Technological factors affecting future resilience
There are four wider developments in internet technologies relevant to cyber resilience in the GCC.92 First, the development of a digital economy.93 E-commerce will continue to increase across the GCC, with online platforms such as Noon and Souq (acquired by Amazon) moving transactions online. App-enabled delivery and ride-hailing companies are now available in some areas of the GCC, with the most popular Middle East ride-hailing app, Careem, recently acquired by its competitor Uber. There are also payment innovations, especially in previously cash-dependent economies, for example, several mobile and quick card payment systems are gradually spreading in Saudi Arabia. There are many entrepreneurs in the region seeking to stimulate investment in the digital sector, such as the online investment platform Magnitt in Dubai. Many businesses in the GCC rely on cloud computing, with data on servers across the GCC and internationally. However, despite an ITU report in 2016 calling for an ‘Arab Safe Harbor’ agreement to regulate cloud storage and enable a cloud-based digital economy, this has not been implemented.94 Overall, an increasingly digital economy creates a wider range of cybersecurity risks, especially for identity fraud and theft, as areas of individuals’ lives and organizations’ activities are potentially affected by malicious activity on networks and devices.95
Second, the adoption of 5G telecoms networks will also have a significant impact on cybersecurity in the GCC. Within days of each other, GCC states, including the UAE, Qatar and Saudi Arabia, all claimed to be the first worldwide to implement ‘live’ 5G networks.96 Despite these claims, industry reports suggest a low level of 5G readiness more broadly, as 5G adoption depends on the development of appropriate devices and services as well as the networks themselves.97 Elsewhere, 5G cybersecurity has been framed around the risk of access by hostile governments: for example, US President Donald Trump has issued an executive order banning US companies from using information and communications technology from any provider considered a national security threat.98 This executive order was primarily targeted against Huawei due to concerns over its links to the Chinese state and potential espionage.99 While Chinese companies are investing in 5G in the GCC (through Huawei, OPPO, and other firms),100 there has been little public debate about the relative benefits of this involvement in a manner akin to that in Europe, Australia and the US, and so the cybersecurity risks are either not well captured or they are accepted as a trade-off for the competitive pricing of Chinese 5G infrastructure.
Industry reports suggest a low level of 5G readiness more broadly, as 5G adoption depends on the development of appropriate devices and services as well as the networks themselves
Third, the Internet of Things (IoT) also changes the cybersecurity landscape in the GCC. The IoT increases the attack surface for malicious cyber activities, as many more points of entry exist into home and corporate networks and IoT manufacturers have low incentives to secure their devices rather than prioritize market speed and flexibility.101 The IoT is still a future development for much of the GCC, although contracts have been signed to provide specific satellite infrastructure, and some market reports claim that up to half of hospitals in Qatar, the UAE, and Saudi Arabia use IoT solutions.102 Cybersecurity professionals in the GCC recognize these risks: for example, Ooredoo (in Oman and Qatar) has joined a not-for-profit aiming to increase awareness of cybersecurity risks in IoT and encourage secure standards.103 The UAE’s Telecommunication Regulatory Authority (TRA) has published a new policy aimed at regulating the services and devices associated with IoT.104
Fourth, and finally, artificial intelligence (AI) and machine learning are technological fields with deep implications for cyber resilience in the GCC. The importance of big data for AI exacerbates existing cybersecurity risks to individuals, businesses and governments from the deletion, manipulation, and theft of valuable data. On the other hand, AI itself provides an exciting new avenue for research and product development in cybersecurity, offering the promise of scalable real-time threat detection and increasingly automated responses. In October 2017, the UAE adopted a minister for AI to signal its commitment to the adoption of these technologies, especially in the planned smart cities of Dubai and Abu Dhabi.105 Saudi Arabia has made AI a cornerstone of its announcements in a range of technological plans, including the new city NEOM and the Future Investment Initiative.106 However, so far there is no evidence of a substantial technological shift with cybersecurity implications over and above these announcements.107
These technological changes will have as yet unknown implications for cyber resilience, especially in the context of extensive international competition between global powers such as the US and China for control of resources and knowledge in most of these areas. However, these changes can be grouped into three main areas.
AI itself provides an exciting new avenue for research and product development in cybersecurity
First, will AI or IoT leadership lead to new privacy demands or violations, especially in GCC-led adoption of smart cities? Will data be the new oil in the GCC and what approach to data governance, storage and use will the region adopt? How will ownership of the region-specific and global datasets required for training competent AI algorithms affect state power and private-sector relationships?
Second, will the trade-off between economic benefit and risks of espionage in 5G and AI, exemplified by current US pressure on its European allies, apply to the GCC states in the future? If required to choose, will they remain under its security umbrella and continue investing in US companies, or will they embrace China in a ‘pivot’ that may be both ideologically aligned and economically beneficial?
Third, and finally, if the GCC states become leaders in these technologies, as intended, what are the implications for cyber risks? How will this change regional competition, both intra-GCC and regarding Iran, especially as the latter already seeks to circumvent US sanctions through cyberespionage, and tensions between Iran and the US increase?
