Comments on the draft of the National Cybersecurity Strategy 2024-2028

TEDIC

On November 14 of this year, the Ministry of Information Technology and Communication (MITIC) published the draft of the National Cybersecurity Strategy for public comment. This document aims to be Paraguay’s new public policy on cybersecurity and is the result of a series of consultations with various stakeholders that lasted only three weeks.

At TEDIC, we have been working in the field of cybersecurity since the approval of the first National Plan in 2017. At that time, we submitted comments on the draft that were not included or considered, despite pointing out structural issues and key aspects related to the strategic approach, in line with OECD standards.

In 2024, with the publication of a new draft, there has once again been no incorporation of a people-centered approach, which is essential to ensure that the strategy aligns with international standards, such as those proposed by the OECD. This is particularly important considering Paraguay’s aspiration to be part of that organization, as evidenced by the meeting held in December with OECD representatives and President Santiago Peña.

Within this framework, the main concerns identified by TEDIC, as expressed in the document sent to the Ministry, are the following:

1. Include a cross-cutting human rights perspective.

The strategy lists national and international regulations concerning fundamental rights. However, these are presented only in a declarative manner and do not offer solutions with a cross-cutting human rights perspective. The solutions merely address the defense of infrastructure. While the annexes mention certain policies for assisting vulnerable groups such as children and adolescents in the online environment, they do not adequately address the protection of other groups such as human rights defenders, women, journalists, activists, and political opponents.

The human rights perspective not only encompasses the protection of computer assets, but also the safeguarding of personal information circulating within these systems. We believe it is necessary to revisit the strategy in light of human rights standards and with a focus on vulnerable groups, in order to have a comprehensive public cybersecurity policy.

2. Greater emphasis on protecting communications and internet browsing

The development of this point in the strategy should include encryption policies to protect communications and internet browsing, ensuring users’ rights to privacy and intimacy. It is crucial to highlight that cryptography is an essential component of various systems, like banking and e-commerce. Therefore, it should not be limited to certain groups but should be accessible to the entire population. Unencrypted communication or browsing is not just “less secure,” but is also exposed to vulnerabilities and unauthorized access through “backdoors”.

3. Lack of a comprehensive personal data protection law

The strategy’s approach clearly prioritizes the ratification of the Second Additional Protocol to the Cybercrime Convention on enhanced co-operation and disclosure of electronic evidence, reflecting an emphasis on strengthening international legal measures against cybercrime. However, this approach appears to overlook the urgent need for national legislation to protect personal data, a crucial pillar for trust in digital infrastructure and the exercise of online privacy. Users not only need protection against cybercrimes but also guarantees that their personal data will be handled responsibly and securely.

4. Methodology for designing the Strategy

The methodology used to develop the strategy requires review. Although the document mentions holding consultations and working groups, the key topics and central themes were not defined collaboratively. It is worth noting that meetings were held separately, preventing interaction between the various stakeholders (government, academia, businesses, and civil society), which limited the diversity of perspectives and the exchange of ideas. In summary, the necessary standards for a truly inclusive and participatory process were not met. It is essential to adopt an open consultation methodology based on a multi-stakeholder approach that fosters direct dialogue among all parties, ensuring their voices are heard and fairly integrated into policy-making.

5. The negative perspective and crisis approach

Throughout the document, the strategy presents data on attacks identified within the country. However, it approaches security from a predominantly negative perspective, equating it with merely the absence of harm. In a broader and more substantial sense, security is a positive value: it involves an individual’s capacity to access and use critical resources according to their needs and preferences. Therefore, internet security policy should not be limited to a purely defensive role, but rather take on a facilitating role aimed at promoting the well-being of people as a central focus. The narrative of an imminent crisis, reinforced by the incident data presented in the strategy, creates an alarmist language that obscures the need for an objective approach to addressing actual risks. It is important to note that the crisis narrative was evident in the previous cybersecurity plan. We believe it is crucial to reframe this discourse towards a more positive, people-centered approach.

6. State surveillance of communications

Within the security issues, the strategy does not mention the risks associated with the acquisition of mass surveillance tools. This is even more alarming given the increasing accessibility of technologies for storing citizens’ data, not only for the government but also for private companies and criminal groups. In this regard, it should be noted that there have been instances of the Paraguayan state purchasing surveillance software, and therefore the strategy must address this issue with a two-way analysis. On the one hand, government agencies and dependencies should have tools for tracking crimes, as long as their use is strictly regulated by a legal framework that respects human rights. On the other hand, the plan should include a study of international best practices regarding the protection of human rights, privacy and personal data.

It is also crucial to incorporate notification mechanisms for affected parties when their information is compromised, allowing them to verify the facts and file complaints in cases of abuse, whether by state institutions or private companies.

7. Need for interdisciplinarity and investment in cybersecurity investigations

We consider it essential to incorporate an interdisciplinary approach in the strategy and thus address issues such as mental health, environmental impact, gender violence facilitated by technology, among others. These problems, which directly affect the digital environment, require a comprehensive view that addresses both data protection and the social well-being of citizens. Additionally, we highlight that the strategy would benefit from promoting research in cybersecurity. Currently, the document has a significant limitation, as it lacks an in-depth analysis of the perpetrators of cyber-attacks, their impacts on the population, and the specific needs of victims. It is essential that research in this field goes beyond protecting infrastructures to also focus on understanding the context of attackers—whether individuals or groups—their motivations, and the impact of their actions on people, particularly vulnerable groups.

