What are the important cybersecurity trends in Latin America? Are governments and businesses concerned about data breaches, identity theft or critical infrastructure protection? What is being done to address these security concerns? How about budgets and priorities to address cyberthreats? Are citizens concerned about the privacy of their data?
These are just a few of the questions that I recently directed to Mr. Carter Schoenberg, who is the president and CEO of Hemisphere Cyber Risk Management, which is a new company addressing cyberthreats and available solutions in the country of Panama as well as other Latin American countries.
Carter Schonberg is a cybersecurity expert with extensive experience running security consulting programs in the public and private sectors in the U.S.A.
I have known Carter for more than a decade, and I often turn to him for specific information industry expertise on a wide variety of security topics. Mr. Schoenberg’s background includes cybersecurity leadership stints with Motorola and Calibre Systems. He also served as a co-chair on the Cybersecurity and Privacy Committee for the Northern Virginia Technology Council. Mr. Schoenberg also has experience teaching security and business courses with several college programs.
Here’s the interview on cyber in Latin America:
Dan Lohrmann: What are the biggest cybersecurity challenges that Latin American countries face? How are these challenges different or the same as in the U.S.A. and Europe?
Carter Schoenberg, President and CEO at Hemisphere Cyber Risk Management: First, I would like to thank you for this important interview.
Latin America has a threat landscape that has some similarities to the United States, but it is where they are different that warrants further review. Latin America consists of Central and South America, the Caribbean, and Cuba. So it’s a pretty big area to cover.
So let’s first discuss where they are similar. Today, Latin America is very similar to the United States back in 2007. “I have a firewall and anti-virus. I’m good.” Or the “nobody is interested in me” mentality that has plagued small and medium businesses here in the States with disastrous results. I am reluctant to compare against Europe because countries like Germany, UK, Finland, etc., have generally been more proactive.
Latin America has significant banking, services, telco and hospitality verticals that make attractive targets to China, Russia, and cartels in Mexico and Colombia. On October 21st, Hemisphere had its first inaugural Cyber Risk Dinner in Panama. We had the FBI fly in a specialist in their computer crimes squad and this event was co-hosted by FireEye. Data from FireEye supports that in Latin America, a large percentage of attacks stem from other Latin America countries.
Recently I was interviewed by a Panamanian reporter who asked me to rate Panama’s cybermaturity. My response was, “On a scale of 1-10, it’s about a 3, and that is generous.” This is because most stakeholders favor mistakes made by Americans rather than learning from them. Cybersecurity is not an “IT” issue yet the maturity of these countries lend themselves to thinking like we do here in the States that it is versus being a core competency of risk management. I find this odd because in so many ways they are behind us but in other ways, I am really impressed.
As an example, have you ever observed an armored car delivery with the security guard? Most people reading this will at one point have had the thought, “I could take that guy and get away with the money.” Not in Panama. Each guard is on very high alert, hand on their sidearm at all times. This scenario was recently demonstrated with a robbery at a casino in Michigan a few days ago. Another example, in numerous offices I have observed -- each has biometric controls. I do not mean at the main point of ingress, but what we may consider enclosed cubicles.
You cannot make a purchase in a department store without having your bag stapled shut with receipt clearly visible. You also cannot walk into a bank without being searched and wanded by the armed front guard. (There are two-man teams) Or motorcycle officers with two-man teams on each bike (with fully automatic weapons).
I hate to use the cliché narrative of “it’s a cultural thing” but the simple fact is, “it is.” I have been researching Latin America for over two years. Colombia, Brazil and Panama have unique characteristics that are translating to exceptional economic growth and development. Only a handful of people understand the real risks that are out there. So Hemisphere is really focusing on raising awareness of these threats.
Dan: Are governments and/or businesses concerned about cybersecurity and data breaches in Latin America? Is this an issue for the average citizens?
Carter: The short answer is, “no.” The majority of the population is indigent and has very little education past 8th grade. Those that attend college do not focus on STEM. It is hard to explain threat scenarios regarding privacy when these countries give very little concern to privacy. I posted multiple jobs recently and the resumes made me cringe. They have everything you would expect from a resume plus marital status, date of birth and federal identification number. It is very perplexing to me as an American and professional in the field of cyber-risk management. However there, it’s normal.
In the United States, we have Global Entry to enable fast track access through customs when you return to the country from abroad. Panama is launching a similar program. I got past my name before seeing the website wasn’t even using HTTPS. So here you have a national security program to enable trusted travelers and you don’t even protect the website transaction to register?
Panama is currently drafting new legislation focusing on privacy laws but to date, there are no laws on the books or law enforcement capability to effective investigate and prosecute hacking cases or identity theft. Don’t get me wrong, they have cops specializing in this area, but they are like the red-headed stepchildren.
Back in the 1980s being a geek was ... well … ”bad.” Now being a geek is kind of cool in the Gen Y and millennial generations here in the States. In Latin America, being technically proficient is not revered as “desirable” so they are in a cultural cycle like we were back before computers became cool.
Dan: Are the budgets and technology priorities similar or different to your experiences in Washington, D.C.? What are most organizations trying to accomplish now?
Carter: It depends on the organization. In banking, I am seeing some very mature views on protecting their data and networking resources. In retail and government, budgets are pretty slim as most of the investment strategy focuses purely on IT. However, I have also been engaged in discussions with Panama Canal and Tocumen Airport (Panama’s primary airport) that demonstrate a more mature understanding of the threat landscape and they are trying to evolve the thought leadership in these entities to invest more in cybersecurity.
