The Middle East is currently associated with Islamist extremists, civil wars and other threats of a physical nature. While governments and the security industry have been preoccupied with mitigating physical threats, a less visible and new danger has been wreaking havoc under the radar.

A recent report on cybersecurity by PwC (March 2016) states that the Middle East suffers from more cyber-attacks and with larger financial losses than any other region in the world.[1] These attacks range from spam emails to Distributed Denial of Service attacks to data theft. In addition to relatively small-scale, private and local cyber operations, the Middle East now features on the international cyber battleground. Israeli, Iranian and Syrian ‘cyber warriors’ are capable of derailing nuclear weapons programmes (as in the Stuxnet attack of 2010) and inflicting significant damage on multinational corporations (the Ababil Campaign 2012 and the Saudi Aramco incident of 2015). These new cyber security threats have resulted in millions of dollars’ worth of damage to governmental and financial institutions around the world.

Its deniability and relative cost-effectiveness have persuaded some Middle-Eastern decision-makers that cyber-warfare provides a much smarter approach than dropping bombs. The Chinese strategist Sun Tzu, writing in about 500 BC, is as relevant today as he was when he wrote that: “The supreme art of war is to subdue the enemy without fighting.” An untraceable and fast-moving cyber-attack can inflict significant damage whose extent the victim may well wish not to publicise. Stuxnet, the US-backed Israeli cyber-warfare initiative, is believed to have infected one-fifth of Iranian nuclear systems in 2010, setting back the programme by some two years. The malware exploited a ‘zero-day’ or badly written code in Microsoft Windows operating systems that allowed infiltration of the Iranian centrifuge controllers. In response, Iran accelerated development of its own cyber-warfare capabilities, spending an estimated $1 billion on cyber-warfare and thus indicating a growing cyber arms race in the Middle East.

In the commercial sphere, the increased publicity given to cyber threats have made many Middle Eastern companies more aware of their vulnerabilities. Some have done what they can to mitigate the risks, moving data onto digital devices, clouds, and social media. Others have not upgraded their cyber-security practices or their technical defences. However, without the necessary resources and experience at higher levels, attacks against Middle Eastern businesses will continue to escalate, enabled by – as well as enabling – increasing insecurity.

Thus the trend of cyber-attacks in the Middle East appears to be increasing, both at a commercial and governmental level. The emergence of the so-called ‘Internet of Things’ (the inter-networking of physical devices, cars, and buildings) and aspiring ‘smart cities’ (electronically interconnected urban infrastructures) such as Dubai creates yet more opportunities for hackers to interfere with anything from air-conditioning and microphones to power grids and vehicle braking systems. As the cyber threat increases its intrusion into the physical realm, state actors will have to prevent not only the loss of data but loss of life too. It is thus possible for cyber-attackers – given the motive – to turn off traffic lights to create pile-ups, prevent cars from applying their brakes and even short circuit power grids in Riyadh, causing heat-related deaths in the peak of summer. As the threat increases, so too must state and city authorities consider how they can ensure adequate defence.

As more and more systems become reliant on electronically-based controls, so should designers be required to integrate cyber defences from the earliest stages of the design. Those defences will need to be future-proofed, so they can be upgraded to meet developing threats. There is nothing new in such a concept; this has been the case for many years with oil and gas platform, as an example – which, worst case, can be remotely controlled by eco-warriors and malign state-level actors. Command and control systems for trains and aircraft are just as vulnerable and have been for some years. What has changed is the universality of the threat.

However, the reality is that such a rapidly developing threat cannot always be countered, even with pre-warning courtesy of the best intelligence. This means that the relevant authorities have no choice but to prioritise the systems that might need protecting, because not everything can be defended. Prioritisation requires leadership input and cannot be left to mid-level technicians. In other words, while the technicians are responsible for the technical cyber ‘fixes’, senior management – both within business and governments – is accountable for the appropriate apportionment of resources to ensure that mitigation is aligned with endorsed priorities. In the broadest of terms, these priorities are likely to be orientated towards the protection of people, the environment, reputation and business, in that order. Given increasing outsourcing of government functions to private contractors, governments – in the Middle East as elsewhere – must ensure that business is well-protected wherever national interests are dependent on commercial entities. Gone are the days when military forces allocated to ‘key point defence’ in time of war could concentrate exclusively on physical protection.

Harrison Brewer is a guest-writer for Deverell Associates; he is studying Classics and International Relations at McGill University, Montréal. You can reach him at [email protected]

[1] PricewaterhouseCoopers, A False sense of Security? Cybersecurity in the Middle East, (London: Creative Design Centre, 2016). April, 2017. https://www.pwc.com/m1/en/publications/documents/middle-east-cyber-security-survey.pdf

Graphic: copyright Invisible-Dog