Mexico’s Cyber Crucible
The World Cup isn’t just about goals and glory. For Mexico, it’s the moment its National Cybersecurity Plan either proves it’s more than a PowerPoint deck — or collapses under the weight of its own ambition. There’s no dress rehearsal. No dry run. Just 104 matches across three cities, millions of digital interactions, and a threat landscape that’s been quietly sharpening its knives for months. If a ransomware attack shuts down ticketing systems during the opening ceremony, or if disinformation floods social feeds with fake match results, the public won’t care about your five-year roadmap. They’ll ask: why didn’t you stop this?
I’ve watched this play out before. Not in Mexico, but in Brazil during the 2014 World Cup. Back then, the government had a plan — shiny, well-funded, full of acronyms. But when the first phishing campaign hit, it was the IT guy at the local stadium concession stand who patched the hole with a USB stick and a prayer. That’s the reality: national plans don’t protect systems. People do. And Mexico’s plan? It’s still missing the people.
The Plan That Isn’t There
The National Cybersecurity Plan (2025–2030) sounds impressive on paper. It was signed in December, launched with fanfare, and has a fancy logo. But look closer. There’s no law behind it. No legal teeth. Just guidelines. The Agencia de Transformación Digital y Telecomunicaciones (ATDT) drafted it, sure — but Congress? They’ve been silent. Seven proposals have floated through the legislature since 2021. None passed. Not one. So what happens when a foreign actor breaches a federal database? Who gets fined? Who’s accountable? The answer is: nobody. Because there’s no law to enforce.
And that’s not an oversight. It’s a choice. Every time a legislator says "we need more study," they’re choosing delay over defense. Meanwhile, attackers aren’t studying. They’re deploying. According to Recorded Future, Mexican organizations now face nearly 3,150 cyberattacks per week — up 13% year-over-year. That’s not noise. That’s a siege.
Kukulkán: Tactical Fire, Strategic Void
The government’s response? The Kukulkán Plan. A name that nods to the feathered serpent god of the Maya — a clever touch, really. It’s the tactical shield: joint operations with the U.S. and Canada, real-time threat intel sharing, hardened perimeter defenses around stadiums, and special cyber units embedded in security forces.
It’s good. Really good. But it’s a bandage. It doesn’t fix the wound.
Kukulkán covers the tournament. It doesn’t touch the supply chains. It doesn’t secure the ticketing vendors who use outdated Windows XP systems. It doesn’t force cloud providers to publish Software Bills of Materials (SBOMs) so we know what’s actually in the software running our infrastructure. And it absolutely doesn’t address the 92% of Mexican businesses that are SMEs — the small shops, the local clinics, the family-run logistics firms — all of them connected to the same networks as the government, all of them unprepared, all of them potential backdoors.
I spoke to a systems admin in Monterrey last week. His company handles payroll for 200 local vendors. They use a third-party SaaS tool — no idea what’s underneath it. No audits. No compliance checks. Just a login and a prayer. That’s not negligence. That’s the norm.
The Silent Gaps: OT, SMEs, and the Supply Chain
Here’s the truth no one wants to say: Mexico doesn’t have a cybersecurity problem. It has a digital infrastructure problem.
The National Plan mentions "interdependencies" — a bureaucratic way of saying "we don’t know what’s connected to what." But it doesn’t mandate SBOMs. Doesn’t require vendors to prove their code is clean. Doesn’t even ask for basic patching schedules. And for operational technology (OT)? The systems that run water pumps, traffic lights, and stadium lighting? Those are treated like relics. Forgotten. Unmonitored. A hacker doesn’t need to breach the Ministry of Finance to shut down a city. They just need to find a forgotten PLC in a maintenance closet.
And SMEs? They’re the backbone of Mexico’s economy. They employ 70% of the workforce. But the Plan gives them a pamphlet. Not a playbook. Not training. Not funding. Just a link to a government portal that hasn’t been updated since 2022.
I’ve seen this before. In 2017, when the U.S. government rolled out its own cybersecurity framework, it included a $100 million grant program for small businesses. Mexico? Zero. Nada. No funding. No outreach. Just silence.
The Legal Void
Let’s be blunt: Mexico has no cybersecurity law.
Not one.
Not even a draft that’s close to passage. The closest thing is a 2018 proposal that died in committee. Since then, we’ve had seven more. All stalled. All vague. All silent on liability, data breach reporting, or international cooperation.
Compare that to Chile, which passed a comprehensive cyber law in 2023. Or Colombia, which now requires all public institutions to report breaches within 72 hours. Mexico? You report a breach, and they’ll send you a PDF.
This isn’t about capacity. It’s about political will. The same politicians who tweet about digital sovereignty won’t vote for a law that might cost them campaign donations from telecom lobbies. So the plan remains a wish list. And the threat actors? They’re reading it too.
The Regional Tide
This isn’t just Mexico’s problem. It’s Latin America’s.
From Argentina to Peru, cyberattacks are climbing. In May 2026, the region saw an average of 3,150 attacks per organization per week. That’s not a spike. It’s a baseline. And Mexico? It’s right in the middle.
We’ve seen AI-driven phishing campaigns targeting government emails. We’ve seen recycled data leaks — the same 12 million records re-published under new headlines every month. And yes, there was that attack on nine federal agencies last month. The one that failed? Good. But why did it fail? Not because we were ready. Because the attackers botched the payload.
The regional threat is real. But the regional response? Still a whisper.
A Test Beyond the Final Whistle
The World Cup ends in July. The headlines fade by August. But the damage? That lingers.
If Mexico survives this test, it won’t be because of Kukulkán. It’ll be because someone, somewhere, in a small office in Guadalajara, noticed a weird login attempt and changed a password before it was too late.
That’s the real cybersecurity plan.
Not the one on the website.
Not the one in the press release.
The one that lives in the hands of the people who show up every day — and still don’t know they’re the front line.
We don’t need more plans.
We need more people who know they matter.
And right now? Mexico’s still waiting for them to show up.