Adel Hamaizia
Good morning, good afternoon, good evening, ladies and gentlemen. My name is Adel Hamaizia. I’m an Associate Fellow here at the Chatham House MENA Programme. I’m delighted to welcome you all to today’s Members’ Event in conjunction with the International Security Programme, a webinar on Cyber Resilience in the GCC.
Before introducing our outstanding panel, just some housekeeping and a very brief intro if I may. So, the event will be held on the record, it’s being recorded, and audience members may tweet using the #CHEvents. That’s CHEvents. I ask attendees to submit questions throughout the event using the ‘Q&A’ function, and of course, please feel free to share your name and affiliation, and remember, short and sweet, simplicity is indeed the ultimate sophistication. As we have just one single hour this morning, the format will go a little bit like this. Instead of a sort of regimented presentation approach, we’ll have a very cool, candid conversation with our speakers, for say a little over half an hour or so, before opening up for Q&A with attendees, you the audience.
So, the event builds on and is part-anchored around the Chatham House briefing paper, “Is the GCC Cyber Resilient?” And this is co-authored by my colleague, Dr Joyce Hakmeh, who leads our cyber work and, you know, is part of ongoing work on cyber. We had an excellent workshop yesterday, and this was co-authored with Dr James Shires, who is on our panel today, and I believe it will be posted, the report will be posted in the ‘Chat’, for those interested in a deeper dive.
So, we are aware that all GCC states continue to embark on diversification efforts under the umbrella of various national plans and visions, which of course, ultimately seek to wean ourselves off that thing called oil, the development of more productive economies, moving away from hydrocarbons and working towards innovation, technology, knowledge-oriented economies, increasing eCommerce, and of course other new – and fostering other new and infant industries. So, to that end, digitisation is an essential pillar of such efforts. If we take Saudi Vision 2030, something that at the MENA Programme we’ve looked at quite carefully, digitalisation is paramount to each and every one of the vision realisation programmes, and there are plans to transform some ten cities into smart cities. Think here of mega and giga projects such as Neom and the Line, and we could go all over the region for these sorts of projects. Moreover, if you think about the Kingdom, the third Five Year National Strategy for Digital Transformation in the Kingdom, refers explicitly to realising a smart government, and the eGovernment programme Yesser is just one example of others in the region.
So, the pandemic has naturally spurred digitalisation efforts, which have, in turn, resulted in countries in the region seeking to further develop their cyber resilience. But then, what do we mean by cyber resilience? So, a definition here, luckily that I have some academic affiliation, so it’d be remiss of me not to bring a definition into the discussion. So, according to the UK Government, cyber resilience is the ability for organisations to prepare for, respond to, and recover from cyberattacks and security breaches. Or in the words of a colleague at a workshop just yesterday, the ability to bounce back, and fast. So, when we think of cyberattacks in the Gulf, we often think of the headline-grabbing attacks. Of course, the Shamoon attack on Aramco and others all those years ago. Stuxnet, on the other side of the Gulf, often comes up as a case study. But beyond critical national infrastructure, which we’ll hear from – we will hear about today, including from our colleague Dr Shammari, mega events such as the Dubai Expo and World Cup 2022 represent just rich pickings for the criminally inclined, and I won’t go into state actors, I’ll let my colleagues do that perhaps.
And while we sort of speak of these, you know, larger and larger attacks, which grab the headlines, it is the large number of incessant smaller attacks, which, on aggregate, prove to be the more costly and the more disruptive. So, if we take the example of the UAE, according to a Kaspersky report, the total number of brute attacks on remote desktop protocols, which is used to access Windows and servers remotely, increased by 193% from 467,000 in February last year to 1.3 million in March, just a month after when the UAE’s lockdown measures were announced. In 2020 alone, the country experienced more than 15.8 million brute force attacks, where trial and error is used to guess login info. The sheer amount of attacks in the GCC has led to some Analysts and observers describing the COVID-19 era as a ‘cyber pandemic’.
So enough from me. A little bit of scene-setting there and now we move to the actual experts. We’ll discuss trends, challenges, opportunities, policy areas, and I’d like to start by introducing an asset-stripped bio, ‘cause our colleagues are esteemed, and we’d be here for a very long time, if we were to go through the bios word-for-word, line-for-line.
So, we have Dr Reem Al-Shammari, who is a global thought leader in cybersecurity and digital transformation, with more than two decades of experience and has led significant changes to the maturity of cybersecurity and technology in the energy sector, closely linked to Kuwait’s National Cybersecurity posture and digital oilfields transformation journeys. Of course, Kuwait being 94/95% hydrocarbon export revenue dependent. So, you can imagine that this industry is not so important, tongue-in-cheek.
We also have Shaikh Salman bin Mohammed bin Abdulla Al Khalifa, CEO of the National Cybersecurity Centre in Bahrain. He graduated from Suffolk University in Boston, Massachusetts, and in addition to his time serving at the Royal Court to set up the IT infrastructure, he is currently leading the Government of Bahrain’s Technical Team in migrating the IT services to Amazon’s AWS.
Last but not least, we have Dr James Shires, a contemporary, Assistant Professor at the Institute for Security and Global Affairs at Leiden University, a fellow of the Cyber Statecraft Initiative at the Atlantic Council, and he graduated from Oxford in IR and where he holds a DPhil.
So just to sort of kick things off, a sort of hello question if I may, if we could start maybe, Salman, we’re on first name terms I believe, honorific titles are all – have gone into the ether. If you could just tell us a little bit, what does an average day look like in your role, a sort of elevator pitch, 60 seconds, and if you could tell us, you know, about the establishment and your role, please, Salman, over to you.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
Thank you, Adel, a pleasure to be here. So, basically, we’re at the National Cybersecurity Centre in Bahrain is basically the new kid on the block. We are establishing ourselves, we’re ramping up, and so, the nature of our day is basically monitoring what we already have connected to our infrastructure and making sure that all things are green, and nothing’s being attacked. So, as we are ramping up and onboarding more people, the more that we see and the more issues that we find. And so, our objective is not only to monitor, but elevate the nation from a cybersecurity posture. So, putting in standards, ensuring that people are complying to that standard, and measuring where they are at that standard, and finding out, you know, solutions that can help bridge that security void that sometimes exists in smaller entities. It is a challenge, it’s a long four-year path ahead of us, but I think we’ve learned, from our regional experts and international experts, and where they’ve gone right and where they’ve gone wrong, and we sort of have a good path ahead of us, and we look forward to elevating our cybersecurity posture and resilience.
