Representatives from Brazil and the United States concluded a two-day exchange on cybersecurity best practices hosted by the Digi Americas Alliance on Aug. 8-9 in Washington D.C. High-level government officials and key stakeholders from both countries came together to share knowledge, strategies, and innovations in the field of cybersecurity.

The first day’s events commenced with remarks from Paula Acosta, Division Chief of Innovation in Citizen Services at the Inter-American Development Bank (IDB), and Santiago Paz, Senior Cybersecurity Specialist at the IDB. Acosta highlighted the critical role of public-private partnerships in addressing the ever-evolving challenges of cybersecurity.

She emphasized that the IDB is promoting digital transformation within governments and acknowledged the importance of diverse expertise. According to Acosta, collaboration among stakeholders is key to making meaningful progress in the fight against cyber threats, which have far-reaching social and economic consequences. She also pointed out that while Brazil is leading in digital transformation, this leadership position also increases its exposure to cyber risks.

Paz followed by underscoring the broader social impacts of cybersecurity incidents, noting that such events can disrupt citizens' access to essential services, thereby affecting their quality of life. He stressed the need for implementing mature cybersecurity projects, particularly those that leverage automation to enhance efficiency and effectiveness. Paz also expressed the IDB's commitment to continuing its collaboration with Brazil, aiming to further advance cybersecurity initiatives and strengthen resilience against cyber threats.

Jennifer Bachus, Principal Deputy Assistant Secretary at the Bureau of Cyberspace and Digital Policy at the U.S. State Department, provided an overview of the U.S. International Cyberspace and Digital Policy Strategy, which lays out a forward-looking vision for technology's role in society. She emphasized that international collaboration and collaborating with global partners are crucial to harnessing the positive potential of technology while addressing its challenges.

Following Bachus, Patricia Soler, Section Chief of the Joint Cyber Defense Collaborative (JCDC) at Cybersecurity and Infrastructure Security Agency (CISA), provided an in-depth overview of the JCDC and its critical role within the CISA. She highlighted the importance of collaboration between the private sector and CISA, given that most critical infrastructure (CI) is privately owned. 

Soler discussed the ongoing development of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), emphasizing that the goal is to collect essential data without overburdening CI partners. She also detailed CISA's workforce structure, regional outreach, and international collaborations, particularly through the JCDC, which unites global cyber defense efforts. Soler addressed the balance between voluntary information sharing and mandatory reporting, noting that CISA is expanding to meet new cybersecurity demands and priorities, while maintaining its focus on improving national security through collaboration and advanced data systems.

Next up was a panel on artificial intelligence (AI) featuring speakers from the National Institute of Standards and Technology (NIST) and the U.S. Department of Commerce.

Jesse Dunietz presented on NIST’s AI Risk Management Framework (RMF), designed to foster trustworthy AI systems through four key functions and highlighted the RMF playbook, which provides detailed guidance for organizations to effectively implement the framework. Recent executive orders have tasked NIST with various responsibilities, including creating test environments, AI red teaming, and evaluating AI capabilities.

Amy Mahn discussed updates to the NIST Cybersecurity Framework (CSF), now at version 2.0. She elaborated on the update process involving extensive international collaboration, including public workshops and feedback solicitation. Mahn noted that version 2.0 has been translated into Portuguese, expanding its accessibility.

Adam Sedgewick explored the intersection of cybersecurity and privacy, emphasizing that we must move beyond looking at privacy solely in the context of compliance and understand how technology can enhance privacy protection. Sedgewick gave an overview of the NIST Privacy Framework and highlighted the resources available for organizations, including translations, videos, and quick start guides.

Regarding adoption of these frameworks in Brazil, both Mahn and Sedgewick affirmed NIST's willingness to assist both formally and informally. They noted that NIST collaborates with countries and organizations globally, including through ISO standards, to help countries adapt these frameworks to their specific needs.

The collaboration continued on the second day at Venable LLP, where representatives from the World Economic Forum (WEF), the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Health Information Sharing and Analysis Center (H-ISAC), the Institute for Security and Technology (IST), and the U.S. Chamber of Commerce led further discussions. These sessions fostered robust dialogues, providing actionable insights to enhance cybersecurity policies and frameworks.

Joanna Bouckaert, Lead at the Center for Cybersecurity (C4C) highlighted that cybersecurity remains a top global risk, exacerbating existing crises and jeopardizing democratic principles. Key concerns for 2023 include misinformation and disinformation, alongside a rising global inequality in cybersecurity. There has been a 30% decline in organizations maintaining viable cyber resilience, particularly affecting small and medium-sized enterprises. The shortage of cybersecurity professionals is severe, with a four million gap in the global workforce, and there is limited optimism for improvement in the next two years.

The perception of cyber and privacy regulations is shifting positively, with 60% of executives acknowledging their effectiveness in risk reduction, though challenges with conflicting regulations persist. There is increasing openness to national regulations and agencies, driven by supply chain risks and the need for better control over third-party security. Efforts are underway to build cybersecurity talent pipelines globally, and ongoing discussions focus on adapting regulations to address new challenges posed by AI technologies.

