Skip to main content

Cybersecurity Strategy Advice for the Trump Administration: US-Mexico Relations

January 17, 2017


Stacia Lee

Feature Series

Cybersecurity and the Trump Administration Series

Regional Recommendations for U.S. Cybersecurity Policy in the World

Central Challenge

Because of proximity, Mexico’s cybersecurity challenges impact the United States. However, Mexico’s poor regulatory environment, lack of funding, and lack of coordination between different levels of government makes it unable to effectively tackle cybersecurity.


  1. Bolster local cybersecurity capacities and resilience by maintaining and promoting productive relationships between American ICT companies, Mexican ICT companies, and government agencies.
  2. Strengthen rule of law, an independent judiciary, human rights protections, and institutional capabilities to fight cybercrime through a reformed Merida Initiative.
  3. Continue to engage the Mexican Government directly using the Trilateral Cyber Experts Group.


Mexico is one of the United States’ most important partners. The two countries share a 2,000 mile-long border and bilateral relations have a significant impact on the well-being of individuals in each country.[1] In 2015, Mexico-US trade was valued at over $583 billion.[2] Similarly, the United States is Mexico’s largest investor, accounting for 50% of all foreign investment in the country,[3] and 22 American states count Mexico as the biggest destination for their exports.[4]  Additionally, the Mexico-US partnership is essential to combatting international crime, particularly relating to drug trafficking.[5] Mexico and the United States also share important cultural ties, as migration between the nations has fostered transnational connections for hundreds of years.

Although President Peña Nieto has stressed an interest to bolster cybersecurity in his 2014-2018 National Security Program, Mexico currently does not have a national cybersecurity strategy.[6] Instead, the majority of legislation relating to cybersecurity is found in ordinary laws meant to address fraud and consumer protection.[7] The government has also created cybercrime task forces to identify and prevent cybercrime,[8] but ultimately laws and agencies are ineffective due to Mexico’s poor regulatory quality, lack of funding, and lack of coordination between different levels of government.[9] Further complicating the legal landscape in Mexico is the influence of criminal organizations,[10] which often bypass the law to achieve their financial and political goals through violence. And, corruption plagues Mexican government institutions at every level.

As a result, Mexico is vulnerable to cyberattack. In 2014, over ten million individuals were affected by cybercrime that cost the country over $5 billion.[11] Cyberattacks have disproportionately impacted the growing financial sector[12] and the media, where journalists are attacked by criminal organizations and corrupt politicians who seek to censor their reporting.[13] Such attacks make the Mexican cyberspace less secure for ordinary citizens, threaten free speech, and ultimately cost businesses significant amounts of capital.

It is in the United States’ financial and political interests to help Mexico improve its cybersecurity capabilities and develop a strong national cybersecurity strategy. Cybersecurity challenges in Mexico cross its northern border and have profound effects in the United States. Cyberattacks on Mexican companies have financial ramifications for their American investors, owners, and negatively impact the Mexico-US trade relationship, preventing each country from realizing the great potential of their economic relationship.

With Mexico’s considerable influence in both North and South America, the United States needs Mexico now more than ever as a strong security partner to combat human trafficking, drug trafficking, and to promote democratic principles respectful of human rights in an increasingly autocratic global community. The proliferation of cybercrime throughout the country strains the government’s resources, and, thus, precludes the Mexico-US political partnership from the efficacy needed in today’s turbulent global political climate.

Recommendation 1: Promote Relationships Between American and Mexican ICT Companies and Government Agencies

The Microsoft-Mexico relationship epitomizes the type of private sector collaboration that is needed in Mexico. In 2014, Microsoft signed an agreement with the Mexican Interior Ministry to fight cybercrime and collaborate on investigations.[14] Through this agreement, Microsoft also helps to promote greater password protection and spread awareness about common electronic fraud schemes, thus, improving the ability of average citizens to protect themselves against common cyberthreats.[15]

While citizens may not always trust or listen to their government, they may listen to the security advice of their favorite companies. In essence, private sector dissemination of important cybersecurity practices increases the likelihood that average citizens will adhere to stronger protections on the Internet.

The United States should encourage other popular ICT companies such as Apple and Google to engage in similar awareness campaigns, which would increase cybersecurity capacity at an individual level, while the resource of large, multinational ICT companies could help the Mexican government implement best practices in combatting cybercrime. When Mexican citizens and their government better understand the types of threats they face online, they are able to reduce the costly effect of crime on their finances and politics.

Recommendation 2: Strengthen Capabilities to Fight Cybercrime Through a Reformed Merida Initiative

Cybersecurity problems often flourish in contexts where governments are struggling with a broader set of challenges — and this is the case for the Mexican government. Reform of the Merida Initiative would provide the Mexican government with resources to tackler larger systemic problems in ways that would have a positive impact on U.S. and Mexican cybersecurity outcomes as well.

