Middle Eastern CISOs work internationally to tackle security issues

While CISOs and other security leaders in government and business in the Middle East have challenges specific to the region, such as concerns about operational technology used in the oil and gas sector, regional and global knowledge sharing is increasingly seen as an important way to fight cybercrime.

With a yearly growth rate of 15%, global cybercrime damages are predicted to cost up to $10.5 trillion annually by 2025, up from $3 trillion in 2015, according to Cybersecurity Ventures.

Middle Eastern countries are not immune to cybercrime. In its State of Ransomware 2021 report, Sophos reported that that 38% of the UAE tech executives polled said they were attacked with ransomware during the past year.

Countries in the region are fighting back. End-user spending on security and risk management in the Middle East and North Africa (MENA) is forecast to total US$2.6 billion in 2022, showing an increase of 11.2% compared to last year, Gartner has forecast.

Prime targets of hacker attacks are medical and government institutions, as well as the retail sector, oil and gas companies and critical infrastructure.

The issue of countering cybercrime is on the agenda of governments worldwide, and the UAE along with the rest of the Middle East is no exception.

In 2019 the UAE came up with its new three-year national cybersecurity strategy that among other initiatives calls for implementing a legal and regulatory framework covering all types of cybercrime. It also aims to train 40,000 cybersecurity professionals and protect the UAE’s critical assets in nine sectors, including energy, ICT, government, electricity and water, finance and insurance, emergency and health services, transportation, and food and agriculture.

The UAE joins the global fight

The UAE is developing local and global partnerships to jointly fight cybercrime, according to Dr. Mohamed Al-Kuwaiti, head of cybersecurity for the UAE Government. Cybersecurity is not the responsibility of one entity, one person or one country — it is a collaborative job and shared responsibility across all, he says.          

“We are partnering not only with hackers, government and private entities, but also academia, and even school kids. They all work to secure safe digital lifestyle and environment. We are also actively working with international consortia,” Al-Kuwaiti says.

“In fact, we have just finished the biggest [virtual] cyber exercise [Cyber 193] where we had more than 140 countries working with us to train and share information in cybersecurity. We are also working with the UN and ITU.”

The UAE was ranked fifth worldwide in the International Telecommunications Union’s Global Cybersecurity Index 2020 for its advanced cybersecurity infrastructure, jumping from number 47 previously, Al-Kuwaiti says.

Cybercrime is dangerous to the country’s critical infrastructure, such as water and electricity, aviation, and healthcare. If any of these get hacked or disrupted it can wreak havoc, as in the case of cyberattacks on hospitals during the COVID-19 pandemic, Al-Kuwaiti says, referring to last year’s two ransomware attacks on hospitals in one week in France.

Interpol starts to work with GCC

Stephen Kavanagh, the executive director of Police Services for Interpol in France, says that his organisation is currently talking to Gulf Cooperation Council (GCC) authorities and particularly to the UAE to set up a cyber-desk for the Middle East region.

“We can’t deal with all of the cyberthreats from Lyon in France. We want to be able to work with regions and the Middle East is one of them. We are talking about how we can set up a cyber-desk for the Middle East so we can break down the threat vectors that are taking place and can look at the gateway partners,” Kavanagh says.

Data on threat vectors exist globally, but no one single law enforcement agency has all that information so there is need for new relationships and partnerships. The GCC can help Interpol bridge that gap and respond to the needs of businesses and individuals.

“Instead of just defending ourselves what we need is to be able to get back on the front foot and start arresting some of those cyber criminals and putting… them [behind bars],” Kavanagh says.

UAE tests, collects threat assessment data

Hassan Abdullah, director of Security Systems at Dubai Electronic Security Centre (DESC), said his organisation, which was established in 2014, is forming a bigger team together with the Dubai Digital Authority to fight cybercrime.

“It is a common thing for cybercriminals to try and test your networks but we have a very good defence system, while entities are mature and thanks to Dubai Cyber Index the response time is very high now from entities,” he says.

Dubai Index was set up in part to monitor compliance with government cybersecurity requirements.

“We measure the response time and the resolution of (test attacks) and if there is a malware on a computer. That has dramatically increased the response time of government entities,” Abdullah says.

With new technology increasingly being implemented throughout the region, the number of cyberattacks is expected to increase, but Abdullah is optimistic because there is more awareness now about cyberthreats.

“We work together hand-in-hand with international organisations as well as GCC entities to share information,” he added.

Challenges remain, however. Despite the fact that the UAE is witnessing an increase in tech talent, there is still a lack of experts in the field, Abdullah says.

“In UAE we need at least 3,000 cybersecurity experts in the next two years,” he says.

Efforts to groom talent continue; Dubai Cyber Innovation Park, the research arm of DESC, was officially launched during this year’s GISEC Global cybersecuirty event held in Dubai in March.

Healthcare particularly vulnerable

The healthcare sector is the most vulnerable to cyberattacks and is targeted more often than other sectors by cybercriminals, according to some cybersecurity experts.

Cyberattacks on hospitals are particularly dangerous, says Sultan Owais, digital lead at the UAE Prime Minister’s Office.

“We definitely need skills in many critical sectors. We also need technologies and norms and practices to meet this challenge,” Owais says.

Healthcare organisations have equipment that has been used for 20-25 years and it is not meant to be maintained from an IT perspective and updated. Such specialist equipment has unique weaknesses that commercial laptops bought from a shop don’t have, he explains.

Maintaining this equipment is its own sort of challenge that requires its own set of practices, Owais says. That’s why health regulators are setting priorities for the industry across the globe, he adds.

Cyberattacks on healthcare industry are especially dangerous because they don’t just deal with money but the health patients, notes Ramakrishnan Natarajan, vice president of IT at  Emirates Hospital.

Ransomware attacks compromise health records, including backups, and can make it impossible to get them back. And when health records are compromised, no one knows how they may be utilised, Natarajan says.

There are a lot of steps CISOs can take to fight these attacks. First of all, one needs to get the basics right, Natarajan says. The most important thing is that employees should be trained on healthcare safety and information security. In fact, this sort of training should be tied to their KPIs (key performance indicators), he suggests.

Healthcare organisations are top ransomware payors

Abdullah Marghalany, cybersecurity chief officer at the Ministry of Health, General Directorate of Health Affairs in Medina, Saudi Arabia, says that the healthcare system is the sector most attacked by cybercriminals and is the biggest payer of ransom money.

Every attack costs healthcare organisations $7 million on average and last year there were cyberattacks worldwide every 40 seconds, he says, adding that some 37% of all the cyberattacks in 2020 were on healthcare systems.

“Last year it cost the world $6 trillion of ransom money paid to cybercriminals. If we compare this money to countries’ economies, it would be the third largest economy in the world after the US and China,” he says.

Also, there are hidden costs. There are costs related to shutting down systems after a cyberattack, Marghalany says. Organisations, especially in the healthcare system, need to invest more in new technologies and also people to help confront cybercrime, he says.

The National Cybersecurity Authority of Saudi Arabia (NCA) compels every organisation and every CISO both in the public and private sectors to have a cybersecurity strategy and comply with NCA guidance, Marghalany notes.

In fact, the NCA audit organisations twice a year to check the compliance, he adds.

Saudi Arabia was ranked second after the US in the International Telecommunications Union’s Global Cybersecurity Index 2020 for its cutting-edge cybersecurity infrastructure, up from the previous year’s 40th place, he says.

OT a critical issue for critical infrastructure

The main challenge in protecting critical infrastructure from cyberattacks is OT (operational technology), according to a GCC-based oil and gas production cybersecurity expert, who did not want to be named. Most solution providers focus on IT rather than OT.

The existing solutions require the shutting down of production to put new applications in place, but that is difficult to do: oil must be pumped continually. It’s a very big problem, the expert said.

His views are echoed by a number of other industry experts.

In IT the main security issue is data. But OT includes physical assets, plants, equipment, and all kinds of hardware, which present countless attack vectors. So OT is easier to attack, said Jad H. Abdulsalam, CISO at Saudi Arabian Mining Company (Maaden).

That’s why priorities and methodologies are different for OT. The challenge on the OT side is that organisations have legacy infrastructure, as most plants were built at a time when today’s cybersecurity issues were not prevalent. This is the reason why most facilities do not have up-to-date security systems and controls. It requires some time for a complete upgrade of a plant or production line, Abdulsalam explains.

Some of the solutions require a complete upgrade, which is expensive, and if the upgrade requires suspension of a production line, it will cause huge financial losses and interruptions.

It will in turn affect the company’s reputation, commitments, and ability to deliver, Abdulsalam, says.

Attacks on OT on the rise

There has been an increase in cyberattacks on OT in the last five years and the impact of such attacks can be disastrous. OT security technology was designed back in 1980s and 1990s, while more recent industrial OT solutions have been developed in the last three to four years.

Currently, there are hundreds of OT technologies in the world that need to be evaluated with new security systems. It will take time, Abdulsalam says.

“It is one of the biggest challenges in our region because in our case in general, in OT, one of the main things that you need to have is the right level of visibility on the infrastructure otherwise you will not be able to identify and catch the threats,” Abdulsalam says.

“However, we are starting to see a good number of companies delivering solutions, but still it requires some time to bring it the right way and also for an organisation to go along with this new technology to be mature enough to reach the right level,” he added.

Shaik Abdulkhader, who up until recently was CISO at Qatar Petrochemical Co. (QAPCO), said because of the relative lack of maturity of OT security solutions, cybercriminals are committing crimes without getting caught.

A lack of information sharing in the region adds to the problem, he says.

Apparently, while international cooperation on security is ramping up, more work remains to be done.