Adel Hamaizia
Thank you, Salman, I appreciate that. And over to you, Reem, can you tell us a little bit about – what does an everyday – what does an average day look like for you at that Kuwait Oil Company, the benefit in Kuwait’s economy?
Dr Reem Al-Shammari
Thank you so much, Adel. An average day for us in KOC, as you have referred that we contribute to more than 93% of our national income, is always full of challenges, because working in a national and critical infrastructure entity put us, the burden of embracing the digital transformation, as well as having it on the right aspect of all the cybersecurity culture and posture. So, today, from a cybersecurity perspective, where I play the role of a [inaudible – 09:39], we have laid the grounds for the basics of our cybersecurity frameworks, for OC, and established forums where we collaborate, whether it was on a national level or at sector level or even a regional level in oil and gas.
And then now jumping into the digital transformation role, heading this journey for cybersecurity from being a passenger actually to a driver seat, where I’m leading this digital transformation journey, with the perspective of a cybersecurity advocate, and for this, we are empowering the cybersecurity from our leadership up to our business users by embracing all of that. ‘Cause without such perspectives, the digital transformation can lead to catastrophic costs, and in fact, as you have just referred in your introduction, where cyberattacks are now causing more impact, because from financial impacts or sometimes, in some cases, which we’ll go through our discussion, even human and safety impacts. So, we need to do the balance and we need to make sure that this digital transformation, which we are being accelerated very much during the pandemic, is being secure, safe, and sustainable for the even post-pandemic Inshallah era as well.
Adel Hamaizia
Thank you so much, Reem. And over to you, James, if you can tell us a little bit about sort of GCC cyber as an area of analysis and your particular interest, I’d be most grateful.
Dr James Shires
Of course, and it’s great to be here with you, Adel. My area of research is in cybersecurity governance, very briefly looking at everything from conflict and competition in the global politics of cybersecurity. These are the kinds of incidents that Adel mentioned at the start, Stuxnet and Shamoon and many more since then. But also looking at norms and co-operation as well, how states can agree to move forward together, to collaborate on increasing their level of cybersecurity governance, both worldwide and in specific regions. I’ve done a lot of work in the GCC states, talking about working with different kinds of governance structures, and this leads us directly onto resilience at a regional level as well, as at a national level. So that’s the kind of work I’ve been doing, especially feeding into the paper that we’ve produced and is the basis for my remarks at this workshop.
Adel Hamaizia
And James, ‘cause I’m a kind colleague, talking of plugs, I believe you have a – is it a book or a monograph coming out?
Dr James Shires
Yeah, so there is a book coming out in a couple of months, The Politics of Cybersecurity in the Middle East, so if you do want to learn more about cybersecurity governance questions in that region, then do check it out.
Adel Hamaizia
Available at all good booksellers, or online, most probably. So just thinking of, you know, the reason we’re on Zoom, we all know why, COVID-19 has been dubbed as this great accelerator of digital transformation but has also naturally led to the cyberthreats we discussed earlier. So, it would be interesting to hear thoughts, as a free-for-all. How resilient do you think the GCC is against these threats, and what are, in your opinion, some of the key remaining challenges or blind spots? Who would like to come in first?
Dr James Shires
I’ll leave it to Reem.
Adel Hamaizia
Please.
Dr James Shires
Ladies first.
Adel Hamaizia
Reem?
Dr Reem Al-Shammari
Yes, sure. So, when we look at the cyber resilience, [inaudible – 13:07], it’s not something that we can develop and stay where we are. It’s a culture, it’s a journey, and it’s a type of vision that we need to build. Being as a resilient is something that human nature has been always, you know, embraced with, and being able to survive, and we have said it, and prepare, and respond, recover, and thrive. So, it’s all part of our lifecycle as human and survival as, you know, approach. So, making the cyber resilience today with the, again, accelerated digital transformation, has become a must. It’s not, like, a luxurious thing or what it will be nice to have, it’s no longer the case. We need to build cyber resilience completely on different layers where we inject people, process, and technology, in order for us to maintain sustainability. So, it’s not really about, “Let’s get the technologies, let’s spend this millions of dollars, and then we have a huge gap, when it comes to the human factor, and a huge gap in the processes that they’re supporting this technology.”
So, it’s a very complicated and challenging capability. It’s doable, once you have the rightful integration between the process, technology, and people, and do the rightful, let’s say, mix-and-match where you will be actually make it smarter. It’s about – not about adding the layers of defence and depth, now with this accelerated technology and the emerging technologies. It’s about making them act smarter. You can be sufficient with your existing layers of defence, but you need to make them work smarter, let them interact, and this is where it comes the big data and the analytics and the AI and ML, the machine learning, all of that. So, again, when we talk about cyber resilience, it’s not really a one man show, it’s a collective show that goes throughout all the organisation, where we need to build that culture in becoming a resilient and becoming a cyber aware culture.
Adel Hamaizia
Thank you, Reem. Salman, James, do you want to come in with a few more sort of, you know, if you could hone in on maybe specific challenges that you’ve seen in your day-to-day work. Salman.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
So as COVID really wreaked havoc on most IT organis – and I mean that because the concept and the architecture of IT and its security is built on the fundamentals of a castle and moat mindset, where you come to office and everything is protected, and everything within this realm is protected. Now, with COVID, that workplace had to be extended to people’s home, and we had to have people, you know, 25,000 people potentially work from home, accessing critical systems and services. So that became a massive security risk. Everybody did not have laptops, so we needed to depend on either the home PC or actually take the PC to the employees’ home and get it done. And so that opened up the attack surface to the homes of the employees, and that sort of complicated every scenario that was there, and we had to quickly, rapidly adapt to that change.
