Brazil’s diplomacy has historically been one of soft power and brokering discussions. In Internet governance, the country has been internationally recognised for to its multi-stakeholder governance model and for advocating for privacy in the digital age. As cyber threats become a national security concern and a key part of the political agenda in the run-up to 2022 presidential elections, the country is faced with a pressing question: what is Brazil’s cyber diplomacy?
Since 2020, Brazil has faced some of the worst cyberattacks in its history – including but not restricted to attacks against Covid-pass app ConectaSUS and ransomware attacks targeting the Superior Court of Justice and nuclear subsidiaries, in addition to massive data leaks affecting more than 220 million individuals.
These and other concerns have factored into new responses at the national level, such as the publication of Brazil’s first national cybersecurity strategy, the establishment of data breach notification guidelines and the consolidation of an official cross-government network of incident response teams. While major incidents rapidly catapulted cybersecurity into higher levels of policy development across the government, the 2022 presidential elections could be one of the most intense moments in recent political history and potentially have ripple effects across cyberspace.
Besides being an intense moment for the future of Brazilian politics, the run-up to the elections has already triggered many discussions about protecting the integrity of electoral infrastructure and raised concerns about the potential of malicious actors to combine cyberattacks with disinformation campaigns.
For many years, Brazil has been known for its pioneering role in multi-stakeholder Internet governance – having advocated, together with Germany, for the landmark resolution on the Right to Privacy in the Digital Age. Internationally, the country has been vocal about its concerns about cyber espionage – without, however, developing a specific narrative or foreign policy dedicated to “cyber diplomacy”, and amid growing internal divisions on the subject. However, the publication of its views on the applicability of international law to cyberspace, along with its support of the reports of the United Nations Group of Governmental Experts (GGE) (to which Brazil has been part of all iterations since 2013) could provide some hints to the country’s foreign policy on cybersecurity.
More recently, the country has been called on to moderate important cyber-related processes such as the UNGGE and the UN Ad-Hoc Committee tasked with the development of a Cybercrime Convention – to which it was elected vice-chair in late February. However, it is still an open question whether the country’s cyber diplomacy is just diplomacy “as usual” or whether there’s something emergent about cybersecurity threats that is pushing and challenging Brazil to think more clearly about its diplomatic strategy in this area.
A Balancing Act
While some countries (e.g. Australia) have adopted a centralised approach to their international engagement in cyber and critical technologies, others, like Brazil, are pursuing a more decentralised approach. In Brazil, cybersecurity relies on coordination across multiple departments within the Ministry of Foreign Affairs (MFA) as well as the wider public administration.
This often means that, without clear boundaries or a clear understanding of what cyber diplomacy is, international representation and engagement can be a challenging “balancing act” across multiple interests and government bodies. Under Brazil’s decentralised approach, this includes the MFA, the Institutional Security Office of the Presidency (GSI/PR), the Cybercommand (COMDCIBER) and other agencies. This balancing act includes negotiating the sometimes-blurry line between the GSI/PR – a highly militarized body that has positioned itself as the national focal point for cyber policy development – and the MFA in terms of international representation. The GSI/PR, for example, has taken the lead in representing the country in some meetings, while at other times it has joined diplomats in their negotiations.
Despite these challenges, the country has taken steps to advance and slowly consolidate its cyber diplomacy at the ministerial level. In fact, it has taken a dual-layer approach to tech and cybersecurity affairs. In 2019, Brazil designated its first cyber diplomat, who has participated in two editions of the UNGGE and is responsible for international peace, security and defence-related affairs. In 2021, the MFA also designated its first ‘tech envoy’, who is responsible for engagement with tech companies in Silicon Valley. Such developments point both to an increasing recognition of the theme and an attempt to consolidate a coordinated approach to foreign policy development within the MFA.
A Broader Agenda
Even so, no government document has explicitly referred to the term “cyber diplomacy”. While the Brazilian National Cybersecurity Strategy hints at it by including “strengthening Brazil’s international engagement in cybersecurity” as one of its three strategic objectives, it remains vague and provides little insight into the country’s potential cyber diplomacy.
