The New Battlefront: Cyber Security Across the GCC

Defense & Security

Reports

Posted On: October 29, 2018

30 minutes read

Defense & Security

Reports

Gulf International Forum

Abstract

In the past decade, the Gulf region has become increasingly digitalized as its respective nations seek to modernize their societies in order to achieve economic diversity. Naturally however, through increased digitalization comes greater vulnerability to cyberspace hackers. Thus, the aim of this research is to assess the GCC’s ability to handle emerging cyber-threats to its technology-reliant infrastructure. Through the study of various scholarly publications, data, news articles, and government documents, it is evident that there are inconsistencies among the GCC countries resulting in varying levels of cyber-readiness. It appears that the United Arab Emirates (UAE), Oman, and Qatar are relatively better equipped than Saudi Arabia, Bahrain, and Kuwait to handle emerging cyber threats, such as those originating from Iran. While this research encompasses a diverse collection of sources, unfortunately, there is often a lack of both transparency on government security initiatives. Due to this limited information, one of the main obstacles this research faced was gathering data on government cybersecurity initiatives.

Introduction

As conventional warfare grows increasingly obsolete, the future of combat will undoubtedly shift towards the domain of cyberspace. In this dynamic dimension, an individual can inflict devastating damage upon an adversary by shutting down a power grid, effectively sabotaging the entire infrastructure of a country and unleashing civil unrest, all from a laptop thousands of miles away. Facing this threat, governments and businesses around the world are racing to reallocate their resources toward developing cyber competence to emerge as capable actors in such a precarious realm. Such important developments include investing in research, fostering education, hiring experts on the topic, and integrating cyber efforts between governments and the private sector. The GCC, however, exists in a region ranked in the bottom half-percentile for cyber education and training where roughly more than two-thirds of organizations lack the ability to protect themselves from sophisticated hacks.[1] The population of the GCC is also mostly comprised of a younger, more technologically active generation, yet the region’s lack of cyber-education exposes internet users and their networks to vicious cyber-attacks.

As internet activity has increased in the region over the past decade, a consequential series of cyberattacks have also plagued the region, such as the 2012 Aramco hack,[2] the 2012 RasGas hack,[3] and the 2017 WannaCry attack.[4] Menacingly, experts predict that prominent global events such as Dubai Expo 2020 and Qatar World Cup 2022 will only increase attacks on the region. In the past year alone, 41% of Gulf-based companies reported cyber hacks, a substantial increase from the 28% reported in 2016.[5] Consequentially, 74% of CEOs in the region view the risk of breaches in data privacy as the most pertinent threat to stakeholder trust in the business, much higher than the global average of 55% determined by a global.[6] While the loss of sensitive data is often the primary concern in cyber hacks, these worries often overshadow the potential for financial losses such as when Saudi and Emirati firms lost upwards of $5.3 million to hacks in the first eight months of 2018 alone.[7] In a region as tense as the Gulf, it is important that these cyber interactions are closely-monitored, as foreign intrusions can easily be interpreted as legitimate attacks on the state, thus creating potential for a counter-attack or a declaration of war.

Several GCC countries are actively pursuing modernization, digitalization, and economic diversification under ambitious agendas such as Saudi Arabia’s Vision 2030 or the UAE’s Vision 2021. Through these visions, some of the countries are rapidly growing their presence in cyberspace by developing ‘smart cities’ and utilizing ecommerce. However, as their reliance on technology increases, naturally, their vulnerability to intrusions into these systems grows as well. Given this push to digitalization, it is a fair question to wonder if the GCC countries are prepared to address these security threats which threaten their vital enterprises? Despite the efforts of some countries to boost their cyber-prowess, the region is plagued with limitations in their cyber defenses such as insufficient legislation, national centralization, and inter-state cooperation. Through the analysis of multiple indicators of overall cyber-preparedness such as national legislation, rankings by international organizations, and inter-state cooperation, this research finds that Qatar, the UAE, and Oman are the leading cyber powers in the Gulf region while Kuwait, Bahrain, and Saudi Arabia relatively lag. Considering these indicators, this research also translates each country’s cyber-readiness to their ability to combat emerging cyber threats in the region such as those from Iran–a highly-capable cyber power threatening the entire Gulf region today.

Individual Country Breakdowns

Saudi Arabia

With the largest economy in the Middle East, one of the most internet-active populations in the world, and a rapidly growing IT sector, cybersecurity is vital to The Kingdom of Saudi Arabia’s Vision 2030 plan which seeks to diversify its economy away from oil and gas. Saudi Arabia’s interest in cybersecurity exploded following the notorious 2012 Aramco cyberattack which resulted in a complete shutdown of the company’s digital infrastructure as the hackers posted sensitive company data on the internet.[8] Shocked by this event, Saudi Arabia has since created a variety of institutions to combat emerging cyber threats, including a Computer Emergency Response Team (CERT), a National Cyber Security Center (NCSC), and a National Cyber Security Authority (NCSA), composed of government officials pulled from already existing defense, security, and intelligence ministries and agencies.[9] These developments are particularly welcoming to the Saudis as they not only integrate multi-sector coordination in cybersecurity, but also prioritize cyber research and development–a sector that is estimated to reach a value of $3.4 billion by 2019.[10] Moreover, Saudi Arabia has passed an “Anti-Cyber Crime” law which designates a series of punishments for a variety of associated crimes.[11] While it is important for a country to have this type of penal system in place for cybercrimes, unfortunately, Saudi Arabia’s legislation appears purely reactionary, and fails to increase the country’s ability to deter intrusions and mitigate their fallout. Even more concerning, while Saudi Arabia does have some sectoral privacy laws for communications and financial,[12] these vague laws, (deemed as such by experts) have yet to develop a comprehensive data privacy law, often seen as a crucial step for protecting sensitive data in cyberspace.[13]

