Technological factors affecting future resilience
There are four wider developments in internet technologies relevant to cyber resilience in the GCC.92 First, the development of a digital economy.93 E-commerce will continue to increase across the GCC, with online platforms such as Noon and Souq (acquired by Amazon) moving transactions online. App-enabled delivery and ride-hailing companies are now available in some areas of the GCC, with the most popular Middle East ride-hailing app, Careem, recently acquired by its competitor Uber. There are also payment innovations, especially in previously cash-dependent economies, for example, several mobile and quick card payment systems are gradually spreading in Saudi Arabia. There are many entrepreneurs in the region seeking to stimulate investment in the digital sector, such as the online investment platform Magnitt in Dubai. Many businesses in the GCC rely on cloud computing, with data on servers across the GCC and internationally. However, despite an ITU report in 2016 calling for an ‘Arab Safe Harbor’ agreement to regulate cloud storage and enable a cloud-based digital economy, this has not been implemented.94 Overall, an increasingly digital economy creates a wider range of cybersecurity risks, especially for identity fraud and theft, as areas of individuals’ lives and organizations’ activities are potentially affected by malicious activity on networks and devices.95
Second, the adoption of 5G telecoms networks will also have a significant impact on cybersecurity in the GCC. Within days of each other, GCC states, including the UAE, Qatar and Saudi Arabia, all claimed to be the first worldwide to implement ‘live’ 5G networks.96 Despite these claims, industry reports suggest a low level of 5G readiness more broadly, as 5G adoption depends on the development of appropriate devices and services as well as the networks themselves.97 Elsewhere, 5G cybersecurity has been framed around the risk of access by hostile governments: for example, US President Donald Trump has issued an executive order banning US companies from using information and communications technology from any provider considered a national security threat.98 This executive order was primarily targeted against Huawei due to concerns over its links to the Chinese state and potential espionage.99 While Chinese companies are investing in 5G in the GCC (through Huawei, OPPO, and other firms),100 there has been little public debate about the relative benefits of this involvement in a manner akin to that in Europe, Australia and the US, and so the cybersecurity risks are either not well captured or they are accepted as a trade-off for the competitive pricing of Chinese 5G infrastructure.
Industry reports suggest a low level of 5G readiness more broadly, as 5G adoption depends on the development of appropriate devices and services as well as the networks themselves
Third, the Internet of Things (IoT) also changes the cybersecurity landscape in the GCC. The IoT increases the attack surface for malicious cyber activities, as many more points of entry exist into home and corporate networks and IoT manufacturers have low incentives to secure their devices rather than prioritize market speed and flexibility.101 The IoT is still a future development for much of the GCC, although contracts have been signed to provide specific satellite infrastructure, and some market reports claim that up to half of hospitals in Qatar, the UAE, and Saudi Arabia use IoT solutions.102 Cybersecurity professionals in the GCC recognize these risks: for example, Ooredoo (in Oman and Qatar) has joined a not-for-profit aiming to increase awareness of cybersecurity risks in IoT and encourage secure standards.103 The UAE’s Telecommunication Regulatory Authority (TRA) has published a new policy aimed at regulating the services and devices associated with IoT.104
Fourth, and finally, artificial intelligence (AI) and machine learning are technological fields with deep implications for cyber resilience in the GCC. The importance of big data for AI exacerbates existing cybersecurity risks to individuals, businesses and governments from the deletion, manipulation, and theft of valuable data. On the other hand, AI itself provides an exciting new avenue for research and product development in cybersecurity, offering the promise of scalable real-time threat detection and increasingly automated responses. In October 2017, the UAE adopted a minister for AI to signal its commitment to the adoption of these technologies, especially in the planned smart cities of Dubai and Abu Dhabi.105 Saudi Arabia has made AI a cornerstone of its announcements in a range of technological plans, including the new city NEOM and the Future Investment Initiative.106 However, so far there is no evidence of a substantial technological shift with cybersecurity implications over and above these announcements.107
These technological changes will have as yet unknown implications for cyber resilience, especially in the context of extensive international competition between global powers such as the US and China for control of resources and knowledge in most of these areas. However, these changes can be grouped into three main areas.
AI itself provides an exciting new avenue for research and product development in cybersecurity
First, will AI or IoT leadership lead to new privacy demands or violations, especially in GCC-led adoption of smart cities? Will data be the new oil in the GCC and what approach to data governance, storage and use will the region adopt? How will ownership of the region-specific and global datasets required for training competent AI algorithms affect state power and private-sector relationships?
Second, will the trade-off between economic benefit and risks of espionage in 5G and AI, exemplified by current US pressure on its European allies, apply to the GCC states in the future? If required to choose, will they remain under its security umbrella and continue investing in US companies, or will they embrace China in a ‘pivot’ that may be both ideologically aligned and economically beneficial?
Third, and finally, if the GCC states become leaders in these technologies, as intended, what are the implications for cyber risks? How will this change regional competition, both intra-GCC and regarding Iran, especially as the latter already seeks to circumvent US sanctions through cyberespionage, and tensions between Iran and the US increase?
These questions are essential for understanding not just the current state of cyber resilience in the GCC, but its future trajectory in the coming decades. Consequently, GCC governments should examine the impact of relevant new technologies on cyber resilience, discussing openly the risks of these technologies and appropriate solutions.