This article is adapted from AQ’s special report on cybersecurity | Leer en español | Ler em português
In February, Jamaican authorities revealed a cyberattack had targeted the prime minister’s office. While this incident did not cause the severe government disruption experienced in places like Argentina or Costa Rica in 2022, it did prompt Jamaica to seek international assistance in strengthening its cyber defenses. Initial dialogues with the United States and multilateral organizations resulted in a $10 million investment through grants and loans from the U.S. Agency for International Development (USAID) and the Inter-American Development Bank (IDB). In addition, Jamaica’s government dedicated an internal investment of J$20 million ($130,000) to bolster its cybersecurity capabilities.
This event shows the growing need for international collaboration in bolstering cybersecurity defenses in Latin America and the Caribbean (LAC). It also illustrates how the United States is actively working to present itself as a partner of choice in the cyber realm, which is a relatively new and increasingly active front in its escalating competition with China for influence in the region. Cybersecurity is a new battleground for the U.S.-China competition in Latin America and the Caribbean. While the U.S. is making strides, there is much more it and LAC countries can do together to improve defenses against the emerging cyber threat.
A range of available tools
Latin America and the Caribbean present a particularly appealing landscape for cyber criminals. A scarcity of resources, underdeveloped policy and regulatory mechanisms, and largely antiquated digital infrastructure have together cultivated an environment where cybercrime thrives.
Surprisingly, only half of the LAC countries have established a cybersecurity strategy, with even fewer implementing cybersecurity-related legislation. Existing criminal codes that acknowledge cybercrime often merely give a nod to the illegality of breaching government systems. Furthermore, countries inconsistently pinpoint vital infrastructure systems needing protection, struggling with both personnel and financial constraints. These challenges are compounded by legacy systems with inherent vulnerabilities and outdated protective software. To highlight the importance of this digital transformation, a recent report funded by Google estimated that the right investments could help boost exports of six LAC countries to $140 billion annually by 2030. The report emphasized that current digital exports would quadruple with investments in building more resilient digital infrastructure, bridging the digital skills gaps, promoting digital security and trust among businesses and consumers, and implementing trade facilitation measures and policies.
This situation is a significant concern for the U.S., which has a vested interest in fostering LAC’s digital safety. Simply put, a prosperous and secure LAC strengthens the Americas as a whole. In the context of the great power competition with China, democratic countries may be inclined to look to the U.S. for help given its broader range of cybersecurity investments, but many also face a delicate dilemma: Should they wait for Washington’s support to come through for large ticket items such as information and communication technologies (ICTs) and infrastructure development — or should they take the flurry of resources provided in the short term by China?
Indeed, from the Chinese perspective, the ICT sector has emerged as a primary area of investment to challenge U.S. influence in LAC. Chinese companies, such as Huawei, have made significant investments in deploying 4G and 5G networks across the region, with notable projects in Brazil, Chile, and Mexico. For instance, in Brazil, the Huawei ICT Academy Program has gained traction, with more than 90 universities and educational institutions joining and approximately 36,000 students trained since 2013. This foothold has enabled Beijing to further expand its presence in cloud computing, digital transformation, and e-commerce, particularly focusing on data-heavy investments. One of the major concerns expressed by the U.S. relates to China’s Data Security Law, which governs the “collection, storage, use, processing, transmission, provision, and disclosure” of data within China. These concerns primarily revolve around how Chinese companies handle this data and the potential for user data, regardless of its country of origin, to come under the control of the Chinese government.
Considering these realities, the U.S. has an added incentive to invest in digital infrastructure protection for partner countries so they are not drawn into exploitative agreements with Beijing. The U.S. acknowledged this in its recently released National Cybersecurity Strategy. The strategy repeatedly emphasizes the need to bolster partner nations against cyber criminals and adversarial nations like China and Russia. Correspondingly, the strategy’s fifth pillar, appropriately titled “Forg[ing] International Partnerships to Pursue Shared Goals,” focuses on enhancing countries’ resistance to cyber threats. This effort involves leveraging existing international alliances, fortifying digital resilience — particularly for critical infrastructure systems — and ensuring the security, reliability and integrity of global supply chains.
To fortify their resilience against cyber threats, LAC countries can leverage existing international initiatives. Currently, nine LAC nations are members of the Budapest Convention, while five more are observers. Although not flawless, this convention reflects states’ dedication to global norms and collaboration in tackling cybercrime. In 2017, member nations signed the Organization of American States’ (OAS) Inter-American Committee Against Terrorism Resolution 1/17, establishing a Working Group on Cooperation and Confidence-Building Measures in Cyberspace. This resolution signifies regional governments’ collective commitment to reducing the risks of misperception, escalation and conflict arising from the utilization of ICTs. These commitments signal robust political will over the past decade, underscoring cybersecurity as an area of shared interest.
