The Middle East is currently associated with extremists, civil wars and other threats of a physical nature. While governments and the security industry have been preoccupied with mitigating physical threats, a newer and less visible danger has been wreaking havoc under the radar. The Middle East suffers more cyber-attacks, and larger financial losses from them, than any other region in the world. These attacks range from spam emails to Distributed Denial of Service attacks to data theft. In addition to relatively small-scale, private and local cyber operations, the Middle East now features on the international cyber battleground. Middle East ‘cyber warriors’ are capable of derailing nuclear weapons programmes, as in the Stuxnet attack of 2010, and of inflicting significant damage on multinational corporations, as in the Ababil Campaign of 2012 and the Saudi Aramco incident of 2015.
In the commercial sphere, the increased publicity given to cyber threats has made many Middle Eastern companies more aware of their vulnerabilities. Some have done what they can to mitigate the risks, moving data onto digital devices, clouds, and social media. Others have not upgraded their cyber-security practices or their technical defences. However, without the necessary resources and experience at higher levels, attacks against Middle Eastern businesses will continue to escalate, thereby increasing insecurity. These new cyber-security threats have resulted in millions of dollars’ worth of damage to governmental and financial institutions around the world.
Thus the trend of cyber-attacks in the Middle East appears to be increasing, at both a commercial and a governmental level. The emergence of the so-called ‘Internet of Things’ (the inter-networking of physical devices, cars, and buildings) and aspiring ‘smart cities’ (electronically interconnected urban infrastructures) such as Dubai creates yet more opportunities for hackers to interfere with anything from air-conditioning and microphones to power grids and vehicle braking systems. As the cyber threat increases its intrusion into the physical realm, state actors will have to prevent not only the loss of data but loss of life too. It is thus possible for cyber-attackers – given the motive – to turn off traffic lights to create pile-ups, prevent cars from applying their brakes and even short-circuit power grids in Riyadh, causing heat-related deaths in the peak of summer. As the threat increases, so too must state and city authorities consider how they can ensure adequate defence.
However, the reality is that such a rapidly developing threat cannot always be countered, even with pre-warning courtesy of the best intelligence. This means that the relevant authorities have no choice but to prioritise the systems that might need protecting, because not everything can be defended. Prioritisation requires leadership input and cannot be left to mid-level technicians. In other words, while the technicians are responsible for the technical cyber ‘fixes’, senior management – both within business and governments – is accountable for the appropriate apportionment of resources to ensure that mitigation is aligned with endorsed priorities. In the broadest of terms, these priorities are likely to be orientated towards the protection of people, the environment, reputation and business, in that order. Given increasing outsourcing of government functions to private contractors, governments – in the Middle East as elsewhere – must ensure that business is well-protected wherever national interests are dependent on commercial entities. Gone are the days when military forces allocated to ‘key point defence’ in time of war could concentrate exclusively on physical protection.
Trends to watch out for in the near future:
- Turning decision-making over to machines will be entirely seductive but safe if and only if that delegation can be withdrawn, meaning that the conditions for operating without that delegation are maintained.
- Pre-deployment of cyber weaponry in otherwise non-military positions (devices, networks, etc.) is all but certain. Much of it will be for tactical denial of information service of one form or another, but that is likely to expand into disinformation as soon as sensors assume a place in the critical path for autonomous devices.
- Cyber-attack detection using behavioural techniques, or anomaly detection against long-term norms for example, will be used with greater vigour and immense side-effect.
- The tendency for democratic regimes to delay meaningful response, and then to over-respond, will be demonstrated by cyber events.
- The information given up voluntarily in social media will be increasingly employed by governmental actors. In non-free jurisdictions, disinformation plants in social media will continue to rise in tactical utility to those jurisdictions’ aims. In free jurisdictions, social media will be a substantial component of the clearance process.
- The mismatch between features of IPv4 and IPv6 is likely to be exploited in unforeseeable ways, perhaps beginning with address hopping.
- Cybersecurity as a science will remain a goal and not an accomplishment.
Developing strategies to engage in and defend against cyber warfare, and to initiate operations against remote targets without risking the lives of citizens and soldiers, will mark a new and dynamic era in geopolitics in the Middle East. Such an approach will be cost-effective and reinforce “deterrence”.
Amit Khosa: Analyst of the Observatory against the Terrorist Threat and the Jihadist Radicalization of SECINDEF (Security, Intelligence and Defense) Israel-USA International Consulting Counterterrorism. Member of the SECINDEF Team in India, the United States and Israel. Strategic Advisor / Analyst Counter Terrorism and International Security.