And so, the fundamentals of the way we built security into our infrastructure is fundamentally flawed. That method of castle and moat does not work, and it’ll be sectors moving away to a more zero trust kind of a concept, where you can work from anywhere, and that’s where we should be heading. But that is a trend that needed time to pick up, and to see that change happen on the ground. COVID has made this journey much faster, and we’re going to see uptake in that within Bahrain, making sure that government and even private sector, they need to think of zero trust from day one, and can work from anywhere, and so that we are ready to deliver banking services from anywhere, educational services from anywhere, and governmental services from anywhere.
So, there is a paradigm shift, and we’ve seen attacks. We’ve seen attacks on healthcare, has gone up tremendously, and we try to mitigate that and given the circumstances…
Adel Hamaizia
Pre-empting some questions, Salman, on national infrastructure.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
No, good. So that’s basically it. I think it’s a fundamental change, and as always, we need to adapt to it.
Adel Hamaizia
Thank you, Salman. James, are there any – maybe one or two blind spots that you can point to from your analysis on the subject?
Dr James Shires
Yeah, so I think I would want to position the framework of the argument we make in the paper, distinguishing between centralised and distributed cyber resilience. So, we can think of two broad kinds of threats in cyberspace or the information environment. One of these threats of intrusion to networks, the kind of thing that Salman is talking about. These can be disruptive or destructive, you know, causing different kinds of economic and other harms. There are also broader threats in the online environment itself, right? Misinformation, disinformation, bullying, these kinds of things that happen online, but aren’t to do with hacking, right? And maybe we have centralised cyber resilience as being a good answer to those broader threats, but not being a very good answer to the hacking and intrusion kind of threats. For that, we need distributed cyber resilience, pushing responsibility, bringing in people from around different countries, from the public and private sectors. Really saying, “Everyone has a part to play in this,” and that’s what we’re not seeing very much.
Adel Hamaizia
James, not to get into semantics, but could you sort of distinguish between decentralised and distributed? What do we mean here?
Dr James Shires
You could do that. Decentralised would be too far away. So decentralised implies no co-ordination at all, distribution implies there is co-ordination, there is connection between these elements, but actually, the responsibility lies in different levels.
Adel Hamaizia
Great, thank you, and just to come back to sort of the points on critical national infrastructure, Salman alluded to health and of course, Reem is operating in the hydrocarbon sector. Critical infrastructure, of course, you know, SOE is holding publicly-owned or largely publicly-owned. What are the sort of current challenges specifically to protecting critical infrastructures? Are there differences between other industries, and what do we mean by ‘critical’ really? Who wants to come in?
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
So, critical, obviously, are sectors that have a significant impact on the national economy if they get infected. So, could be healthcare, could be oil and gas, could be energy. They are – and banking, but I think getting – having that affected is obviously what we’re trying to avoid by putting specific sectoral standards and – but protecting them is a challenge, because yes, some public services are partially government-owned, but they are managed through a board, and they see themselves as an independent. So, in reality, you’re actually dealing with a private sector company that is owned by the government, and the government has no say in what they do.
So, the only way to sort of manage that decentralisation is by working with the regulator of that sector. So, if you’re working with the oil and gas regulator, to build up that unified standard that should be set and met by the operators of that sector, and then the regulator can manage that risk as well punish whoever is not complying with that standard. So, it is not the government’s role to set standard, but more the regulator setting standards with government, and as well, working together to bridge those gaps, whether as Dr James says, it is the responsibility of that distributed entity to defend themselves, but it is also the responsibility of the government to assist and create a benchmark where the IT in that IT department goes back to the board and says, “I need to do this to comply with the standard.” Because they find this difficult, getting the budgets to support their cybersecurity initiative, where the board is looking for, you know, profit, and they are – they know there is going to be a penalty towards that, then they will be more accepting of, you know, the IT team in a project that they can work with.
Adel Hamaizia
Absolutely. Reem, can you share your perspective from hydrocarbons, and if I can make the question a bit more difficult, but also bring in maybe the cost imperative into the discussion, you know, an SOE operates with a different budget to a private sector, and so I think you know where I’m going with this. I’d be grateful for your insights.
Dr Reem Al-Shammari
Yes, so I would relate to Shaikh Salman’s point when he said that we, as critical infrastructure, have a very critical responsibility to others. In this critical infrastructure, you see the cyber risks extend a physical arm, where it can impact people’s safety and even lives. Where you mention the healthcare attacks, unfortunately, last year was the first ever documented death in healthcare that was indirectly mapped to a ransomware attack on one of the German hospitals. And due to that attack on the hospital, they were not able to provide the health services for that patient, and for that she was deceased. And also, in comparison to that, healthcare critical infrastructure, if we look at oil and gas, we also see incidents where there was attacks to compromise safety systems, and these critical infrastructures, it’s no longer about just losing data. Losing data is to lead to financial impacts, but the crucial thing that keeps me always awake at night, is how we need to secure these safety systems and, you know, these huge assets, because once being compromised, people’s lives can be, you know, at risk. That’s why it’s only within these NCRs, our human – the cyber risk has this physical arm where it can really endanger people’s safety and lives.
So, if we look at only as, again, Shaikh Salman has pointed that it is a collaborative effort between us, to others, these challenges, and I always believe that wherever there’s a challenge, there’s opportunity beneath it, and we just need to focus on that opportunity and make it outweigh this challenge. So, for my own, again, area of expertise and our success stories, we have seen that, yes, as entities in the oil sector, and you keep referring to us as hydrocarbons, yes, we are energy and oil and gas sector, we have managed to unify the cyber framework that governs all these nine companies. And with that unified cyber framework, now we have a unified matrix that combines all the national standards, the guidelines that relates to our operations. In KOC we have healthcare, we have marine, we have off-shore, we have even electricity and water treatment. So, we have embedded, in this cyber framework for all the other nine companies, a unified cyber framework, and then we have some mapping it to our own maturity and our cyber posture and roadmap.
