The International Telecommunication Union (ITU) published the latest Global Cybersecurity Index (GCI), “a trusted reference that measures the commitment of countries to cybersecurity at a global level”. The overall score has increased. The United States got a perfect rating, and the overall percentage of South America has decreased.
The first time ITU published the GCI was in 2015 (with data from 2014). At the beginning of this year, the fourth report, with the 2020 data, was published; its closest comparison is the third report, published in January 2019. The GCI analyzed 193 countries using data collected by ITU and provided by each of the organization’s members.
The 2021 report notes a "median overall score growth since 2018" of 9.5%. However, this was not the trend in Latin America, although there are a couple of surprising cases. The most notable one is Brazil, South America’s leader. It rose from 70th place to 18th worldwide, surpassing, on the global scale, countries such as Belgium, Italy and Finland. However, most Latin American countries dropped in the ranking. Such is the case of Colombia, which went from 73rd place in 2019 to 81st; Uruguay went from being the best country in Latin America, in 51st place, to being the third, in 64th place, below Mexico and Brazil.
How were these results obtained?
The primary input is a study covering 82 questions related to cybersecurity commitments. All questions can be consulted at the end of the report. Each of these questions falls into one of the following categories: legal measures, technical measures, organizational measures, capacity development measures, cooperative measures. The questions were multiple choice (with two or three answer options), and each answer had to be supported with a document or a link where that information is officially endorsed. Once all the data were collected, the questionnaire was analyzed in two different validation stages. There, each provided document (or link) attached to the question was examined. The result was then broken down into the five categories, with a maximum of 20 points per category, so that the total sum was equal to 100.
The categories are as follows:
- Legal measures. It examines how a country deals legislatively with cybersecurity threats. If a country has adequate legislation to respond to cyberattacks, it can undertake relevant investigations and impose sanctions.
- Technical measures. If a country has expert institutions of a technical nature responsible for cybersecurity, it would have a good rating here. Among the technical aspects to be evaluated are the "accreditation schemes for software applications and systems." If a country does not demand minimum standards from its institutions (public or private), it will have a low rating in this criterion.
- Organizational measures. If a country manages to efficiently coordinate its institutions around the development and implementation of cybersecurity strategies, then it will score well in this criterion. Each country must have a national plan, a governance model and supervisory bodies to verify the implementation of cybersecurity standards.
- Capacity development measures. A high ranking in this criterion shows that there are well-established education programs in the country. In both the public and private sectors, professionals are certified to face cybersecurity tasks in the best way. This implies being aware of the technicalities behind cybersecurity and the political and economic implications that flow from it.
- Cooperative measures. Cybersecurity problems are no longer just a matter for a single country but also depend on the security of allied nations. In this regard, governments have a shared responsibility. Being coordinated with other countries on security issues is essential. This is the case, for example, in Europe, where there are joint regulations thanks to the General Data Protection Regulation.
The United States and Canada remain on the regional podium occupying first and second place. The United States earned a perfect rating in this report, obtaining first place globally and replacing the United Kingdom. The worst-ranked countries are Haiti, Dominica and Honduras. All three countries were also in the worst positions in the last report. This time they worsened their overall ratings. Haiti went from 164th in 2019 to 167th, Dominica from 172nd to 174th, and Honduras from 165th to 178th.
Brazil, Costa Rica and Suriname considerably improved their overall positions by climbing 52, 39 and 36 places, respectively. In contrast, Guatemala and Nicaragua dropped by 38 and 25 places, respectively. Countries that remained relatively stable were Cuba, which moved from 81st to 82nd place, Argentina, from 94th to 91st, and Bolivia, from 135th to 140th. Peru and Chile stood out slightly after climbing 11 and 17 places. However, in this report, the Latin American tendency was to decrease its global score. Countries such as Colombia, Venezuela, Panama, Ecuador and Paraguay decreased their overall scores. To be exact, they dropped 8, 17, 6, 21 and 18 positions, respectively, on the global scale.
Colombia had been ranked 73rd in the world in 2019, a place now occupied by Zambia. Compared to the best countries in the region (i.e., Brazil and Mexico), Colombia scores far lower on two criteria: legal and organizational measures. Brazil has a perfect score in the first, while that is Colombia’s lowest score. Unlike Colombia, almost all South American countries excel in Legal Measures. Latin American countries that rank below Colombia have better ratings in Legal Measures. Cuba (17.62), Paraguay (10.41), Peru (which has a perfect score in that criterion), Argentina (12.15), Panama (10.41), Suriname (11.13) and Guyana (13.12) surpass Colombia in this criterion (see Figure 3). We must go down to Venezuela, 35 places below Colombia, to find a lower score in Legal Measures (8.80).
Latin America has a relatively adequate legislative response to cybersecurity threats. In other words, the legal systems of its countries provide appropriate sanctions for cybercrimes. This also incentivizes investigations by the relevant control bodies. In contrast, the weakest criterion of Latin American countries is technical measures, ironically, one of the best criteria in Colombia (17.58). Countries well placed in the ranking, such as Chile (9.39) or Costa Rica (9.14), have scored much lower than Colombia. And even the three best countries in Latin America do not exceed the Colombian score by far: Brazil (18.73), Mexico (17.90) and Uruguay (18.27).
In conclusion, although the world is strengthening its cybersecurity policies and becoming more conscious of the need to face such threats, the reverse phenomenon seems to be occurring in Latin America. A more significant effort is needed from Latin American nations to match the widespread global commitment. Greater engagement is required in formalizing institutions whose mission is to ensure the nation’s cybersecurity.