Of the many indicators of cyber-readiness, the lack of a national cyber strategy or a centralization of cyber operations poses the greatest hindrance toe Saudi Arabia’s overall cyber-readiness.[14] Crucial for any country as it promotes an adept and inclusive agenda, a national cyber strategy would foster coordination among each of the country’s sectors toward shared cyber goals. Saudi Arabia’s failure to create a unified strategy has also caused fragmentation in cyber-defense, as the responsibility is undertaken independently by a variety of ministries, agencies, and private companies. While collaboration between all sectors is vital for a nation’s overall readiness, centralizing cybersecurity under one platform is a crucial step for a country to combat cyber threats in a coordinated and precise manner. Realizing the failures of this key ally in the Middle East, the U.S. has increased its support for the development of Saudi Arabia’s cyber capabilities, making the improvement of cyber infrastructure a major component of a recent $110 billion modernization deal. [15]

Still, as the Saudi’s cyber failures persist, the GCI has allotted Saudi Arabia a score of .569[16] and on July 25, 2018, Kaspersky Lab’s “Cyberthreat Real-Time Map” officially ranked the country as the 15^th most-cyber-attacked country in the world.[17] While Saudi Arabia has strong reactionary measures in place, such as its CERT and Anti-Cyber Crime legislation, it requires more preventative controls to meet the coming threats, which ideally should be organized by the NCSC and NCSA into a single centralized strategy. As a linchpin to stability in the region, Saudi Arabia must increase its cyber-readiness to ensure security both for itself and external interests in the region.

Bahrain

Due to its key geographic positioning, membership within the GCC, and hosting of the largest U.S. naval base in the region, Bahrain must upgrade its cyber-readiness, particularly by creating a national CERT as part of an enhanced national cyber strategy that can effectively address the region’s growing threats. Similar to Saudi Arabia, Bahrain has made some progress in stimulating its overall cyber-readiness, however the island-nation too has some similarly glaring shortcomings. After cyber activism, or so-called “hacktivism”[18] was widely-used in 2011 to incite protests in the Kingdom despite government impediments,[19] Bahrain became particularly incentivized to up its cyber-readiness. In light of these events, and a rapid jump from a 55% to an astonishing 98% internet penetration rate within the country over the past decade,[20] Bahrain has subsequently developed a national cyber strategy to combat emerging threats. However, Bahrain’s strategy remains brief and outdated. For example, it discusses the need to “develop a cyber law”,[21] despite the country already having done so at the time of this research. In actuality, the Bahraini government has passed multiple pieces of legislation relevant to cybersecurity including laws related to information technology, protection of state data, telecommunications,[22] and a cybercrime law, which is based off the Budapest Convention on Cybercrime–a boost for the Bahrainis in their cyber-awareness.[23] Although the strategy is a progressive step, it provides no specific timeline for any of its objectives, suggesting that progress could be slow and unmeasurable. Furthermore, Bahrain has yet to even establish a national CERT, effectively undercutting their ability to respond to attacks, likely one of the main reasons why the GCI has assigned the country a score of .467.[24] In 2016, three Bahraini government officials attended a U.S. sponsored event on CERT development,[25] yet even after this experience the government has failed to implement such lessons. Recognizing this deficiency, the Bahrain Central Bank has established its own CERT, at least increasing the ability to protect vital financial enterprises.[26

UAE

With the second largest economy in the Middle East and a GDP close to $400 billion, the United Arab Emirates is undeniably a favored target for cyber-attacks, ranking as the number one most-targeted country in the Middle East and the 25^th most-targeted globally as of July 25, 2018.[27] [28] In 2017, 5% of all global cyber-attacks targeted the UAE,[29] throughout which 3 million Emiratis collectively lost over $1 billion.[30] These surprising statistics showcase the reality of the UAE’s allure to hackers, and have resulted in the GCI giving the country a score of .566.[31] Featuring a 91% internet penetration rate[32] and a rate of mobile cellular subscriptions per 100 people more than double that found in the U.S.,[33] the UAE is undoubtedly one of the most digitalized countries in the world today. While this achievement is in-line with the state’s Vision 2021 strategy, as the country reaches its digitalization goals, the UAE is consequently making itself more exposed to hackers.

