Chatham House briefing
Published 9 March 2020
Updated 14 December 2020
ISBN: 978 1 78413 388 7
How would the states of the Gulf Cooperation Council (GCC) respond to a serious cyber incident? This could be a global ransomware event, a critical infrastructure incident targeted at the energy sector, or an attack on government departments. This paper examines cyber resilience in the states of the GCC.
All GCC states have long-term national plans that seek to refocus their economies from extractive industries towards technology and innovation, reduce the role of the public sector, and reduce high expatriate numbers through extensive training and preferential treatment for citizens.49 Following these national plans, GCC states have taken significant steps to digitize government services, with the UAE ahead of the others in many respects. Following early attention garnered by Dubai’s e-government measures in the mid-2000s, and extensive collaboration with international consultants in 2013 and 2014, the UAE occupied 34th position in the 2017 Waseda International Digital Government Rankings, with especially high scores in the promotion of digital government (9th) and e-participation (7th).50
All GCC states have long-term national plans that seek to refocus their economies from extractive industries towards technology and innovation
In the context of digitizing their governments and societies, the GCC states have all adopted measures aimed at increasing cyber resilience and at upgrading cybersecurity capacity. According to the ITU Global Cybersecurity Index (GCI), Saudi Arabia, Oman and Qatar score highly, ranking as the top three countries of the Arab world on the index.51 The following three states from the region were the UAE, Kuwait and Bahrain. The ITU index measures elements of state cybersecurity based on a range of legal, organizational, technical, capacity-building and cooperation measures. Although the ITU’s index results are often questioned, given that they rely on self-assessment by states, the positions that the GCC states occupy on the index are nonetheless significant and show the resources and investment that these countries have put in so far compared to the rest of the Arab states.52
|
Country |
Score |
Regional rank |
Global rank |
|---|---|---|---|
|
Saudi Arabia |
0.881 |
1 |
13 |
|
Oman |
0.868 |
2 |
16 |
|
Qatar |
0.860 |
3 |
17 |
|
UAE |
0.807 |
4 |
33 |
|
Kuwait |
0.600 |
5 |
67 |
|
Bahrain |
0.585 |
6 |
68 |
Source: Compiled by authors from ITU, Global Cybersecurity Index 2018.
The ITU index illustrates how GCC states have taken many measures to improve their cybersecurity posture (see Table 2). As detailed in previous papers in this series, all GCC states have developed national cybersecurity strategies and introduced or revamped their cybercrime and electronic transaction legislation. Some states have also introduced national data protection legislation. The GCC states have all created dedicated cybersecurity organizations building on earlier computer emergency response teams (CERTs). Regarding standards, the GCC Standardization Organization lists Arabic versions of the ISO 27001 cybersecurity standard published in 2009 and 2015, respectively. Notably, the UAE national cybersecurity agency, established in 2012, has also published its own cybersecurity regulatory framework, the Information Assurance Standards (IAS), based on ISO 27001 versions 2005, 2013, and the US NIST 2014 cybersecurity framework.53 The level of cybersecurity expertise is also increasing, with many universities offering undergraduate and graduate qualifications in technical and organizational aspects of cybersecurity, and significant take-up of these courses, especially by female students. Finally, the GCC states have all engaged in extensive wider education efforts, especially in child online protection in Oman and Saudi Arabia, and some regional cooperation at a GCC and Arab-state level, as well as with longstanding military partners in the US and Europe.
Overall, GCC states seek to be front-runners in digital innovation and so are vulnerable to an increasing range of cyberthreats. GCC governments have invested significantly in cybersecurity, especially since the landmark Shamoon cyberattack in Saudi Arabia and Qatar in 2012.
|
Measure |
Bahrain |
Kuwait |
Oman |
Qatar |
KSA |
UAE |
|---|---|---|---|---|---|---|
|
Cybercrime law54 |
2014 |
2015 |
2011 |
2014 |
2015 |
2012 |
|
Data protection law55 |
2018 |
– |
– |
2016 |
– |
– |
|
Cybersecurity strategy56 |
2017 |
2017 |
2010 |
2014 |
2013 |
2019 |
|
Cybersecurity organization57 |
MOI/IeGO/TRA |
CITRA |
OCERT |
QCERT |
NCSC |
TRA |
Source: Compiled by the authors.
However, there is more work still to be done in all the above areas. Despite the positive and unified picture portrayed in GCC cybersecurity strategies, they lack detail and remain very high-level, creating an image of a coherent approach without specifying clear guidance for individuals and organizations.58 For cybersecurity organizations, publicly available information on their services is limited, impeding them from playing their expected role of promoting effective IT security practices and in creating a culture of cyber awareness and hygiene.
Moreover, these organizations have shifting and overlapping areas of responsibility: for example, at a national level the relative power of Saudi Arabia’s National Cybersecurity Authority (NCA), the Saudi Federation for Cybersecurity, and National Cyber Security Center (NCSC) have changed significantly in the past three years, while, in the UAE, Dubai’s independent cybersecurity authorities and regulations have not always been coordinated with governmental initiatives in Abu Dhabi. In Bahrain and Qatar, even where there is a responsible cybersecurity organization its relative responsibilities in relation to the Ministry of Interior are not always clear, and operational activity still resides in the latter. In their review of several states’ cyber readiness, the Potomac Institute for Policy Studies reported that Saudi Arabia (the only GCC state included in the review) was ‘still insufficiently prepared in all essential elements of cyber readiness’ in 2017.59
Although the ITU Index accurately captures government regulations in relation to cybersecurity, it does not measure the implementation of key standards and regulation in both the public and private sectors. To gain a better understanding, this paper analyses implementation in the GCC using the available data, beginning with an overview of technical standards and data protection regulation, and then examines the finance, health and energy sectors – considered to be the key national infrastructure sectors in the GCC countries.
