https://arab.news/ndajn
Over the past decade, countries in the Middle East have sharply increased investment in information and communication technologies (ICT). Regardless of whether this was out of necessity or just part of natural evolution, ICT is arguably the most critical component in the region’s transition toward modern, competitive, and technology-driven economies in the post-crisis phase, which will prize economic self-reliance and strategic resilience.
The Gulf states are leading the charge in the rapid digitization of social infrastructure, financial services, education, healthcare and government services, to list a few. All sectors now depend on unprecedented levels of interconnectivity and uninterrupted access to the internet made possible by this rapid pace of digitization.
Unfortunately, as welcome as these transformations are, they also come with the increased risks of cyberattacks from ransomware, malware, and malicious URLs, among many threats. Last year alone, in the UAE there was a nearly 200 percent increase in distributed denial of service (DDoS) attacks targeting both the public and private sectors. DDoS attacks make online services unavailable by flooding their servers with simultaneous requests for information. Such attacks are increasing in scale and complexity, and without proper mitigation could cripple operations of critical sectors suchtelecommunications, oil and gas, healthcare, and e-government services.
Ransomware attacks are also on the rise. In the UAE, Kuwait, Oman, and Bahrain there were 6 million in a single year. These were followed closely by malware attacks, mostly targeting users of online banking services, and VPN attacks seeking to capitalize on the cybersecurity vulnerabilities of a distributed workforce.
Ransomware attacks are especially dangerous given their relative simplicity and immediate, disruptive impact on businesses and organizations. Additionally, most victims tend to pay the ransom, often through insurance, which only encourages malicious actors to persist. Increasingly, DDoS attacks are paired with ransomware — the former to distract cybersecurity teams, while the latter is the true goal for the attackers.
State-sponsored cyberterrorism adds yet another layer in the complex dynamics of a region rife with political tensions. Cyberattacks by state-sponsored actors can be devastating, especially in countries already struggling with other socioeconomic challenges. Worse yet, it can be difficult — almost impossible — to find the perpetrators, since attacks on that level tend to use infrastructure located in other countries as well as unaffiliated groups for both espionage and nefarious attacks.
Experts warn that in the future digital economies of the region, governments must be especially wary of “cyber mercenaries” and hackers for hire.
If the future lies in digitization, then the protection of cyberspace is key.
Hafed Al-Ghwell
After all, the region’s cybersphere is complex, since no single actor can claim preeminence over the wide variety of players, motivations, capabilities, and targets for cyberattacks.
Longstanding regional tensions continue to make the Arab world’s cyberspace busy, volatile, and constantly evolving as players sharpen their capabilities and seek to shore up potential vulnerabilities. State-sponsored cyberterrorism is now a potent tool in the pursuit of strategic geopolitical advantages and regional hegemony. The difficulties with attribution, ease of use, potential devastation, and plausible deniability offered by cyberterrorism all fit well within Iran’s quest for political and military supremacy in the region via asymmetrical warfare.
As countries in the Middle East undergo digital revolutions, the region’s cyberspace has become a hotbed of activity. For state-sponsored cyberattacks, Saudi Arabia is by far the preeminent target, for its size, rapid digitization, and large-scale Vision 2030 infrastructure projects.
However, other economies with ambitious economic transformation plans are also vulnerable, partly because of people’s reduced popular trust and confidence in the futures envisioned by their governments. It is a fruitless endeavor to invest billions of dollars in smart villages, agritech, logistics hubs, and smart industries when the public is not convinced their data and activities in cyberspace are secure. Private sectors will also be reluctant to invest in technological leaps when governments lack coherent strategies to fend off threats and deal with them decisively.
It is therefore imperative for governments to enhance the security and resilience of their cyberspace. At stake is the estimated 10-12 percent annual growth of the region’s digital markets, which could add more than $800 billion to the region’s GDP and create more than 4 million jobs in a part of the world with rampant unemployment.
In addition, it is almost an existential imperative for the Arab world to accelerate plans for building sustainable and resilient low-carbon economies of the future.
However, such efforts must go hand-in-hand with governments (and the private sector) committing to safeguarding the digital space from attacks, espionage, and violations of privacy. There are numerous blueprints and experiences from advanced economies on the best strategies for enhancing cybersecurity and ensuring maximum private sector participation.
However, without any meaningful efforts and well-resourced leading agencies, abuses in the digital space and reactionary attempts to stem them by governments could lead to the worst scenario. The rising costs of cybercrime and the inevitable response of greater government control of the digital space could end up leading to reduced internet use by citizens and organizations.
If the future lies in digitization, then the protection of cyberspace is key. Governments can promote the uptake of cybersecurity knowledge, skills, and competencies by incentivizing the study of information management and governance in the digital age at tertiary learning institutions, for example. Targeting universities helps train and induct youths, while professional training will target those already employed via on-the-job training schemes, both in the public and private sectors.
Ultimately, the region must create a culture of cybersecurity by raising awareness of the risks posed by ineffectual cybersecurity infrastructure. Public and private sectors should also enhance information management systems to prevent, or at least identify, breaches and attempts to tamper with critical networks. This is especially important in sectors that use industrial control systems, such as oil, gas, water, and power. Overall, cybersecurity awareness and capacities building must become a permanent feature of national strategies and budgets.
- Hafed Al-Ghwell is a senior fellow with the Foreign Policy Institute at the John Hopkins University School of AdvancedInternational Studies. Twitter: @HafedAlGhwell