In August 2020, the US and Mexico established a working group and conducted a first-of-its-kind dialogue regarding mutual cybersecurity concerns. While the two countries have been partnering to counter illicit drug trafficking for decades, only recently has real progress been made related to cybersecurity, as described in the State Department's recent joint statement. Given the evolving threat landscape in recent years, it is remarkable it has taken so long for this partnership to mature. What may be quicker to evolve is the private sector's reaction to this new partnership as cybersecurity service providers recognize this bilateral cooperation as a lucrative commercial opportunity.
Reliance on Cross-Border Critical Infrastructure
Perhaps the most significant strategic focus of this collaboration is the commitment to strengthening coordination and response to cyber incidents affecting critical infrastructures. Mexico and the US share interdependent economies, as well as the risk of closely related critical infrastructure. Mexico consistently ranks among the top trade partners for the US and in 2021 supplied 8% of US oil (by comparison, Saudi Arabia provided 5%), according to the US Energy Information Administration. US dependency on Mexican oil would thus, naturally, justify the protection and security of that resource as a US national security interest.
Similar to the US's own Colonial Pipeline compromise in 2021, Pemex (Mexico's state-owned petroleum company) experienced a ransom event in 2019. Fortunately, the Pemex incident did not result in the same disruption to services as the Colonial matter did. Pemex's incident does highlight that Mexico's infrastructure is a target and that it is also vulnerable. Though the Pemex incident did not make significant waves for the US, a more significant incident could cause far greater economic consequences for Mexico and the US alike.
Benefits of Closing Vulnerabilities as Trade Partners
As one of the US's premier trade partners and boundary sharing geographic neighbors, what is bad for Mexico is bad for the US. Be it in telecom, the financial sector, or any aspect of critical infrastructure and key resources, a disruption in Mexico would likely cross over and impact the US. One of the most effective and self-beneficial ways for the US to protect against this is to invest in Mexico's cybersecurity capabilities. In many cases, nation-state offensive operations view Mexico as a less secure technological gateway into targeting the US. The relatively weak cybersecurity posture in Mexico enables criminals to either exploit entities there or use compromised systems as proxies to target US entities.
Mexico is also seeing an increase in overseas factories relocating and setting up production within its borders. The Chinese in particular view this as a strategic advantage as it reduces their overall cost in shipping expenses as well as export tariffs. Chinese investment in this way will undoubtedly require additional bandwidth, expansion of IT related infrastructure, and efficient connectivity back to China. Aside from its implications to US national security, Mexico's cybersecurity capabilities and related infrastructure will need to mature to keep pace with this industrial and economic development.
With growing, increasingly complex internal cyber demands, Mexico is likely incapable of meeting these needs on its own and would benefit from able and experienced partners. US investment, both from the government and private sector, in Mexico is more a matter of investing in US interests, yielding benefits both economically and security-wise.
The US would be served well if it benchmarked the mission and vision of the Cybersecurity and Infrastructure Security Agency (CISA) and invested in Mexico's ability to "understand, manage, and reduce risk" to Mexico’s cyber and physical infrastructure. The near-term security priorities investment should be maturing capability delivery, vulnerability management, and cyber-defense education, and training.
Additionally, forward-thinking cybersecurity vendors will undoubtedly see this opportunity as a chance to capitalize on private sector demand, and possibly government contracts as well. It should come as no surprise if the industry sees a flurry of activity around establishing capabilities and resources to serve the market in Mexico. And by treating Mexico's cybersecurity posture as important as countering illicit drugs, the US will enhance its own security in the long run.