Taking steps to prevent and mitigate prospective cyber disasters, the UAE has come to terms with the reality of its precarious situation. Accordingly, it has pursued a series of measures including the development of a national cyber strategy, establishment of both a National Electronic Security Authority and a CERT, opening of a cybersecurity center in Dubai, and passing of multiple pieces of legislation. Included in this latter category are federal regulations related to the protection of intellectual property, electronic commerce, the prevention of cyber-crimes, and a recently updated harsh penal system for cyber-crimes.[34] Impressively, the UAE has allocated a large portion of resources aimed at increasing cyber defenses within an initiative to double spending on homeland security by 2024, providing a measurable timeline to map future progress in that sector.[35] Realizing that it is still maturing as a cyber actor, part of the UAE’s national strategy emphasizes education, a recent prioritization which will see the country working with international institutions to train the next generation of cyber experts.[36]

While the government in Abu Dhabi has taken considerable steps to protect the cyber infrastructure of the entire federation, the prized piece of the country’s cyber defense is Dubai’s very own cyber strategy. In this 36-page document, His Highness Sheikh Mohammed bin Rashid Al Maktoum, ruler of Dubai, outlines five key areas of focus for the city: cyber smart society, innovation, cybersecurity, cyber resilience, and national and international cooperation.[37] This strategy is a commendable initiative for the country as it specifically aids in protecting the unique and vital financial sector in Dubai, attractive targets which suffered major attacks from 2012-2014.[38]

Even with these impressive marks, the UAE has fallen victim to many notable cyber-attacks including a 2016 ATM skimmer plot which witnessed thousands of Emiratis losing money to hackers, and Operation Ghoul, which in the same year targeted the industrial, engineering, shipping, and trading sectors in the UAE and KSA.[39]

Although the UAE has had a troublesome past with cyber-attacks, so far 2018 has looked promising, with the country experiencing a 48% decrease in attacks compared to the same period in 2017.[40] This statistic, paired with the comprehensive cyber infrastructure initiatives adopted by the country in the past few years, places the UAE in particularly good standing to handle cyber threats aimed at the country. As Dubai seeks to become an entirely ‘smart-city’, (making it more vulnerable to cyber intrusions), and as it prepares to host the Dubai Expo 2020, the UAE should continue its current initiatives to reinforce its cyber capabilities to better protect both itself and the many international enterprises that have a stake in the country.

Kuwait

As the second-most targeted country for cyber-attacks in the Gulf region,[41] Kuwait has been slower than some other GCC countries in adequately addressing the relative threats posed to its cyber infrastructure. The scale of these threats is evident in the fact that in 2017 alone, Kuwait lost $1.4 billion to cybercrimes, a 4.9% increase from losses in 2016.[42] Although it has established a detailed, timely national cyber strategy comparable to those of the UAE and Qatar,[43] it has yet to meet many crucial benchmarks, such as establishing a CERT or creating a cyber curriculum in Kuwaiti universities.

However, based on recent initiatives, there is reason to expect future progress. For example, in January 2018 Kuwait hosted an international conference for cyber experts, focused on education and developing international ties on cybersecurity. Additionally, Kuwait recently enacted particularly harsh legislation assigning severe consequences for a variety of cybercrimes, such as guidelines that set sentencing at up to 10 years in jail.[44] As a country with delicate oil and financial industries, Kuwait does not adequately address cybersecurity, resulting in the GCI assigning it a score of .104.[45] If Kuwait desires to fully modernize under its Vision 2035 plan, it must focus on developing its cyber defenses, beginning with the realization of the goals of its cyber strategy, if the country wants to protect its institutions that as of late remain vulnerable.

Qatar

Today, Qatar is widely-known for managing strained relations amidst the consequential economic blockade currently ongoing with a few of its Arab neighbors. In June 2017, there was an intrusion into the Qatari government’s network, allowing hackers to post incendiary, fraudulent content attributed to the Emir of Qatar via the Qatar News Agency and various social media accounts.[46] While some may view this attack as a minor intrusion, its ramifications have proven catastrophic, resulting in a crisis which has persisted for over a year now, thus displaying the ability of a seemingly minor cyber hack to have massive consequences for a country. While this attack painstakingly exposed weaknesses in the country’s cyber defenses, Qatar actually has an impressive record of improving its cyber-readiness. Similar to that of the UAE’s, Qatar’s Ministry of Transport and Communications established a detailed national cyber strategy in 2013. This strategy established a variety of initiatives relevant to cybersecurity including a CERT, Risk Expert Committees, a Cyber Crimes Investigation Center, and a Cybersecurity Coordination Office. Additionally, it directed the Qatar Central Bank (QCB) to tailor its own Banking Supervision Rules to protect the country’s vital financial institutions by fostering specific cooperation between the QCB and the CERT.[47] Interestingly, following the inception of its national strategy, Qatar has begun conducting annual national cybersecurity drills. [48] While cybersecurity drills are common among businesses and agencies, few countries organize such a practice on a national scale, making Qatar’s consistency in doing so an obvious plus for its ability to manage any imminent attacks.

Qatar has taken these precautionary steps due to its precarious situation as well as its plan to host the World Cup in 2022. It has an established CERT which, according to the prime minister, is proficient in handling cyber threats.[49] Qatar has recognized the importance of research and development in the area of cybersecurity as seen by the creation of the Qatar Computing Research Institute, that’s job is to promote such initiatives.[50] Additionally, Qatar has sent government officials to international cybersecurity events,[51] and has hosted cyber experts from around the world to consult on the topic.[52] And, despite its strained international relations with some neighbors, Qatar has recently called for the establishment of a standardized international platform through Interpol to “enhance communication and cooperation in the field of sport events cybersecurity”.[53] This latter development shows that Qatar recognizes the necessity of international participation in cybersecurity efforts around the globe.

Despite these notable marks, the country still has some holes in its overall cyber-defense platform. Although its cyber readiness ranks better than many other countries, Doha’s strategy acknowledges that they lack sufficient cyber experts. Further, the nation’s cybersecurity platform remains fractured amongst a variety of companies and institutions and must become more centralized at the national level.[54] Yet, given Qatar’s regular cyber drills, this fragmentation is not quite as concerning since they allow all of these institutions to practice cooperation. Additionally, its cyber strategy drafted specific objectives for 2014-2018, which were largely achieved, such as creating legislation and enhancing international cyber cooperation. However, despite meeting most of its goals, the country now needs to update the strategy for the future, ideally with a focus on preparation for the 2022 World Cup. Still, Qatar has admirably prioritized cybersecurity in a comprehensive manner, and although it may have a higher level of readiness than other countries, it is vital for the country to increase these efforts to handle the growing allure the country provides to hackers around the globe.

Oman

Although it is not as modernized or technologically advanced as some of its neighbors, the Sultanate of Oman ranked third in the Middle East for countries’ cyber-readiness in 2018 and 2017 under the GCI.[55][56] Despite their meager 86% internet-penetration rate,[57] Oman has a robust national cyber strategy and a highly-active CERT, even offering a “security meter” on their website–a mechanism that utilizes live data to determine the level of cyber vulnerability in the country at any given time.[58]

A large reason for its high rank is due to Oman’s eGovernance Framework. This thorough set of regulatory legislation organizes government IT projects in a manner aligned with the country’s cyber strategy and establishes appropriate standards for realistic IT initiatives, effectively reducing the risk of intrusion for the country.[59] Among other laws, such as an anti-cybercrime act and e-transactions law, this legal framework allotted Oman a GCI score of .98 out of 1 for cyber legislation in 2017, second in the world only behind Estonia.[60] Moreover, Oman has displayed ambition in the areas of research and development and international cooperation related to cybersecurity. Muscat is home to the International Telecommunication Union’s (ITU) Middle East Regional Cybersecurity Centre[61] and an Ernst and Young cybersecurity threat center,[62] both of which draw flocks of cybersecurity experts who share expertise and collaborate on cybersecurity initiatives. Additionally, Omani officials are known to constantly attend numerous international cybersecurity conferences around the globe, many hosted by the multiple international cyber organizations with which Oman is already affiliated, such as the Anti Phishing Working Group (APWG) and the Forum of Incident Response and Security Teams (FIRST).[63]

As a result of these comprehensive measures, Oman successfully thwarted 880 million cyber-attacks which targeted the country in 2017. With this profound record, it is no surprise that Oman’s CERT is responsible for coordinating the GCC’s CERT throughout the region.[64] As a clear regional hub for cybersecurity, Oman has emerged as one of the most cyber-ready countries in the region despite being a generally low-tech society. Other countries in the region should look to Oman as a model for cybersecurity, particularly focusing on their detailed legislation, focus on research and education, and diligent international collaboration.

Regional Cyber Threats

Although each of these countries have their own unique cyber infrastructures and differing levels of cyber-readiness, and thus were assessed on an individual basis, it is important to reiterate that international cooperation is key to any successful cyber strategy. Ibrahim Alshamrani, executive director of operations at Saudi Arabia’s National Cybersecurity Centre has noted that although the GCC countries cooperate on cybersecurity, they “cannot work alone” and their current efforts are insufficient.[65] Largely, deficient cooperation efforts stem from the current Gulf Crisis which has fostered cyber-attacks between Qatar and its blockading neighbors, most notably Saudi Arabia and the UAE. Particularly for the GCC, cooperation among these states is vital to deter emerging cyber threats, such as those originating from Iran. Nested opposite to the Arab Gulf states, Iran is widely-regarded as one of the most menacing cyber state actors in the world today and regarded by the U.S. government as the third biggest cyber threat today behind China and Russia.[66] While the identities and affiliations of these hackers are often unclear, U.S. intelligence generally suggests that many of these hackers are either backed by, or at least affiliated with the central government in Tehran. Growing tensions over the past decade in the Gulf region have led increased trends of Iranian cyber-attacks against GCC countries, particularly after Iran’s nuclear facilities were victimized by the devastating Stuxnet cyber-attack in 2010, allegedly perpetrated by Israel and the U.S.[67] In response to GCC countries importing western cyber experts to bolster their cyber capabilities, Iran has initiated increased cooperation with Russian hackers to gain training from some of the premier cyber hackers in the world today.[68] This cooperation was observed in a 2017 intrusion into Aramco’s systems in which evidence apparently showed direct Russian-Iranian participation in executing the attack.[69]

