Recent years have witnessed a series of increasingly audacious and unprecedented cyber attacks, leading up to the recent accusations of Russian hacking throughout last year’s U.S. presidential election season.
In the Middle East, the Gulf region has also experienced its fair share of the threat from cyberspace. In fact, proportional to its population and attack surface, the Gulf faces more cyber attacks than any other region in the world.
The Middle East’s rising cyber problem
Gulf states are dealing with a cybersecurity landscape that is among the most challenging in the world. Cyber attacks in the region increased by 15 percent in the first quarter of 2016 in comparison to the previous year. Five percent of all global cyber attacks are targeted against the United Arab Emirates alone, a country home to only 0.13 percent of the world’s population.
The primary targets of cyber attacks in the Gulf are financial centers—particularly Dubai’s financial district—followed by oil and gas infrastructure. In addition, rising digitization in services, transport, infrastructure and communications is increasing cybersecurity challenges. The largest bank in the Middle East, the Qatar National Bank, was recently hacked, leading to significant data damage and financial loss.
In 2012, Saudi Arabia’s state-owned company Aramco was subjected to a massive hack that destroyed 35,000 computers. A few months later, Qatar’s RasGas company was attacked with the same virus, leading to significant damage to its servers. In December 2016, Saudi Arabia was again significantly attacked. Hackers used the same Shamoon virus that was used against Aramco in 2012. This attack overwrote all files on infected hard drives with the infamous image of drowned Syrian toddler Aylan Kurdi and then took over the boot record to prevent the computers from being turned on again. The brunt of the attack was against the Saudi General Authority of Civil Aviation, but other companies in the energy, manufacturing, and transportation sectors were also harmed by the attack.
According to a recent PricewaterhouseCoopers report, the region’s dramatic strides toward digitization—expected to add over $800 billion to GDP and over 4 million jobs by 2020—are making the Gulf a major target for fast-evolving cyber threats.
So how do the Gulf region and wider Islamic world address a challenge that in nature and scale is unprecedented?
That was an issue the Organization of Islamic Cooperation (OIC) focused on at its annual cybersecurity conference last month. There, several possible responses to cybersecurity challenges across the Gulf region and wider Islamic world were discussed.
Deterrents and the criminal justice system
Some proposed responses focused on using deterrents and the criminal justice system. The use of deterrents requires the cost of a cyber attack to outweigh the benefits. This can be either the cost of starting an attack or of being caught.
However, to be effective, this approach must overcome many jurisdictional issues. There was an attempt to overcome this through the Convention on Cybersecurity, colloquially known as the Budapest Convention, with the hope of mitigating the threat of cybercrime. However, no Gulf nation has signed the Convention. Therefore, they do not have harmonized cybersecurity laws, and there is no obligation on foreign nations to deport suspects to the Middle East.
The other glaring issue with the criminal justice system is that cyber crime can be very difficult to attribute. The most common known attack vector is SQL injection, which manipulates unsecured code to inject malicious statements into data-driven applications. These injections can be very difficult to trace, and therefore nations are often at a loss as to who is behind the attack. Other attack vectors, such as DDoS attacks, use hundreds of IP addresses to mask the addresses belonging to the attackers. All of this makes it very difficult to determine whom to prosecute.
Harmonizing laws across legal jurisdictions
There have been attempts to build a common cybersecurity framework in the Gulf region, though this is complicated by different legal systems and “free zones” that have distinct legal structures. Nevertheless, progress is still being made in collaboration with Western cyber and defense experts.
Cross-border cooperation and common cybersecurity structures could prove to be a game-changing advantage in the fight against cybercrime.
In this area, the Organization of Islamic Cooperation has been working extensively during the past few years to establish a collective Computer Emergency Response Team (CERT) network—a team of different national IT experts who assist in cybersecurity emergencies—in the Islamic world. Since 2006, there have been annual meetings in member states to meet with OIC-CERTs, national CERTs, and commercial CERTs. The OIC-CERTs are also partnered with Africa-CERT and Asia Pacific-CERT.
This initiative allows the OIC to easily tap into its 57 member states’ human talent.
The elephant in the room, however, is the issue of state-sponsored hacking, in which case harmonized laws are unlikely to make a difference. Ultimately, a UN agreement on state-sponsored hacking will likely be needed, and without majority international support, such attacks will only escalate.
Balancing privacy and security
As the drive towards digitization continues, how the region balances its privacy laws and its security priorities will be another critical detail in setting the tone for the fight against cyber threats. Increasing digitization makes potential damage from cyber attacks significantly more dangerous.
Kaspersky Lab recently warned that the region’s heavy dependence on oil and gas—as well as the oil and gas-powered desalination plants that provide much of the region’s fresh water—is a source of cyber vulnerability. Any cyber attack on these installations could prove catastrophic and might result in a humanitarian disaster.
One successful method to maintain this balance has been the adoption of data protection laws in Dubai’s International Financial Center. These laws have required the same level of encryption and security as data protection laws in the UK and EU. Similar laws in other Gulf nations will be a major step forward in data protection.
Building a common cybersecurity program
Middle Eastern governments and the private sector have launched a series of measures to tackle cyber threats, including prevention techniques, cyber education, and emergency response. The cyber market in the region is expected to be worth $10 billion by 2019, while the private sector alone spends $1 billion on cyber security annually.
In recent years, there have been more conferences and events bringing together industry experts, aimed at establishing a robust cyber security program that can face a wide array of cyber threats. One took place at the OIC-CERT conference last month with participation by experts from over 20 countries and six continents and included prominent cybersecurity firms like BAE Systems and FireEye.
Public education to enhance cybersecurity
Cyber education is one area where the Gulf has taken a lead. In a 2016 survey, it was revealed that two-thirds of 18- to 26-year-olds globally have never been taught about cybersecurity, while in the Gulf region, the number reaches around 40 percent. Moreover, only 16 percent of Gulf students have never attended a cybersecurity class, while the global number is 45 percent.
In 2013, the UAE introduced cybersecurity curricula for primary schools aimed at educating people against cyber threats and building a solid prevention scheme from the bottom up. Similar awareness programs are also being rolled out in other Gulf countries.
Such developments could prove to be effective in the long term, since strong preventative controls are far more successful than reactive measures.