For technical standards, ISO conducts an annual survey to measure the implementation of key standards including 27001 (in both 2005 and 2013 versions), illustrated in Figure 1. ISO 27001 is the international standard for information security management systems. It comprises a set of measures aimed at achieving protection and preservation of an organization’s information in line with the principles of confidentiality, integrity and availability. This survey shows that the number of ISO certificates has grown gradually in the GCC in this period, although it stayed static (and in Oman, declined) around 2013, potentially due to the introduction of the newer version of the ISO standard. The UAE is far ahead of the rest of the GCC in ISO certification, although Qatar has a high number of certificates given its small size.
ISO also tracks the number of sites where ISO 27001 applied between 2007 and 2015 (the last year for which data is available).60 This data also shows an increase in this period, although with declines in the UAE, Saudi Arabia and Oman after 2013, again potentially due to the new version of the standard. Other surveys suggest that implementation of ISO cybersecurity standards is uneven in the GCC. An academic survey of ISO 27001 in Saudi Arabia in 2014 found that standards were low on security professionals’ priorities, below personnel issues like training, expertise or salary, and organizational ones such as management involvement.61 This suggests that, despite the impressive educational opportunities in cybersecurity in the GCC, these skills are not always translated into professional practice. Overall, the GCC has adopted international cybersecurity standards slowly and unevenly, and with many businesses focused on older versions of these standards after newer ones are available.
For data protection regulation, in media interviews some cybersecurity professionals claimed that only 30–35 per cent of UAE companies would be compliant with European data protection standards (GDPR), and around half that number were even aware of the steps necessary for compliance.62 A survey by a data storage solution provider, including 100 respondents in the UAE, highlighted the existence of large amounts of data in organizations that could contravene GDPR requirements.63 Separately, Gulf Business Machines (GBM) has conducted an annual survey of ‘IT/security managers and professionals’ in the GCC since 2014 (the last year for which data is available is 2017), with the number of respondents varying between around 600 and 1,500.64 The survey is presented as an independent analysis of the cybersecurity community, although the results are shown in a way clearly designed to market GBM products. Despite this bias, its sample size and repetition make it a valuable source in an area of limited data. This survey suggests that cybersecurity capacity is slowly increasing in the private sector, as 43 per cent of enterprise respondents claimed they had the capabilities to predict and prevent cyberattacks in 2015, rising to 50 per cent in 2016; similarly, 58 per cent claimed they had an effective security strategy in 2015, rising to 79 per cent in 2017.
For finance, digital financial transactions are governed by e-transaction and e-commerce laws introduced throughout the GCC between 2002 (UAE) and 2014 (Kuwait). There are several free-trade zones in the GCC that operate under different financial regulations to the rest of the state, the most notable being the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM) and the Qatar Financial Centre (QFC). These centres also have different cybersecurity regulations, mainly focusing on data protection: DIFC is regulated by a data protection law introduced in 2005, amended in 2012; ADGM’s data protection regulation was introduced in 2015 and amended in 2018 (with an Office of Data Protection established in 2017); and the QFC has had separate data protection regulation since 2005. These regulations aim to ensure that businesses in these free-trade zones are able to work internationally, and so they explicitly claim to follow international regulations, especially that of the European Union. However, financial regulation – including on data disclosure requirements – has been insufficient to prevent the inclusion of the UAE and Oman on an EU list of 17 countries, finalized in March 2019, which either failed to comply with required financial ‘good-governance’ criteria or did not commit to doing so.65
43 per cent of enterprise respondents claimed they had the capabilities to predict and prevent cyberattacks in 2015, rising to 50 per cent in 2016
For health, the UAE has introduced Federal Law no.2 2019 for healthcare data, while Dubai’s Healthcare City has had separate data protection regulation since 2013. In Saudi Arabia the transfer of financial and health information is regulated by the relevant sector bodies. The other GCC states do not have separate healthcare cybersecurity regulation.
Given the GCC ‘late rentier’ economic model, cybersecurity threats to the oil and gas sector are particularly concerning for national governments.66 Companies in this sector have extra cybersecurity responsibilities due to their crucial role in the functioning of the state and as a core economic foundation for both international stability and national welfare. There have been several notable cyberattacks against the oil and gas industry in the GCC, including the Shamoon incident in 2012, and more recently malware that altered the settings of industrial control safety systems in a Saudi petrochemical and refining complex in 2017, with the potential to disrupt production and harm employees.67 Cybersecurity provision in the energy sector, and oil and gas in particular, has three particular challenges, in addition to the wider issues above.68 First, there is an economic incentive for companies to adopt IP-based operational technology networks for more efficient production, creating practical problems in isolating such networks from their internet-connected business networks. Second, the cybersecurity priority for these companies is protection from espionage (corporate or state-sponsored), rather than damage, as the former is seen as a more immediate threat to their business model and reputation. Third, like other industries, the oil and gas sector has a long and complicated supply chain, with many vulnerabilities introduced early on, so transferring good practices down the supply chain is difficult.
Overall, the uneven nature of cybersecurity provision in the GCC states means that it may be difficult for these states to recover from a large-scale cyber incident. GCC states need to improve their cyber resilience as well as their cybersecurity in order to withstand and rapidly recover from cyber disruption.
