Sanjana Rathi

Conflict over a controversial cyberattack in the Aerospace Manufacturing Plant in Brazil


The Scenario

On 25 November 2020, a significant cyberattack was detected on the Brazilian airplane maker Embraer. The company's IT system was breached as part of the attack, and the data was leaked on a leak site in exchange for a ransom. The leaked data was worth billions of dollars, and the impact was also reputational. It is important to note that Embraer manufactures commercial, executive, military, and agricultural aircraft as an OEM and is the third-largest commercial jet maker, with more than 8000 airplanes globally. The risk from the cyberattack was therefore severe, and it also affected the company's reputation.

In Brazil, aviation-manufacturing efforts date back to the early 1930s, during the growth of Brazilian industrialization. Civil and military initiatives to manufacture aircraft in series are known to have flourished for the first ten years. These efforts involved not only companies that assembled airplanes but also those in the supply chain, except for aircraft engines. The military Government identified the strategic need for an aeronautical industry in Brazil from 1964 to 1985. As a result, Embraer was born out of a Government initiative and was privatized in 1994. Today it is the third-largest aerospace company globally.


As a result of the cyberattack, the incident response procedures were temporarily disrupted. In some operations, systems infected by malware had to be isolated. In addition, the outage disrupted access to the company's procedures for employees working from home due to the COVID lockdown. The Embraer files were shared on a leak website hosted on the dark web. Much confidential information and source code was uploaded. Employee details, business contracts, photos of flight simulations, and source code were also leaked on the website.


Brazilian diplomacy has made way for Embraer, which also won regulatory approval for its largest regional jets to fly in Russia through diplomatic ties with Russia. The certification opens a new frontier for the E-190 and E-195 commercial jets as demand dries up in Western Europe amid the continent's debt woes. Embraer waited months for the regulator's approval, which came only after Brazil's President Dilma Rousseff met with Russian Prime Minister Dmitry Medvedev. Russia also certified Embraer's ultra-large Lineage 1000 private jet. Diplomacy has long played a role in big, cross-border business for aircraft, defense contracts, and related deals. A similar situation describes Embraer's supplies to China.


Although the V.P. of finance and investor relations mentioned no material disruption from this attack in a press release, it was later confirmed that the security breach had also leaked the supervisory data of control systems. The data was that of operations and monitoring control, breaching aviation security. The online leak of classified information also facilitated this SCADA hack.


It is important to note that China also has a state-owned aeroplane manufacturing plant specialising in OEM manufacturing. This is the state-owned COMAC. China's cybersecurity policy and cyber-sovereignty principle create an asymmetrical landscape, especially in the Information Warfare domain. Therefore, this validates any involvement of Chinese state-sponsored hackers to access and leak the data and credentials on the dark web.


However, other hacker groups such as George Razvan Eugen believe that it is not too difficult to cause enormous disruption in the industry. This is because the internet protocol addresses for many SCADA devices are easily found online. Although some devices are password-protected, others are not. At least 250 Brazilian devices across multiple critical sectors were visible within seconds by using a publicly available search engine such as Shodan. It is important to consider that SCADA was never created with security in mind.


When considering the emergence of cyber-diplomacy in Brazil, it is essential first to understand the underlying logic of cooperation in this policy domain, especially in the context of the aviation industry. Cyberspace combines several characteristics that frame diplomatic engagement among stakeholders. To begin with, it is a global domain connecting nations and citizens worldwide in a variety of ways, generating interactions and friction between them. Furthermore, cyberspace is usually considered a "global commons," defined as a "resource domain to which all nations have legal access."


The aviation industry of Brazil has gained momentum because of Brazilian Diplomacy. Embraer and Brazilian diplomats lobbied heavily to allow the company to start producing its famous E-Jet family of regional planes in China. Still, that approval never came because China is developing a similar regional aircraft. The company also reached a deal to start assembling smaller business jets in China and inked an agreement with China Minsheng Banking Co to sell as many as 20 executive jets.


For the purpose of this research, the focus is on encryption technology used in the aviation sector. The aviation sector uses security features, processes, and technology. Yet, there is a breach in security, in this case, due to a breach in encryption. It is important to bring into account that Kryptos, a cybersecurity company funded by Embraer, has been pushing to expand its encryption business in Europe, the Middle East, and Africa. However, the company has also highlighted a lack of encryption backdoor laws to make it a safe and neutral provider of secure software. The firm notes that “China, Russia, the U.K., and the USA have various legal justifications for snooping on supposedly secure communications”.


In the realm of aviation, encryption is increasingly essential for various applications, including secure identification friend-or-foe systems used to coordinate combat aircraft missions. Those systems are vital because aircraft now carry beyond-visual-range missiles and need a way to distinguish between friendly and enemy aircraft. After this cyberattack, the Brazilian air force contracted Kryptos to develop an identification “friend-or-foe system” for its fleet of 36 Saab F-39 Gripen E/F fighters.


