Backlogs in the global intermodal supply may precipitate a return to North America of over 40 years of outsourced manufacturing.  So too, for reasons of national security and regional competitive advantage, global IT supply chain disruptions (ransomware, semiconductor shortages) necessitate business leaders and policymakers to take a fresh look at the Information Communications Technology (ICT) and Cybersecurity Strategy for North America.  Did NAFTA even have a robust ICT commitment? How do business leaders and policymakers do a post-mortem on NAFTA, from an ICT perspective, to assess lessons learned and formulate forward-thinking strategies and innovative ICT-based trade initiatives? What is the broad ICT regulatory environment like in North America?

More importantly, do the Central America Free Trade Agreement (CAFTA) or the United States-Mexico-Canada Agreement (USMCA) have a robust ICT strategy, with specific partner country agreements and commitments?  What are the ICT innovation and investment climates in Mexico and Canada?  Is ICT investment part of the solution for the creation of regional economic development initiatives in partnership with the Northern Triangle countries in Central America, to assuage the waves of refugees heading to the U.S. due to climate migration and asylum-seeking status based on gang violence?

Policymakers need to keep front of mind that refugees are just that:  refugees are in a forced migration pattern, as most people do now want to leave their country of origin if they had the choice. Mothers and fathers do not want to send a child alone on a dangerous journey North in the nefarious hands of “Coyotes” (human smugglers).  How does the U.S. create incentive systems to stay home and work opportunities based on ICT innovation in these countries?  Where are Panama and Costa Rica in this mix of concerns?

The ICT Landscape In Mexico

Much to consider.  What is clear is that ICT and Cybersecurity “trade” agreements need to be as robust as any of the traditional trade agreements to date and, arguably, need to take center stage in all multilateral policy interactions in the hemisphere in the next few years.  Ryan C. Berg is a senior fellow in the Americas Program and head of the Future of Venezuela Initiative at the Center for Strategic and International Studies (CSIS).  His recent report, “The Development of the ICT Landscape in Mexico: Cybersecurity and Opportunities for Investment“, is a place to start in sorting out the ICT terrain in North America writ large.

The report is organized into three sections:

Competitive North America assesses how to improve technological innovation, expand internet access, and promote competition.

Secure North America highlights how to improve cybersecurity within the region as digitalization increases.

Competitive North America focuses on the regulation of supply chains, innovation, and technology.

Berg provides the following context in the introduction to the report:

• Mexico’s information and communications technology (ICT) sector has witnessed increased competition and investment since 2013’s landmark regulatory reform, which created the Federal Institute of Telecommunications (IFT). However, to an extent under President Enrique Peña Nieto and especially since President Andrés Manuel López Obrador was inaugurated in 2018, the direction of the ICT sector has become heavily contested.
• The Mexican government has failed to create a national digital strategy or a clear roadmap for ICT public policy while at the same time constraining the IFT’s regulatory agenda. This paper examines the current state of Mexico’s ICT sector.
• Free trade agreements such as the North American Free Trade Agreement (NAFTA) and its successor, the United States-Mexico-Canada Agreement (USMCA), have contributed to Mexico’s economic success and helped it become the United States’ second-largest trade partner.
• However, the Covid-19 pandemic has drastically slowed Mexico’s economic growth while also catalyzing the country’s transition to a more digital world, economy, and workplace. This has elevated concerns over new ICT rollout and regulation. With several extra-hemispheric telecommunications suppliers increasingly eager to enter the Latin American market, strengthening supply chains and economic ties within the Western Hemisphere has become even more crucial.
• One key obstacle to better regulation is the current López Obrador administration, which has actively pursued a strategy of weakening non-executive regulatory agencies, including the IFT. Besides implementing budget cuts to these agencies, President López Obrador has not replaced IFT commissioners who leave or retire. The Mexican Senate has little power to remedy the issue, as they
  only can approve candidates presented by the president, who has yet to submit any replacements for these positions.
• Mexico’s ICT future depends on growth in several key areas: physical capital, human capital, and technological innovation. The first, physical capital, involves addressing the critical issue of connecting people to the internet. There were 92.01 million internet users in Mexico in January 2021 (71 percent of the population) but millions more remain without affordable or stable internet access.  Second is human capital, which includes training workers in cybersecurity and promoting a broader digital mindset within companies. Third, to compete in an ever-more digital economy, Mexico needs technological innovation to grow and scale initiatives in cloud computing and data, especially in academia and the private sector. Future policies and strategies for Mexican ICT regulation must be data-driven if they are to bring about a more competitive North America.