Having such a framework governing all of the whole oil sector within one country is a success by itself, because again, as Shaikh Salman said, it’s really a challenge for each institute to do it by itself, but when we collaborate as one sector, in a very highly targeted industry, where financially it is first being part of the energy sector, a second part of it, which requires us as collaboration. And I’m very much proud to say that within Kuwait we have achieved that, what we have a unified cyber framework for us in the energy sector, where we map, built out our communities and have our roadmaps ahead.
When we talk about cost-wise, now with the ransomware, with the impacts and with the production, it can be a temporary shaft to the ceilings, billions are being now, let’s say, being lost because of this inappropriate investment in IT, and I am no longer looking at as an IT issue. It’s actually a business risk, and the whole leadership is the one who owns this risk. It’s not an IT, actually, ownership, it’s in the leadership, ownership, and IT will be able to assist and would cater for this. One thing about cybersecurity is a business-wide, where IT and OT and these NCRs need to collaborate together to reduce this risk and to get them with the necessary actions.
Adel Hamaizia
Thank you, Reem. James, did you have anything that you wanted to add on the critical national infrastructure side, desalination, nuclear, or otherwise?
Dr James Shires
Yeah, just a quick cross-cutting point really, is that actually, it can be very difficult to tie specific vulnerabilities to sectors. What we see often is that shared IT services across sectors are equally vulnerable. So, saying there is a threat in this sector and not in that sector often doesn’t work in the cybersecurity space. You know, we can see this in the Hafnium or the Microsoft Exchange incidents, right, where you know, lots of organisations of all kinds are using those servers.
The other point that I wanted to make is that it is often about supply chains as well. Right, in the introduction of vulnerabilities, earlier on it’s the supply chains, or the entanglement of supply chains, in broader geopolitical questions. Where do you source your, you know, routers? Where do you, you know, outsource your data management? That kind of stuff as well. And this is where thinking about resilience rather than security is really helpful. Thinking about security says, “We can’t do this. We don’t want to get involved. We have to make sure everything is clean,” in maybe the US political parlance. Resilience would say, “No, we want to be able to do this, but ensure that we have enough redundancy, maybe in safety systems, or we encrypt our data, we take some protections, that we can carry on functioning, even though we’re not 100% secure or reliable, in terms of our supply chains.”
Adel Hamaizia
Thank you, James. You mentioned the US. I’m going to come to that shortly, before we go to Q&A. But I just wanted to come to something, which is at the heart of a lot of the development programmes, which is the people, developing the people, human capital development, etc., etc. So, it’s quite – I think it’s a sort of well-known issue that there is a global skills shortage in cyber security and in this space more generally. So, it would be interesting to hear thoughts on how the GCC is mitigating this shortage. And if I can again, make the question a little bit more difficult, how do you reconcile this with some of the nationalisation of workers’ policies in the region as well? I’m not sure who wants to take that on, who’ll come in first.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
I’ll take that on.
Adel Hamaizia
Perfect.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
So, building capacity is something dear to my heart. So, listen, we’ve got people graduating every year in IT regionally. The problem is that people don’t give them enough time and invest in them and build up capacity. So, you need to build up this mentorship programme and capacity building programme and really, you know, throw them in the deep and you will be surprised how people are able to pick up that knowledge and really shine. So, it is a problem, if you’re planning on hiring people internationally, but I think if you plan to build capacity locally, then I think it’s an opportunity, because there is this supply of technical resource is not going to end, and I believe that by having the right programmes at the university level, the right internship plan, the right capacity building plan, you can cover that in a few years, and that – I’ve seen it happen and people will shine. But they need to have the right mentorship, the right training programme, and have – trust the team to succeed and also fail. And if they do mess up, you don’t penalise them, you give them that support, and that will help cover that skills gap very quickly. We need to depend on our local resource, so I believe nationalisation and the skills gap go hand-in-hand.
Adel Hamaizia
But Salman, you guys are too expensive, so how do you – you nationals, you’re too expensive, so how do you compete with this war for [inaudible – 29:51] on experts?
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
They’re not – you will be surprised. You will find that the international workers are being paid more than the locals. It is fact, and this is not fiction.
Adel Hamaizia
In the private sector, yeah.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
No, even in government, an expat makes more than a local. So, the gap in pay is not there. You’re not hiring a local worker, you’re hiring a highly skilled technical person in demand internationally, so that kind of capital is not, you know, it’s real, so actually, there is an opportunity in hiring young locals, build up the capacity. But again, it is about the right mentorship, and that’s where you need the expert with you, building up your team. So that – I think it’s an opportunity.
Adel Hamaizia
Thank you. Reem, do you want to come in?
Dr Reem Al-Shammari
Yeah, I will echo what Shaikh Salman has mentioned, and again, cybersecurity is – has a lot outward passion. So, when you have a very passionate people that really loves secure to have this patriotic, you know, sense of securing our society’s future or our community now, all the kids are online and treating their online education as like the [inaudible – 31:06] said, these are being exposed to more, bigger communities. So, building a specialised, let’s say, technical traps, yes, there’s development through academia, as well as the certification from the well-trained institutes. So, it’s no longer about a Bachelor degree. Cyber is never about a Bachelor degree. It’s about getting your hands dirty and really exposing yourself to these on job training let’s say attachment, let’s say field studies, where they really go hand-in-hand, where the action happens, where we are on the frontiers trying to defend, trying to explore, and go and hunt, as we do with every court in our operations. Building the capabilities is always, there is a shortage, and I can see there’s a question about having the shortage, so again, there will always be a shortage in ever-emerging technologies. And there will always be, because this is a key – this an ongoing approach. But we need to, I think, more holistically, by utilising and make best of this technology, we can utilise AI and machine learning into perform the activities that humans are not very much required, and we can utilise these human capabilities into a more innovative and more, you know, creative pros where we can map this shortage.
