challenges facing countries in the region both domestically and internationally. The Russia-based Conti ransomware group’s 5-day intrusion on Costa Rica’s government ministries in 2022 led to an unprecedented declaration of a state of emergency. Part of the incident also took place during a presidential transition, raising pressures for the incoming government of Rodrigo Chaves to regroup and respond accordingly. Domestically, it has led to a series of policy developments. One of the immediate outcomes was heightened international cooperation between Costa Rica and the United States, Spain, and Israel – all of which already possessed Memorandums of Understanding (MoU) with the country. This was followed by a series of legislative proposals for a National Cybersecurity Agency and a national cybersecurity policy. Ultimately, it resulted in the publication of the country’s first NCS 2023-2027. In 2023, Costa Rica also joined the International Counter Ransomware Initiative and published its views on how international law applies to cyberspace, becoming the second country in the region to do so.
Despite the disruptiveness of large-scale incidents and their capacity to stress test a country’s capacity to react and respond, they also trigger policy processes. As Costa Rica’s case illustrates, the country has started to effectively invest and receive substantive support only after the incident. Such a combination has led to an increased interest and commitment of the country to enhance its own stance both on domestic and international cyber accountability.
Going from reactive (i.e. developing policies and responses after a disruptive incident) to proactive approaches (i.e. investing in prevention) to cyber accountability can often be a non-linear process and an even greater challenge when there is limited capacity or political appetite. Even so, some of the countries that have developed their NCS have been seeking to transform strategic thinking into institutional development through the establishment of National Cybersecurity Agencies. That is the case of Chile, Brazil, Colombia, and others, although each of these countries has its particularities. In Colombia, there have been four legislative proposals for the establishment of an NCSA since 2023. Despite political controversies, two have not gone forward and two proposals remain, one proposed by the Ministry of Science and Technology and another by Senator David Luna. In Brazil, the Institutional Security Office of the Presidency – the body responsible for cyber policy development – has previously indicated its interest in presenting a bill to establish the Brazilian NCSA (Agência Nacional de Cibersegurança, or ANCiber). The draft bill was first circulated in mid-2023 and it included the establishment of ANCiber, which has yet to be presented to Congress at the time of writing.
The convergence of policy debates around the establishment of NCSAs in Latin America shows that there is institutional appetite to transform strategy into action. It also highlights that many of these countries share the view that the first step to do so entails designating a focal point for cybersecurity that has the competency to provide action and oversight over national cybersecurity. While most of the countries in the region are still discussing the NCSA, there are already other existing models of governance in place that reflect the specificity of how accountability is bound to the country’s institutional culture. Uruguay is an emblematic case. Instead of having an NCSA, it established in 2005 a National Agency for E-Government and Information and Knowledge Society (Agesic). One year later, the country’s Accountability Law was amended to add information security as part of its core competencies: The agency was then tasked with “planning and coordinating projects related to Electronic Government as a basis for the transformation and greater transparency of the state and conceiving and developing a national policy on information security issues that allow prevention, detection, and response to incidents that may affect the country’s critical assets”.
However, the discussion on accountability in cyberspace is not restricted to government agencies, bureaucratic elites, and a small pool of decision-makers. In addition to policy and institutional levers of accountability, some countries in the region have been historically and proactively engaged in technical cooperation. At the regional level, the Latin America and Caribbean Internet Address Registry (LACNIC) – responsible for assigning critical Internet resources and providing a forum for regional cooperation on Internet governance – has been one of the focal points for the technical security community to collaborate and exchange information. The LACNIC community established a Warning, Advice, and Reporting Point (WARP) in 2014 that later became the LACNIC CSIRT network. The network is composed of LACNIC members (i.e. national CERTs and private actors) and seeks to coordinate and strengthen incident response capacity as it relates to the Internet Protocol and Autonomous Systems through training, information sharing, and incident management. The Organisation of American States’ Inter-American Committee Against Terrorism (CICTE) has also established the CSIRTAmericas Network with national CERTs from over 20 countries in the region and has equally focused on supporting and developing incident response capacity across the Americas.
These and other initiatives illustrate that governmental cyber accountability can benefit and has benefited from non-governmental initiatives, especially when the focus has been to create a space for sustained technical collaboration with cybersecurity experts, companies, and other parts of the private sector and law enforcement. More importantly, it illustrates that a regime of positive domestic accountability can grow and expand if and when it leverages other stakeholders and initiatives. However, this section also highlights that accountability is not a one-sided coin or an absolute value that is achieved; there are complexities and nuances that need to be further unpacked and navigated. When considering broader government incentives to engage in cybersecurity at the domestic level, political visibility does not always translate into desirable political traction or accountability – even though legislative processes obey broader policymaking accountability measures already in place.
Challenges for Cyber Accountability
Despite the gradual progress of countries in both policy and technical cooperation, the region still faces fundamental challenges when it comes to cyber accountability. The thirst for capacity development can often translate to countries seeking to “buy off” cybersecurity and not be guided by strong concerns around privacy and human rights.
While it might be reasonable to assume that countries will seek to outsource their cybersecurity – a posture reflective of both developed and developing countries given the perennial ownership of services by the private sector – lack of commitment from ministries or certain parts of the public administration may feed a one-off, solutions-driven approach. There are different reasons why the debate about the outsourcing of cybersecurity tooling within a developing country context – especially Latin America – can present some challenges to cyber accountability.
