WASHINGTON — Making a cybersecurity policy for just one nation is difficult. Developing a joint agreement between two nations on digital issues represents a raging headache. Finding common ground about 33 nations? That’s essentially impossible.
And yet, according to Brig. Gen. S.M. Lacroix, a Canadian officer serving as director general of the Secretariat of the Inter-American Defense Board, some sort of unified cybersecurity agreement among the countries in the Americas needs to be reached in the future.
Currently, only eight of the 27 member nations on his board have a formal cyber strategy, and the majority of those have only recently developed strategies.
Getting those nations to agree to spend on cyber defense, let alone agree to work together on projects, is a major challenge.
“It’s hard,” Lacroix said. “It’s not easy, and what I would say to that is that our organization essentially only provides technical advice based on requests from either the Organization of American States or member states themselves. There is no mechanism for us, really, to force a country to get interested in cybersecurity and have it play some higher priority list for their domestic issues.”
Lacroix is hoping to see smaller countries in Latin America look at what the larger economies are doing and take cues from those nations.
“I think when they see a Brazil and Columbia and Mexico jump on board and develop fairly robust cybersecurity policies, other countries will jump in,” he said, before acknowledging the hard reality that “whether they have the resources and expertise to do so is a separate conversation.”
Indeed, it’s hard for a nation with a fairly small budget for defense to prioritize cyber spending when they may not be a target. And while a major incident, such as widespread hacking of a banking system or a cyberattack on the military, would likely cause those nations to get active, until then, there isn’t a huge incentive for them to preemptively take action.
Lacroix is hopeful the nations in South America that are investing in cyber will be able to encourage their neighbors to start thinking through potential risks before an incident occurs.
He points to Brazil, who is investing heavily in information technology. But even there, economic realities come to the fore, with Brazil’s budget falling due to decreasing oil prices. To try and mitigate that, Lacroix is looking at potential public-private partnerships, with an emphasis on education about why cyber is an area worth investing in.
“We are educating the leaders of today and tomorrow so they can make the right decisions in terms of acquiring whatever infrastructure they would require to implement their own cybersecurity policies,” he said.
A potential point of concern for the U.S. and Canada, whose militaries naturally play an outsized role in such discussions, comes in the form of China and, to a lesser extent, Russia.
Both nations are investing in Latin America, with Chinese firms in particular taking an active role in building the digital infrastructure many nations need. The U.S. is constantly wary of letting Chinese or Russian technology into even slightly sensitive areas; imagine what it means for a U.S. ally to be connecting to American networks and military files on a Chinese-built cyber infrastructure.
Lacroix acknowledged that could be a concern for the northern American countries, but said that there is no real way to stop it.
“I think that we can have all sorts of nefarious ideas as to what China and others are doing in the region, but I think what they are mainly doing is filling a gap or filling a void,” he said. And while he “suspects” there are various defense organizations looking at the implications, it wasn’t something his organization directly tackles.
Aaron Mehta was deputy editor and senior Pentagon correspondent for Defense News, covering policy, strategy and acquisition at the highest levels of the Defense Department and its international partners.