Although Iran based-groups have conducted countless significant attacks against the GCC countries, one such sequence of attacks known as Operation Cleaver is particularly noteworthy. Operation Cleaver was a coordinated series of global cyber-attacks conducted by Iranian based hackers that infiltrated Kuwait, Saudi Arabia, Qatar, and the UAE from 2012-2014 and, (due to the covertness of the hackers), potentially beyond. Specifically, these attacks targeted the oil and gas industries, telecommunications, airports, government entities, and airlines, which experts surmise were conducted both to gain negotiating influence over the targeted countries and to exact revenge for the Stuxnet attack.[70] Although a Cylance report published on the operation states the hackers were acting in the interest of Iran, the U.S. government never officially regarded the attack as sanctioned by the Tehran government. An Iranian government representative commented that such an accusation “is a baseless and unfounded allegation fabricated to tarnish the Iranian government image”.[71] However, the reality of heavy internet usage restriction in Iran makes it unlikely that the hackers would be able to successfully operate without the knowledge of government officials. Due to the sheer volume of attacks conducted under this operation, the exact damage to the GCC industries is unclear, particularly since many of the victims were unaware of the intrusions until months later. However, intrusions of this sort carry additional concern for the GCC governments as aside from merely stealing data or shutting down systems, Iranian hackers could, through a process known as phishing, monitor sensitive information being circulated through either company or government networks. This information could potentially provide Tehran with vital intelligence, allotting them an advantage amidst an ongoing strategic standoff in the region. Although, aside from exposing the weaknesses in the countries’ defense mechanisms at the time, the attack also showcased the Iranian ability to conduct such a large-scale effort–an alarming reality for the Gulf region. Observers expect that this trend of Iranian aggression will persist as Iran seeks retribution for U.S. sanctions and the Gulf countries’ support for such measures. Thus, the GCC must recalculate the allocation of their defense resources to accordingly secure their interests in the cyber realm from imminent Iranian aggression.

GCC Collaboration

Considering their security pact, the GCC does indeed foster inter-state collaboration to boost the region’s cyber-defense capabilities. While some countries collaborate more than others in the region, all countries have been united by participating in a GCC-wide cybersecurity drill organized by the Qatari CERT,[72] contributing to a GCC CERT, consolidating efforts in the ITU regional cybersecurity center in Muscat, and host conferences such as the upcoming 2019 Gulf International Cyber Security Symposium.[73] This growing focus is expected to lead to a cybersecurity industry in the region which will surpass $10.4 billion in value by 2022, a key sector in the region’s objective to develop sustainable economic growth.[74]

Outside of the region, the GCC has pursued united international cooperation with countries such as the UK and U.S. through meetings in which both sides have agreed to increased collaboration on cybersecurity initiatives hoping to guard the GCC from external aggression, just as it does through air and missile defense collaboration.[75] [76] Despite such agreements, the GCC in general needs to continue increasing its international involvement in cybersecurity by following the lead of Oman in joining groups such as APWG and FIRST. Additionally, the block should continue to bring in experts on the topic[77] in order to counter the influx of Russian experts aiding Iranian cyber warriors.

The GCC must acknowledge that, due to increasing globalization, effective cybersecurity is not a task that can be successfully tackled by any one country alone. The bloc must also realize that due to their economic and geographical integration, if one country has vulnerabilities in their cyber infrastructure, all countries in the region are consequently vulnerable. Thus, the GCC countries must not only cease cyber aggression amongst themselves but should also unite under a common platform that puts each individual country on a similar level of cyber-readiness under unified standards.

Conclusion

While the GCC has ambitiously undertaken the goal of developing modern, digitalized societies, it appears that there are inconsistencies among the region in sufficiently protecting these enterprises and other vital institutions that are highly-vulnerable to cyber threats. Generally speaking, Qatar, the UAE, and Oman stand as relative leaders in cyber-readiness in the region, while Saudi Arabia, Bahrain, and Kuwait lag, inadequately meeting the needs of other advancements in their countries’ infrastructure. In an increasingly globalized world, the fate of a country’s security no longer rests on one country’s actions alone. Thus, although some countries are proficient in their cybersecurity, the failures of neighboring countries increase the entire region’s vulnerability. If the GCC seeks regional stability, it must comprehensively develop inter-state and intra-state practices, standards, and mechanisms that are tailored to the region’s unique geographic positioning, regional adversaries, and developing economies. Without coordinated efforts from governments, the private sector, and average civilians, the region will be unable to protect the delicate diversified economies and digitalized societies it aims to develop under various modernization plans.

The research was conducted by GIF Research Intern Russell Seeger with the supervision of GIF Executive Director Dania Thafer.

References:

[1] Moreau, Madeline. 2015. “How strong are the Middle East’s cybersecurity networks.” Global Risk Insights. https://globalriskinsights.com/2015/09/how-strong-are-the-middle-easts-cybersecurity-networks/

[2] Leyden, John. 2012. “Hack on Saudi Aramco hit 30,000 workstations, oil firm admits.” The Register, August 29. https://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/

[3] Zetter, Kim. 2012. “QATARI GAS COMPANY HIT WITH VIRUS IN WAVE OF ATTACKS ON ENERGY COMPANIES.” Wired, August 30. https://www.wired.com/2012/08/hack-attack-strikes-rasgas/

[4] Everington, John. 2017. “UAE on high alert over WannaCry attack.” The National, May 13. https://www.thenational.ae/business/uae-on-high-alert-over-wannacry-attack-1.71629

[5] Xuequan, Mu. 2018. “Cyber attacks on Gulf Arab firms rise sharply in last 12 months: report.” Xinhua, May 2. http://www.xinhuanet.com/english/2018-05/02/c_137149712.htm

