Search form

Last updated: 10 min 22 sec ago

You are here

Time to be worried about cyber warfare in the Gulf

DUBAI: I used to think that the threat of cyber-warfare was a scare-mongering tactic designed to further the financial ambitions of lawyers, insurers and security firms, but a recent event in Dubai has changed my way of thinking. Now, I am scared, very scared.
From state-sponsored attacks on the political structures of rival governments, to the fraud and ransom assaults by pimply teenagers in their web-intensive basements, the threat is growing daily. The Dubai event brought all the strands together, and convinced me that the cyber issue is one of the biggest businesses, and governments, face.
On a political level, we have seen a barrage of allegations recently that sovereign states have been interfering in the domestic affairs of others, and the “fake news” debate that has taken center stage in media matters.
Those issues are so big and complex that any discussion in Dubai was inappropriate. But the implications for the business community were obvious enough.
The corporate world has been the victim of increasingly serious assaults in recent years. Some of this has been straightforward fraud, with hackers using the Internet to get financial information for their own personal gain, or for ransom.
There have been some spectaculars. In 2013, Yahoo was victim of an attack that compromised 3 billion accounts and eventually knocked $350m off its valuation when the time came to sell it. That’s perhaps the most tangible quantified effect yet of the direct financial effect of a cyber-attack.
There have been several others, with banks from India to the US all reporting a surge in online crime. One of the participants in the Dubai event made the very good point that the ones we know about could just be the tip of a very big iceberg, because big institutions like banks, which rely on customer confidence, are reluctant to acknowledge all attacks.
There is a job to be done for the crisis communications industry in this respect. It would be better to come out openly in a case of cyberattack, acknowledging the fact and the extent of the damage, rather than letting the bad news filter out while customers — and the organization’s reputation — are suffering.
One of the speakers at the Dubai event was a smart young lawyer based in UAE but with responsibility for the region. She thought that the Middle East was especially prone to cyberattacks, mainly because the web criminals had spotted that it was not as prepared as others, and because of the large amounts of capital lying around in institutions here.
It was a bit like the response of the robber who was asked why he robbed banks. “Because that’s where the money is,” he replied.

New European data protection laws will have an effect on business in the Middle East. But policymakers must take action to counter the particular vulnerability of Gulf corporations.

Frank Kane

The rate of attacks had accelerated in recent months, the lawyer said, reeling off a list of victims in the UAE and elsewhere.
The region also has the dubious honor of being home to what has been described as “the biggest cyber attack in history.” In 2012, Saudi Aramco was the victim of a hugely destructive assault by the Shamoon virus, which caused some 35,000 computers at the oil company to malfunction.
The effects of the attack — likely caused by a foreign government, intelligence officials said at the time — took weeks to clear, but could have been even more serious if they had targeted oil production facilities, rather than head office.
The threat in Saudi Arabia has resurfaced from time to time since that mega-assault, showing that the perpetrators remain on alert for any opportunity to disrupt the Kingdom’s economy.
The region has plenty of enemies, and there is plenty of potential loot to attract them. But one of the main reasons Gulf countries and companies attract their attention is the state of unpreparedness of defenses against them.
Data protection laws are weak, there are no regulatory requirements to notify the public about breaches (outside some of the financial hubs), and there is little co-ordinated effort by the authorities to counter the threat. Some places have police units that deal with cyber fraud, but they are not adequately resourced to deal with big, globally-orchestrated attacks.
In addition, the region has been slow to adopt counter-cyber insurance, which — while it does not deter the criminals — would mitigate some of the worst effects. “The biggest incentive is to not lose money,” said an insurance expert on the Dubai panel.
New European data protection laws coming in soon will have an effect on business in the Middle East, as far as regional arms of European-based multinationals are concerned. But really policymakers should take action to counter the particular vulnerability of Gulf corporations. All the “smart city” projects in existence will be irrelevant if enemies or criminals can get round the region’s cyber defenses with such apparent ease.
• Frank Kane is an award-winning business journalist based in Dubai. He can be reached on Twitter @frankkanedubai