Created in 2014, Brazil’s Interministerial Ordinance 141 demands that all IT equipment – and particularly network and communication systems – sold to the government and public enterprises should be checked and certified to be clear of backdoors and security vulnerabilities.
The federal government is pushing for this certification and wants companies to deliver the firmware and source code of their software to prove it is not compromised. International suppliers hear the demands, but they want Brazil to adopt international standards and not have its own certification system.
Responding to Snowden
Ordinance 141/2014 was born from Decree 8,135/2013 which established a cybersecurity policy in response to the allegations of spying by the US National Security Administration (NSA), as revealed by former security analyst Edward Snowden in 2013. The ordinance, signed by several government ministries, demands that any public networks and hired equipment carrying government communications must go through a specific certification process.
According to Cristiano Heckert, the secretary of logistics and information technology at the Ministry of Planning, Budget and Management, implementing the Interministerial Ordinance 141/2014 will not eliminate any vulnerability in Brazil’s communications. He says it is never possible to say that all vulnerabilities have been eliminated. He believes all that can be done is to identify and mitigate the possible risks that could compromise information assets.
The ordinance has been in effect since May 5, 2014, and since then the Ministry of Planning, Budget and Management has been working to define the audit criteria for software and equipment, and considering how to regulate state-provided IT services.
“It is important to note that the focus of Decree No. 8135 of November 4, 2013 is only in data communications that could compromise national security,” says Heckert. “It is expected to mitigate the risks of communications through standardization and establishing rules for activities related to government data communications.”
There is also a Normative Ruling of Logistics and Information Technology (SLTI / EO No. 4/2014, as amended by SLTI IN/MP No. 2/2015), which aims to improve the efficiency of procurement, keeping the planning elements introduced by previous rulings (SLTI/EO No. 4/2010 and its updates) for procurement of IT solutions for the federal public administration. This encourages the use of IT resources to improve quality and productivity.
Heckert says that SLTI/EO No. 4/2014 has brought improvements, namely contract management and cutting out unnecessary paperwork in the procurement process.
The Secretariat of Logistics and Information Technology (SLTI) is responsible for procurement and public logistics activities, including transport services, vehicle fleet management and administrative support services. Heckert says the Ministry of Planning, Budget and Management always seeks to interact with the different stakeholders prior to publication of a standard, or through public hearings, consultations and meetings. The regulation of program audit criteria and equipment is being produced based on international standards, such as ISO/IEC 15408 (information technology – security techniques – evaluation criteria for IT security).
He says it is never possible to say that all vulnerabilities have been eliminated. He believes all that can be done is to identify and mitigate the possible risks that could compromise information assets.
Some feared the ordinance would reduce competitiveness and increase development costs in Brazil’s public sector by making it impossible to use foreign software, but Heckert says the Ministry of Planning, Budget and Management is aware of this danger, and Ordinance 141/2014 shall not preclude the use of foreign programs and equipment, provided these can be audited as required by the document. This issue is open for discussion.
In the implementation of the ordinance, the protection of data centers is a prerequisite, the secretary says. In this process, the federal government will deal with the issue of ‘data protection’ judiciously, adopting solutions with specific dedicated infrastructure hardware, as well as addressing specific software with an impact on data security.
Ordinance No. 141/2014 is also applied to state-owned enterprises, so the legislation will affect a wider range of bodies than just government departments, and there must be a transition period to adapt the rules.
The Brazilian government has been working on a digital governance strategy this year, using a study of five other countries as a reference: the UK, New Zealand, Estonia, Israel and South Korea. This strategy aims to simplify the provision of digital services, so they can be accessed by any device – fixed or mobile. “All this work should also focus on the security and privacy of Brazilian people,” says Heckert.