The report, the first edition of its kind, analyzed a group of 29 areas deemed high-risk in terms of vulnerability, abuse of power, mismanagement, or need for drastic change. On cybersecurity, it found the federal government's setup to be “active, but inadequate”. According to the report, the federal administration cannot adequately respond to and handle cybersecurity incidents, and vulnerabilities in both information security and cybersecurity exist across most central government bodies.
Among the report’s findings, the TCU (Tribunal de Contas da União, Brazil’s federal Court of Auditors) noted that 74.6% of organizations do not have a formally approved backup policy agreed between the business areas and the organization’s IT. Moreover, 71% of the organizations that host their systems on their own servers do not have a specific backup plan for their main system, and 66% of the federal government bodies that carry out backups do not encrypt them. Over 80% of the organizations are still in the early stages of building IT business continuity capacity.

The report also found that 60.2% of organizations within the federal administration do not keep their backup copies in at least one destination that is not remotely accessible, that is, an offline or otherwise network-isolated copy. The report added that this carries the risk that the backup files themselves end up corrupted, deleted and/or encrypted by the attacker or malware, rendering the organization’s backup and restore process ineffective in the event of a cyberattack. The practical point is that a backup reachable over the same network as production is exposed to the same intrusion as production.

The report cited figures on the ongoing digitization of public services in Brazil, which so far covers 73.1% of the services provided by the federal government. The TCU noted that the digital transformation of public service provision has increased reliance on IT services and, with it, the risks and damage that security failures and service unavailability can cause. Among the recent incidents cited, the TCU highlighted the cyberattack against the Ministry of Health, in which COVID-19 vaccination data vanished, as well as the attack against the Superior Court of Justice, described as “the worst cyberattack ever undertaken against a Brazilian public institution, in terms of size and complexity”.

As for what needs to be done to address the shortcomings in Brazil’s federal administration, the TCU noted that basic measures must be taken to ensure the continuity of business processes and service provision in the event of an information security incident. This includes the “implementation of general policies and continuity plans, as well as the maintenance of effective internal controls, such as those related to the implementation of backup procedures.” The TCU also noted that it had approved its own information and cybersecurity strategy. In addition, the Court of Auditors has planned specific actions and initiatives, including agile monitoring of critical cybersecurity controls, to raise the bodies’ awareness of the importance of these issues and to improve the current state of cybersecurity in the federal administration. According to the TCU, the idea behind the strategy is to promote a culture of information security in the federal public administration bodies and help them maintain well-defined governance and management processes for information and cybersecurity. “The objective is to minimize risks and possible impacts of attacks and incidents”, the report noted.