Security and Cybersecurity: The Current State and Opportunities in Mexico

Following are some of the takeaways from Section Two, Secure North America, of the report:

• Even as the sector becomes more competitive, Mexico’s cybersecurity infrastructure and practices are simply not modern enough to ensure it is robust and secure.
• As it stands, Mexico’s domestic criminal organizations and cartels are taking advantage of the inadequate cybersecurity infrastructure to further their illicit operations, simultaneously facilitating the entrance of foreign hackers into the Mexican ICT industry.  Recently the perpetrators of a high-profile ATM hack were subsequently linked to both Venezuelan criminal enterprises and the Romanian mafia.
• Creating a strong ICT sector with well-developed cybersecurity infrastructure will not only benefit Mexico and its citizens, but it could also prove to be a crucial component of the relationship between the United States and Mexico and of North America’s wellbeing and security.
• In the first quarter of 2020, the country suffered an estimated 800 million attempted cyberattacks, making it the fourth-largest cybercrime target in the Western Hemisphere, after the United States, Canada, and Brazil. Meanwhile, the cost of cybercrime and cyber fraud to the Mexican economy has been reported to be as high as $7.7 billion a year.
• Integrated electrical grids, which are expanding across the U.S.- Mexico border, are especially vulnerable targets.
• election tampering by hostile actors using digital methods has been reported throughout North America. As cyberspace grows in importance as an area for geopolitical competition, regional dialogues and coordinated policy will become essential for Mexico to protect its critical infrastructure.
• Mexico adopted a National Cybersecurity Strategy in 2017 Based on the principles of human rights, risk management, and multidisciplinary cooperation.  However, this framework has been criticized for its failure to suggest actionable steps for centralizing the government’s response to cyber threats.
• Mexico currently has no dedicated cybersecurity agency like the U.S.Cybersecurity and Infrastructure Security Agency (CISA).

For business leaders strategizing cybersecurity through a “North America First” prism due to supply chain disruptions, Berg offers this vital assessment:

“Insecurity in the digital realm will pose an increasingly difficult challenge for Mexican ICT companies, especially when it comes to obtaining foreign partnerships. Outside investors will be reluctant to consider Mexico a reliable partner if companies remain vulnerable to hacks. The same can be said for government actors, who will be reluctant to share secrets or potentially compromising information with their Mexican
counterparts unless they adopt stricter cybersecurity measures. Creating a strong ICT sector with well-developed cybersecurity infrastructure is therefore vital to the bilateral relationship between the United States and Mexico, as well as broader North American interests in securing critical infrastructure.”

From the Report – Current Cybersecurity Trends

1. USMCA’s Digital Trade Chapter – The USMCA is one of the most forward-thinking multilateral trade agreements in terms of ICT provisions. Most notably, the agreement contains a chapter specifically pertaining to the digital economy, including how to encourage safe digital trade between the member countries. This chapter introduced provisions for digital intellectual-property protection, as well as bans on customs duties for digital goods. Crucially, the agreement took a firm stance against data localization, a form of digital protectionism that requires foreign companies to store data collected from a country within physical infrastructure inside that country. These provisions help lay the groundwork for combating financial crimes and upholding copyright protections in cyberspace.

2. U.S.-Mexico Cybersecurity Cooperation – Increased security cooperation between the United States and Mexico can be mutually beneficial to common and North America-wide cybersecurity infrastructure and practices. This is already a priority in the U.S. defense establishment, which has increasingly focused on cybersecurity as a major national-security priority. The Department of Defense (DOD) has also made developing Mexico’s cybersecurity capacity a strategic priority, working with the Mexican Ministries of National Defense (SEDENA) and the Navy (SEMAR).