At TEDIC, we published research on how technology-related attacks affect human rights defenders, who are frequent targets of digital threats, harassment, and disinformation campaigns. This research underscores the urgent need for the State, along with cybersecurity policies, to address the problem from a human rights perspective, ensuring the protection of activists, journalists and defenders working in highly vulnerable environments. The lack of an approach that considers the impact of these crimes on individuals and their social environment hinders the creation of effective, evidence-based solutions.

8. Outdated governance model

Governance in a public cybersecurity policy should prioritize digital risk management. We find it necessary to clearly define what is being protected, how it is protected, and how it coordinates with key actors from both the private sector and civil society within the strategy. We also mention that the intergovernmental mechanism established in the strategy must include spaces for participation and collaboration with the various stakeholders at all levels. According to the OECD, all frameworks must fulfill three key functions: the definition of the overarching policy framework or strategy, the implementation of the framework in each sector and the operational capacity. A key challenge is to ensure that the responsible agencies have sufficient capacity to accomplish their tasks, including funding, resources, and digital security expertise, which is scarce in most countries and difficult to retain in the public sector. Therefore, it may be more effective to pool digital security expertise through a central agency, given that the technical challenges are common to all sectors. However, each approach has its pros and cons, and it is critical to find the right balance for effective governance tailored to national realities.

9. Conceptual errors, vague and broad terms

In the drafting of the strategy we identified errors that could generate confusion in both the reading and implementation of the document due to ambiguity in the use of terms such as “computer crimes”, “cybercrimes” and “cyber offenses”. In this regard, we recommend clarifying and unifying these terms to avoid misinterpretation. For example, child sexual abuse (wrongly referred to as child pornography) should not be considered a computer crime but a serious crime in its own right. Similarly, scams through social media or phishing [1] do not fit within the category of “computer crimes”. However, unauthorized remote access to a computer system should indeed be classified as a cybercrime.

Regarding the vague and broad definition of “essential services” used in the strategy, we argue that the focus should extend beyond critical infrastructure. While it acknowledges the importance of economic and social prosperity, it does not delve into this aspect in depth. The strategy should clarify the distinction between critical infrastructure and the information domain, which is currently aligned with the concept of critical activities or essential services. According to the OECD: “The notion of critical activity focuses on the risk to the delivery of the service rather than to the assets on which the delivery of the service relies. A critical activity is one whose interruption or disruption would have serious consequences on the health, safety, and security of citizens; the effective functioning of essential services; or economic and social prosperity”. It is crucial to replace the term “critical infrastructure” with “critical activity”, as suggested by the OECD. This includes activities that, although not essential to the immediate functioning of the economy, are fundamental to social and economic prosperity, such as automobile manufacturing or mining in countries where these activities represent a significant share of GDP.

10. Security by design

The strategy should prioritize security by design, ensuring that certification standards are established in collaboration with the state, civil society, and academia, rather than exclusively through companies with ISO certifications. Cybersecurity not only faces threats such as international terrorism, state espionage or cybercrime, but also risks inherent in the source code of software and hardware such as operating systems and applications. Therefore, the strategy must include mechanisms to ensure information security that go beyond basic solutions such as antivirus software.

11. Comments on the style of the document

We believe it is important to support the claim in the strategy regarding the increase in the percentage of Internet users from 74.7% in 2022 to 78.1% in 2023 with verifiable sources. Furthermore, the limitations of the sample used should be made explicit, as it does not specify whether users are connecting through a flat-rate Internet connection or only through free access to applications like WhatsApp. This omission is relevant since limitations in Internet access can impact the development of digital skills. As a result, MITIC’s policies and plans will not effectively reach the most vulnerable population, who do not have access to adequate data packages. It is essential to address barriers related to purchasing power and technological skills, even if these are not considered in this measurement.

We also suggest replacing the word “signed” with “ratified” in relation to Paraguay’s engagement with international treaties. It is important to note that the signature is only the first step in the adoption process of an international instrument, which is finalized through ratification by the National Congress. Therefore, the term “ratified” is more accurate to indicate that an instrument is in force and has legal effects. Finally, it is worth mentioning that in the section on personal data, there is a reference to a law that was repealed in 2021 (Law No. 1682/2001, which regulated private information). Therefore, it is suggested to remove that reference.

Conclusion

The National Cybersecurity Strategy 2024-2028 is a significant step towards ensuring that Paraguay remains at the forefront of cyberspace protection, with a strong emphasis on human rights. In this regard, collaboration and coordinated efforts among the government, civil society organizations, academia, and the private sector will strengthen the development of public cybersecurity policies.

To read TEDIC’s full comments on the strategy click here.

  1. Phishing is a common type of cyberattack that targets people through e-mail, text messages, phone calls and other forms of communication. A phishing attack aims to trick the recipient into performing the attacker’s desired action, such as revealing financial information, system access credentials or other sensitive information.