First, many of the technologies and solutions are not based in the region. This means that there is increased dependency of national governments on cybersecurity services based elsewhere (either with a national or regional office), especially the US. This external reliance has not always been dealt with in the smoothest of ways and has previously raised significant tensions with US-based companies. In 2015 and 2016, WhatsApp was temporarily suspended because the company did not comply with law enforcement investigations in Brazil. A few years later, in 2022, Telegram was also “blocked” in Brazil after a Supreme Court ruling ordered the platform to comply with law enforcement. Albeit not strictly cybersecurity focused, the case illustrates an extreme measure taken in a context in which a government sought to reclaim its capacity to act in a highly privatized space. The challenges for countries in the region involve how to balance Small and Medium-sized Enterprises (SME), local, and international cybersecurity service providers. Other, often neglected contractual avenues such as consortium models can balance dependencies on a small pool of companies and leverage local and global expertise, though this is beyond the scope of this paper and would require a piece all on its own.
Second, dependency on private and public support in areas such as threat intelligence and incident response also raises important challenges concerning the sustainability of investments and capabilities for countries in the region. In Costa Rica’s post-Conti recovery, the US committed $9.8 million to support the country in developing its own Cybersecurity Operations Center by 2026 through the Foreign Military Financing (FMF) grant. While important, it also raises the question of how countries such as Costa Rica will work to maintain existing licenses after the 2026 cycle of investment – and how they can transform immediate reliance on foreign support into a sustainable approach that diminishes external dependencies. Thus, even though cyber capacity building projects and international assistance might seek to address gaps, upskill, or provide technology and infrastructure support for countries in the region and elsewhere, they create a double accountability risk: On the one hand, there is a risk of projects not effectively helping recipient countries transition from reliance on foreign aid to sustainable development of capacities; on the other hand, the risk is that donors invest in Cyber Capacity Building (CCB) and cyber crisis response but fall short of being accountable themselves for the impact and sustainability of investments made in a third country.
However, the most concerning outcome of such a highly private-dependent incentive structure is the acquisition of intrusive cyber capabilities (i.e. spyware or other tooling – such as Malware-as-a-Service or Access-as-a-Service made commercially available). For nearly a decade, countries in Latin America have reportedly used third-party spyware, often against their own citizens. The infamous Italian group Hacking Team held Latin America as one of its biggest regional markets. Countries such as Ecuador, Mexico, Panama, and others were part of the extensive list of buyers – most of which were driven by governments’ intent to spy on political opponents.
Even though the Hacking Team may now look like a historical reference, the market supply for intrusive software remains compelling and attractive for countries in the region, arguably for the same reasons as 10 years ago. If in 2014 Ecuador was sending emails to Hacking Team asking them to provide the tool that would support the intelligence agency SENAIN in spying on a political dissident, in 2024 the Brazilian government fired the head of the intelligence agency after discovering that during Bolsonaro’s government the intelligence agency had been using Israeli tool FirstMile to eavesdrop on Supreme Court justices. Mexico, an already avid client of some of these tools, was the first country to close the deal with the Israeli company NSO Group and deploy the Pegasus tool against criminals and political opponents – along with other Latin American countries such as El Salvador, which has also deployed the tool against civil society groups and journalists.
Even though many countries in the region do have data protection laws, the fact that some of them do not cover the use of data in intelligence, national security, or public security cases raises additional challenges for cyber accountability in the region. The Brazilian Data Protection Law (LGPD), though seen as an adaptation of the GDPR, notes in Art. 4 that the law is not applicable to the treatment of personal data used exclusively for public security, national defence, national security, or investigation or repression of infringements to the criminal code. The Argentinian Data Protection Law notes in Art. 23 that the processing of personal data for the purposes of national defence or public security without the consent of the affected parties is limited to cases and categories of data in strict compliance with missions legally assigned to national defence, public security, or repression of crime (criminal investigation).
Conclusion
In an increasingly privatized cybersecurity market in which governments heavily rely on third-party solutions, cyber accountability should be seen increasingly as co-responsibility. However, when observing the actions of governments in Latin America, the first section of the paper showed how one should more carefully position the discussion about state responsibility and accountability within the historical and cultural background of a particular region. The second section explored how different countries have sought to enact and showcase positive accountability. It also highlighted that the term accountability should not be taken as an absolute goal; rather, in domestic policymaking, there are internal challenges that might emerge when accountability comes with greater political visibility of the cybersecurity agenda. The third part of the paper outlined some of the challenges and blockers to the operationalisation of accountability in the region – from intragovernmental incentives, to the delegation of cybersecurity, to the perpetration of human rights abuses through intrusive commercial cyber tools in Latin America.
The panorama of cyber accountability in Latin America is a complex mix of national ambitions to develop cyber capacities, the thirst for innovation and economic growth, and the increasing commitments to policy and institutional developments. While this paper is far from exhaustive, it does illustrate that there are historical underpinnings that inform cyber accountability in Latin America as well as nuances when it comes to the economic structure of incentives for countries heavily outsourcing in the region.
Louise Marie Hurel is a Research Fellow at RUSI’s Cyber Team. Throughout the past years, her research has focused on multiple areas of cyber policy, including but not restricted to incident response, cyber capacity building, cyber operations, cyber diplomacy, and non-governmental actors’ engagement in cyber security.