Access to Gov.br without encryption and the concentration of several services in a single portal are a concern in the face of hacker attacks on public bodies
One of the Federal Government's initiatives to reduce bureaucracy and digitize the public services offered to citizens was the creation of the Gov.br portal, instituted by Decree No. 9,756, of April 11, 2019, under the Special Secretariat for Debureaucratization, Management and Digital Government of the Ministry of Economy. Since the decree was published, new services and differentiated access levels have been implemented.
Law 14,063, of September 23, 2020, regulated the use of electronic signatures in interactions with public entities, in acts of legal entities and in health matters, and established three types of electronic signature: simple, advanced and qualified.
The simple electronic signature makes it possible to identify who is signing and to attach or associate the signer's data with other data in electronic form. The advanced electronic signature uses certificates not issued by the Brazilian Public Key Infrastructure (ICP-Brasil), or other means of proving the authorship and integrity of an electronic document, provided that the parties accept them as valid or that they are accepted by the person against whom the document is asserted. This is the case of the Gov.br signature. The qualified electronic signature uses an ICP-Brasil digital certificate, pursuant to § 1 of art. 10 of Provisional Measure No. 2,200-2, of August 24, 2001. In practical terms, the signature mathematics is the same in the last two cases; what differs is whether the signer's certificate chains to a root that the State has accredited.
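The following is an added example, not code from the article or from Gov.br, illustrating the distinction drawn above: a signature made with a self-issued certificate and one made with a certificate issued by an accredited root both verify cryptographically, but only the second chains to a trust anchor. The "accredited root" here is a locally generated stand-in, not the real ICP-Brasil root, and the function names (make_cert, classify, chains_to_anchor) are the example's own. It uses the Python cryptography library and a single-hop chain check; a production validator also walks intermediates and checks validity periods, revocation and key usage.

```python
# Added example (not the article's or Gov.br's code). The "accredited root"
# is a constructed stand-in, NOT the real ICP-Brasil root certificate.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

SIG_ALG = ec.ECDSA(hashes.SHA256())


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Build an X.509 certificate for subject_key, signed with issuer_key."""
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def sign_document(private_key, document: bytes) -> bytes:
    return private_key.sign(document, SIG_ALG)


def signature_is_valid(cert, document: bytes, signature: bytes) -> bool:
    """Cryptographic check only: does the signature match the certificate's key?"""
    try:
        cert.public_key().verify(signature, document, SIG_ALG)
        return True
    except InvalidSignature:
        return False


def chains_to_anchor(cert, anchors) -> bool:
    """Trust check: was cert actually signed by one of the trusted anchors?
    Matching the issuer name is not enough; the anchor's key must verify it."""
    for anchor in anchors:
        if cert.issuer != anchor.subject:
            continue
        try:
            anchor.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                ec.ECDSA(cert.signature_hash_algorithm))
            return True
        except InvalidSignature:
            return False
    return False


def classify(cert, document, signature, anchors) -> str:
    """'qualified': valid signature and cert chains to an accredited anchor.
    'advanced': valid signature, but the cert does not chain. 'invalid' otherwise."""
    if not signature_is_valid(cert, document, signature):
        return "invalid"
    return "qualified" if chains_to_anchor(cert, anchors) else "advanced"


def demo():
    # Constructed stand-in for an accredited root.
    root_key = ec.generate_private_key(ec.SECP256R1())
    root_cert = make_cert("Stand-in Accredited Root", root_key,
                          "Stand-in Accredited Root", root_key, is_ca=True)
    anchors = [root_cert]

    # Signer A: certificate issued by the accredited root.
    a_key = ec.generate_private_key(ec.SECP256R1())
    a_cert = make_cert("Signer A", a_key, "Stand-in Accredited Root", root_key, is_ca=False)

    # Signer B: self-issued certificate, accepted only if the parties agree to it.
    b_key = ec.generate_private_key(ec.SECP256R1())
    b_cert = make_cert("Signer B", b_key, "Signer B", b_key, is_ca=False)

    # Signer C: self-issued certificate that merely NAMES the root as its issuer.
    c_key = ec.generate_private_key(ec.SECP256R1())
    c_cert = make_cert("Signer C", c_key, "Stand-in Accredited Root", c_key, is_ca=False)

    document = b"Contract of sale (constructed sample document)"
    return {
        "A": classify(a_cert, document, sign_document(a_key, document), anchors),
        "B": classify(b_cert, document, sign_document(b_key, document), anchors),
        "C": classify(c_cert, document, sign_document(c_key, document), anchors),
        "tampered": classify(a_cert, document + b"!", sign_document(a_key, document), anchors),
    }


if __name__ == "__main__":
    print(demo())
```

Signer A's document comes out as qualified, Signers B and C as advanced (C's forged issuer name fails the anchor's key check), and the tampered document as invalid. The point for a relying party is that the verifier's trust-anchor list, not the signature itself, is what turns a valid signature into a qualified one.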
Among the documents that can be signed on Gov.br are: service provision and purchase and sale contracts; reports and letters; benefit forms such as transportation allowance, health plan and life insurance; income tax returns and dependent and retirement declarations; work suspension contracts; vacation notices and receipts; and confidentiality terms, among others. It is also possible to access the São Paulo State Protest Center (Cenprot-SP), a platform that brings together the digital services of 420 notary offices in São Paulo.
Recently, on January 9th, a new package of applications integrated into the e-CAC Portal opened new ways of accessing Federal Revenue Service digital services with a Gov.br account; these services were previously accessible only with a digital certificate. Now individual micro-entrepreneurs, entrepreneurs and attorneys, once authenticated, can access all information and use services on behalf of their companies and clients regardless of the means of access (CPF and password, for example).
According to the executive president of the Association of Registration Authorities of Brazil (AARB), Edmar Araújo, the advanced electronic signature carries risk because there is no mandatory, clearly defined process and no State accreditation of the companies that provide it. "Any company or even person can provide a system of advanced electronic signatures", he says. "It is exactly the absence of the Brazilian State in this universe of advanced electronic signatures that jeopardizes the execution of complex legal transactions, such as the transfer of vehicles and the purchase and sale of real estate, often the only assets the citizen has managed to acquire, and with great difficulty."
Advanced signatures, despite their recognition by law, have limitations compared with qualified ones, says businessman and Association director Bruno Linhares. "The strong legal and technical framework of qualified signatures is not used in the issuance of advanced signatures, reducing the level of security achieved."
Another concern is the concentration of a large amount of sensitive information on thousands of people and companies in one place. Attacks that hijack data and demand a ransom for it (ransomware) are the most common.
In August 2022, the Federal Court of Accounts (TCU) concluded, in a survey, that more than half of federal public bodies are vulnerable to cyberattacks. The survey notes the increase in ransomware attacks, driven by the growing use of a commercial model in which criminals specialize in obtaining initial access to target networks and selling it on. The report also highlights indicators pointing to an increase in botnet activity (which can be used to execute attacks, steal data, send spam and give the attacker access to the device and its connection) targeting IoT (Internet of Things) devices, which could worsen with the arrival of 5G technology. The outcome of the Court's survey is in Judgment 1768/22.
A report by Veja magazine in June 2020 cited the vulnerability of public systems to hackers. According to a survey by the Institutional Security Office (GSI), in 2019 alone 2,404 cases of intrusion and attempted intrusion into official computers were recorded, an average of six incidents per day.
In the opinion of experts consulted by the portal UOL, public bodies have become recent targets because they do not receive large investments in information security, they give access to a vast database, and that data can be monetized quickly.
Several important government bodies have already been victims of hackers, among them the Federal Regional Court of the 3rd Region (TRF-3), the Superior Court of Justice, the Federal Supreme Court, the Federal Regional Court of the 1st Region (TRF-1) and the National Treasury. In every case the attack blocked access to systems and case files or took them offline entirely, across 13 states plus the Federal District in the case of TRF-1.
The Ministry of Health was the most emblematic case. In 2021, issuance of the vaccination certificate was unavailable for days, as ConecteSUS was the main system affected.
"The press, with a few exceptions, has paid little attention to the vulnerability of government systems, especially the services provided by Gov.br and the institutionalized collection of contracts, documents and important data from people and companies by the Brazilian government. The TCU survey and the cases that have come to light should concern the authorities and information security specialists about what may happen not in the future, but at any time", warns Bruno Linhares.
Even cyber-terrorist attacks, which aim to destabilize the infrastructure of a given location or public body, should raise the alarm, he says. "Ransomware attacks are very worrying, but we cannot forget that taking a system down also causes serious damage, considering that dependence on centralized services in a single tool can make business and the lives of citizens unfeasible, since someone may need a public document urgently. For example, in August 2022 the City Hall of Rio de Janeiro suffered a hacker attack. There were more than two months with 37 systems down. How do you calculate such damage to the population?", recalls Linhares.
The Federal Government itself, through the Center for Prevention, Treatment and Response to Government Cyber Incidents (CTIR Gov), recommended this January a series of actions to municipalities and public bodies to prevent the leakage of credentials and passwords. Among the measures to mitigate risk is adherence to Serpro's single sign-on project on the Gov.br portal.
"As the authors of the recommendation themselves recognize, systems based on login and password are insecure. So they recommend the adoption of the very solution they aim to combat. Except for access at the gold level, Gov.br retains the same fragility, and in cases of fraud in this system we will have amplified effects", says the AARB director.
"The World Bank rated Brazil 2nd in its ranking of digital government maturity among 198 countries. There is no doubt that ease of access to digital services brings gains to the economy and to the lives of the population, but this advance must be tied to security. Unfortunately, the virtual world has also become insecure, but we have effective, safe tools with legal validity and non-repudiation, such as the ICP-Brasil digital certificate", says Edmar Araújo.
According to him, the cost-benefit calculation needs to take into account the losses that result from a lack of investment in security. "It is not a criticism that we make, but an alert so that the public power, which concentrates the lives of thousands of citizens, is not taken by surprise. It is necessary to expand services safely and not to expand access based on login and password, long since outdated by new threats", he concludes.