Colombia. The Colombian government issued Decree 338, which establishes the general guidelines for digital security governance and seeks to combine and boost legal development, technical advances, and state and private knowledge to strengthen the country's cybersecurity.
This decree strengthens the country's line of work on digital security, which is particularly necessary for the protection of critical industrial infrastructures, especially in the current context, characterized by the global increase in malware and ransomware attacks.
According to the Internet Security Report - Q4 2021, from WatchGuard's Threat Lab, zero-day threats reached their all-time high during the fourth quarter of 2021. The results detailed that Europe, the Middle East and Africa quadrupled the detection of attacks on their network, while in the rest of the globe malware increased to almost double.
For its part, the most recent report of the World Economic Forum (WEF), The Global Risk Report 2022, pointed out that ransomware increased by 435% in 2020.
Thus, Decree 338 of 2022 establishes the general guidelines to strengthen the governance of digital security, and creates both the model to be applied to make it possible and the instances (bodies) of that model. To understand the scope of this new regulation, we attended the webinar organized by the Center for Industrial Cybersecurity (CCI), Impacts of Decree 338 of 2022 of the Presidency of Colombia "Governance of Digital Security" in Infrastructures.
Developments in Colombian legislation
As explained by Ángela Cortés, ColCERT coordinator of the Ministry of ICT of Colombia, Decree 338 is the result of an evolution in legislation aimed at improving cybersecurity in the country, which as such began in 2011 with CONPES 3701.
One of the fundamental points of Decree 338 is its definition of Digital Security Governance for Colombia as "the set of interactions and approaches between multiple stakeholders to identify, frame, propose, and coordinate proactive and reactive responses to possible threats to the confidentiality, integrity or availability of technological services, information systems, technological infrastructure, networks and information that together constitute the digital environment".
The main objective of this governance, however, is to facilitate the participation, coordination and interaction of multiple stakeholders, in order to strengthen capacities for managing digital security risks in the country.
Another novelty of this decree is that it commits the Ministry of Information and Communications Technologies (ICT) to compile the inventory of national public critical cyber infrastructures and essential services in cyberspace, which should be ready in 2023 and will be updated every two years.
"To do this, it must identify the sectors and subsectors that have critical cyber infrastructures or provide essential services for the maintenance of economic and social activities." With this, the sectoral CSIRTs (Computer Security Incident Response Teams) will be created, as well as the National Digital Security Committee and a National Platform for Notification and Monitoring of Digital Security Incidents, a space that will serve for the notification and management of cybersecurity incidents.
In general, the greatest advance of this decree, in terms of cybersecurity, is the effort to identify and prevent attacks or incidents in networks and information systems that would significantly affect the provision of essential state services. An example of this type of mishap is the current conflict facing Costa Rica, due to cyberattacks by the Conti group.
The background to this regulation, as mentioned in the webinar, is the aim of strengthening citizen trust to maximize the generation of socioeconomic value through the internet. Ángela Cortés commented that Colombia lacked a framework that coordinated cybersecurity policies, so Decree 338 also filled a legal gap, but it is undoubtedly the result of the regulatory progress of the last 11 years.
Implications of Decree 338
In short, the decree seeks to identify best practices and lessons learned that help identify guidelines, write guidelines and generate their own activities. But this is not the work of a single entity; it is an intersectoral and interdisciplinary assembly.
In the words of Cristian Isaza, member of the Board of Directors of the CCI Colombia Chapter, since this mandate has implications for agents that have critical infrastructure, it helps the obliged (public sector) and the non-obliged (private sector) to coordinate with each other. This is an issue of vital importance in the current climate, marked by a national and international reality in which it is imperative to strengthen cyber resilience, especially for critical sectors with recurrent incidents.
As a conclusion of the webinar, the classification guide for critical infrastructures could change in 12 months, depending on the result of the Government of Colombia's work.
It should be borne in mind that the importance of implementing Decree 338 in private organizations lies in reducing the impact of incidents, by giving organizations better support for their practices, since the decree implies a national and systematic review of the standards, with traceability and a guarantee of relevance.
Finally, according to the webinar speakers, since a cybersecurity event is not isolated, contributing to the registration of information at the national level, through the use of the national platform and participation in the Digital Security Working Groups (contemplated in Decree 338), results in obtaining information and more tools. In that sense, Ángela Cortés said that the gain from taking part in co-creation in these spaces is being able to promote the most accurate information tools and strategies at the national level.