Cairo – Decypha: As governments, companies and individuals continue to rely more on devices that receive and transmit data digitally, finding ways to protect this transmitted data from unwanted viewing and tampering is vital. This is especially important, given that initiatives such as Smart Dubai aim to make the emirate a “smart city” where all of its facilities are controlled by computers communicating with each other, mostly using the internet.
Reaching sufficient security levels will require a lot of work because the GCC has the highest growth rate in cyber crime in the world, according to the 2016/17 Kroll Annual Global Fraud and Risk Report. “The GCC region is witnessing some very sophisticated cyber-attacks,” said Ron Moultrie, Chairman of C5, an investment firm investing in cyber security, to Zwaya in March. To combat this threat, GCC members need to start sharing relevant information among each other. “If we cooperate we will be able to protect all sectors,” said Saleh Almotairi, director general of the Saudi National Cyber Security Center to The National late February.
GCC’s Cyber-threat Overview
The GCC, with its fast-paced economic development, is an increasingly attractive target for cyber criminals looking to make money. Worryingly, companies are not giving cyber-security enough attention or resources given the scale of the risk. “It’s the last thing to think about.” said Khalid Al Razooqi, Dubai Police Director General of Smart Services, to The National in May. Accordingly, 71% of GCC-based firms are either maintaining or decreasing their cyber security budgets in 2017 compared to 2016, according to the 2016 GBM Annual Security Survey.
Meanwhile, around 40% of GCC-based organizations said they don’t have a dedicated department to monitor cyber attacks, identify risks and monitor compliance of employees. Around 50% don’t conduct third party assessments of their cyber security systems, according to the GBM survey. On the other hand, 70% of those who have dedicated cyber security operations rely on in-house resources instead of specialized firms. Of them, 85% are saying they will unlikely us such firms in the coming year.
As a result, 49% of executives say that their organizations can’t predict a cyber attack, according to the GBM survey. As a result, GCC cyber security statistics are all worse than global averages, according to the most recent Cisco Annual Security Report. For example, only 75% of GCC-based firms hiring over 1000 employees have a dedicated department to tackle cyber risk, which is significantly lower than the global average of 92%. Meanwhile, 56% of GCC-based companies lost more than $500,000 due to cyber attacks compared to the global average of 33%, according to a 2016 PwC survey.
Combating these cyber attacks, the GCC is estimated to have spent around $340 million in 2012, as reported by Khaleej Times in March 2016. This spending is forecast to reach $1 billion in 2018, as reported by Cyber Defense Magazine in May. There are no official stats on how much cyber crimes cost the GCC nor are protection budgets officially disclosed.
Saudi Arabia: The Biggest Target
In the Middle East, Saudi Arabia is the most targeted country when it comes to cyber attacks, according to the 2017 Internet Security Threat Report produced by Symantec Corp. The first publicized attack was the Shamoon virus, which completely wiped data from at least 30,000 computers at Aramco in 2012. At the time, it was called “the most destructive,” attack on a private business by Former US Defense Secretary, Leon Panetta. “There is no way you can prevent the attack,” said Almotairi to The National in February 2017 referring to the 2012 attack. The cost of damages was not disclosed because Aramco is a privately-held firm.
The Shamoon virus reappeared between November 2016 and January 2017, infecting at least 22 Saudi organizations including the labor ministry and civil aviation agency, according to news reports. And just like in 2012, the financial and data cost of the hack was not disclosed. “We cannot definitely determine the financial costs of such breaches yet as it depends on each institution's platform. Websites which sell and buy will obviously be affected the most,” said Abdulrahman al-Friah, General Manager of Saudi Arabia Computer Emergency Response Team (CERT-CA) to Zawya in March.
CERT-SA was created in 2009 as a not-for-profit center that combats cyber attacks. It also organizes training and awareness programs. Meanwhile, the Saudi National Cyber Security Center, under the Ministry of Communication and Information Technology, protects the Saudi government from cyber attacks as well as set national policies and defense strategies. The country also has an Anti-Cyber Crime Law (Royal Decree No. M/17) which came to light in March 2007.
UAE: Where the Money is
The UAE is the second most targeted company in the MIddle East, according to the Symantec report. Last year, 5% of world’s cyber attacks were directed at the UAE, according to the country’s Minister of State for Foreign Affairs, Anwar Din Mohammed Gargash, who was speaking at the International Conference for the Criminalisation of Cyber Terrorism (ICCCT) in Abu Dhabi. The reasons behind these attacks are the UAE’s “thriving economy and important logistical infrastructure,” said Gargash.
