Cyberwarfare is the new frontier in the Gulf
The Dutch government announced last Thursday that it had foiled a cyberattack by Russian agents against the Organization for the Prohibition of Chemical Weapons (OPCW) in The Hague. The OPCW is the primary UN agency monitoring compliance with the Chemical Weapons Convention and other international guidelines on the use of chemical weapons. Dutch officials identified four Russians behind the intended attack and showed evidence of the attempted espionage.
On the same day, the US announced charges against seven Russian agents for cybercrimes linked to the case. Justice officials also accused the seven, all members of Russia’s military intelligence agency, known as the GRU, of cyberattacks against a US nuclear facility. As in previous cases, Russia flatly denied the accusations.
News of cyberattacks and attempted hacks has become routine. The attacks are increasing in sophistication and their numbers are growing at the breathtaking rate of about 40 percent annually. Some experts estimate that the majority of computer systems around the world are either compromised or can be easily penetrated by determined hackers with very few resources. Government-sponsored hackers can detect vulnerabilities in almost any computer network and do succeed in hacking into them.
Nothing has been safe from cyberattacks: Government agencies, international organizations, hospital records, financial institutions, computer systems for oil companies, and those for vital infrastructures. Personal information and state secrets are vulnerable to theft by cybercriminals or hostile governments. Political systems have been hacked, undermining government legitimacy in a number of countries, including the US.
Cyberwarfare has become the new frontier with very few rules. This is especially true across borders. Countries with limited resources, such as Iran and North Korea, have developed cyberwarfare capabilities to compensate for their lack of sophisticated weapons.
International efforts are afoot to establish globally agreed rules, just as we have in conventional warfare, but they are not there yet. It took humanity hundreds of years, many wars and millions of casualties before the four Geneva Conventions were adopted in 1949, representing the main, internationally accepted rules for the conduct of war. But no such rules exist for cyberwarfare.
Countries have to fend for themselves for now and the Gulf Cooperation Council (GCC) states are no exception. They have frequently been subjected to cyberattacks, and now they are pushing back against cyberwarfare. A lot of work is being accomplished in a short time, but more needs to be done.
In 2017, Saudi Arabia established the National Cybersecurity Authority (NCA), a high-level agency that reports to King Salman. The Kingdom has had cybersecurity capabilities in various government departments, especially in the security agencies and telecom regulatory framework, but the NCA has been mandated with overall authority to identify vulnerabilities, risks and threats, and develop defenses for the whole country across disciplines.
On Sunday, the NCA announced the Basic Safeguards for Cybersecurity — a manual to be used especially by government agencies, publicly-owned companies, and private companies that deal with vital infrastructures. In fact, the rules are useful for every network, personal computer, tablet or smartphone.
The new rules were adopted after surveying 260 national entities to understand their cybersecurity needs and vulnerabilities, and assess the threats they may face.
Similarly, the UAE has had cybersecurity capabilities in security agencies, the financial system and other government departments. It then established the National Electronic Security Authority (NESA) as a federal agency with primary responsibility for cybersecurity across the nation. To protect the computer network infrastructure in the country, NESA has produced the UAE Information Assurance Standards. Compliance with these standards is mandatory for all government organizations, semi-government organizations and business organizations that are identified as handling critical infrastructure.
Earlier this year, the UK and the GCC organized meetings to discuss how the two strategic partners could work together to strengthen defenses against cyber threats. They agreed on a set of measures, including sharing experiences and knowledge, and training personnel to meet a global shortage in cybersecurity experts.
Similarly, GCC and US cybersecurity experts started working together in 2015 to push back against cyberattacks, especially state-sponsored attacks aimed at critical infrastructures in the GCC region.
The GCC has drafted a cybersecurity strategy, to be adopted as a unified strategy for the region. GCC states face formidable cybersecurity challenges considering the bloc’s size, including cyberwarfare by state actors and cyberattacks by common criminals. Shortages of standards, strategies and cybersecurity experts are among those challenges. The pooling of resources and expertise throughout the GCC provides a cost-effective approach to meeting those challenges.
The latest revelations in Europe and the Middle East are reminders that time is of the essence to develop cybersecurity defenses. Saudi Arabia’s new safeguards, issued this week, are a step in the right direction.
- Abdel Aziz Aluwaisheg is the GCC Assistant Secretary-General for Political Affairs & Negotiation, and a columnist for Arab News. The views expressed in this piece are personal and do not necessarily represent GCC views. Twitter: @abuhamad1