Introduction
How would the states of the Gulf Cooperation Council (GCC) respond to a serious cyber incident? This could be a global ransomware event, a critical infrastructure incident targeted at the energy sector, or a significant denial of service attack on key government departments. Alternatively, it could be the manipulation of public opinion from within the region or without. These cyber incidents could occur together, involving leaked information gained through hacking and publicized through social media. The high likelihood of such events means that cyber resilience (the ability to withstand and rapidly recover from disruption) is at least as important as cybersecurity (protection against those threats). This paper examines cyber resilience in the states of the GCC: Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates (UAE). The national cybersecurity strategies of these states explicitly link cybersecurity with the concept of resilience (in Arabic: murūna), for example in ensuring the continuity of IT systems (Dubai), the functioning of infrastructure (Bahrain), and preserving wider social and cultural aspects of cyberspace (Qatar, Saudi Arabia).1 Given these aims, this paper seeks to support GCC states in their efforts to improve cyber resilience in a sustainable and coherent manner.
Recently, the landscape of cyberthreats has expanded from issues like denial of service, malware and digital sabotage to include online influence operations, highlighting vulnerabilities in social as well as technological information systems.2 In the GCC, threats to information security have been the focus of cybersecurity efforts since the 2011 ‘Arab Spring’, which governments perceived as a demonstration of the new social dangers stemming from digital communications technologies.3 Information threats have attracted renewed attention due to internal divisions within the GCC following the Qatar split in 2017. This paper employs a broad approach to cyber resilience, taking into account both resilience to ‘traditional’ cyberattacks and strategic control of the information environment.
This paper conceptualizes approaches to cyber resilience along a scale from centralized to distributed: centralized approaches to resilience maintain decision-making power and processes in a single location or body, while distributed approaches disperse power and processes over many sites. As suggested in the following section, the former is more able to counter strategic information threats, while the latter is better suited to countering more frequent but disparate intrusions into networks. Research for this paper shows that cybersecurity measures in the GCC are overly centralized, designed to control the information environment rather than recover from damaging cyberattacks. Consequently, this paper argues that these countries should take a balanced approach to cyber resilience that recognizes limited cybersecurity resources and includes international engagement with other states, multinational companies and international organizations, as well as an early government appraisal of the opportunities and risks presented by new technologies.
The methodology of this study is inductive and qualitative, drawing on a range of evidence in relation to different areas of cyber resilience, including laws, regulations, strategies and policies, and limited available data about the cybersecurity practices of GCC governments and private organizations in the region. The paper focusses on overall trends and uses individual case studies to illustrate these trends rather than individually examining each GCC state. The aim is to stay at a high level of analysis across the GCC, dipping into empirical detail briefly while taking into account internal differences. This paper follows two earlier research papers in this series on cybersecurity in the GCC: the first on the digital economy, and the second on cybercrime legislation and human rights.4
The paper is structured in five sections. The first section provides the theoretical basis for the analysis, introducing the distinction between centralized and distributed approaches to cyber resilience. The second section outlines the double threat perception of the GCC states, including both information-based and ‘traditional’ cyberthreats. The third section provides an overall picture of cyber resilience in the GCC, while the fourth examines the relationship between centralized and distributed approaches to cyber resilience in the region. The fifth and final section examines new technologies and their implications for cyber resilience in the GCC.