So, again, we need to build this culture, not only a specific qualified technical expertise we need to – I’m sorry, we need to spread this culture into our communities, even within our kids, we need to raise this cyber awareness culture in our families, because this is our new lives, this is the new digital era, where it comes from education, health and even within our operations. As Shaikh Salman said, cyber working from everywhere, now cyber needs to be anywhere. So, I’m sorry, working from anywhere, then cyber needs to become now everywhere, or it was in our mindset, or even our lifestyle as well.
Adel Hamaizia
Absolutely, I know, this is one thing that I think keeps coming up, this notion of cyber hygiene and cyber awareness as a culture, a mindset, ‘the way we do things around here’ to use business school terminology. But James, unless you had any comments on that, I actually wanted to come to you on a more expansive topic that takes us to sort of global tectonic geopolitics, geoeconomics. And if you don’t mind, if you could sort of come in and start us off on this question, which is, when thinking about sort of the new technologies and a global competition around these technologies, how do they affect resilience? And I’d be grateful if you could touch specifically on elephant, camel in the room, which would be the US-China competition beyond Anchorage, clean networks, I think back to the last administration, Pompeo leaning even on Israel, one of the closest ally in the Middle East. So, if you can be leaned on by the US in Israel, surely the Gulf may have some questions or answers that it needs to think about when thinking about 5G, AI and the Huawei-isation of smart cities in the region.
Dr James Shires
Yeah, thanks very much. I’m just going to try and do a, sort of, like, circus flip and go from the resilience and the capacity building question into this geopolitical competition. Just to start with by reflecting a couple of the insights of the workshop that we had yesterday on capacity building, there was a lot of good conversation there, and I want to make sure that it was captured. One of the good insights was trying to push for regional centres of excellence, saying not everyone can do everything really well, but especially if you’re an academic institute or a government institute, really focus on training, focus on one specific part of the cyber resilience problem, and then share that across the region. And so maybe in Oman there’s one thing, maybe in Bahrain there’s another, maybe in Qatar there’s another, and these can work together and try and improve their resilience overall.
The next point I wanted to say was to think about capacity building and skills as two kinds of approaches. One is focused on qualifications. Right, there’s a lot of desire, especially given the skills shortage, to say, “Look, I’ve completed these certificates. I’ve got these letters, these – after my name,” that kind of thing. Now, sometimes that works, if it’s done in the right way, but often it doesn’t work, right? And as Reem very rightly said, you know, you need to get your hands dirty. We need to have lots of different kinds of expertise with people of all kinds of backgrounds. In Saudi Arabia, there’s a lot of really good penetration testing companies, right, former hackers going in and just trying it out themselves, right. So, this is a broad question about qualifications.
The same applies to technical standards, and we have a question from James in the ‘Chat’ saying, “Well, isn’t resilience all about technical standards or is it more indirect?” The answer is, depends what approach you take. If you want to take an approach to technical standards, this is all about passing an audit, that is ticking a certain box, then of course, they’re not going to work very well. If your approach to technical standards, as Shaikh Salman said earlier on, is all about the government assisting organisations in doing what they need to be doing anyway, then that’s much better.
Now, here’s my pivot to the geopolitical question.
Adel Hamaizia
Pivot to Asia or to the US?
Dr James Shires
Well, to both, because what happens is, you get this – before you have a – maybe a more sort of thoroughgoing Cold War kind of context, in terms of geopolitical competition between the US and China, especially when it gets into the broader security relationships, what you get is competition in technical standards, competing in cybersecurity and internet governance spheres, about who controls the way that the rules are set for these different companies, right? Is it – if we’re setting security standards for routers, does Huawei have a part to play in that? Or if the UK or the US said, maybe we can only set security standards that exclude Huawei. So, actually, these technical standards questions, things about resilience, things about security, are really an important part of the geopolitical question here overall. So, I would say, yes, there will be a lot of geopolitical competition coming up in the future. At the moment, this is taking place very much at the governance level, including in cyber technical standards.
Adel Hamaizia
Thank you so much. We’ve received quite a few questions, and we’re going to go live and ask people to sort of unmute themselves and speak. But one last question, if I may, and I’m going to pick on Reem, only because I was very happy when we had a conversation last week, I hope you don’t mind me disclosing, but there are sort of sector specific examples around GCC co-operation within your space, and I’d be very keen if you can just, for the benefit of colleagues, you know, NOC/NOC, National Oil Company/National Oil Company co-operation. Could you tell us a little bit about that?
Dr Reem Al-Shammari
Yes, I believe, five years ago, I’ve seen – I was witnessing in one of the GCC conferences, there was a wish, what if our culture, as the Middle East, we can share threat intelligence? Today, I’m saying, I’m so proud that we are sharing. We have formal forums of threat intelligence sharing on all levels, where it was at the sector level, and within Kuwait we have an oil and gas forum where we share threat intelligence on the spot, and our model is always throwing that together, and we have seen that into action. We have another also forum at the regional level, where we also share threat intelligence between the oil and gas entities, and what we have actually focused on, to break the culture of the Middle East where sharing intel information is a little bit, you know, conservative, we were focusing on sharing the technical aspects of the attacks and what are the signs of the attacks. I will avoid using any acronyms of cyber, because we know that some of the audience are not cyber. So, we were focusing on the impacts of that attack. What are the signs that we can foresee from that attack, and whomever, this is from our expertise, whoever attacks our neighbour is also attacking us at the same time. Whoever attacking my, okay, company, is also attacking me at the same time, because we’re sharing the same, let’s say blood, or operations, when we talk about oil and gas.