Dan: How is the cybersecurity skill set in Latin America? Are the shortages of technology and cybersecurity skills the same or worse?
Carter: There are significant shortages. The banks are clamoring for cyberspecialists with no supply in sight outside of foreign national involvement. This is why my company created a new degree program in cyber that we are engaged in with multiple Universities in Panama.
We are taking a different approach. Recently I published an article on the gaps in the marketplace and we are tackling this issue head on with support from Latin America stakeholders. Our curriculum was constructed to meet the goals and objectives of the NIST NICE Framework [National Institute of Standards and Technology's National Initiative for Cybersecurity Education] hitting on all seven focus areas. So we are very excited to leverage a model designed in the U.S. for the U.S. but may be first released in Panama.
Dan: What about information sharing? Is the U.S. cybersecurity framework getting much attention?
Carter: Americans have some beliefs that Latin American countries are plagued with corruption, and this was recently validated in Panama with the former President (Ricardo Martinelli) being implicated in a wire-tapping scheme with an Israeli firm to monitor citizens communications without their consent and only adversaries of the administration and its business partners were targeted. This has left a real bad taste in their mouths, and we even had to retool our messaging to get away from “public-private partnerships” to overcome stigmas.
There are great opportunities to leverage an FBI Infragard or DHS ISAO [information sharing and analysis organization] model and we are currently engaging with stakeholders in Latin America and the United States on this matter.
The current president of Panama, Juan Carlos Varela, is actually a Georgia Tech graduate and is promoting very dramatic changes regarding transparency and moving the progress needle towards the green to promote a 21st-century Panama to the world.
Dan: Is critical infrastructure protection much of an issue in Panama? Can you give any examples?
Carter: So in the United States and Europe we think of critical infrastructure (CI) as power, chemical, water, etc. In Panama, you really don’t get any more CI than the Panama Canal. About 35 ships traverse it each day bringing in tolls exceeding $11M (US) daily! The original design from 1904 has been upgraded to have what we now consider legacy SCADA [supervisory control and data acquisition] applications. The canal is being expanded with new channel locks that will be controlled by next-generation SCADA systems (meaning inherent dependencies on core enterprise networks and IoT).
Canal stakeholders are very concerned about ISIS right now as well as what are being called Ghost Ships (completely unmanned drone ships). These ships will be larger as the canal is widened to change the shipbuilding industry altogether. Over 69 percent of all freight leaving the U.S. (East of the Mississippi) comes through the canal so if you want to hurt American interests, the canal is a great target.
If you have malicious interest and access via proximity, insider, satellite or other vector of attack, you can easily cause havoc by running a ship aground, blocking international shipping channels. Or causing damage to a specific ship by taking remote command and control of the new locks.
The FAA has a cool website where you can see all flight traffic. So does the Panama Canal. You can click an icon, see a picture of the ship, where it is coming from, where it’s heading, etc. So if you are able to access a specific ship with remote command and control and now you know exactly where it is by GPS, you do not even need a warm body to act as a spotter drawing attention to him/herself.
At our dinner, a canal stakeholder asked numerous questions on the threat landscape and demonstrated a very mature understanding of risks he desires to mitigate if possible.
Dan: What do you hope to achieve as a new and growing company in Latin America over the next 2-3 years?
Carter: With regards to where I see Hemisphere in the next 2-3 years, I defer to the 1970s Calgon commercial, “that’s an ancient Chinese secret.” In all seriousness, I greatly look forward to helping Panama at a national level and building out from there. A friend at DHS had a nice interpretation. He said, “You’re nation-building with cyber!”
While that is true, I also look to support my fellow Americans. There are numerous U.S. businesses there like Proctor and Gamble, Caterpillar, Pfizer – and also note there are over 40,000 Americans there right now – all of which have an inherent need to protect their information and resources. By 2020, over 65,000 Americans will reside in Panama alone! Part of our strategic growth focuses on these factors.
Dan: Is there anything else you’d like to share with us about the cybersecurity situation in Latin America?
Carter: Bouncing back and forth between Latin America and Washington, D.C., I have engaged in discussions where large consulting firms advertise how Latin America is on their radar as an even larger market than Asia Pacific.
Who you know is really critical. I hate saying that but opening a business in Panama and Colombia is easy in some ways but as an American, very challenging. Simply having a big-four consulting name will not address the challenges of corruption or lack of technical proficiency. The Foreign Corrupt Practices Act creates significant obstacles for Americans that desire to conduct commerce because they are held to a much higher standard and our government makes no bones about prosecuting violators.
You may recall Panama and Colombia were hotbeds for money laundering, and narcotic distribution. Because of the Noriegas of the former world, the U.S. has put great pressure on Panama specifically to monitor American citizens. Significant numbers of DoJ, IRS and other stakeholders are in Panama.
Heck, it took me over 30 days to simply get a basic savings account and much longer to get a business account. I am not saying it is not justified, it's just that you have to be in it for the long haul and most Americans think the long haul is two weeks.
I have been very fortunate leveraging trusted resources and continuing to build a level of trust helping national interests with clear strategic guidance that enables self-reliance and positions cyber as an economic growth enabler.
Dan: Thank you Carter, for your intriguing answers about cybersecurity in Latin America, with special emphasis on the country of Panama.