Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

Middle East Cybersecurity Efforts Catch Up After Late Start

Despite having only a scant focus on cybersecurity regulations a decade ago, countries in the Middle East — led by Saudi Arabia and other Gulf nations — have adopted mature frameworks and regulations amid escalating volumes of attacks.

4 Min Read
Middle East purple lights
Source: KamilSD via Alamy Stock Photo

The increase in cyber operations, disruptive attacks, and hacktivism in the Middle East has led the region's largest nations to pursue more sophisticated cybersecurity laws and frameworks over the past decade, leading to a dynamic regulatory landscape that companies need to navigate moving forward, according to regional experts.

Efforts to move their nations beyond the traditional petrochemical-based economies to a knowledge-based future have led Middle East nations to invest heavily in digital and cloud technologies over the past two decades. The result: Cyberattacks and cybercriminal operations have increased in the region. In reaction, countries such as Qatar, Saudi Arabia, and Oman all have developed mature regulatory regimes based on international standards, Cisco stated in a recent analysis of Middle East regulatory frameworks.

The goal of the effort is for countries to protect their valuable investments in the future from the dangers highlighted by destructive attacks and geopolitical tensions, says Yuri Kramarz, a principal engineer leading the global Incident response practice at Cisco's Talos threat intelligence group.

_____________________________________

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larson from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Southeast Asian Cybercrime Profits Fuel Shadow Economy

_____________________________________

"As various states started to diversify from traditional sources of income to a digital economy, they realized that technology adoption plays a crucial role in their economies as both a source of revenue and employment," he says. "It was not until the late 2000s and early 2010, when attacks became increasingly sophisticated, that countries began to take notice."

Yet, once the cyber danger was identified, the regional governments swung into action, with Saudi Arabia and the United Arab Emirates (UAE) leading the way, according to business consultancy Oliver Wyman. While Middle East nations have made significant strides, they do have to overcome a variety of factors, including uneven enforcement and the migration of talent away from the region, Souheil Moukaddem, global head of cyber risk at Oliver Wyman, stated in a video interview.

Related:Ransomware Gangs Pummel Southeast Asia

"A global problem, [which is] particularly exacerbated in the Middle East, [is] the shortage of cyber talent," he said. "And what you see really is, as the professionals become more experienced, they tend to migrate to other geographies where the pay is better, and the jobs are better."

Mideast Plays Catch Up

In 2014, nations in the Middle East began establishing cybersecurity and data-protection frameworks following a series of critical cybersecurity attacks, such as the Stuxnet attack and the Shamoon wiper. Recent tensions in the Middle East have driven even more advanced hacktivism, denial-of-service attacks, and supply chain compromises, including Israel's cyber-physical attack using exploding pagers.

Cisco's Kramarz points to the Shamoon wiper attacks as an example of the type of threats that have driven the change in perceptions of cybersecurity in the Middle East. Despite its lack of sophistication, the Shamoon wiper virus crashed more than 30,000 workstations at Saudi Arabia's state-owned oil giant, Saudi Aramco.

"As we have seen, the economy of an entire country can be impacted by a cybersecurity attack," he says.

As international tensions in the region have escalated, many countries in the Gulf Cooperative Council (GCC) have developed national cybersecurity strategies using international regulatory frameworks and standards and establishing a minimum set of security controls — especially in critical sectors, says Koroush Tajbakhsh, a director in the cybersecurity practice at FTI Consulting, based in Dubai.

Related:India's Critical Infrastructure Suffers Spike in Cyberattacks

"In the face of increasing cyber warfare, GCC countries have responded by bolstering regional cyber alliances, conducting joint cybersecurity drills, and fostering intelligence-sharing initiatives, though political tensions can complicate cooperation," he says.

Standardized Approach Pays Off

Companies that already use standards from the United States' National Institute of Standards and Technology, the European Union's General Data Protection Directive, or the global International Organization for Standardization are already well along in meeting most of the cybersecurity controls required by nations in the Middle East, Cisco's Kramarz says.

"Most country-level standards and frameworks are built on top of these well-known standards," he says. "However, companies must also pay attention to the specific requirements in each country, particularly around data localization, incident reporting, and compliance with sector-specific regulations that might often be only available through regulatory bodies who add additional frameworks on top of existing country-level regulations and laws."

However, enforcement of the regulations can be uneven — often due to a lack of expertise about newly passed laws or a failure to establish offices for data authorities — which poses problems for companies looking to prioritize their efforts. In addition, the lack of enforcement contributes to sometimes spotty responses to data breaches, says FTI Consulting's Tajbakhsh.

"Effectively responding to cybercrime and data breaches is not as much about gaps in local data protection legislation as it is about their effective enforcement," he says. "While laws exist, cross-border enforcement will remain a challenge when looking to prosecute foreign agents or international crime syndicates, as this would require local data offices responsible for enforcing laws locally to reach a level of operational maturity that also includes cross-border data sharing."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights