Running Head: THE BRAZILIAN FEDERAL DATA PROCESSING SERVICE

Case Study: The Brazilian Federal Data Processing Service

Vijaya Tanniru
Advanced System Analysis & Design.
Prof: - Sayed Hussein.
July 13th, 2014
THE BRAZILIAN FEDERAL DATA PROCESSING SERVICE
2

Business Ethical Problems Faced by Brazilian Federal Data Processing

Cyber security or online security has the potential to impose borderless challenges and

threats to any nation, while the responses remain overpoweringly national in scope (Smith,

Dinev & Xu, 2011). Hence, these cyber security breaches and threats can only be mitigated or at

least reduced by the confrontation provided by government and legislative bodies in terms of

technical as well as governance capabilities (Smith, Dinev & Xu, 2011). The first and foremost

business ethical problem faced by Brazilian Federal Data Processing Service is the electronic

espionage and electronic spying done by US National Security Agency.

Government related communications and critical information has been targeted by

various intelligence agencies, while breaching the International Security Law, which is purely an

illegal activity (Constant, 2013). Hence, the exchange of information through government

network need to be protected from security breaches and this was the most difficult challenge for

SERPRO (another name for Brazilian Federal Data Processing Service) (Smith, Dinev & Xu,

2011). In addition to NSA spying revelations, the Canadian Security Establishment (CSE)

tracked and targeted all the important emails and phone calls to and from Brazil’s Ministry mines

and energy.

This is the most critical ethical and legal problem faced by SERPRO, as they were

assigned a job to design and develop a robust emailing system to mitigate all types of security

breaches (Constant, 2013). In my opinion, all the above described issues should be ethically and

legally condemned as these activities are against the International Cyber Security Law and

Computer Fraud and Abuse Act of 1984 (Smith, Dinev & Xu, 2011). Hence, all these problems

are purely unethical, which should be corrected and resolved by strengthening Internet

governance and reliance on U.S. and other nations in terms of information exchange.
THE BRAZILIAN FEDERAL DATA PROCESSING SERVICE
3

Security Deficiencies in Brazilian Federal Data Processing Enterprise Architecture

Despite that Brazilian Federal Data Processing Service is the leading security firm in

Brazil which ensures robust security solutions; there are several security flaws or deficiencies in

their original systems and security architecture (Smith, Dinev & Xu, 2011). For instance, security

protocols were not adequate enough to provide comprehensive and long-term security (Constant,

2013). Information was easily accessible, open and transparent that allows offenders to commit

security breaches (Hornung, 2005). It was difficult for the agency to identify the offenders and

their current location (Constant, 2013). The original architecture need to be well-complied with

cyber security policy and regulations to provide better security.

Brazilian Federal Data Processing Service Proposed Architecture Plan

SERPRO suggested implementing an “anti-spoofing email system” against the US and

Canadian spying revelations (Smith, Dinev & Xu, 2011). This system will be locally hosted and

is aimed to protect government related and citizen’s critical data and information, as US

government has been targeting and tracking citizens’ data, including the Brazilian President

(Constant, 2013). The proposed plan for developing anti-spoofing and advanced emailing

services is a quality idea. The Brazilian Federal Data Processing Service is aimed to design an

emailing system for government use, online transactions, tax returns and citizens’ information,

which will use digital certificates and encryption to prevent information leakage by blocking the

access.

With this emailing system, no one can read the content and access information without

being digitally certified (Smith, Dinev & Xu, 2011). However, intended data and recipients will

be hosted in datacenters, located in Brazil (Constant, 2013). The other possible solutions that can

be adopted by SERPRO is the Secure Email Middleman which has been proposed for National
THE BRAZILIAN FEDERAL DATA PROCESSING SERVICE
4

Health of Institute (NIH) (Hornung, 2005). The method provides an alternative approach to PKI

based technologies, as they are impractical (Smith, Dinev & Xu, 2011). This secure email pattern

uses non-PKI S/MIME technologies and solutions to secure email exchange before transmitting

over the network. See appendix for the secure email pattern built for NIH.