In 2016, the UAE was hit by three major attacks. The first was in May when malicious software targeted ATMs nationwide, putting them out of service. In June 2016, Operation-Ghoul breached computers of several engineering, industrial and shipping companies in the UAE. The third was the Adwind malware attack, which started in August 2015 and ended in January 2016. It hacked user data and activity to sell it. At a fee, Adwind also allows other hackers to use it as a base to launch their own attacks.
These attacks came despite the UAE having the strictest and clearest anti-cyber crimes laws (Law No. 5 of 2012) in the GCC. Its fines can reach Dh 3 million along with prison time, based on the nature of the offense. The law divides the offences into minor hacks where hacking is for fun. The second is when hacks are done for financial gains. The third, and most severe, are hacks with the intent of extracting revenge. Implementing this law is the National Electronic Security Authority, founded in 2012 as a federal authority under the UAE Supreme Council for National Security.
Oman: The GCC’s Cyber Safe House
Globally, Oman is the third most protected country from cyber attacks, according to the Global Cybersecurity Index which was created by the International Telecommunications Union and ABI Research. It comes after Canada and the USA, and shares this rank with Australia and Malaysia. “Its strengths include, organizational structure, legal measures, capacity building, technical and procedural measures, and regional and international cooperation,” said the report.
Oman has an Information Technology Authority, which is responsible for investing in cyber security. Under it is the Oman National Computer Emergency Readiness Team (OCERT), which was launched in 2010 to handle cyber threats directed at government and individuals. Meanwhile, Ernst and Young periodically run nationwide cyber security benchmark tests to keep the network updated. Oman has also signed 10 agreements to share cyber security assets with other countries. Lastly, OCERT is working with the Omani Ministry of Education to introduce information security subjects in schools.
The Omani government has been traditionally too cautious whenever there is a global cyber-attack outbreak such as WannaCry in May. During that attack the government shut down four ministries, consumer protection authority, Muscat principality and Qaboos University. So far in 2017, Oman handled 16,000 cyber attacks, according to Badr Al Salehi, director general of OCERT, in May speaking to Times of Oman. “The reason cyber-attacks will intensify is because the attackers tend to underestimate countries in the Middle East,” said Saqib Ali, an associate professor at the Sultan Qaboos University’s Information Systems Department, talking to Times of Oman in May. “Oman’s prevention mechanisms are pretty good, so I don’t think there are going to be many problems.”
Smaller Targets
Qatar has made positive strides in combating cybercrime. In 2014, the government passed the anti-cybercrime law, and in 2016 Qatar’s ministry of interior created a dedicated department to monitor cyber attacks and deal with them. “We need more attention to cyber security and we need to add more professionals to the field of cyber security,” said Saudi prince Bandar Al Mishari, assistant interior minister for technology affairs as reported by Khaleej Times in February. This strategy allowed Qatar to rank 8th in the ITU index, after Oman.
Bahrain’s cybercrimes law was passed in 2014 (Decree No. 60 of year 2014). Yet the country doesn’t have a specialized authority to handle cyber incidents. One of the more public attacks was in February when Bahrain’s interior ministry was almost hacked, according to The National. Meanwhile, Bahraini-based C5 founded Cyber security Laboratory in March. It is MENA’s first, and so far only, R&D center that develops new cyber security solutions. It also conducts trainings and organizes events to raise awareness and skills of participants.
Kuwait is increasingly looking like the most vulnerable of the GCC nations. For one, it’s cybercrimes law (Law no. 63), passed in 2016, seems to focus more on limiting freedom of expression than being a law to stop cyber crimes. It also has no specialized agency to combat such crimes. So far cyber attacks are limited. In February, a number of ATMs nationwide were shut down by a hack. The other attack was in November 2016, when Parliament's website was hacked to stop the voting on a draft law affecting the status of bidoons as fully-fledged Kuwaiti citizens.
Working Together
No matter how well regulated a country is, it is still vulnerable to cyber attacks as cyber criminals can still attack it from another, less regulated, country. “Once we start investigations, we realize it’s cross borders and that we cannot work alone,” said Ibrahim Alshamrani, executive director of operations at Saudi Arabia’s National Cyber Security Centre to The National in May.
Interestingly, despite strong economic, social and political ties among GCC members yet there has never been any significant cooperation among them when it comes to cyber security. All, except Oman, have no cooperation agreements with foreign governments or companies to combat cyber crime.
Sharing data and resources coupled with integrating legislations can help the GCC to become more effective at collectively combating cyber threats from outside the region, and mostly eliminate threats from within. This will be the role of governments as they negotiate how to create harmonious regulatory frameworks and enforce policies of sharing information with each other. “The challenge is on us,” said Alshamrani.
By Tamer Mahfouz