Brazilian federal law also has no provision for data localization, nor a well-defined encryption export-import regulation supported by effective cyber diplomacy that negotiates symmetrical standards in encryption for the aviation industry. The only legal provision for data localization is found in the norms for the Ministry of Planning and government contracts related to information and communications, which may include encryption methods, firewalls, and other measures.


Analysis and Assessment

Considering encryption in Brazil, it is important to note that there is no right to, or regulation of, cryptography or encryption technology in the country's legal code. There are legal provisions on privacy and data security, such as end-to-end encryption for civilian use. Brazil is not a part of the Wassenaar Arrangement that defines and standardizes the encryption control regime internationally. Brazilian diplomacy has overseen the key elements of encryption technology and security measures, especially those that are applicable in the public sector. The Brazilian Internet Steering Committee only promotes the use of cryptography from a human rights standpoint.


Currently, the relevant legislation in the domain of encryption and data protection only includes the Access to Information Act (LAI) 2011, the Internet Bill of Rights (MCI) 2014, and the General Data Protection Law (LGPD). The MCI legislation was greatly influenced by the revelations that former U.S. national security contractor Edward Snowden made in 2013 concerning U.S.-led worldwide electronic surveillance efforts, especially because then Brazilian president Dilma Rousseff was found to be one of the world leaders under NSA surveillance.


The key institution involved in the technical dimensions of cryptography is the Brazilian Computer Emergency Response Team (CERT), which is responsible for promoting the adoption of encryption to enhance cybersecurity. In addition, the National Communications Regulatory Agency (ANATEL) issued a resolution that requires telecommunications companies to incorporate encryption into their services. Another notable factor is that the National Institute of Information Technology coordinates the development and management of cryptographic key certificates. These include ICP Brazil, a software for certifying digital signatures.


Cyberdiplomacy over encryption export/import: Recommendation for Brazil


"To make your app available on the App Store, you must submit a copy of your U.S. Encryption Registration (ERN) approval from the U.S. Bureau of Industry (BIS)."


All software is subject to export control regulations. In addition, there are national authorities in all developed nations that monitor encryption control. This encryption control regime is essential to prevent cybercrime. Due to these export control regimes, we see constant new challenges from cybercriminals, who seek to discover new ways and means to circumvent controls. However, the inherently global nature of information and communication networks makes export control enforcement quite tricky, and the difficulties of defining and enforcing jurisdictional boundaries in the international environment become more evident.


Considering these terms, it is clear that the development and widespread deployment of cryptography that can be used to deny government access to information represents a challenge to the balance of power between the Government and the individual. Encryption functions can be both hardware- and software-based. Usually, the same rules apply to hardware and software because, in the Wassenaar Arrangement, which is the principal foundation of all encryption software export control regimes around the world, controlled information security products are contained or relaxed from controls principally on the method used.


Several countries, including China, Israel, and Russia, have import restrictions on cryptography. However, Brazil is some countries require vendors to obtain a license before importing cryptographic products. Many governments use such import licenses to pursue domestic policy goals. In some instances, governments require foreign vendors to provide technical information to obtain an import license. This information is then used to steer business toward local companies. However, there have been cases where governments have been accused of using this same information for outright industrial espionage.


International Regulation on Export/Import of Encryption — Role of the Wassenaar Arrangement

Internationally, export controls are the most vital tool governments use to limit the development of encryption products. But, increasingly, they have generated controversy because they pit the needs of national security to conduct signals intelligence against the information security needs of legitimate businesses and the markets of manufacturers whose products might meet these needs. Some countries take advantage of the lack of controls in their countries. One result has been the emergence of small companies in many countries without restrictions that produce encryption products. Another result has been companies moving their encryption production divisions overseas to countries with fewer controls, such as Switzerland or Anguilla, a British self-governing territory in the Caribbean.


"Switzerland will keep its efficient export permit process for cryptographic goods to encourage Swiss exports to increase their sales and share worldwide while being mindful of national security interests." — Switzerland officials have stated, according to Cryptography and Liberty 1999.


Although Switzerland is a member of the Wassenaar Arrangement (W.A.), it is pursuing a very liberal crypto policy while fully complying with its provisions. However, it must be recognized that all the other W.A. member countries also had their national economic interests in mind when they joined it. Therefore, they probably would not have joined if it were detrimental to their national interests.