Having this heads up to my colleagues, to my members and to my partners in the region actually raised the cyber defences lines for them and make us more trustworthy. It has strengthened the confidence between us as a circle, and we became today, at least one step ahead from the adversaries, who are also collaborating and sharing these threat innovative techniques. Now, with this collaboration we are becoming more stronger. With this collaboration we have more heads up for others to share. So [inaudible – 39:58] have break – broken – the steely type of the culture where it’s very much, you know, conservative, sharing threat intelligence, because now, it’s about one region, as Shaikh Salman said, we are always working as one entity, when it comes to the GCC, and we will always do our best to target this objective and to make sure that we are all aligned with this same goal in securing. And we are today living these very strong collaboration and informal entities that collaborates in threat intelligence, which is hopefully, will be expanded at national and governmental sectors as well, Inshallah.
Adel Hamaizia
Thank you so much. Following the recent ruptures, in recent years within the GCC, where we hope you can put the co-operation back into GCC as we enter its fifth decade. I’d like now to go to questions in the audience. And I’m going to call on two people, starting with Majid Bee, and then going to Beverley Milton-Edwards. If you could share questions, as succinct as you’ve written them, if that’s possible. Majid, please. Can we unmute Majid?
Majid Bee
Hello, can you hear me?
Adel Hamaizia
Yes, we can. Please, Majid.
Majid Bee
Thank you. Shaikh Salman, and I wanted to ask, with Bahrain’s initiative, I think back in 2017, to move all government services or maybe a majority of the services into AWS with that agreement, obviously that’s for economic reasons, as well as expansion and flexibility on the government spending on IT services. But did you see a difference in the security spending in that perspective? Did it explode in spending? Did it increase beyond a certain expectation? Especially that the security that was available on AWS or Cloud services natively are very different from those on premises.
Adel Hamaizia
Thank you so much, Majid. Colleagues are welcome to share their affiliations as well, not under duress, but you’re welcome. Next question will go to Beverley Milton-Edwards, Beverley. Can we unmute Beverley? Are you with us? Hello Beverley? No? Going, going, gone. I’ll ask her question on her behalf in absentia. So, Beverley asked, “What key initiatives in 2021 can we point to from the GCC Standing Committee on Cyber in the development of common norms, and is there a future for cyber diplomacy in the GCC?” We’ll start with Salman, if you could pick up on the question, the Bahrain-specific question, then I’ll come to James and/or Reem on the second question.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
Sure, thank you Majid, though, for the question. So, moving to the Cloud was sort of scary for me. We get the instructions to go to the Cloud, it was scary, but we figured it out and how to do it in a more secure way. As to your question on spending, I mean, literally, the tools that are on the Cloud are the same thing on prem. You literally – moving to the Cloud allowed us to move more quickly. There is no bureaucracy in now purchasing anything on the Cloud. We don’t need to go through tenders, so it allowed us to react much faster, and the costs are actually much lower, ‘cause there’s no middleman. As for choice of product, it’s literally the best of breed, so we literally choose what we want and what works for us and try it out. So, it is actually more cost-effective and allows us to react very quickly. So, it’s been a blessing to cybersecurity. And there is not much tool differences, and we have just more choices than what’s being sold in the local market. So, it was better for us. I hope that answers your question.
Adel Hamaizia
Thank you, Salman. James, Reem, do one of you want to come in on the point around key initiatives, regarding the GCC Standing Committee on Cyber and the future for cyber diplomacy in the GCC?
Dr James Shires
I can come in, if that’s okay?
Adel Hamaizia
Please.
Dr James Shires
And just to talk a little bit about places where the GCC together can contribute to cyber diplomacy more broadly. The first thing to say, as well, clearly there’s some cyber diplomacy that has to go on intra-GCC, apparently, we know the diplomatic crisis has healed, but there’s still a lot to do there, in terms of increasing that co-ordination. I know we saw the Bahraini representative call very recently for a more unified approach across the GCC and maybe an even unified cybersecurity centre, right? So not just a planning committee, but a GCC cybersecurity centre.
More broadly, looking internationally, we can think about cyber diplomacy for GCC countries contributing to the open-ended working group of the UN, which has recently completed a report consensus on cybersecurity, and also, the future initiatives at the UN, and maybe a programme of action.
Finally, one thing that is increasingly happening, both in the region and more broadly, are states sharing their approach to international law in cyberspace, how that applies to cyber operations when states should and should not conduct cyber operations, especially against other states or critical infrastructure. International real questions on this question are not settled, and the more states that contribute their view, including the GCC states, the better.
Dr Reem Al-Shammari
Now, if I can add a comment…
Adel Hamaizia
You should – please.
Dr Reem Al-Shammari
…to James, again, this cyber resilience or cyber collaboration is a journey, and we have started to build collaborative initiatives at the GCC level, where we have done collective cyber drills between the GCC countries. We have our oil and gas sector forums, I think there’s also some financial collab forums and collaboration, but again, as James said, Dr James has referred that it’s a journey, and we can always enhance. When we talk about our collaboration at the global level, within Kuwait we are contributing at various entities where we talk about and representing there in the World Economic Forum with the cyber resilience initiative there. So, we’re contributing to the community very highly and very crucially, because we believe that cyber resilience or cybersecurity is a world matter and it’s a global issue, rather than only at the regional or even a local matter, where we always built on our collaboration, on our allies’ partnership, into confronting this ever-emerging threat, and having these defences and cybersecurity preparedness. So, we have, on the ground already, and in progress many initiatives that we are building up on it, but again, yet the future is also very much promising of enabling and increasing these contributions as we move ahead, Inshallah.
Adel Hamaizia
Thank you so much, Reem. Salman…
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
Yeah, if I may add, I just wanted to say…
Adel Hamaizia
– if you don’t mind, just adding a little point.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
So, with regards to cyber diplomacy, it is something that is factual, even with the situation that happened in the past, if one of the countries, that is not talking to the other, sees a problem, or an attack on a GCC country, even if they’re not talking, we’re picking up the phone and saying, “You are being attacked by X and Y.” So, it – politics aside, when it comes to the security of the GCC, security is paramount, and it’s number one on the radar, whether it’s physical security or cyber.