3 – Fiscal Austerity and Digital Transformation – While USMCA and certain defense-sector developments look promising for the development of a budding U.S.-Mexico cybersecurity paradigm, the Mexican government has largely deprioritized the issue in policymaking. President López Obrador’s commitment to fiscal austerity is hampering investment flows into necessary cybersecurity infrastructure and tools for technological transformation.

4. The Data-Privacy and Cybersecurity Gap  – Mexico’s efforts to legislate new digital protections have also struggled to balance individual rights and security interests. Indeed, the Peña Nieto administration was criticized for its use of spyware to monitor journalists, civil society members, and opposition leaders. In an attempt to increase data security against cyber threats, Mexico passed an amendment to the Federal Telecommunications and Broadcasting Law in April 2021. This amendment ordered telecommunications carriers, such as América Móvil and AT&T, to collect customers’ biometric, fingerprint, and personal data and file it with the IFT, effectively creating a national registry of mobile telephone users. While the bill was intended to curb kidnapping and telephone extortion, it has been criticized for violating the privacy rights of Mexican citizens; this led the bill to be passed narrowly, with 54 votes in favor, 49 against, and 10 abstentions.

5. Lack of a Digital Mindset – Mexico’s struggle to educate citizens on cyber threats speaks to a deeper challenge in convincing Mexican companies—particularly small and medium-sized enterprises (SMEs)—to adopt a fully digital mindset. Put differently, Mexican private-sector companies by and large continue to view ICT as only one aspect of their work, rather than a vehicle for transforming workforce dynamics. Without this digital mindset, a large percentage of Mexican SMEs continue to neglect cybersecurity.

Opportunities for Cyber Innovation and Policy Recommendations 

Cyber innovation opportunities itemized by the report include: Expansion of digital training and cybersecurity education; Partnerships with academia should be reestablished to bring in a wider array of expertise; The continued advancement of the Program for the Development of the Software Industry (PROSOFT), an initiative which promotes the creation of industrial innovation centers that provide training, develop human capital and encourage the adoption of new technologies for digital security; and developing ICT supply chains and relevant frameworks from the International Standards Organization (ISO).  For instance, ISO 28000 and 28001 outlines the critical requirements for supply-chain security and how to fully implement these protections. Meanwhile, ISO/IEC 16085 describes how to safely manage the life cycle of software given that aging systems present increased security risks.

Of course, further questions stateside abound.  Based on our recent analysis of cybersecurity efforts at the U.S. NIST, how best do these ISO-based standards recommended by Berg align with the NIST Cybersecurity Framework?  Does it behoove the NIST to work with the State Department to make the Framework a treaty-bound international cybersecurity standard? How much is NIST coordinating with the State Department in the creation of their Bureau of Cyberspace Security and Emerging Technologies (CSET)?  How can multilateral talks be used to synthesize these regulatory and standardization efforts in the U.S., Canada, and Mexico into a regional standard that reduces regulatory friction and enhances the landscape for scalable, efficient, cross-border ICT and Cyber innovation?

On the economic policy front to enhance regional economic advantage, Berg suggests that “Mexico could offer targeted assistance to small and mid-sized ICT companies as it begins its slow economic recovery from the Covid-19 pandemic. Although such measures will be difficult given President López Obrador’s penchant for fiscal austerity, the digital sector is likely to lead the way in post-pandemic growth, meaning early support can serve as an impetus for future investment.”

In his concluding statements, Berg confirms that ICT will have to be center stage and strategic in nature in order to spawn a climate for innovation: “Mexico should recognize that sound digital policy cannot be achieved with an atomized approach. It requires far-reaching cooperation with allies, private entities, various government agencies, and more. It is therefore essential for Mexico to adopt a more strategic outlook to capitalize on its progress in the ICT realm.”

Mexico’s counterparts North of the Border, as far up as Ottawa and due Northeast in Washington D.C., will have to make the same realization.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast