The Middle East’s Cyber Security Crisis

John Sheldon

Many security specialists consider the Middle East to be the testbed for cyber espionage and warfare, especially since 2009 when the Iranian nuclear program was attacked by a malicious software called Stuxnet, allegedly by Israel and the United States. Cyberspace plays a vital role across the Middle East’s public, economic, political and strategic spheres. This year is likely to prove a watershed for the region as cybercrime, terrorism, warfare and espionage all combine into what can be described as a toxic brew that could ignite or further exacerbate already volatile tensions and crises. As if this were not bad enough, the real accelerant to these phenomena is the woeful state of cyber security throughout the region.

Yet, the vast majority of cyber incidences and attacks, whether against individuals, companies or even governments, are eminently preventable if basic safeguards are put in place and a security-conscious culture is promoted through public and workplace education and training. In looking at the cyberspace trends that are emerging and coalescing in the Middle East, it is obvious why a region-wide focus on cyber security is urgently needed.

Criminal use of cyberspace is growing rapidly throughout the region as internet use expands. This rise in cybercrime is greater than in any other part of the world. Organized crime gangs from Egypt, Israel, Lebanon and Turkey – as well as gangs from Albania, Armenia and Russia – are increasingly turning to online criminal activity in the Middle East. Similarly, terrorist groups are also turning to cybercrime in order to help finance their operations.

Next, while ISIS effectively is gone from its supposed caliphate in Syria and Iraq, it is as dangerous as ever as a terrorist threat and will likely grow a bigger presence on the internet for recruitment, financing, propaganda and coordination of attacks. Meanwhile, other terrorist groups across the region, from Hamas to Hezbollah, are revamping their online presence with more slick production standards and sophistication. In 2017, Hamas mounted a sophisticated phishing campaign on Facebook that lured Israeli soldiers to accounts that purportedly belonged to beautiful young women, convincing them to give up personal details to the terrorist group. These kinds of online information operations by states and non-state groups across the Middle East will occur more frequently, and with greater sophistication, against a range of military, political and economic targets.

And while everyone spies on everyone else, or so it seems, Iran has been particularly brazen in its cyber-espionage activities against its own citizens, as well as against its regional rivals, especially Saudi Arabia. These espionage campaigns are getting better in their execution and more difficult to detect, and will continue unabated. Significantly, while Middle Eastern governments, companies and other institutions should expect that countries like Israel, China, Russia and the United States can probably access their networks at will, more and more countries within the Arab world are acquiring the technical expertise and tradecraft required to carry out their own cyber-espionage operations.

While the Middle East is regarded by great powers as a testbed for cyber-warfare concepts, as demonstrated by the 2009 Stuxnet attack against the Iranian nuclear program, the majority of states within the region have not engaged in cyber warfare until very recently. With the exception of Israel and, to a lesser extent, Iran, most Middle Eastern states have only recently viewed cyber warfare as a viable tool in interstate rivalry and competition. According to David Patrikarakos, author of “War in 140 Characters,” information has always been a major component in war, but was always used to complement conventional force. In the 21st century, however, information is the very thing being fought over and conventional force is increasingly complementing information operations. As more and more countries across the Middle East incorporate cyber-warfare capabilities and expertise into their national security institutions, the immediate future is likely to see a significant uptick in cyber warfare among countries in the region.

On all cyber fronts, the picture looks uncertain for the Middle East, a prospect not helped by the fact that, apart from Israel, no Middle Eastern country has a significant technology base where cyber technologies and software are indigenously developed, manufactured and sold. The Middle East is behind most global benchmarks in the development and use of artificial intelligence and machine learning, software development and certification, and in robotics and other forms of automation. But it is in cyber security practice and awareness and training that the Middle East is really behind.

Yet, with relatively modest investments and effort, the majority of the malign actors in cyberspace can be thwarted. Cyber-security technologies are important and enjoy healthy sales in the region. But cyber-security technology and software are only as good as the security culture practiced by its human users, and it is here where citizens, executives and policymakers should make a concerted effort.

Simple yet effective training in cyber hygiene for all employees in the workplace can go a long way in preventing the majority of cybercrime and espionage incidences. Similarly, cyber-hygiene education and training in schools, universities and in local media for all citizens who use information communication technologies can also make a large dent.

More advanced cyber-security training in government ministries, strategic industries and in media organizations is also likely needed – again, for all employees – but will pay dividends in terms of the reduction in successful cyber incidences and attacks. Regional and international companies offering cyber-security solutions should make a greater effort to emphasize the non-technical side of security to their regional clients. And private citizens, corporate executives and policymakers should all promote the idea that cyber security is the responsibility of all of us who use information technology, not just the IT department.

John B Sheldon is chairman and president of ThorGroup, a technology-policy consulting company and publisher of SpaceWatch Global.