When Westerners think of the Middle East and information security, they tend to focus on two areas: the widespread Arab Spring uprisings that began at the end of 2010; and concerns about censorship, surveillance, human rights, and the free flow of information. Information security professionals providing consultancy services to or working in those countries, however, talk more about the same issues that concern Westerners at home: hacking attacks, scams, phishing, and malware.
“Every region has its own context”, says Nawaf Abdulrahman, president of the Bahrain Internet Society. He adds, however, “Hacking is a business. In my region, if I don’t have the knowledge and skills I need to attack a company, I will try to hire other expertise from other regions. It’s not a matter of being American or British or Bahraini, but from where I can get that kind of knowledge and expertise to reach my goal and objective. I don’t think hackers care about nationality.”
Talking about cybersecurity in the Middle East, which traditionally includes countries and cultural contexts as varied as Turkey, Egypt, Syria, Saudi Arabia, Iran, Israel, and Qatar, has the added difficulty that the level of skills, laws, and awareness of information security varies just as widely. Israel has long been home to some of the most skilled practitioners and researchers in the world; other countries are scrambling to get started.
One Region, Two Worlds
Katherine Maher, director of strategy and communications for the New York-based NGO Access Now and a former Middle East policy fellow, tends to divide the region into two: the Gulf States, which she says are more sophisticated with respect to policy and legislative regimes around information security, and the African countries, where policy and legislation are much less developed.
In some cases, heavy-handed government regulation has pushed activists on the ground to develop surprisingly sophisticated expertise. In Tunisia, for example, years of government efforts to block access to content published by the political opposition, using techniques such as DNS poisoning and IP blocking, meant that activists had, Maher says, “developed into a sophisticated online community that was able to circumvent a lot of these restrictions.”
Tools that in the West appeal primarily to the digerati – GPG encryption software, the anonymizing network software Tor – are well understood and commonly used by a “small group of highly dedicated, skilled, self-taught activists that then mobilized an active population”. According to Maher, the role of social media in the Arab Spring was largely overstated in the West. Instead, the uprisings relied on existing networks that had been built up for many years; social media did help otherwise isolated activists find each other.
In most countries, however, she says that governments wishing to block or disrupt opposition found it easier to use more traditional tools like co-option, intimidation, and blocking access to capital. “There are other mechanisms of imposing control than technology ones.”
A Prime Target
It’s easy to forget that some of the most highly sophisticated malware attacks – Stuxnet, Flame, Gauss, Duqu – all targeted Middle Eastern installations. Stuxnet was directed at Iran’s nuclear facilities. Flame was seemingly targeted at PCs in Iran, spreading out from there. Gauss aimed to collect transaction data from (primarily) Lebanese financial institutions and digital payment providers. Duqu’s targeting is less clear, but this malware seems to have come from the creators of Stuxnet, and collects intelligence about its targets.
Another wake-up call, if one were needed, came from the October 2012 attack on the Saudi oil company Aramco, which saw the Shamoon malware compromise more than 30,000 of the company’s workstations. That attack took an historic step forward by targeting the company’s IT systems only as a stepping stone to the attackers’ real-world goal: to disrupt oil production.
These events have turned cybersecurity into a matter of widespread concern. “After what the region has gone through in the past two years”, says Abdulrahman, “people became more cautious and started to seek awareness when it comes to the field of infosecurity”. Many countries are now setting up Computer Emergency Response Teams (CERTs), considering legislation, and looking for technical solutions.
An Emerging Market
Ian Lowe, senior manager for enterprise solutions and identity awareness at HID Global, says the Middle East is “a key region for us”, adding that, “They’re quite technology-savvy and keen on adopting new security-type technologies.”
HID Global began as a provider of physical access solutions: smart cards and readers for doors. Its newer offerings are beginning to converge so that one card opens the door to an office and the office building, and logs the staffer onto their computer. In the Middle East, where many countries already have national ID cards, he notes, many states are looking at how to use those cards for other applications, including tying them in with mobile phones.
“Culturally”, he adds, “one of the trends in the Middle East is that a lot of organizations there don’t really have many legacy systems in place, so they will take a new system. For a technology vendor it’s great, because you don’t have to worry about migration.”
James Tarala, a senior instructor with the SANS Institute who works with groups in the Middle East – including CERTs – says: “People are having to learn what they need to do to protect themselves. The know-how, where to begin and how best to defend themselves are still being worked through.” It’s not just that every country’s CERT is less than five years old; it’s that some of the countries themselves barely existed as recently as the 1990s. “Qatar was desert. Doha was a location but not nearly what it is today”, he observes. “Now throw in technology and the country as a whole will spend time learning that technology and integrating it into the culture. The next phase is securing what you have put in place.”
After consideration of the various alternatives, Tarala says, often consultants advise that the simplest method is to follow the guidelines provided by the US National Institute of Standards and Technology (NIST). “We came in and had problems with the NIST system – it’s filing for compliance more than building security into the system; the same problems the US government had when implementing NIST. Kenya is about to go through the same thing – it’s replicating all over the world.”
Seven countries make up the United Arab Emirates, each with its own ruling family; Abu Dhabi is the biggest. As a former British protectorate – the UAE’s federal council is only 42 years old – the country is fairly Westernized. Well aware that the oil currently making the country rich will eventually run out, the government is investing heavily in educating the country’s youth within its own borders rather than sending them overseas. This includes efforts to train up native experts in cybersecurity.
Britain’s Andrew Jones, whose past includes a stint as head of security research for BT and who now chairs the MSc program at Khalifa University, notes that the quality of Emirati students he encounters is excellent. “They are a pleasure to teach”, he says, “and they learn quickly and are highly motivated”. More than half, he adds, are women, in contrast to the West, where the number of women in cybersecurity is small.
In general, there are three categories of residents in the UAE: native Emiratis, who make up at most 20% of the population; expatriates from countries such as the Indian subcontinent and the Philippines, who make up 60% to 70% of the non-natives; and Westerners. While at present, skilled native security people are thin on the ground, Jones says, “In the UAE, in security posts there is a drive to have Emiratis in charge”. Over the next ten years, he continues, the country wants to replace expats with natives. “They want to be responsible for their own security. All countries would want that in security leadership jobs.”
In Bahrain as in other states in the region, Nawaf Abdulrahman reports that the country suffers from a shortage of skilled security experts. “Finding an expert is really difficult at this stage”, he admits. Companies and other organizations try to compensate by outsourcing to experienced countries, often internationally, or by hiring expatriates. “It is challenging”, he says, “especially with the increase of attacks now”. He means not only the number of attacks and the variety of motives – from hacktivist groups like Anonymous to financial criminals – but their increasing sophistication. Stealth attacks, where viruses are planted for the purpose of collecting information over a long period of time, perhaps in order to shut down a plant or system at a later date, require a new approach compared to the older, more obvious intrusions.
“We need sophisticated security systems and normally they’re not available – they’re not easy to implement for one company”, Abdulrahman observes. For now, he says, legislation regarding information security and information more generally is still developing outside the financial sector, which is better developed. PCI compliance is voluntary rather than mandatory, but is necessary in any case for a bank to gain the respect of customers and other banks.
The Internet Society and ISACA are actively working to raise awareness among both the public and those in business, academia, and government. Says Khalifa Y. Al-Jowder, president of ISACA’s Bahrain chapter: “We regularly meet with officers in the public and private sectors to highlight the need for information security.”