[6] Ashkar, Hani and Anderson, Stephen. 2016. “Confidence and courage through change.” PWC. https://www.pwc.com/m1/en/ceo-survey/middle-east-findings.html#concerns

[7] Geronimo, Adelle. 2018. “Data breaches cost Saudi Arabia, UAE firms up to $5.31M.” Tahawul Tech, July 29. https://www.tahawultech.com/industry/technology/data-breaches-cost-saudi-arabia-uae-firms-up-to-5-31m/

[8] Leyden, John. 2012. “Hack on Saudi Aramco hit 30,000 workstations, oil firm admits.” The Register, August 29. https://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/

[9] Reuters. 2017. “Saudi Arabia sets up new authority for cyber security.” November 1. https://www.reuters.com/article/us-saudi-cyber-security/saudi-arabia-sets-up-new-authority-for-cyber-security-idUSKBN1D13HS

[10] Hathaway, Spidalieri, Alsowailm. 2017. “KINGDOM OF SAUDI ARABIA CYBER READINESS AT A GLANCE.” Potomac Institute. http://www.potomacinstitute.org/images/CRI/CRI2_0_SaudiArabiaPofile.pdf

[11] Amrutha, M. 2017. “Saudi Arabia Cyber Crime Laws.” STA. https://www.stalawfirm.com/en/blogs/view/atthack-anti-cyber-crime-law-in-saudi-arabia.html

[12] Unwala, Azhar. 2017. “Why Saudi Arabia’s New Cyber Security Authority Will Need The Private Sector To Succeed.” Frontera, December 4. https://frontera.net/news/mena/why-saudi-arabias-new-cyber-security-authority-will-need-the-private-sector-to-succeed/

[13] Kalman, Matthew. 2017. “New Saudi Cybersecurity Agency May Prompt Broader Privacy Law.” Bloomberg. https://www.bna.com/new-saudi-cybersecurity-n73014471770/

[14] Hathaway, Spidalieri, Alsowailm. 2017. “KINGDOM OF SAUDI ARABIA CYBER READINESS AT A GLANCE.” Potomac Institute. http://www.potomacinstitute.org/images/CRI/CRI2_0_SaudiArabiaPofile.pdf

[15] U.S. Department of State. Bureau of Political-Military Affairs. 2018. U.S. Security Cooperation With Saudi Arabia

https://www.state.gov/t/pm/rls/fs/2018/279540.htm

[16] Throughout this paper, there will be references to the Global Cybersecurity Index (GCI). The GCI is a multi-stakeholder initiative published annually by the International Telecommunication Union (ITU) which assesses countries’ overall cyber-readiness based primarily on five categories: legal measures, technical measures, organizational measures, capacity building, and cooperation, and then provides each country with a score out of 1 based on their performance in each category. “Global Cybersecurity Index (GCI) 2017.” International Telecommunication Union. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf

[17] https://cybermap.kaspersky.com

[18]Afifi-Sabet, Keumars. 2018. “What is Hacktivism?” ITPRO. http://www.itpro.co.uk/hacking/30203/what-is-hacktivism

[19] Raddatz, Martha. 2011. “Social Media Fuels Protests in Iran, Bahrain and Yemen.” ABC, February 15. https://abcnews.go.com/International/social-media-fuels-protests-iran-bahrain-yemen/story?id=12926081

[20] “Global Cybersecurity Index (GCI) 2017.” International Telecommunication Union. http://www.itu.int/net4/ITU-D/idi/2017/index.html#idi2017economycard-tab&BHR

[21] Kingdom of Bahrain. Information & eGovernment Authority. 2017. Cybersecurity Strategy. https://www.bahrain.bh/wps/portal/!ut/p/a1/rZJfT8IwFMW_CjzscfTuf-fbJIgSQAOibC9kK2WbbO3oOnDf3g1iookIJvatze_cnHtOUYCWKGDhPo1DmXIWZu09sFf3j2BrOtZH2FgY4D3a_Zk7AG0IVgP4XwEwjEELOE_Oi6vbGK7Tgz7paw9mo59MADx8Oxs_3_UBhsYl_SsKUECYLGSCfBrzfcGFDLMVZQokPKcK7KqUbDtZyralAmHEK9lpOSpYTplUgNQRFSUllUhl3SmlCCWN63ZsQdI18l17TYiBHRUocVWT2liNTN1UNc0Ce-1auon1zzXOHO9iDHPKTqtcCPMI_JbWCTjvw2-MOmedNBPmf9x8dEXD6dtuF3hNT5xJ-i7R8j-LagzEGY-On9X3WGTgGAWCbqigoleJ5jmRsihvFFDgcDj0Ys7jjPYIzxX4SZLwsnH4nURFvljk2KjV0WAznapBZGX7sdftfgCuCVCy/dl5/d5/L2dBISEvZ0FBIS9nQSEh/

[22] “Cyberwellness Profile Bahrain.” 2014. International Telecommunication Union. https://www.itu.int/en/ITU-D/Cybersecurity/Documents/Country_Profiles/Bahrain.pdf

[23] Bahrain News Agency. 2015. “New cybercrime law enacted.” December 2. http://www.bna.bh/portal/en/news/653755

[24] “Global Cybersecurity Index (GCI) 2017.” International Telecommunication Union. http://www.itu.int/net4/ITU-D/idi/2017/index.html#idi2017economycard-tab&BHR

