In this special for the bulletin, first-year student Andrea E. Robles Larios shares a policy brief on the state of Mexico's institutional capabilities to deal with cybersecurity threats. Please see the end of the brief for images and infographics.
Cyber-attacks have become a constant issue in the current technological era and being unprepared can lead to economic and national security problems. Governments have become one of the easiest targets due to the few or non-existent security measures implemented within them, which increase the number of technological vulnerabilities and thus the number of attacks. Mexico lacks the institutional capabilities required to deal with cyber threats, and its first attempt at implementing a National Cybersecurity Strategy has failed.
There are two possible alternatives to strengthen Mexico’s Institutional Capabilities that are consistent with the priorities of the current government:
- To resume and improve the design and implementation of the current National Cybersecurity Strategy
- To include minimum Cybersecurity foundations within the National Digital Strategy
Cybersecurity is a broad concept that can be approached from the public or the private sphere, and in physical space or cyberspace alike. It faces several threats. The most common are loss of information, identity theft, personal data concerns, leaks of sensitive information, unethical hackers, cybercrime, and cyber threats such as viruses, malware, ransomware, etc. They can significantly impact daily gadgets, services, individuals, companies, governments, and international organizations. Unfortunately, Cybersecurity is often analyzed as a problem but not as a beneficial tool or solution.
Governments have become easy targets for cybercrime due to a lack of knowledge, specialists, and comprehensive strategies. The more the cyber threats expand, the more the international community relies on the government’s capabilities to strengthen national security and minimize the social and economic impact that technological vulnerabilities can cause (European Union Agency for Network and Information Security, 2016).
Referring to the public sphere, the primary concern of having a weak Cybersecurity approach is not that the information on a public servant’s computer will be lost, but that cyber-attacks may alter electoral records, delete immunization registries, block access to electricity in hospitals, activate critical controls in power plants, leave large cities without subway service, threaten the autonomy of central banks, and even promote espionage.
Mexico lacks the institutional capabilities required to deal with cyber threats. The government has not paid the necessary attention to this issue and has ignored that public institutions are vulnerable to attacks. National cyber contingency plans, security measures, priorities, and specific responsibilities among institutions do not exist. The government is currently promoting strategies such as the National Digital Strategy 2021-2024 (NDS). Unfortunately, the NDS was created exclusively to increase digitalization and access to public services while reducing public spending on technology (Llamas Covarrubias, 2021). In this strategy, strong Cybersecurity foundations are still missing.
Mexico’s Cybersecurity efforts started in 2017, with the publication of the National Cybersecurity Strategy (NCS). The Inter-ministerial Committee for the Development of e-government (CIDGE) was established as the public entity in charge of promoting the participation and collaboration of its members (representatives of each Ministry), organizing initiatives, and encouraging capacity building (Estrategia Nacional de Ciberseguridad de Mexico, 2017). However, CIDGE’s role is merely organizational, which leaves the Mexican government without the required institutional framework and governance to develop a sound Cybersecurity strategy and facilitate its execution.
Moreover, since the change of government in December 2018, only one session of CIDGE’s Committee has been held, and since then, its website has not shown any further updates. After reviewing the content of NCS and its low impact, its failure since the implementation stage can be related to the following reasons:
- Weak enforcement capabilities coordinated among relevant institutions of the public administration
- Loosely defined actions to be executed by relevant stakeholders
- Limited political awareness and willingness to invest resources
Having an NCS only on paper, without a clear roadmap for its implementation and with inadequate law enforcement, has resulted in broader security gaps and an increasing number of attacks with their respective economic losses. According to Martínez (2021), Mexico is the third Latin American country with the highest number of cyberattacks (17% of the region’s total attacks). The country also receives 53% of the viruses launched in the world (Kosevich, 2020), and was the last of the 6 Latin American countries that have developed a National Cybersecurity Strategy. Overall, the economic cost of cybercrime in Mexico is estimated at US$3 billion per year.
Mexican Public Institutions are attractive targets for cybercrime, mainly due to their management of sensitive citizen information and their essential work of providing critical services to the population. The timeline (below) provides information related to the cyberattacks directed at Mexican Public Institutions in the last three years (2018-2021).
It is worth noting that most of the attacks shown in the image occurred even after the approval of the NCS. No institution was able to contain the attack or repair the damage because none of them had a contingency plan. Also, some of the hacked Institutions can be considered critical infrastructure (i.e., PEMEX and Bank of Mexico).
According to Clark et al. (2014), a comprehensive approach to Cybersecurity entails considerable attention to two aspects: i) Process, how individuals interact with information technology; ii) Policy, how organizations require, incentivize, or ask individuals to behave. As mentioned before, in 2021, the Mexican Government developed the NDS 2021-2024, which was created as a road map to address and align the efforts of all public institutions regarding technological initiatives. The NDS aims to fulfill the needs of public institutions and guide citizens’ requests regarding technological affairs (Diario Oficial de la Federación, 2021).
