Every day, at every moment, it is possible to verify the occurrence of cyber threats such as ransomware, malware, phishing and spoofing attacks, DDoS, among other malicious conducts carried out on the web, which intend to make its users vulnerable to obtain undue advantages or other malicious objectives. In view of the exponential increase in devices connected to the network, the lack of a culture of privacy and digital security, as well as the lack of cross-border regulation on aspects of cybersecurity, contribute to an inevitable increase in cybercrimes, capable of making the telecommunication infrastructure and the global society vulnerable.
The importance of cybersecurity arises to try to combat this scenario of uncertainties, offering means to detect, identify, protect, recover and manage the risk of cyber threats in organizations, including those providers of critical infrastructure that, for providing essential services to society, have high criticality level. By promoting the need for appropriate security measures to prevent risks and create repressive cyber governance tools to preserve the information involved, cybersecurity allows a greater awareness on privacy, the protection of telecommunication infrastructures and the safeguard of private and public interests.
The international scenario has shown great concern on the topic, especially with regard to the security of 5th generation (5G) network structures. This is because the technology will significantly increase the volume of data circulating on devices, creating a more complex digital environment and more susceptible to cyber attacks. Mobile operators, in fact, tend to be the most desired targets for malicious agents, in view of the increased use of mobile networks, requiring the development of robust action plans to avoid interruptions in their services and maintenance of the infrastructure.
In addition, there are fears that telecommunication operators may present security breaches, causing international movement through the establishment of minimum cybersecurity requirements, in order to maintain the competitiveness of companies. In this regard, the attitude of the current Government of the United States of America for the ban of 5G infrastructure equipment originating from a certain supplier, under the justification that they would be vulnerable to espionage, invasions and data theft, for example, generated a mobilization on the part of many countries for more or less restrictive rules to the entry of such company into their territories.
In Brazil, the initial trend was towards the creation of market-share limits to vendors within the scope of 5G, following the path of the European Union in restricting the presence of equipment from a certain supplier in certain parts of the network. This alignment with respect to 5G security was also positively seen by the European Union, especially taking into account the European Commissions toolbox on cybersecurity in 5G networks. However, it was also conjectured a possibility of total restriction of a certain infrastructure provider for 5G in Brazil, mainly due to the proximity of relations between Brazil and the USA.
In response to the concerns arising from cybersecurity issues in 5G networks, the Office of Institutional Security of the Presidency of the Republic published the Normative Instruction No. 4, of March 26, 2020, which provides for the minimum cybersecurity requirements that must be adopted in the establishment of the 5th generation (5G) mobile telephony networks, of mandatory compliance by federal public administration bodies and entities in charge of implementing 5G networks. However, the rule was dedicated to guide good cybersecurity practices, not creating specific vetoes for suppliers of 5G infrastructure equipment.
In addition to the aforementioned rule, Brazil also has other initiatives to strengthen cybersecurity in 5G networks, such as Decree No. 9.573/2018, which approved the National Policy for the Safety of Critical Infrastructures (“PNSIC”) in Brazilian territory, with the purpose of guaranteeing safety, resilience and continuity in the provision of the services. Critical infrastructures are installations, services, goods and systems whose interruption or destruction, in whole or in part, causes a serious social, environmental, economic, political, international impact or affects the security of the State and society – from which it is possible to conclude that the Brazilian telecommunication infrastructure is included in this protective Policy.
In this same regard, Decree No. 10.222/2020, which approves the National Cybersecurity Strategy (“E-Ciber”), is an orientation of the Federal Government to the Brazilian society on the main intended actions, in national and international terms, in the area of cybersecurity, valid for the 2020-2023 quadrennium. Furthermore, item 7 of the ANATEL’s Regulatory Agenda, for the 2019-2020 biennium, provides for the regulation of aspects associated with network security and the provision of services, covering general aspects of cybersecurity within the scope of telecommunication networks.
Finally, ANATELs Public Consultation No. 13, already ended, proposed the establishment of minimum cybersecurity requirements for terminal equipment that connect to the Internet and for telecommunication network infrastructure equipment, in order to minimize vulnerabilities through software/firmware updates or through recommendations on configurations and their remote management mechanisms. The proposal addresses important requirements for suppliers of telecommunication equipment and commitments to fix vulnerabilities by manufacturers.
In the current scenario, it will be up to the President of the Republic to decide on possible restrictions on equipment suppliers for local operators. However, the Special Office of the Investment Partnership Program (“PPI”) understands as harmful a possible ban of suppliers to operators that win the Brazilian 5G auction, arguing that this conduct would generate potential technological increase of costs and the delay in the development of 5G in Brazil.
The whole legislative panorama and discussions mentioned above contribute to the development of a protected and effective ecosystem in the new times of the digital economy, congruent with the technological advances brought by 5G. The construction of a robust national regulation on the certification of equipment and digital security specifications proves to be a viable solution to ensure the security of telecommunication networks in the context of 5G infrastructures and the international relations and policies involved.