These questions are essential for understanding not just the current state of cyber resilience in the GCC, but its future trajectory in the coming decades. Consequently, GCC governments should examine the impact of relevant new technologies on cyber resilience, discussing openly the risks of these technologies and appropriate solutions.
92 Although this section focuses on technological change, we recognize that social factors influence technological adoption and seek to avoid a simple technological determinism.
93 For further discussion, see Mogielnicki, R. (2019), ‘Add to Cart: E-Commerce Development in the Gulf’, Arab Gulf States Institute in Washington (blog), 18 December 2019, https://agsiw.org/add-to-cart-e-commerce-development-in-the-gulf/ (accessed 21 Feb. 2020).
94 Alamir Ali, R. (2016), Cloud Computing in Arab States: Legal Aspect, Facts and Horizons, ITU Arab Regional Office.
95 Benni, E., Elmasry, T., Patel, J. and aus dem Moore, J. P. (2016), ‘Digital Middle East: Transforming the Region into a Leading Digital Economy’, McKinsey & Company.
96 Ooredoo (2018), ‘Ooredoo First In The World to Launch 5G Commercial Network’, CISTON PR Newswire, 14 May 2018, https://perma.cc/73D6-7X3L; Langton, J. (2018), ‘Etisalat Prepares to Offer Customers Ultra-Fast 5G Network’, The National, 14 May 2018, https://perma.cc/W4QS-PTMG; Debusmann Jr, B. (2018), ‘Saudi Arabia’s Al Khobar Becomes First Middle East City to Test 5G’, ArabianBusiness.com, 27 May 2018, https://perma.cc/Q6T4-ZMD4.
97 Iacopino, P., Robinson, J. and Meloan, M. (2018), ‘5G in MENA: GCC Operators Set for Global Leadership’, GSMA Intelligence, https://www.gsmaintelligence.com/research/2018/11/5g-in-mena-gcc-operators-set-for-global-leadership/709/ (accessed 21 Feb. 2020).
98 Liu, N., Sevastopulo, D. and Stacey, K. (2019), ‘Donald Trump Issues Executive Order Laying Ground for Huawei Ban’, Financial Times, 15 May 2019, https://www.ft.com/content/c8d6ca6a-76ab-11e9-be7d-6d846537acab (accessed 21 Feb. 2020).
99 Mueller, M. (2019), ‘Let’s Have an Honest Conversation about Huawei’, Internet Governance Project (blog), 16 October 2019, https://www.internetgovernance.org/2019/10/16/lets-have-an-honest-conversation-about-huawei/ (accessed 31 Jan. 2020).
100 Telecom Review (2019), ‘Chinese Firm Announces 5G Investment Plans in GCC’, 16 January 2019, https://perma.cc/KRE5-CU4X.
101 Bryce, H. (2017), ‘The Internet of Things Will Be Even More Vulnerable to Cyber Attacks’, Chatham House Expert Comment, 18 May 2017, https://www.chathamhouse.org/expert/comment/internet-things-will-be-even-more-vulnerable-cyber-attacks (accessed 24 Feb. 2020).
102 ORBCOMM (2016), ‘ORBCOMM and Machinestalk Deliver IoT Solutions in Saudi Arabia and The GCC Region’, ORBCOMM, 18 May 2017, https://perma.cc/75MB-CNL4; Fernando, C. (2016), ‘Internet of Things Set to Go Mainstream in GCC Hospitals’, ChannelPostMEA, 26 December 2016, http://www.channelpostmea.com/2016/12/26/internet-of-things-set-to-go-mainstream-in-gcc/ (accessed 21 Feb. 2020).
103 CommsMEA Staff Writer (2018), ‘Ooredoo Oman Joins LoRa Alliance to Drive IoT’, CommsMEA, 2 April 2018, https://perma.cc/3B3X-G43B.
104 Telecommunications Regulatory Authority (UAE) (2018), ‘Regulatory Policy: Internet of Things (IoT)’, 22 March 2018, https://www.tra.gov.ae/assets/8oQGhqPt.pdf.aspx (accessed 21 Feb. 2020).
105 UAE Government (2017), ‘UAE Strategy for Artificial Intelligence’, Government.ae, https://perma.cc/TJ5G-EDT8; Zakaria, S. (2017), ‘Dubai’s Smart Lab Accelerates AI Move’, Khaleej Times, 27 March 2017, https://perma.cc/J3LA-LGH9.
106 Sharma, A. (2018), ‘Why AI Is Central to Saudi Vision 2030’, AMEinfo, 14 February 2018, https://www.ameinfo.com/industry/technology/ai-central-saudi-vision-2030; Economist (2018), ‘Saudi Arabia Plans for an AI Future’, Economist Intelligence Unit, 27 July 2018, https://perma.cc/4LMS-U5J7.
107 Shires, J. (2019), ‘Artificial Intelligence and Security in the Gulf’, in Artificial Intelligence in the Gulf, Gulf Research Meeting, Cambridge, UK: GRM.