The Planning Process for the Digital National Strategy and Technology Policies (2018) defined seven general actions, three of which sit as the core of its digitalization policy:
- Migrating 50% of public network assets to IPv6 environments by the end of 2024 (Protocolo Nacional Homologado de Gestion de Incidentes Ciberneticos, 2021)
- Promoting the exclusive use of open-source software
- Digitalizing frequent-request government services
Although Mexico’s development of an NDS is a remarkable achievement, pursuing these actions without implementing a robust Cybersecurity framework might be detrimental to the government’s safety. Interconnectivity might increase, but so might hacking attacks. Mexicans will be at risk not only because the personal data provided on official websites (credit cards, PINs, tax records, and pension status) could be exposed, but also because inappropriate use, loss, or leakage of such information could lead to high economic costs for the institutions and to legal problems.
Strictly speaking, a National Cybersecurity Strategy will traditionally not address the same issues as a National Digital Strategy, and these two topics demand different solutions in the technological era. Ideally, Cybersecurity must come first and create the foundations and safe conditions to implement digitalization projects. In the Mexican case, the recent efforts seem decentralized and narrow. Both initiatives show how national cyber capabilities are scarce, incomplete, and without the enforcement needed to deal with cyber threats, making public institutions easy targets to be hacked and to incur financial losses.
Migrating public network assets, using open-source software, and digitalizing public services while ensuring the safety of citizens in the process would require enhancing the government’s capabilities to tackle cybercrime and the economic losses it entails. Undoubtedly, the Mexican government needs to bridge the technological gaps of both initiatives by identifying their key improvement aspects. The following scenarios can be helpful to guide the government of Mexico in this essential task.
Viable policy options
Two policy options present themselves: One would be to resume and improve the design and implementation of the current NCS. This first policy option departs from the National Cybersecurity Strategy engineered by the former administration, which unfortunately was not completed. Therefore, to implement this policy option, the current government has to do significant work to finish the NCS and take it a step beyond to meet the international standards for Cybersecurity in the public sector. One way of executing this policy option can be by implementing what ENISA recommends in “Good Practice Guide for National Cybersecurity Strategies” (2016), for the design and development stage. The table at the end of this document sheds light on the shortcomings and gaps of the Mexican NCS.
If the Mexican government were to go with this option, it would have to create a Risk Management approach from scratch, align its legal framework at the national and international levels, and build partnerships with the private sector.
The second option would be to include minimum Cybersecurity foundations within the NDS.
Policy Option Number 2 consists of complementing the existing NDS and introducing Cybersecurity capabilities to fill the current information security gaps. Figure three presents a summary of NDS’ general structure.
Based on its structure, the area that would require the greatest strengthening efforts and where the highest number of technological vulnerabilities may originate is the sub-strategy “Digital Policy for Public Institutions.” Overall, the sub-strategy consists of six general objectives and 29 action lines and only 12 are somehow related to information security. Therefore, this section is where Mexico’s government should include the Cybersecurity foundations.
- Define a central body for technical and economic analysis of technological projects
- Define technical standards for ICT projects
- Create an inventory of ICT goods and services
- Re-use, share, improve and update the government apps’ programming-code
- Migrate daily work and services to open-source software
- Encourage the development of new ICT experts
- Promote a general information security policy to preserve confidentiality, availability, and integrity of the Institutions’ safeguarded information
- Coordinate security evaluations to improve risk management
- Strengthen the coordination among public institutions to improve cyber incident-response
- Propose key actions to strengthen information security among public institutions
- Promote database integration among the public institutions
- Develop a standardized protocol to manage cyber incidents
Mexico needs to develop a National Cyber Contingency Plan, secure digital identity, and build trust in digital public services to implement this policy option.
In analyzing which of the policy options described above would represent the best course of action, decision-makers should assess the feasibility of each alternative based on the following criteria:
- Continuous Implementation timeline: A lesson learned from NCS failure is that this type of policy requires sustained political efforts for a considerable period, which a change in administration could disrupt. In this context, Mexico will hold Presidential elections in 2024, thus two years will not be enough to re-arrange and improve the entire NCS.
- Alignment with political priorities: The achievement of any of these two policies will depend on political willingness to commit fiscal, technical, and institutional resources. In this regard, the President of Mexico and Congress have shown strong support for NDS but have largely ignored the development of NCS.
- Institutional capabilities: Policy Option Number 1 would require the development of a solid institutional and governance framework to complete NCS and take it to international best practices, which is unlikely under the current administration. Conversely, the Mexican government has already put together a framework to develop and execute NDS, facilitating the adoption of Policy Option Number 2.
Considering that the Cybersecurity strategy has lost political support since 2019 while the digital strategy is currently in the implementation stage, it is highly recommended to choose Policy Option Number 2, in which the government can take advantage of the ongoing process of NDS’ action lines and smoothly integrate Cybersecurity measures in a short period. This action is not the optimal one but the most feasible due to the current situation.
How can Mexico build a better security framework?
