For anyone paying attention to the cyberattacks in Costa Rica, ransomware collectives breached the country’s health information systems. This came after weeks of attacks on the country’s tax, trade, payroll, pension, and other systems from across 30 affected agencies. The attackers’ stated goal is to overthrow the Costa Rican government. The country’s new president, Rodrigo Chaves, has responded by declaring a national emergency, reiterating that the country will not pay the ransom (now totaling USD $25 million), and bringing in hundreds of cybersecurity experts to address the problem. In the meantime, affected agencies revert to paper systems, tax deadlines have been extended, and the country scrambles to find ways to work around this massive disruption.
It’s unclear what the final economic impact of these attacks will be in Costa Rica. One estimate pegged trade losses at $125 million in the first two days alone. What is clear is that Costa Rica has struggled to respond to and manage the crisis, despite having a National Cybersecurity Strategy in place since 2017. Furthermore, by going back to paper, the attacks roll back some of the progress the Costa Rican government made on its digital systems since the start of the COVID-19 pandemic. Costa Rica is certainly not alone in being affected by ransomware. Attacks have increased globally in recent months, particularly in Latin America where preparedness is low and ability to pay ransom is considered high. A 2020 IADB study stated that only 7 of the 32 countries studied in the Latin American and Caribbean region “have a critical infrastructure protection plan, while 20 have established cybersecurity incident response teams, often called CERTs or CSIRTs.”
Yet, attackers appear to be using Costa Rica as a “demo” of what can be achieved in one country, and anyone working on digital systems in low- and middle-income countries may want to pay attention to what plays out. Governments would do well to immediately evaluate and address vulnerabilities in critical infrastructure, ensure agencies and workforce are truly prepared to respond to a cybersecurity attack, harmonize legal frameworks with international best practices, and actively collaborate with the international community on cybersecurity.
June 16, 2022
