As the WannaCry ransomware spread across 150 countries last month, the Middle East held its breath. While Saudi Telecom Co. (STC) denied that the virus had affected its systems, it was another stark reminder of cyber security risks that loom large over the region, and the GCC in particular.
After all, the GCC represents an emerging information environment with accompanying economic, social, and security promises and challenges. With cyberattacks being increasingly wielded as asymmetric weapons of war, robust and proactive cybersecurity structures will undoubtedly be an essential component for securing both regional influence and stability.
Bullets in cyberspace
The Gulf is a lively cyber conflict zone. According to Symantec's annual Internet Security Threat Report, Saudi Arabia and the UAE are the two most targeted MENA countries for ransomware attacks – in which cyber criminals steal and encrypt files until a ransom is paid.
Consequently, in 2016 the global average ransom spiked 266 percent with criminals demanding an average of $1,077 per victim, up from $294 as reported for the previous year.
The report identifies resurgence in sabotage attacks during 2016, notably the reemergence of the Shamoon disk-wiping malware after a five-year absence. First used in attacks against Saudi Aramco and Qatar's RasGas in 2012, a new variant was used against targets in the kingdom in November 2016 and January 2017, infecting networks in at least 22 organisations.
With a wide range of targeted attack groups in operation, specific nation states are increasingly doubling down on political manipulation and sabotage. Regional powers have moved into cyberspace with their own cyber espionage operations directed at foreign adversaries and internal opposition groups.
The November 2016 and January 2017 Shamoon attacks have been linked to two cyber-espionage groups, "Greenbug" and "Timberworm". Although apparently distinct units, by spreading the Trojan they are likely to be at the direction of a single entity, allegedly Iran.
The attacks appear to be imbued with political motivation. When Iranian hacking group called "Cutting Sword of Justice" attacked Saudi Aramco using Shamoon in 2012, the compromised processors had their master boot records wiped and substituted with an image of a burning US flag.
The recent attacks used a photo of the drowned three-year-old Syrian refugee Alan Kurdi.
Iran itself has been the victim of cyber warfare. The US and Israel were jointly behind Stuxnet, a malicious worm that was responsible for causing substantial damage to Iran's nuclear program in 2010. Despite years of international sanctions, Iran has dramatically outpaced the GCC in expanding its cyberpower in the region, dedicating its capabilities from monitoring domestic dissent to attacking foreign rivals.
Given the current tension between Saudi Arabia and Iran, the Shamoon attacks continue to highlight both the increase in Iranian-sponsored cyber activity and the GCC's lack of an effective cyberdefense strategy.
Vulnerabilities and challenges
The process of cyber security is complicated by the fact that the internet is fundamentally insecure. The challenge in protecting and responding to cyber attacks stems from the domain's anonymous, intangible, and unquantifiable landscape. This makes it harder for states to effectively mitigate belligerent cybernetic actors - both state and non-state - given that conventional limitations (whether physical or financial) are not as instrumental in the battlefield of cyberspace.
As a result, policymakers struggle to define the scope of cyber incidents and face impediments in preparing and budgeting for them. It is no surprise, then, that cyber threats are viewed as a major business risk, or that cybersecurity has become a top priority for businesses, law enforcement, and governments.
A 2016 PwC survey on Cybersecurity in the Middle East reported that businesses in the MENA region are more likely to have suffered costly cyber incidents compared to the rest of the world. Of the companies surveyed, 56 percent lost more than $500,000 compared to 33 percent globally, and 13 percent lost at least three working days, compared to 9 percent globally.
The report that that one of the reasons for the high rate of cyber attacks is "the greater prevalence of malware in the region, and there are also more fax-based scams than is typical elsewhere, which can be hard for business to track centrally".
The disproportionate level of attacks has led to a sharp rise on spending in security technology by firms in the Middle East, though this has failed to counteract the increase in malicious cyber incident. Without supporting investment to enhance cyber-awareness, governance, and procedures, a comprehensive cybersecurity plan is bound to come up short.
Beyond the 'technological fix'
Like any other business issue, cybersecurity is multi-dimensional. The tendency to believe cyber issues can be assuaged using a 'technological fix' is widespread in the region, with firms seldom possessing appropriate security training or awareness programmes.
Furthermore, without the right governance architecture in place, cyber stratagems tend to be delegated vertically within IT silos, rather than executed laterally across all departments. Instead, cybersecurity has to be envisioned as an end-to-end challenge necessitating an end-to-end response.
This means detailed planning, scenario exercises, response management, and crisis preparedness, involving a broad range of functionality (HR, legal, risk, forensics, and communications).
The region's distinctive business culture is a factor to be considered. A large proportion of companies in the Middle East are family-owned with no external shareholders, which accentuates a focus on profits opposed to any form of regulatory constraint. Reputation and trust are especially important; a chunk of business is based on personal networks and relationships that can in many cases go back generations.
Additionally, companies in the region are concerned with maintaining commercial activity, confidentiality and privacy protection, which can impede effective information-sharing of security threats making their proliferation and impact much more severe.
A major obstacle to the effective control of cyber crime is its transnational nature. Attacks transpire across borders, and offenders have taken advantage of safe haven states that lack stringent cyber legislation and enforcement capabilities.
One approach to curbing malevolent cyber activity has been through international frameworks. The Council of Europe Convention on Cybercrime, otherwise known as the Budapest Convention, is the first international treaty that provides a comprehensive international approach to cybernetic criminality.
Signed in 2001, it seeks to address this by harmonising national laws, improving investigative techniques, and increasing cooperation among nations.
Cyber Attacks Are Changing Job Requirements: Experts
At present, 52 states have ratified the convention, but GCC member states are conspicuously absent. Nor is there any inter-state collaboration on cybercrime.
While the premises for policy-making and regulatory action in the region are functionally similar to others, the Gulf States are inclined to favour strong sovereign and territorial control of their information infrastructure. Regulatory approaches to cybersecurity are still embryonic, and the GCC is yet to nurture a culture of regional and international cooperation.
As nations find it tough to cooperate on the issue of cybersecurity, Microsoft is leading the charge in pushing for more global cooperation by proposing a "Digital Geneva Convention" to restrict the acceleration of cyberwarfare, and to build consumer trust through what it calls a "Tech Accord". Commendable actions they might be, however, transnational deals alone will not overcome cyber vulnerability.
Securing digital borders
Despite significant funding, the Gulf's cyber security measures have ended up playing second fiddle. The primary defense focus remains confined to conventional threats; explicitly Iran and its ballistic missile programme. The costs associated with cyberattacks will only expand, and further Shamoon-style offensives could have devastating financial consequences.
Public cybersecurity awareness and educational initiatives would go a long way to addressing the lack of a cyber-skilled labour force. Data-sharing efforts between public and private sector entities can assist in combating the evolving nature of cyber challenges, as observed by the Organisation of Islamic Cooperation CERT, along with the Joint US-Gulf Cyber Working Group.
The possibility of a more rigorous regulatory environment in GCC markets will have to eventually become tied to a consolidation of international resolutions that demand the establishment of recognised security provisions.
The harmonisation of industry standards through a set of national and regional guidelines then becomes a necessary element of any GCC cybersecurity framework in the future.