Brian Tishuk, General Counsel at the Financial Services ISAC, explored the crucial role of the FS-ISAC in enhancing global financial cybersecurity and resilience. As a member-driven, non-profit organization, FS-ISAC provides a real-time information sharing network that strengthens collective defense by amplifying intelligence and practices across the financial sector.

FS-ISAC is expanding its presence in APAC and LATAM, with 95% of Brazil’s systemically important financial entities being members. The organization engages in several key initiatives, such as collaborations on cloud risk management and global public-private partnerships. Tishuk also addressed the challenges and benefits of interacting with other Information Sharing and Analysis Centers (ISACs), emphasizing the advantages of a national council of ISACs for coordination.

The FS-ISAC maintains strong relationships with sector risk management agencies, including the U.S. Treasury Department, to enhance sector-wide security and resilience. Tishuk also shared that in regard to a sectoral vs. regional ISAC, it is best to start where there is a willingness to participate and build out from there, acknowledging that sectoral separation allows you to access the bespoke knowledge of subject matter experts within that sector. 

Denise Anderson, President of the Health Information Sharing and Analysis Center (Health-ISAC) emphasized the critical role ISACs have in enhancing cybersecurity across sectors. Health-ISAC, serving a community of over 10,000 global security analysts, focuses on trust and anonymity in information sharing.

In the first quarter of 2024, Health-ISAC issued 289 alerts — a 175% increase from the previous quarter. Key statistics include IBM's report of a global average data breach cost of $4.88 million and over one billion breach victims in 2024. Phishing remains the leading attack vector, responsible for 90% of data breaches. Health-ISAC employs a Traffic Light Protocol (TLP) for information sharing, where members voluntarily adhere to information sharing guidelines.

With over 40 employees, including a European presence, Health-ISAC is expanding its regional and sectoral focus. Anderson highlighted the need for leveraging existing structures to avoid silos and enhance effective sharing, advocating for the establishment of a LATAM council within the National Council of ISACs. She also discussed the challenges of HIPAA on data handling and the importance of collaboration between healthcare delivery organizations and manufacturers to address emerging threats.

Taylor Grossman, Deputy Director for Digital Security at the Institute for Security and Technology (IST) highlighted that ransomware has evolved into a significant threat, with extortion reaching $1 billion in 2023 and numerous sectors, including healthcare and finance, being heavily targeted.

Grossman stressed the challenge of inconsistent reporting, which impedes trend analysis and response strategies. The Ransomware Task Force, composed of over 60 experts from various sectors, advocates a multi-stakeholder approach to address the issue. This approach involves technical fixes from software companies, insights from civil society, and regulatory efforts from governments.

While the idea of banning ransom payments was debated, the consensus is that greater transparency and regulation, like the proposed 24-hour notice for ransom payments under the CIRCIA, are more practical steps to take first, as a complete ban would not be practical at this time. The Task Force's framework aims to deter attacks, disrupt the ransomware business model, and enhance organizational preparedness. Ongoing initiatives include improving international collaboration, developing a blueprint for ransomware defense, and increasing voluntary information sharing. The panel also discussed the importance of "secure by design" practices and the need for more effective preparation and response mechanisms before considering any bans on ransomware payments.

Michael Richards, Senior Director of Policy, the U.S. Chamber of Commerce Technology Engagement Center (C_TEC), presented on the evolving landscape of AI policy and its implications for businesses. Leading the AI working group in the U.S. Chamber of Commerce, which encompasses over 200 companies across 33 sectors, Richards outlined their role in shaping AI policy both domestically and internationally.

Richards emphasized the importance of public-private partnerships in AI governance, advocating for a risk-based approach and the need for a well-prepared AI-ready workforce. He highlighted the Chamber's policy principles for AI, which stress the significance of balancing innovation with robust privacy frameworks and intellectual property protections. As the U.S. continues to advance in AI development, Richards noted that while the country leads in AI research, it must also address potential risks and collaborate with governments to ensure responsible investment and development. The Chamber is in the process of updating its principles to reflect these priorities and emerging cybersecurity concerns.

During the event, it was announced that the LATAM CISO Summit 2025 will be held in Brazil. This decision highlights Brazil’s growing prominence in the global cybersecurity landscape. It reflects a commitment to continuing the dialogue and cooperation initiated in D.C. This event strengthened the cybersecurity partnership between Brazil and the U.S. and set a precedent for future international cooperation between stakeholders from both countries.

 

Belisario Contreras

Read Next

The U.S. Data Security EO with Lee Licata and Grant Dasher (Part 2)

For the first time in the Distilling Cyber Policy podcast, Alex and Jen are re-joined by guests from earlier this season: Lee Licata, from the Department of Justice, and Grant Dasher, from CISA.

The U.S. and UN Cybercrime Convention: Progress, Concerns, and Uncertain Commitments

The U.S. issued an updated position seeking to move forward the UN Convention Against Cybercrime, a treaty intended to improve the global community’s ability to combat evolving cybercrime threats.

The Counter Ransomware Initiative with Hamish Hansford (DCP S2 E8)

In the latest Distilling Cyber Policy, Alex Botting and Jen Ellis are joined by our second-ever Australian guest: Hamish Hansford, the Deputy Secretary of Cyber and Infrastructure Security Group at the Australian Department of Home Affairs.