Brazil deals with most cyberattacks as criminal issues due to the historical development of capacities within the Federal Police, national cybercrime legislation on the theme and emphasis on criminal prosecution of gangs and operations. Historically, the country has continuously sought to engage in regional and international cooperation fronts with Interpol and Ameripol and within the Organization for American States REMJA group.
In 2019, the country was invited to accede to the Budapest Convention on Cybercrime. In December 2021, after a speedy process and little public debate, Brazil became the sixth South American signatory to the Convention. Brazil’s longstanding diplomatic position had been to refrain from signing the Budapest Convention, because it did not participate in its development. The government’s sudden 2019 reversal caused some puzzlement, but reflected a tilt towards a more Western-centric alignment in security affairs coupled with an increasingly shaky relationship between the presidency and China. President Jair Bolsonaro’s critiques of China, especially in the context of the Covid-19 pandemic, and other moves – such as visiting Taiwan during his last presidential campaign – have contributed to Beijing not looking favourably upon his candidacy for the 2022 presidential elections.
These and other tensions have also placed Brazil in a challenging foreign policy situation with regards to the mounting 5G US-China “tech-lash”. Initially, Bolsonaro took a stand against Huawei, while the Minister of Economy advocated a more liberal approach. In the end, Brazil did not ban Huawei or any other company from participating in the 5G auction process held by the country’s telecommunications regulator (Anatel), but the decision came too late to make amends with Beijing. And Washington, which had expected a ban, was let down even further.
In spite of Bolsonaro provoking cold shoulders from both Beijing and Washington, Brazil’s cyber diplomacy is aligned with neither of the great power poles. Siding with “Western” countries at some times and siding at other times with the BRICS countries (or other countries in the Global South) has been a key feature of the country’s past decisions, more explicitly illustrated now in the context of emerging cyber threats. During Lula da Silva’s presidency, Brazil sought to strengthen South-South cooperation ties, which included taking interests in both regional and other mechanisms such as the IBSA Forum (India, Brazil and South Africa). President Dilma Rousseff provided some continuity to that approach. During her presidency, new and more specific avenues for cooperation on cybersecurity started to emerge in the context of the BRICS (e.g. the Expert Group on Incident Response). Bolsonaro’s government has been marked by paradoxes, but they have not necessarily impeded cooperation on cybersecurity. Recent examples include a series of bilateral agreements and dialogues with Finland, the UK and Suriname, among others. And while there might not be ideological alignment with the Biden administration, that has not hindered technical cooperation in other spaces, such as Brazil’s participation in NATO’s major cyber exercise, Locked Shields.
Diplomatic Continuity: the GGE and OEWG
Internationally, the GGE can be seen as an example of traditional Brazilian cyber diplomacy. Brazil has not only been involved in since its inception (2003-2004), but also had the opportunity to chair the group twice (2014-2015/2019-2021) – reaching, on both occasions, a consensus report.
Brazilian Ambassador Guilherme Patriota, chair of the GGE, faced two key challenges at the start of the process. His first challenge was to move the conversation beyond the perceived “dead end” of the failure of the 2016-2017 GGE while curbing some of the frustration around the process so that the discussion about the applicability of international law to cyberspace could advance. His second challenge was to work alongside the Open-Ended Working Group (OEWG) on ICTs, which was, at the time, a new process established by a Russia-led resolution.
The appointment of Ambassador Patriota as chair of the GGE could be seen as a recognition of Brazil’s soft-power diplomacy in the context of cybersecurity. While the chair is nominally a neutral position – and the selection was based on both the ambassador’s personal expertise and experience in chairing other GGEs – the selection of a chair from Brazil was still a geopolitically strategic one. It was a way of navigating the political cleavages and tensions between the US, China and Russia left by the failed 2017 GGE.