Adel Hamaizia
Thank you so much, Salman. What I’m going to ask for now, are very quick questions and very succinct answers, if that’s okay. Sayed Bashir, did you want to come in and ask just one of your questions, if that’s okay. One of your questions, and then we’ll go to Kayan Williams. Sayed Bashir, can we unmute Sayed Bashir? Sayed? Sayed, are you with us? Okay, no, I’ll read out his question again.
Sayed Bashir
Hi, yes.
Adel Hamaizia
Sayed, please.
Sayed Bashir
Yes, I’m here, I’m here. Thank you very much for the opportunity. I just, you know, being in this area for almost two decades, I see the little digital transformation happen, it’s only in the think tanks and the oil and gas sector. What about the other domains? And when are we going to, you know, focus, so that, you know, the whole sector comes up?
Adel Hamaizia
Sorry, could you repeat the last point, sorry?
Sayed Bashir
Yeah, so my question is, like, how about having the digitalisation transform or widespread it into other categories, other domains?
Adel Hamaizia
Okay.
Sayed Bashir
My internet is very bad, I’m sorry for that.
Adel Hamaizia
Thank you, Sayed, thank you. If we could go to Kayan Williams?
Kayan Williams
Yeah, and my question was really related to costs. I’ve spent a lot of time working in energy sectors, and often, when I’m building something like a power plant or a compressed liquid natural gas plant, that investment is supposed to last 30 or 40 or 50 years. So, my question to the panellists was really, how do you reconcile those long-term investments with the need for digitisation and digital transformation? Because you’re going to have some technical debt and loss of value, as you’re replacing old infrastructure with new infrastructure.
Adel Hamaizia
Very interesting question. Well, if we could start with the last one and go to Reem, if that’s okay. Could you say a little bit about, you know, costing and accounting jujitsu, when it comes to these sorts of projects?
Dr Reem Al-Shammari
Yes, it’s a very great question, thank you so much Kayan for asking it. At least I will say it from my own perspective. When we do an investment in digital transformation projects, or even in a project by itself, being a visionary leader, I always look at this investment to last five to ten years. Yes, emergent technology will always be there, and there will be always something to replace it, however, I equip that project, or I put this investment, with the flexibility to be, you know, expanded, to be enhanced, and again, to reflect this cost effective and return on investments. So, when they talk about digital transformation from our own perspectives, we look at the current investment, and how the new investment could actually do – lead us to the cost of optimisation, thrive toward excellence, operations enhancement, and really do the mapping with that, again, perspective of having a visionary long-term investment.
We come up with solutions, again, when we look at the existing or technology, transferring them or migrating them to the new ERPs or new environments, which I’m currently being challenged with. We do the mapping and the balancing, and we always avoid the big bank. Having a big bank can be catastrophic when it leads to the obstruction of business or even reflection on costs. So, we always need to balance this new technologies and old technologies, and have always this perspective of a long-term investment, by adding the necessary controls that enables you to have this flexible rocket, where I always keep telling my people and my partners, “When I’m building a rocket, I’m building a rocket that can sufficient serve me and my country – and my company, sorry, for the coming 15 years. I need to have this flexibility of features that will always keep it renewable and always keep it geared up with all the new adapts and tech apps that will make it always able to keep up with this, you know, emerging technologies.” So, it’s always about how we embrace these technologies and how we really, rightfully, put this investment that can serve us on the long run.
Adel Hamaizia
Great, thank you, Reem. If we could get just a couple of – one or two very quick comments on the first question, which was, which sort of new domains or frontiers can we, sort of, you know, incorporate digitalisation into our efforts? Salman or James?
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
Salman or James? You know what? Basically, I think everything’s been touched digitally, every – I mean, with COVID, getting your groceries, getting your food delivered, getting this, everything has been transformed digitally. I don’t think anything has not been touched by this digital transformation, and with that, obviously, the risks associated with it is ever-increasing. So, I don’t see a sector that is not being digitised. I mean, at least here in Bahrain, whether it’s banking, whether the way we transfer money, whether it’s financial services, whether it’s healthcare, all of that has changed, and hopefully, for the better.
Adel Hamaizia
Thank you, I’m going to…
Dr James Shires
Just to add to that.
Adel Hamaizia
Sorry, James, please.
Dr James Shires
Very quickly, the danger is that some sectors do continue, especially if you have separate regulatory frameworks, or even free trade or separate zones, right? And this is clearly the case in data protection in the GCC, where you have different data protection legislation, especially for financial centres, compared to the country as a whole. So, there is still a danger that these rather than acting as leading lights that then spread elsewhere, that these sort of run away from the rest of the states, and that doesn’t help the regulatory framework.
Adel Hamaizia
Great, thank you. We’re going to wrap up soon, ‘cause we have a hard stop at 11:00, but I’m wanting to creep in a couple of last things and a question from Esther, which will sort of help us sum everything up with our key takeaways and lessons. But I wanted to come back to the geopolitics and geoeconomics and opportunities or challenges because I like to do that. And that is, we had an interesting political, geopolitical development at the end of last year, with the Abraham Accords. Naturally, we’re all aware of Israeli cyber prowess and technological prowess. Could we get any comments from whoever would like to comment on this, on what are – you know, what are the opportunities or challenges around this? Are we going to have issues around normalisers not wanting to co-operate with non-normalisers in this space, or is that a far-fetched idea? Who would like to comment on that?
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
I’ll take a shot at that question, Adel.