Also, bringing into perspective the initial elements, the W.A. is established to "prevent the acquisition of … sensitive dual-use items for military end-uses, if the situation in a region or the behavior of a State is, or becomes, a cause for serious concern to the participating States." Encryption technology is subject to this provision as it is a dual-use item. It is essential to keep in mind that the ultimate goal of export controls on cryptography is to keep strong cryptography out of the hands of potential targets of signals intelligence. Some W.A. participating States have powerful SIGINT bodies capable of eavesdropping on large amounts of communication worldwide.


The stated goal of the Wassenaar Arrangement was "to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies." Cryptography is classified as a dual-use good. The Wassenaar Arrangement makes symmetric cryptography products of up to 56-bit key length and asymmetric cryptography products of up to 512-bit key length free from export restriction.


Furthermore, the Wassenaar Arrangement includes a personal-use exemption, allowing individuals who travel abroad to carry cryptography devices for personal use. However, cryptography products that do not fall into these exemptions are still eligible for restriction. The Wassenaar Arrangement sets general parameters for import and export control to which member states largely adhere; however, the Wassenaar controls are not binding on member states and are implemented at the discretion of member governments.


National Export/Import Control Regulation Worldwide

Most significant countries regulate encryption to varying degrees. Encryption is regulated because it is a "dual-use" technology; it has both commercial and military value. The United States pioneered the efforts to control encryption during the Cold War. Since then, U.S. encryption regulation has been driven by two competing concerns: "(1) the ability of American high-tech industries to compete in foreign markets; and (2) the ability of criminals and terrorists to threaten national security through strong encryption." However, other countries' encryption regulations may be meant to serve other ends, e.g., the monitoring and restriction of domestic speech. This regulatory patchwork creates substantial challenges and risks to firms operating internationally. To harmonize regulations on the export and import of dual-use technologies, especially in the context of SCADA integration, many countries have agreed to a set of principles known as the Wassenaar Arrangement.


The United States of America, in addition to being the current primary producer of information technology and security products, also has among the most well-developed and documented laws regarding encryption. Hence, American encryption regulation is a valuable place to begin an inquiry into the global framework of encryption regulation. The United States does not restrict the domestic use, creation, or sale of encryption products. Furthermore, there is no restriction on the importation of cryptography systems. The exportation of encryption products, however, has historically been heavily restricted. Although the conditions have been eased in recent years in many respects, the regulations still present obstacles and risks to U.S. businesses operating overseas. Cryptography in the European Union (E.U.), like in the U.S., is free to use domestically but faces restrictions on its export. Council Regulation (E.C.) No. 1334–2000 regulates the export of dual-use goods, which include cryptography. These regulations follow the Wassenaar Arrangement. Export within the European Union is fully liberalized. Exports to a select group of non-EU countries are lightly regulated, and exports to remaining countries are more heavily regulated.


The European Union has been a long-time advocate of the free domestic use of strong cryptography. In the 1990s, the Clinton Administration pursued several international initiatives to encourage, or even mandate, key escrow. The European Commission, though, took a stance against those proposals. The Commission "stressed the economic and societal importance of cryptography." It noted that "key escrow or key recovery raises several practical and complex questions that policymakers need to solve, particularly privacy, vulnerability, effectiveness, and costs." Hence, European support for the unrestricted use of encryption and opposition to mandatory key escrow proved critical to strong cryptography development.


China is one of the most challenging environments for cryptography use and regulation. The importation and exportation of cryptography products are both highly regulated. Import and export of encryption products require a license from the State Encryption Management Commission. Encryption is regulated primarily by the National Commission on Encryption Code Regulations (NCECR). Encryption products cannot be sold or imported into China without prior approval by the NCECR. Furthermore, individuals and firms in China can only use cryptography products approved by the NCECR. This also applies to foreign individuals and firms operating in China, who must report details of their encryption systems to the NCECR and receive its approval to use those products. Also, China's Cybersecurity Law provides for the regulation of encryption technology.


Lack of standardisation in encryption practices and export-import regulation has been a vulnerability for Brazil, and the diplomats as well as the Government must take the necessary action to maintain a cyber-friendly landscape for their country. Although Brazil has some of the best cyberdiplomacy, the lack of dialogue on the encryption debate, especially in the context of import and export control regulation, makes it vulnerable. Additionally, critical infrastructure is also highly facilitating the use of encryption technology. SCADA security must be considered while regulating the sector.


Stakeholders

ABIDE – Brazilian Defense and Security Industries Association, AIAB – Aerospace Industries Association of Brazil, COMDEFESA/FIESP – Department of Defense and Security / State of Sao Paulo Industry Federation, ABAG – Brazilian Association of General Aviation, ABEAR – Brazilian Airlines Association, IBA – Brazilian Aviation Institute, ABESE – Brazilian Association of Electronic Security Equipment, ABSEG – Brazilian Association of Security Professionals, FENAVIST – National Federation of Security Companies, Brazilian National Bank for Economic and Social Development (BNDES).