Another possible solution could be the utilization for DPL (Data Loss Prevention) to

secure email content and communications (Hornung, 2005). Many agencies, governments and

organizations like Trend Micro have been using this tool to secure emails from unauthorized

access (Hornung, 2005). Further, a robust password manager should be deployed to secure email

communications by asking for multiple passwords for robust authentication (Smith, Dinev & Xu,

2011). In my opinion, all these solutions can be considered by SERPRO to secure Brazil email

communications.

Precautions to Avoid Security Breaches

After analyzing different governments and intelligence agencies, it has been found that

United States government have taken many serious and effective precautions to mitigate

information leakage and security breaches and secure email privacy (Smith, Dinev & Xu, 2011).

U.S. government announced to deploy two factor authentications to secure email and other

accounts to prevent unauthorized access (Smith, Dinev & Xu, 2011). The users will log in

personal details in the same manner, but there is an additional step which calls or send message

to enter the security code.

Another agency working on the same issue is the Space Labs which has developed its

own solution and cracking tools (Embassy, 2012). These email cracking tools can help

governmental and non-government organizations to test the accessibility of their professional as

well as personal emails (Embassy, 2012). Further, with this cracking tool, it would become easier
THE BRAZILIAN FEDERAL DATA PROCESSING SERVICE
5

to track and test the emails of the vendors and associated which organizations serve (Embassy,

2012). This email cracking system not only helps detect the vulnerabilities of email servers and

account information, but this system also helps identify human as well as social threats.

These were some precautions taken by various government and agencies to take

precautions against the same event that was experienced by the British Federal Data Processing

Service (Embassy, 2012). If these precautions were not taken to secure against the email security

breach, then there are many other effective solutions to protect and sustain email privacy

(Embassy, 2012). New Delhi government announced to use static IP addresses, one time

passwords and virtual networks to secure government communications (Embassy, 2012). If any

user needs to access the email services, he or she has to undergo the above protective systems.

In my opinion, if these precautions are implemented, then governments and organizations

can effectively protect their email services and communications (Hornung, 2005). It is because

great financial losses have been reported due to security breaches and malware of critical

information and data (Hornung, 2005). It is therefore important for the government and

legislative bodies to take appropriate precautions to secure the private communications, most

businesses and government related operations are usually conducted through emails.
THE BRAZILIAN FEDERAL DATA PROCESSING SERVICE
6

References

Constant, L. (2013). Brazil to fortify government email system following NSA snooping

revelations. The country's Federal Data Processing Service has been tasked with the job.

Network World. Data retrieved from:

http://www.networkworld.com/article/2170810/security/brazil-to-fortify-

government-email-system-following-nsa-snooping-revelations.html

Embassy, U. S. (2012). Security Message: Election Security Precautions. Data retrieved from:

http://thejns.org/doi/abs/10.3171/jns.1974.41.3.0394

Hornung, M. S. (2005). Think before you type: A look at email privacy in the workplace.

Fordham J. Corp. & Fin. L., 11, 115. Data retrieved from:

http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1205&context=jcfl&sei-

redir=1&referer=http%3A%2F%2Fscholar.google.com.pk%2Fscholar%3Fq%3Demail

%2Bprivacy%26btnG%3D%26hl%3Den%26as_sdt%3D0%252C5#search=%22email

%20privacy%22

Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: an interdisciplinary

review. MIS quarterly, 35(4), 989-1016. Data retrieved from:

ftp://96.230.5.13/MotiShare/Luvai/Documents/Research/PrivacyValuation/ExtRsrch/SMI

TH,%20XU%20-%20INFORMATION%20PRIVACY%20RESEARCH%20AN

%20INTERDISCIPLINARY%20REVIEW%20MISQ.pdf