Adel Hamaizia
Please, and Salman, for the benefit of our colleagues, where Salman is sitting in Bahrain, Bahrain is one of the four countries in the region that reached an agreement, as part of these Accords with Israel.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
So, I think we all want peace. We don’t want to have unstable countries around us. I mean, we’ve seen this with the Arab Spring, it does not help anyone, people’s lives get lost, and at the end of the day, we want peace, and we want each country to grow naturally. So, when you get into the politics, it is the same threat actor that is common amongst us. We are being attacked by the same threat actor, and that same – the more we unite to stabilise the region, the better our citizens will live. With regard to sharing information, that is left to each country, and I think what toolsets that they use, what they don’t choose to use, is left to the individual states, but at the end of the day, we all have the same goal in mind, and is the peace and stability of our nations and the prosperity of our citizens. And that’s our ultimate goal, and we all share that same common goal and same adversary. So, I think we will potentially work better together as a whole, and I think time will tell where this will lead us.
Adel Hamaizia
Thank you, Salman. Did you have anything to come in on that point, James?
Dr James Shires
Yeah, so I have – I could make a couple of broader points, questions on the Israeli model for cybersecurity, in terms of civil/military relations from the tech sector.
Adel Hamaizia
And in 60 seconds, can you?
Dr James Shires
And then, very quickly, there is a danger, there’s a risk, that maybe normalisers will be dragged into Israeli/Iran cyber confrontation. We’ve seen tit-for-tat disputes there, happening over the last year or so. That is a risk that I think we need to be more aware of.
Adel Hamaizia
Thank you so much for that, that’s excellent, and then it’s a point that we’ve touched on. And dual use technology we can come to in future engagements and activities and data storage zones and competition within the GCC, Riyadh, Abu Dhabi, regional HQs, etc., etc. So those are a few footnotes for a discussion and further research and engagement. What I’d like to do now is, I wanted to get your sort of final takeaways or couple of lessons learned in sort of 60 seconds, and if we could frame them around a question from colleague Esther Naylor. I won’t ask her to come in, but I’ll read out her question. She asks, “How can GCC states show leadership in cyber, and what opportunities are there for co-operation among the states?” So, in your sort of, you know, final takeaways, I’d be grateful if you could comment on those, and if you could maybe – quantifying is always helpful, give the GCC, as an aggregate body, a grade out of ten on how it’s doing for cyber resilience. We’ll start with James.
Dr James Shires
Sure, so I would give the GCC a seven, mainly because, you know, that’s a standard grade at Leiden University. And, you know, it means there is plenty more to do, but they can definitely show leadership, not only in terms of doing more internally and intra-GCC, but also looking out to the world as well, taking a bigger step, in terms of cyber diplomacy, international cyber governance.
Adel Hamaizia
Great, thank you so much, James. Salman?
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
I think we come from the same university, probably, James, so we’ll give our countries seven. Yes, there’s a lot to do, and I think, you know, to be resilient is, I think, to depend on your local capacity, build up that capacity, be as agile as your attackers are, because we can’t isolate ourselves and say, “I’m not going to share this, I’m not going to co-operate.” No, your adversary is sharing information, sharing tools, in seconds and hours, and we can’t wait days to share information. So, I think the globe can – you know, we can share information, share our tools, and be as agile within the GCC and with our international colleagues and act as one entity, I think we’ll be more resilient and be able to defend ourselves better.
Adel Hamaizia
Thank you so much, Salman. Last word to you, Reem.
Dr Reem Al-Shammari
And thank you so much. So, it’s a little bit controversial to put a number on that, because being an Engineer, I will always do my math rightful before I put a number, so I will not put it as a scale of ten. However, I will say we are in a very good scale where we are maturing, and again, it’s a journey. Leadership is always the one that owns and dictates this culture and all of us, whether it was at a government level or a regional level or of course within the country itself, or within the company itself, the key takeaway is actually to always prioritise. We cannot secure everything at the same time, so we need to prioritise, and this reflects one of the questions, how about the cost? How can I handle the cost? You cannot do the big bank, you cannot secure everything, you need to know your crown jewels, you need to define your tech landscape.
As Shaikh Salman said, we’re now at a bigger landscape with this new norm, so we need to define it, we need to know our crown jewels, and prioritising and securing them and build the collaboration all around us, whether it was locally, regionally, and globally. Because we will always be stronger together, and this is what I have seen put it into action, and it was always making us enhancing each other, whether it was by more sharing, threat intelligence sharing or even building on experiences. If there’s a success story, I can just leverage it, and this work is happening currently today, within the forums that I have mentioned, and I’m very much proud what we have achieved in two years of hugely enriching an environment, and we work as one team. Again, Inshallah Salman, when you said it, we are one team, one region, we are that into action when you talk about the energy sector, and I am very confident that we share the same culture when we elaborate it on the whole region, as one. We say it in Arabic [mother tongue – 60:48], but we always work as one entity, Inshallah, in the current times as well.
Adel Hamaizia
Thank you so much, Reem. I think it was a fantastic session, as Patricia Lewis has just mentioned in the chat. I’d agree we’ve covered a lot of ground from San Francisco to Shanghai, Tangiers to Tehran, from Kuwait to the Cloud. I think it was a truly brilliant tour d’horizon. I ask colleagues to continue to follow the work of the International Security Programme on this issue, led by Joyce Hakmeh and Esther Naylor. I’d like to take this opportunity to thank our wonderful speakers. I’ve learnt a lot. We hope to get them over to Chatham House in peacetime, beyond Zoom, handshakes and all. I’d also like to thank Chatham House colleagues. As I say, Joyce Hakmeh, Lauren Cornwall, Esther Taylor and Clare Smiley for making this event happen, and last but not least, you, the participants for your valuable questions and for tuning in. Have a lovely rest of the day and evening. Thank you very much. Take care, goodbye.
Dr Reem Al-Shammari
Thank you so much, [mother tongue – 61:49], thank you.
Shaikh Salman bin Mohammed bin Abdulla Al Khalifa
Thank you, Adel, thank you. Take care.
Dr James Shires
Thank you.
Dr Reem Al-Shammari
Okay, everyone.