Globally, democratic-leaning countries largely agree on the need for international cooperation around cybersecurity. The 2013 Seoul Framework for and Commitment to Open and Secure Cyberspace continuously highlights the necessity for collective action against ICT threats. The 2015 Hague Declaration of the Global Forum on Cyber Expertise (GFCE) emphasized cooperation among governments and the importance of involving the private sector, the technical community, civil society and academia in capacity-building efforts. More recently, in November 2022, the first committee of the United Nations General Assembly passed a resolution on the Program of Action (PoA) on Cybersecurity. This PoA aims to guide state behavior regarding ICT usage in international security contexts. All LAC countries except Nicaragua supported this effort. The PoA is expected to provide action-oriented discussion following the end of the mandate of the UN Open-Ended Working Group (OEWG) in 2025, becoming a permanent mechanism for discussing existing ICT threats, supporting national capacities, and fostering engagement and cooperation.
These and other initiatives have motivated global leaders to advocate for coalition-based efforts to support the region. For instance, after conducting a series of national assessments globally in 2017, Interpol launched training activities and public awareness campaigns to investigate cybercrime. Funded by Global Affairs Canada, the European Union and the Council of Europe, these endeavors aimed to enhance regional cooperation among 35 LAC nations. Training courses included digital forensics, open-source intelligence and dark web investigations, among others. In 2018, the United Kingdom sponsored the Commonwealth Cyber Security Incident Response Team Workshops to improve information sharing and incident response strategies. This program in partnership with Singapore has since expanded to include training, mentoring, and peer-to-peer learning across the Commonwealth nations — 11 of which are in the Caribbean.
Washington’s possible role
Despite China’s recent expansion in Latin America and the Caribbean, the U.S. maintains substantial historical, cultural and economic ties, and is still seen by many as the preferred partner in the region. This relationship is particularly salient in the realm of cybersecurity, where mutual interests align among hemispheric partners.
The U.S. boasts state-of-the-art infrastructure and houses the most cybersecurity companies globally. It engages closely with the private sector to safeguard critical infrastructure and has an organizational structure conducive to bolstering capacity across the region. Furthermore, several U.S.-based or -supported entities, including the OAS, the IDB and Inter-American Defense Board, play crucial roles in enhancing the region’s resilience against cyberattacks. Additionally, the U.S.’s capacity to rally international partners like Canada and the United Kingdom remains unparalleled, as seen in USAID’s Critical Infrastructure Digitalization and Resilience effort in the Western Balkans.
A prime illustration of the U.S.’s ability to assist regional partners is its response to the Conti ransomware attack on Costa Rica in April 2022. This attack incapacitated the ministries of finance, labor and social security, prompting Costa Rican President Rodrigo Chaves Robles to declare a national emergency and mobilize national resources to restore the affected ministries. The U.S. promptly extended support, including announcing a reward of up to $10 million for information leading to the identification and location of key individuals in the Conti ransomware transnational crime group. An additional $5 million was offered for information resulting in an arrest or conviction. More recently, in March 2023, the U.S. committed $25 million in cybersecurity assistance to help Costa Rica fortify its digital infrastructure. This gesture followed a $50 million aid package to Albania in response to a similar, albeit Iranian-linked, ransomware attack.
On the U.S. side, there are a range of cost-effective, high-impact measures that would make it easier to help its LAC partners.
First, there is a need to streamline information sharing mechanisms. Currently, the U.S. is restrained in its ability to provide real-time information during cyber-attacks due to the so-called NOFORN (Not Releasable to Foreign Nationals) restrictions on intelligence sharing. These limitations curtail sharing of often open-source information with friendly nations, instead forcing reliance on private sector entities for immediate support or resulting in delayed responses during time-sensitive cyberattacks. This illustrates a broader over-classification issue within the U.S., but addressing specific constraints on entities like the Cybersecurity Infrastructure and Security Agency could significantly enhance emergency support capacities.
International cooperation can also provide legal and regulatory help. Not only sharing successful models and best practices, but also deploying legal experts to the region to offer counsel, can have an important impact.
U.S. investments in helping educate and train military personnel on cyber issues have been well received throughout the hemisphere. However, funding for these efforts has remained largely unchanged, increasing only marginally from $13.1 million in 2020 to $13.9 million in 2022. For the U.S. Department of Defense, this nominal increase falls short, particularly in the face of rising Chinese security investments. The silver lining is that other players, such as Canada, Israel, and the United Kingdom, have stepped up their investments either directly or through partner institutions like the OAS. Investing in the human element, both from a cybersecurity workforce and citizenry awareness perspective, is always valuable to ensure earned goodwill.
A critical moment
As our world becomes more digitally interwoven, the significance of international collaboration in backing developing nations becomes paramount in countering cyber threats and opportunistic entities in cyberspace. The United States and leading democratic countries should help maintain a strong focus on digital resilience among its regional partners. This approach not only equips LAC with robust defenses that catalyze economic prosperity, but also solidifies the U.S.’s standing as the partner of choice in this vital domain of security, thereby reinforcing regional stability. While LAC countries are making commendable strides in internal investment, the support from the U.S. and the larger international community can serve as a critical catalyst in their journey toward achieving digital resilience.
The Dramatic Cyberattack That Put Latin America on Alert
The region is the world’s most vulnerable to cyberattacks—and essential state services aren’t safe. What can be done?
Why Is Latin America So Vulnerable to Cyberattacks? We Ran the Numbers.
The region’s digital adoption is high, but security measures are lacking, AQ’s rundown of key cyber indicators reveals.