The GGE and the OEWG have pushed Brazil to take a clearer stance on international cybersecurity, by reinforcing its commitment to international law (IL). Although some countries in the region – including Mexico, Chile, Colombia and Argentina – have developed considerable cyber capacities in recent years, most are still developing their views on IL with some remarks on specific principles. Although Mexico was also a member of the GGE, Brazil was the first country in Latin America (in conjunction with other states) to publish its views on the application of IL in cyberspace, following the guidance of the GGE Resolution.
Brazil’s view on the applicability of IL is not surprising, but it has some unique nuances. While the United Kingdom does not recognise the “general concept” of sovereignty in cyberspace, and the US leaves some margin for “non-consensual cyber operations”, Brazil notes that interception of telecommunications would be considered an intentionally wrongful act violating the principle of sovereignty even if it had not crossed the threshold of armed conflict. This focus on interception reflects the Snowden revelations, which exposed the interception of communications with high Brazilian government officials, including former president Dilma Rousseff. Among the Latin American countries that haven’t taken official positions on the applicability of IL in cyberspace, there are differing opinions on the topic. Bolivia has stressed sovereignty as a standalone rule, while others, such as Chile, have suggested that it could be read as a principle.
Brazil’s public statements and contributions to the OEWG provide insight into some other key national concerns, including attacks against electoral infrastructures and the observance of international humanitarian law principles such as humanity, necessity, proportionality and distinction.
Brazil’s engagement in the GGE showed that a soft-power diplomacy was still possible even in a context of domestic political turmoil and political isolationism under former Minister of Foreign Affairs Ernesto Araújo. That is the case partly because cybersecurity is still seen as a technical and niche topic within the MFA – however that may not be the case going forward.
Brazil’s cyber diplomacy is evolving, and contains elements of both continuity and change. Its continuity is highlighted by the GGE and OEWG, while the changes are illustrated by the new positions within the MFA and new policies at the national level.
Internationally, Brazil faces challenges ahead. It has signed the Budapest Convention, but it’s still unknown how the country will position itself through the new UN process dedicated to drafting a Cybercrime Treaty. It has noted that it is “fully engaged” and “fully committed to the idea of a universal convention.”
The country’s national cyber strategy timeline 2020-2023 is ending. Going forward, the MFA should consider, in the medium term, developing clearer mechanisms for communicating its positions on such topics – possibly including a thematic whitepaper.
The Covid-19 crisis, shifts in its ministries and growing threats to democratic processes all pose real challenges to Brazilian diplomacy. While its cybersecurity diplomacy has not been directly affected by domestic instability, Brazil will continue to face challenges related to the politicisation of topics such as electoral interference. One key challenge the MFA faces is trying to maintain the country’s soft power diplomacy in the face of rising national political turmoil. Nationally, the country faces a political and economic crisis exacerbated by the challenges of Bolsonaro presidency, which has already caused considerable ruptures in the country’s diplomatic endeavours in other areas, such as climate governance.
As the country approaches the 2022 general elections, cyberattacks are likely to become even more of a lightning rod for national politics. During the municipal elections in November 2020, an attack directed against the Superior Electoral Court was followed by a disinformation campaign focused on the integrity of the voting process. Much worse can be expected from the 2022 electoral contest, as tensions heat up between Bolsonaro and former president Lula.
Brazil has been slowly building its cyber diplomacy. However, it faces a challenge in maintaining its longstanding commitments to multistakeholder governance, the protection of human rights, the application of international law, more equal international development and an inclusive international order while human rights defenders, activists and democratic institutions face serious threats in the run-up to the 2022 election.
About the Author
Louise Marie Hurel
Louise Marie Hurel is a Researcher and Project Coordinator at Igarapé Institute's Digital Security Programme, where she leads cyber policy engagement both nationally and internationally. She is also a PhD Researcher in Data, Networks and Society at the London School of Economics' (LSE) Department of Media and Communications and a non-resident fellow at American University's Internet Governance Lab. Her research focuses on incident response, cyber norms, non-state actors, technical security expertise and risks.