The former presidential advisor for cybersecurity issues in the second government of Sebastián Piñera, Jorge Atton, and the defense expert and vice president of AthenaLab, Richard Kouyoumdjian, addressed the country’s computer weaknesses, once again evidenced after the leak of emails from the Joint Chiefs of Staff (EMCO ) and the cyberattack suffered by the Judiciary. In a new chapter of The Political Week of El MostradorBoth agreed that “today the vulnerability that Chile presents in terms of cybersecurity has to do with critical infrastructure and the strength of digital security.”
Kouyoumdjian, also director of the Chilean Maritime League, was concerned about the breach of EMCO’s security, beyond the details of the information that was leaked. In addition, pending the results of the summary issued by the Ministry of Defense led by Maya Fernández after the violation of the servers of the coordination of the Armed Forces, he maintained that the investigation should not only be carried out by the corresponding authorities but should also do so by the Comptroller General of the Republic (CGR).
In his opinion, although Minister Fernández “has taken the bull by the horns” and has guided the process as political leader, this is a country issue and the great internal auditor is the Comptroller’s Office “which has resources and specialists in this matter” . And it is that, for Kouyoumdjian, “the point is that what may have also failed is the corporate governance of the Ministry of Defense.”
“We focused a lot on the failure itself that happened that day and what worries me is that public departments of this nature should have corporate governance reinforced with strong internal control and authorship functions,” he said, arguing that the main risk is “that the digital infrastructure of the Ministry of Defense is violated”. Therefore, he added, “leaving the audit in charge of the Army is not correct. She (Minister Fernández) did it with very good intentions, but if we want to have the complete conclusions and ensure that the investigation is transparent, clear and precise, It should be the Comptroller’s Office that audits this issue”.
For his part, Jorge Atton, focused on the fact that there is such a slow bureaucracy in Chile that there is no framework project that protects us in the defense of these vulnerabilities. “It is an issue of institutional responsibilities and I am not referring only to the Ministry of Defense. This is a state issue and even in the private world you find that one of the fundamental concerns is the responsibility of corporate governance,” agreed the former Undersecretary of Telecommunications during Piñera’s first term.
“This is not a computer issue, it is a risk issue,” Atton added, noting that “we have a structural weakness that dates back to at least 2008.” He recalled that the personal data bill has been in Congress for five years and “the issue is still pending.” In addition, he explained the importance of speeding up the Framework Law on Cybersecurity and Critical Information Infrastructure; currently under discussion in Congress. “We have spent six or eight years with a national policy that has not been implemented,” Jorge Atton lashed out, assuring —without alarmist spirits— that “there is an issue of generalized institutional weakness.”
Regarding the hacking of the Judiciary, he reviewed that in the corporation there is “an obsolescence of the software that has been there for years.” Likewise, he stressed that with the arrival of 5G technology, which will allow the interconnectivity of things, “there will be a greater number of gateways.” Therefore, “we urgently need a personal data law,” since “we have very relevant weaknesses,” he reiterated.
“Hopefully it is a lesson learned and it is given the importance it requires and we do not forget the issue of cybersecurity,” said Jorge Atton.
For Richard Kouyoumdjian the problem is that “we are still thinking about physical security and not about digital security”.
He explained that “when we talked about the critical infrastructure protection law, we were worried about putting soldiers outside electrical installations. But a virus is enough to render the matrix useless.” The point, he said, “is that bank robberies today are not physical. There is a hack and they ask for cryptocurrencies in exchange. Here what we protect is critical digital infrastructure and that is within national security.”
Regarding the EMCO case, Kouyoumdjian appreciates that it was the mail server, because if it had been something more complex “we could be talking about another level of critical damage.”
In this sense, the expert focused on the budget for cybersecurity in the advisory body of the Ministry of Defense. For Kouyoumdjian, the EMCO is “the poor brother” of the portfolio, since “probably the budget assigned to it by the Budget Directorate of the Ministry of Finance is not much.” And that “is part of the problem.”
“The issue is that there is learning that allows at the end of the day to have a more solid digital infrastructure not only of the Ministry of Defense but that it is replicated to the rest of the state apparatus,” he specified.
Jorge Atton agreed on the budget issue and stated that “if the President and the ministers do not understand the risks, effectively there will be no pressure on the Budget Directorate and it will not deliver the resources.” In addition, he pointed out that this “is not a military issue, it is an information systems issue. And that will give responsibility to both the civil and military worlds.”
“It is also important in the case of the EMCO to see what comes out of the summary because it could be that it requested the resources and Dipres said no or released them late and they did not manage to do the software update. You have to see the entire process and where it is failing Kouyoumdjian added.
“The task is to continue insisting and bring to the board those who have the responsibility and that the issue is not diluted,” they concluded.