[25] U.S. Embassy Manama. 2016. U.S. and Bahrain Cooperate on Cybersecurity.

https://bh.usembassy.gov/u-s-bahrain-cooperate-cybersecurity/

[26] Central Banking. 2016. “Bahrain central bank establishes cyber-security emergency response team.” May 25. https://www.centralbanking.com/central-banks/financial-stability/micro-prudential/2459390/bahrain-central-bank-establishes-cyber-security-emergency-response-team

[27] Gulf News. 2018. “UAE, Kuwait most vulnerable for cyberattacks in the Gulf.” June 24. https://gulfnews.com/business/sectors/technology/uae-kuwait-most-vulnerable-for-cyberattacks-in-the-gulf-1.2241327

[28] https://cybermap.kaspersky.com

[29] Zaatari, Sami and Geranpayeh, Sarvy. 2017. “5% of global cyber attacks targeted UAE last year.” Gulf News, May 15. https://gulfnews.com/news/uae/crime/5-of-global-cyber-attacks-targeted-uae-last-year-1.2027770

[30] Debusmannn Jr, Bernd. 2018. “Over 3m UAE consumers lost $1bn to cybercrime in 2017.” Arabian Business, January 23.

https://www.arabianbusiness.com/technology/388166-over-3m-uae-consumers-lost-1bn-to-cybercrime-in-2017

[31] “Global Cybersecurity Index (GCI) 2017.” International Telecommunication Union. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf

[32] “Global Cybersecurity Index (GCI) 2017.” International Telecommunication Union. http://www.itu.int/net4/ITU-D/idi/2017/index.html#idi2017rank-tab

[33] “Mobile cellular subscriptions (per 100 people).” The World Bank. https://data.worldbank.org/indicator/IT.CEL.SETS.P2?locations=US-AE

[34] Khaleej Times. 2018. “Up to 25 years in jail, Dh4m fine for breaking cybercrime law in UAE.” https://www.khaleejtimes.com/news/general/up-to-25-years-in-jail-dh4m-fine-for-breaking-cybercrime-law-in-uae

[35] Guven, Hande. 2018. The State of Cyber (In)security in the United Arab Emirates. http://www.cs.tufts.edu/comp/116/archive/spring2018/hguven.pdf

[36] Malek, Caline. 2017. “UAE aims to equip next generation of cyber security experts with right tools.” The National, October 17. https://www.thenational.ae/uae/education/uae-aims-to-equip-next-generation-of-cyber-security-experts-with-right-tools-1.668035

[37] Dubai Electronic Security Center. 2017. “Dubai Cybersecurity Strategy.” http://csc.dubai.ae/res/wp-content/uploads/DCSS-EN.pdf

[38] Guven, Hande. 2018. The State of Cyber (In)security in the United Arab Emirates. http://www.cs.tufts.edu/comp/116/archive/spring2018/hguven.pdf

[39] Maceda, Cleofe. 2016. “Revealed: Cyber attacks that hit UAE in 2016.” Gulf News, December 19. https://gulfnews.com/business/sectors/banking/revealed-cyber-attacks-that-hit-uae-in-2016-1.1948415

[40] Gulf News. 2018. “Revealed: Cyber attacks that hit UAE in 2016.” https://gulfnews.com/news/uae/government/cyberattacks-in-uae-decline-by-48-says-tra-1.2225447

[41] Gulf News. 2018. “UAE, Kuwait most vulnerable for cyberattacks in the Gulf.”

https://gulfnews.com/business/sectors/technology/uae-kuwait-most-vulnerable-for-cyberattacks-in-the-gulf-1.2241327

[42] Naseba. “Cyber Defense Summit Kuwait.” https://www.naseba.com/what-we-do/commercial-services/cyber-defence-summit-kuwait-2018/

[43] The State of Kuwait. Communications & Information Technology Regulatory Authority. 2017. “National Cyber Security Strategy for the State of Kuwait 2017-2020.” https://citra.gov.kw/sites/en/LegalReferences/English%20Cyber%20Security%20Strategy.pdf

[44] Trenwith, Courtney. 2015. “Kuwait passes tough new cyber, terror law.” Arabian Business, June 4.

https://www.arabianbusiness.com/kuwait-passes-tough-new-cyber-terror-law-595062.html

[45] “Global Cybersecurity Index (GCI) 2017.” International Telecommunication Union. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-PDF-E.pdf

[46] DeYoung, Karen and Nakashima, Ellen. 2017. “UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials.” Washington Post, July 16. https://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html?utm_term=.ce248c512eb1

[47] Qatar Ministry of Transport and Communications. 2014. Qatar National Cyber Security Strategy. http://www.motc.gov.qa/sites/default/files/national_cyber_security_strategy.pdf

[48] Qatar Ministry of Transport and Communications. 2017. Q-CERT Conducts Phase 1 of 5th National Cybersecurity Drill “Star 5”.http://www.motc.gov.qa/en/news-events/news/q-cert-conducts-phase-1-5th-national-cybersecurity-drill-“star-5”

[49] Xin, Zhou. 2017. “Qatar ups safety measures against cyber attacks: PM.” Xinhua, November 6. http://www.xinhuanet.com/english/2017-11/06/c_136732133.htm