The Merida Initiative was created by the United States government to combat drug trafficking, organized crime, money laundering, and strengthen rule of law and institutional capacity through funding, training, and equipment deliveries in Mexico.[16] Since 2008, the United States Congress has allocated over $2.5 billion to the Mexican government through the Merida Initiative,[17] although only $73 million (or 3%) has gone to improving Mexican regulatory quality. The rest of funds have gone to increasing the power of the Mexican military, which has historically suppressed social movements and impeded the free speech of activists who disagreed with the government.[18]

Further yet, many of the weapons provided to the Mexican government through the Merida Initiative have ended up in the hands of organized criminals,[19] and other sources suggest that Merida funding has not reduced the amount of drugs crossing the Mexico-US border.[20] Ultimately, American funding through the Merida Initiative has not been successful in greatly improving national regulatory quality, and may indirectly contribute to weak cybersecurity in the form of limiting individual freedoms of expression by empowering criminal organizations and the repressive capacity of the state.

In order to strengthen its national resilience, the Mexican government needs to enhance and protect the rights of its citizens on the Internet, not contribute to an environment where cybercrime is rampant and organized criminals have the power to censor the media. Mexico can achieve this result by strengthening its judiciary and its power to prosecute and hold criminals accountable, and increasing coordination between local, regional, and national officials. In an enhanced regulatory environment, the Mexican government can take a tough stance on cybercrime and organized crime, thereby reducing their threats to society.

The United States government can aid this process by reforming funding through the Merida Initiative. Instead of spending millions on weaponry that has yielded limited results combating drug trafficking and organized crime, the United States could fund training for Mexican judges, police officers, and other government officials, including partnerships between American and Mexican officials in similar professions. Such work could help to tackle the corruption that is endemic to every level of Mexican government. A reformed Merida Initiative has the potential to enhance the Mexican government’s regulatory power in an impactful way that fundamentally respects principles of democracy and human rights, and successfully limits the spread of cybercrime and censorship throughout the country.

Recommendation 3: Continue to Engage the Mexican Government Directly Using the Trilateral Cyber Experts Group 

Building and expanding ICT partnerships and reforming the Merida Initiative are both important steps that will ameliorate the Mexican cybersecurity environment. However, each initiative will take quite some time to affect change. In the meantime, the United States government must engage directly with the Mexican government through the existing Trilateral Cyber Experts Group, which contains the United States, Mexico, and Canada.[21] The use of the Trilateral Cyber Experts Group will enable working directly with the Mexican government through a dialogue group that engages its leadership in a manner that encourages direct policy change and helps the government to think critically about the importance of developing a long-term cybersecurity strategy.

At the 2016 North American Leaders Summit, the United States pledged to cooperate with the other members of the Trilateral Cyber Experts Group, plan summits on infrastructure protection, and promote greater regional cybersecurity awareness.[22] However, the United States can and must do more to promote greater Mexican cybersecurity resilience by expanding the scope of the Trilateral Cyber Experts Group to include joint CERT exercises and a pledge to share information relating to cyberattacks. When the United States, Mexico, and Canada work together to grow their interoperability, the Northern Hemisphere will become fundamentally better defended. Furthermore, joint exercises between national CERTs and information sharing will deepen the Mexico-US relationship, leaving room for the United States to influence cybersecurity policy in Mexico, and perhaps encourage greater governmental cybersecurity planning.


[1]U.S. Relations with Mexico.” United States Department of State, July 12, 2016.

[2] “Mexico.” United States Trade Representative, 2016.

[3]U.S.-Mexico: Trade and Investment at a Glance.” United States Department of State, 2010.

[4] Ibid.

[5] Beittel, June S. “Mexico: Organized Crime and Drug Trafficking Organizations.” Congressional Research Service. United States Congress, 2015. 

[6] “Country Report: Mexico.” Business Software Alliance, n.d. 

[7] Ibid.

[8] Ibid.

[9] “Doing Business 2016.” The World Bank, October 27, 2015.

[10] “Mexico: Organized Crime and Drug Trafficking Organizations.”

[11] “Global Comparisons.” Norton Cybersecurity Insights Report. Norton, 2015.

[12] “Cyber Threats to the Mexican Financial Sector.” ControlRisks, n.d.

[13] “Mexico Country Profile.” Freedom on the Net 2016. Freedom House, n.d. 

[14] “Cybersecurity Latin American Market Report.” Cybersecurity Ventures, October 9, 2015. 

[15] Ibid.

[16] Ribando Seelke, Clare, and Kristin Finklea. “U.S.-Mexican Security Cooperation: The Mérida Initiative and Beyond.” United States Congress: Congressional Research Service, February 22, 2016.

[17] “Merida Initiative.” Diplomacy in Action. United States Department of State, n.d. 

[18] “FACT SHEET: The Mérida Initiative/Plan Mexico.” Witness for Peace, n.d. 

[19] Ibid.

[20] “Why Is the US Still Spending Billions to Fund Mexico’s Corrupt Drug War?” The Nation. Accessed December 13, 2016. 

[21] “FACT SHEET: United States Key Deliverables for the 2016 North American Leaders’ Summit.”, June 29, 2016. 

[22] Ibid.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.