To strengthen this strategy with Cybersecurity pillars, the government of Mexico could follow international standards. One of the best practices can be found in the National Capabilities Assessment Framework (2020) of the European Union Agency for Network and Information Security (ENISA). The design of this framework supports the Member States in building Cybersecurity capabilities at both the strategic and the operational level. A brief overview identifies four significant clusters needed to manage Cybersecurity at the national level: i) Governance and Standards; ii) Capacity building and awareness; iii) Legal and regulatory; and iv) Cooperation. Additionally, the clusters are complemented with 17 strategic objectives, specific goals, indicators, and suggestions for self-assessment. The fulfillment of each of these goals will result in a mature level of national Cybersecurity.
In the Mexican case, the development and implementation of this framework would take several years, making it inefficient. However, the government can take these standards as a starting point to strengthen the National Digital Strategy. The first phase must leverage the CIDGE’s political endorsement and focus on addressing the first three objectives within the “Governance and Standards” cluster. Here are the essential actions that best suit Mexico's situation:
Objective 1 would be to develop a national cyber contingency plan. This would:
- Perform technical, operational, and political studies related to cyber contingency planning
- Promote an internal awareness campaign among public institutions to disseminate that cyber incidents constitute a crisis factor that could threaten national security
- Develop a national-level cyber crisis management plan. Engage with all relevant national stakeholders: national security, defense, civil protection, law enforcement, ministries and
- Create a multi-stakeholder cyber information committee with only essential decision makers and formally define the methods, platforms, or locations where all crisis response actors can access the same, real-time information when a cyber-crisis occurs.
Objective 2 of this plan would be to establish baseline security measures such as:
- Performing a study to identify requirements and gaps for public institutions based on internationally recognized standards such as ISO27001, BS 15000 and PCI-DSS
- Defining security measures in compliance with international standards and making them mandatory within public institutions
- Consulting private sector and other stakeholders when defining baseline security measures
- Implementing sector specific security measures across critical sectors
Objective 3 would be to secure digital identity and build trust in digital public services by:
- Performing studies or gap analyses to identify the needs to secure digital public services to citizens and businesses, such as the risk of moving them to the cloud or any digital transformation project
- Building a strategy to promote secure national electronic trust services (e-signatures, e-seals, e-registered delivery services, time stamping, website authentication) for citizens and businesses
- Promoting privacy-by-design methodologies in all e-government projects
- Engaging with private stakeholders in designing and delivering secure digital public services
- Implementing a minimum-security baseline for all digital public services
The correct implementation of these actions in the NDS, and their enforcement through a centralized entity such as the CIDGE, will prevent public institutions from being hacked, avoid economic waste, and make government digitalization a reality in the medium term without compromising national security.
- Brennen, J. S., & Kreiss, D. (2016). Digitalization. In The International Encyclopedia of Communication Theory and Philosophy (pp. 1–11). John Wiley & Sons, Ltd. doi.org/10.1002/9781118766804.wbiect111
- Clark, D., Berson, T., & Lin, H. S. (2014). At the Nexus of Cybersecurity and Public Policy. 150.
- Diario Oficial de la Federación. (2021, September 6). DOF - Diario Oficial de la Federación. Secretaría de Gobernación. dof.gob.mx/nota_detalle.php
- Estrategia Nacional de Ciberseguridad de Mexico 2017. (n.d.). Retrieved 17 February 2022, from www.gob.mx/cms/uploads/attachment/file/271884/Estrategia_Nacional_Ciberseguridad.pdf
- European Union Agency for Network and Information Security. (2016). NCSS Good Practice Guide [Report/Study]. www.enisa.europa.eu/publications/ncss-good-practice-guide
- European Union Agency for Network and Information Security. (2020). National Capabilities Assessment Framework [Report/Study]. www.enisa.europa.eu/publications/national-capabilities-assessment-framework
- Kosevich, E. (2020). Cyber Security Strategies of Latin America Countries. IBEROAMERICA, 1, 137–159. doi.org/10.37656/s20768400-2020-1-07
- Llamas Covarrubias, J. (2021, September). México tiene su Estrategia Digital Nacional 2021-2024 | Foro Jurídico. forojuridico.mx/mexico-tiene-su-estrategia-digital-nacional-2021-2024/
- Martínez, C. (2021, January 7). México ocupa el tercer sitio en la región por ciberataques. El Universal. www.eluniversal.com.mx/cartera/mexico-ocupa-el-tercer-sitio-en-la-region-por-ciberataques
- Proceso de Planeacion de la Estrategia Digital Nacional y de la Politica Tecnologica. (n.d.). Retrieved 28 February 2022, from www.gob.mx/cms/uploads/attachment/file/623514/Proceso_de_Planeaci_n_de_la_Estrategia_Digital_Nacional_y_de_la_Pol_tica_Tecnol_gica.pdf
- Protocolo Nacional Homologado de Gestion de Incidentes Ciberneticos. (n.d.). Retrieved 18 February 2022, from https://www.gob.mx/cms/uploads/attachment/file/676695/Protocolo_Nacional_Homologado_de_Gestion_de_Incidentes_Ciberneticos.pdf
Timeline courtesy of:
Metabase Q. (2021). El Estado de la Ciberseguridad en México. https://www.metabaseq.com/recursos/el-estado-de-la-ciberseguridad-en-mexico-2021
Cover photo by Canva