Convergencia Research, Consultoría especializada en Latinoamérica y Caribe
Thursday, January 20, 2022

Interview with Gustavo Sain, National Director of Cybersecurity

Argentina’s Minimum Cybersecurity Requirements to be taken to national universities

The official said that with this norm the security standard in the State has been raised. From the National Cybersecurity Directorate, it aims to integrate the provinces. In a talk with Convergencia, Sain warned of the greater sophistication of computer attacks and the need to train public employees in prevention.

<strong>Convergencia: Can you tell me about the status of the IT policy model to provide security to applications used in the State?

Gustavo Sain (GS): It is in the process of completion. It is a reference framework so that all the organizations of the National Public Sector can adapt their information security policies with regard to protecting their computer resources, which are central because they store and process citizen data. It also integrates servers that provide digital services and web applications.

For the latter case, we have prepared a Safe Development Guide, so that State programmers or outsourced providers establish cybersecurity conditions in developing web applications. It was prepared by the National Directorate of Cybersecurity, the national universities of Buenos Aires and La Plata; and the Sadosky and Vía Libre foundations. This is new to the Public Administration online, with the priority that the government has in terms of cybersecurity.

Convergencia: Catamarca was the first jurisdiction to adhere to the Minimum Information Security Requirements for the Public Sector. Can you tell me about other provinces that joined and how does Catamarca's safety standard improve for having joined this program?

GS: First, it should be noted that the Minimum Requirements are the only standard in the entire continent that requires government agencies to comply with guidelines based on international standards. It reaches the centralized and decentralized bodies of the National Executive Power, and being a federal country, other jurisdictions are invited to join. The National Cybersecurity Directorate assists in implementing internal regulations to adopt these guidelines at the provincial level, as in the case of Catamarca.

These minimum requirements have been approved by an Administrative Decision of the Head of the Cabinet of Ministers, which obliges the agencies of the provinces that adhere to report their compliance plans to the Directorate in my charge, and to the General Office of the Nation (SIGEN, in Spanish), to audit them periodically. We are working with other provinces for their accession, but we respect their autonomy.

The standard also opens the possibility for organizations in general to adhere. In this sense, we have signed a Memorandum of Agreement with the CIN (National Interuniversity Council) to extend these standards to all national universities.

Convergencia: At its various levels, the State is a user of different technologies, platforms, software and hardware that are used to carry out both critical and non-critical activities. In this diversity, tell me about the axis of the protection policy of the national State against cyber threats?

GS: First of all, compliance with the minimum requirements sets a high standard for information security, but something must be taken into account: nothing in computing is invulnerable. There are more or less secure systems, but none are 100% infallible. Similarly, there is the human factor. Unlike public security, where the State has a monopoly on the use of force, in cybersecurity there is an ecosystem where there is a clear pre-eminence of the private sector.

Most of the software used by both citizens and organizations, public or private, is commercial and its security conditions are unknown. If the program has a vulnerability that is not detected by the company that developed it, it can be exploited. What I mean is that the State, rather than relying on high standards and good practices at the cybersecurity level, cannot set these conditions per se. There are more or less secure systems, but none is 100% efficient. An example of this was the ransomware attack on the US fuel carrier Colonial Pipeline, which had to preemptively suspend the supply of gasoline throughout the east coast of that country for a week in May 2021. That same month a cyberattack left Fuenalabrada (Madrid) Oviedo (Asturias) and Vinaros (Valencia), among other municipalities in Spain without public services. Nobody is exempt.

Convergencia: Teleworking increased the risks of cyberattacks and you increased collections. Do you feel that the protection of state assets is better today than at the beginning of the pandemic? Tell me about the training of state personnel?

GS: At a global level, there was an increase in reports of computer crimes due to a greater use of ICTs for teleworking, distance education and the increase in the use of digital services in the cloud. Based on an analysis of cases of incidents managed by the National Center for Response to Computer Incidents (CERT.ar, dependent on the National Cybersecurity Directorate), which manages computer incidents –whether or not they are crimes–, it appears that there is a greater sophistication and complexity in techniques used in the commission of certain crimes. There are basically two types: at the level of private users, online fraud and scams, and at the level of organizations, mainly private, ransomware attacks.

This results in the presence of new forms of existing crimes. As for online fraud and scams, the majority occurred through phishing campaigns. The most common fraud in Argentina is bank phishing. During the pandemic, requests directed at individuals began to include victim data. This modality is called spearphishing. Although the National Directorate of Cybersecurity does not receive complaints directly and its target community is the national public sector agencies, for the latter we have prepared alerts and recommendations with cases that involved usurpation of the identity of public agencies with false ANSES web pages to the supposed payment of the IFE, for example. Regarding ransomware attacks, in the Public Administration we have managed to mitigate many of these attacks from the National CERT, but there have been cases of public knowledge where some organizations were their victims.

As for training personnel, the National Cybersecurity Directorate has tripled the offer of courses aimed at national public employees from the National Institute of Public Administration (INAP). More than 4,500 workers signed up this year. We also created a one-year professional training program in which the National University of La Plata provides free training through scholarships granted by state unions to 50 employees in the IT and systems areas of the entire APN.

This interview was published in the Communications Atlas and Yearbook 2021, published by Grupo Convergencia in January 2022.

Last news and analysis

América Latina · Convergence

28/03/2024

Convergencialatina returns on Wednesday, April 3

Puerto Rico · Fixed Broadband

28/03/2024

Puerto Rico must deploy fiber optics in more than half of the island's homes

The data came from a Fiber Broadband Association webinar that revealed the island's situation in FTTH services. There is a plan for the footprint to reach one hundred percent of homes in 2027 financed by federal funds and privately executed.

Puerto Rico · Fixed Broadband

28/03/2024

Puerto Rico must deploy fiber optics in more than half of the island's homes

The data came from a Fiber Broadband Association webinar that revealed the island's situation in FTTH services. There is a plan for the footprint to reach one hundred percent of homes in 2027 financed by federal funds and privately executed.

Uruguay · Pay TV · Internet & OTT · Operators

27/03/2024

Through agreements with Claro and Movistar, cable operators expand their Internet offer

These are agreements of different types, which include leaving the last mile for the cable operator or contracts for available bandwidth. Antel could join with infrastructure leasing. Some cable operators are already building their own networks.

Paraguay · Operators

26/03/2024

Government analyzes partial privatization of Copaco

The state operator is going through a delicate moment. Its income does not cover operating expenses and it must fulfil a debt obligation of US$110 million. Furthermore, the lack of investments led to the obsolescence of its infrastructure. Oscar Stark, president of the firm, states that alternatives are being evaluated to obtain the necessary funds, including the possibility of adding private partners. And he believes that in 18 months "the situation will be resolved."

Search news