[50] https://www.qcri.org

[51] Global Ties U.S. 2018. “FIVE QATARI OFFICIALS TO PARTICIPATE IN U.S. EXCHANGE PROGRAM ON CYBERSECURITY.” https://www.globaltiesus.org/news/international-exchange-in-the-news/1015-five-qatari-officials-from-the-interior-transport-and-communications-ministries-to-participate-in-us-exchange-program-on-cybersecurity

[52] Martin, Aaron. 2018. “Ahead of 2022 FIFA World Cup, cybersecurity experts gather in Qatar.” Homeland Preparedness News, April 2. https://homelandprepnews.com/countermeasures/27620-ahead-2022-fifa-world-cup-cybersecurity-experts-gather-qatar/

[53] Aljundi, Hisham. 2018. “Qatar seeks common platform to boost communication on cyber-security.” Qatar Tribune, March 26. http://www.qatar-tribune.com/news-details/id/118029

[54] Qatar Ministry of Transport and Communications. 2014. Qatar National Cyber Security Strategy. http://www.motc.gov.qa/sites/default/files/national_cyber_security_strategy.pdf

[55] “Global Cybersecurity Index (GCI) 2017.” International Telecommunication Union. https://www.itu.int/en/ITUD/Cybersecurity/Documents/Global%20Cybersecurity%20Index%202017%20Report%20version%202.pdf

[56] International Telecommunication Union. 2018. “Oman third best prepared in world to thwart cyber attacks.” https://www.itu.int/en/ITU-D/Cybersecurity/Pages/Oman-third-best-prepared-in-world-to-thwart-cyber-attacks.aspx

[57] International Telecommunication Union. ICT Development Index 2017. http://www.itu.int/net4/ITU-D/idi/2017/index.html#idi2017economycard-tab&BHR

[58] https://www.cert.gov.om

[59] e.Oman. “Oman eGovernance Framework.” https://www.ita.gov.om/ITAPortal/Government/Government_Projects.aspx?NID=76

[60] “Global Cybersecurity Index (GCI) 2017.” International Telecommunication Union. https://www.itu.int/en/ITUD/Cybersecurity/Documents/Global%20Cybersecurity%20Index%202017%20Report%20version%202.pdf

[61] https://www.itu.int/en/ITU-D/Cybersecurity/Pages/Regional_Cybersecurity_Centre.aspx

[62] Shakeel, Shayan. 2017. “Ernst and Young opens cybersecurity threat centre in Oman.” Arabian Business, December 17. https://www.arabianbusiness.com/technology/385335-ernst-young-opens-cybersecurity-threat-centre-in-oman

[63] International Telecommunication Union. 2014. “Cyberwellness Profile Oman.” https://www.itu.int/en/ITU-D/Cybersecurity/Documents/Country_Profiles/Oman.pdf

[64] Shakeel, Shayan. 2017. “Ernst and Young opens cybersecurity threat centre in Oman.” Arabian Business, December 17. https://www.arabianbusiness.com/technology/385335-ernst-young-opens-cybersecurity-threat-centre-in-oman

[65] Badam, Ramola. 2017. “GCC urged to coordinate cyber security following Wannacry attack.” The National, May 21. https://www.thenational.ae/business/technology/gcc-urged-to-coordinate-cyber-security-following-wannacry-attack-1.90087

[66] Fortune. 2018. “These 3 Countries Pose the Biggest Cyber Threats, U.S. Officials Say.”

http://fortune.com/2018/07/26/biggest-cyber-threats/

[67] http://large.stanford.edu/courses/2015/ph241/holloway1/

[68] Holloway, Michael. 2015. “Stuxnet Worm Attack on Iranian Nuclear Facilities.” https://www.scmagazineuk.com/iranian-oilrig-expands-attacks-works-russian-hackers-for-hire/article/1474647

[69] Groll, Elias. 2017. “Cyberattack Targets Safety System at Saudi Aramco.” Foreign Policy. https://foreignpolicy.com/2017/12/21/cyber-attack-targets-safety-system-at-saudi-aramco/

[70] Cylance. 2014. “Operation Cleaver.” https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

[71] Finkle, Jim. 2014. “Iran hackers targeted airlines, energy firms: report.” Reuters, December 2. https://www.reuters.com/article/us-cybersecurity-iran-idUSKCN0JG18I20141202

[72] Gulf Times. 2016. “Q-CERT holds GCC Cyber Security Drill.” http://www.gulf-times.com/story/521096/Q-CERT-holds-GCC-Cyber-Security-Drill

[73] https://10times.com/cybersecurityabudhabi

[74] King, Neil. 2018. “Taking on the GCC’s cyber criminals.” Gulf Business, January 7. http://gulfbusiness.com/taking-gcc-cyber-criminals/

[75] Bennett, Cory. 2015. “White House pledges cyber cooperation with Gulf leaders.” The Hill, May 14. http://thehill.com/policy/cybersecurity/242162-white-house-pledges-cyber-cooperation-with-gulf-states

[76] WAM Emirates News Agency. 2017. “GCC, UK discuss cybersecurity cooperation.” http://wam.ae/en/details/1395302654186?src=ilaw

[77] Arab News. 2018. “US experts to teach Saudi students cyber warfare.” http://www.arabnews.com/node/1333506/saudi-arabia