The CNCS coordinator assured this Thursday, March 19, that the entity “never stated” that the April 28 blackout did not originate from a cyber attack, refusing the existence of any evidence and defending the containment of disinformation during the initial response.
In the Environment and Energy Committee, in the Assembly of the Republic, José Lino Alves dos Santos, stressed that the position of the National Cyber Security Center (CNCS) was always based on the absence of evidence and not on a categorical exclusion of scenarios, stating that the entity “never stated that it was not a cyber attack”.
The person responsible explained that, faced with an atypical event and without clear signs in the first hours, the priority was to cross-check information with operators, international partners and industry, with no technical signs, claims or preparatory activity that pointed to a malicious origin being identified.
“The main focus was to understand the origin of the problem”, he said, highlighting that, Despite media pressure and the circulation of rumors about a possible cyber attack, “there is no evidence” to support this hypothesis.
The CNCS coordinator highlighted misinformation as one of the main threats during the incident, citing the circulation of alleged fake news from CNN that attributed the blackout to a cyber attack and that generated “a lot of confusion” and massive contacts with the center.
In this way, the institutional response went through a double circuit of communication: first with technical communities and critical operators and, only later, with the media.
“We needed a strong degree of certainty to speak out”, he stated, implicitly admitting the tension between speed and rigor in a context of crisis.
José Lino Alves dos Santos also detailed that the CNCS activated international cooperation mechanisms, including European incident response networks, and maintained direct contacts with counterparts in Spain and France, and none of these entities reported signs of a coordinated attack.
Furthermore, Analysis of open sources and channels commonly used by cybercriminal groups revealed no preparatory signs or claims associated with the incident, reinforcing the preliminary conclusion.
The day after the blackout, the official revealed that low-impact attacks had occurred against Public Administration and Government websites, claimed by an activist group that sought to “take advantage of the ‘hype’”.
At the structural level, the coordinator admitted difficulties in fulfilling notification obligations, as only “half a dozen” entities reported incidents on the same day, leading the CNCS to subsequently notify around 395 organizations, with 174 recognizing qualifying occurrences.
The episode exposed, according to the person responsible, persistent challenges in the maturity of the system, in a context in which the increase in “digital density” expands the attack surface and makes uniform protection difficult.
Asked about the disclosure policy, José Lino Alves dos Santos defended a selective approach, based on the “need to know” principle, favoring communications directed at affected entities to the detriment of generalized alerts.
“There are vulnerabilities that it doesn’t make sense to disclose publicly if only two or three companies are affected”, he explained.
Leave a Reply