The effects of a recent cyberattack on the government of Costa Rica have already reached the country’s private companies, adding pressure to federal authorities and underlining the ever-growing risks of vulnerable government systems.
Several companies operating in Costa Rica were targeted by cybercriminals after the systems of the country’s Minister of Finance were compromised, revealed Andrés Casas, partner at cybersecurity firm Brakk, which has been working closely with private enterprise in Costa Rica to deal with the aftermath of the attack.
“That was part of the threat by this criminal group: attacking private companies, and in some cases they did,” Casas told NSAM. “We’ve known about companies that had to deal with these sort of attacks, but they managed to repel them successfully.”
Given the sensitive nature of the situation, Casas could not provide the names of the targeted companies, assuring only that they were local, not foreign. He added that Brakk tried to build a group of affected parties to work out a solution that would be shared publicly, but the companies refused.
“Private firms were more prepared”—Andrés Casas, partner at Brakk
Earlier in the year, Hacker group Conti hit the Costa Rican government with a massive ransomware attack which compromised hundreds of gigabytes worth of information from several public institutions. Chief among them was the Ministry of Finance, from which the hackers extracted tax information from individuals and private companies, plus data from the country’s foreign trade system, which was eventually published in the dark web after authorities refused to pay a US$10 million ransom.
These allowed the cybercriminals to map out and have a better understanding of the technologies the targeted companies use, opening them up for a strike. In spite of being targeted, the companies were able to fend off their attackers, according to Casas.
“Private firms were more prepared. They had an understanding of the possible threat, so they were able to prepare and avoid the problems that left government systems inoperable for several days,” he said.
A Wounded Reputation
Even though it’s been months since the cyberattack happened, the Costa Rican government is still dealing with its aftermath. Recently elected president Rodrigo Chaves had to declare a state of emergency, even stating that the country is “at war” with the hacker group.
The attack affected more than the government’s security systems. The reputation of Costa Rica received a tremendous blow, underscoring the vulnerability in the country’s systems and risking a loss of trust from foreign investors.
“What happened showed our fragility”—Paula Brenes, Director of Digital Governance, Costa Rica Ministry of Science, Tech and Telecom
This situation was pointed out recently by Paula Brenes, Director of Digital Governance in Costa Rica’s Ministry of Science, Technology and Telecommunications, who expects the attacks to continue and recognized that there are no fast and easy solutions at hand.
“What happened showed our fragility. It’ll be necessary to consider that the main challenges for the implementation of any cybersecurity strategy will go hand in hand with a betterment of political will and a consensus for regulation,” Brenes, who also worked at CINDE, Costa Rica’s foreign investment promoter, told the local press. “The attacks will continue. In that context, we need to attend the lessons learned and take action on account of this experience”.
Costa Rica is one of the rising stars of the Nearshore when it comes to outsourcing and export of information technology services. Despite being smaller than the big players of the region (Brasil, Mexico, Colombia, Argentina), the country has managed to carve a name for itself as a hub for tech investment in Latin America.
Government authorities and private enterprise are moving fast to keep that reputation afloat. Less than a month after the cyberattack was made public, Costa Rica’s only cybersecurity cluster was officially consolidated with the help of big players in tech, such as IBM, Amazon Web Services, Microsoft, Equifax and Cisco.
CR lanza su Cybersec Cluster, uniendo fuerzas con academia, sector público y multinacionales de ciberseguridad global. El objetivo es posicionar a 🇨🇷 como capital de ciberseguridad de LATAM y fortalecer el ecosistema de ciberseguridad.
— CINDE – Invest in Costa Rica (@invest_cr) May 20, 2022
This week, the cluster –alongside universities, government authorities and the local chapter of the Open Web Application Security Project (OWASP)– plans to launch “Costa Rica Secure By Design”. The initiative aims to turn the country into “a referent on the creation of safe software for internal consumption, for exports and for international firms that invest in our country”.
But the way ahead is a long one. Costa Rica usually finds itself in the middle of the road among other countries when ranked globally for cybersecurity. In the Americas, it tends to be ranked in the top 10. The country has some work to do on the protection of physical infrastructure, crisis management, cibernetic defense, cryptographic controls and compliance of security standards, according to an analysis by the Inter-American Development Bank (IDB).
Private businesses in the country seem to have a better understaning of cybersecurity concerns and protect themselves accordingly. About 7 out of 10 companies in Costa Rica invest in cybersecurity, according to a survey recently published by the country’s own export promotion organization (ProComer). Nevertheless, they focus mostly on protection (100%) and detection (85%) tools, tending to give less weight to governance (40%) and response strategies (38%).
The same survey points out that the three biggest obstacles for cybersecurity investment by companies in Costa Rica are a lack of proper budget (62%), funds being channeled towards higher priority technologies (62%) and being unable to find an adequate cybersecurity partner (27%).
In a response to a query by NSAM, CINDE pointed out that “we haven’t seen any change in regards to FDI interest or the free flow of international trade” and that “CINDE is maintaining constant communication with companies in order to advise them and walk them through their growth in Costa Rica”.
CINDE also stated that, even though the Costa Rican government is taking measures to protect its own data systems, “every company is responsible for their own protection systems and for guaranteeing the security of their private information”.
A Matter of Talent
Unsurprisingly, the main reason behind Costa Rica’s cybersecurity woes is talent. Though there are quality engineers in the country, high demand at a global level keeps their hands full. Costa Rica finds itself in a situation similar to that of many other nations: it has to compete for its own home-grown talent.
Facing a low availability of cybersecurity engineers, Costa Rican firms have been forced to hunt for talent in other territories. About 81% of companies hire local and imported cybersecurity, according to ProComer’s survey. Only 6% hire exclusively from abroad.
For government institutions, the matter is a bit more complicated. They have to change their approach to what constitutes good cybersecurity and do what’s necessary to close the gaps.
“There are some [public] institutions that require a heftier labor force or people who are specialized in the system. I would say that organizational structures should evolve to deal with cybersecurity issues,” Andrés Casas pointed out. “The first steps taken tend to rely only on CISOs [Chief Information Security Officers], thinking that will be enough. But once you go further and deeper, it’s clear that a CISO isn’t enough”.