​Cybercrime: Why can't the Middle East get to grips with the threats?

Video: Triton malware targeting industrial facilities in Middle East.

When you see the figures, it's no surprise that the cost of cybercrime is causing considerable concern to governments and business leaders across the globe.

Cybercrime costs almost $600bn worldwide, or 0.8 percent of global GDP, up from close to $500bn, or 0.7 percent of global income in 2014, according to a February 2018 report from the Center for Strategic and International Studies and McAfee

By 2021, Cybersecurity Ventures predicts, cybercrime "will cost the world in excess of $6 trillion annually".

An international 2018 PwC study of 1,293 CEOs revealed their fear of cybercrime as a risk to growth is up 16 percent in the past year alone, perhaps reflecting emerging anxieties about ransomware and state-sponsored hacking.

Major Middle East concerns

Compared with their peers, leaders in the Middle East ranked fears around cyber threats higher, at 54 percent, than anywhere else.

More widely, cyber threats ranked just behind overregulation on 42 percent and terrorism, 41 percent, and on a par with geopolitical uncertainty.

The concerns of leaders in the Middle East and North Africa appear justified. CSIS and McAfee's study reported the United Arab Emirates (UAE) as the second most targeted country in the world for cybercrime, costing the Emirate an estimated $1.4bn per year.

Meanwhile, 2017's Norton Cyber Security Insights Report highlighted a number of other considerations, including the 47.9 hours lost per consumer to cybercrime in the Emirates last year, compared with a global average of 23.6 hours.

With 3.72 million people affected, which is more than half UAE's population, the impact, as in other countries, ranges from malware infections on 53 percent in UAE versus 48 percent globally, through to ransomware victims, 18 per cent of whom in UAE, and 17 percent globally, paid the ransom but did not receive access back to their files.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Other Gulf nations are facing the same challenges. A recent Internet Security Threat Report, volume 23, March 2018, from Symantec listed Saudi Arabia as the country with the highest email spam rate, 69.9 per cent, in 2017.

The same study ranked Oman fourth and found that the Sultanate is the country with the highest email malware rate in 2017, with one in 156 emails in the country deemed "malicious". With Saudi Arabia fifth and Kuwait eighth on this list, three Gulf countries were in Symantec's Top 10 nations for email malware last year; and four were in the top 10 for spam rates.

Allied to this issue, as Gulf News reported, illegal cryptocurrency mining on the region, is on the rise.

"The astronomical rise in cryptocurrency values last year inspired many cybercriminals to shift to coinmining as an alternative revenue source," Haider Pasha, chief technology officer for emerging markets at Symantec Middle East told them.

Cybercrime significance and solutions

The rise in cybercrime has occurred despite heavy investment by Gulf Cooperation Council states in cyber protection, and the adoption of various measures including legislation, wrote Joyce Hakem, a research fellow at Chatham House and co-editor of the Journal of Cyber Policy last year.

"Cybercrime threatens growth of the digital economy. It shakes trust in the foundations of digital commerce, and in the smart infrastructure of interconnected devices, adaptive systems and other digital technologies that governments in the region are developing, and which they aspire to expand," she wrote.

As countries in the Middle East see the further take-up of smartphones, the deployment of Internet of Things technologies, and the expansion of their smart-city ambitions, so the opportunities for cybercrime will increase.

Many governments in the region are alive to these issues and are taking steps to address current and future cybersecurity needs.

As Sevag Papazian at Strategy& told ZDNet last year: "We've noticed that awareness of the importance of cybersecurity has increased in the region. Governments are actively seeking to act on this important topic."

Papazian highlighted Dubai's recently published cybersecurity strategy and the emirate's plans for blockchain as steps in the right direction.

But he also noted how the distributed nature of government can also made it potentially harder to address imminent threats. Papazian was one of the authors of a Strategy& report in 2015, which argued for "a centralized national cybersecurity agency that reports to the highest authorities".

"In most countries, cybersecurity is still distributed across several government agencies, and there's no empowered centralized entity that builds momentum and ensures collaboration," he said.

Future cybersecurity issues

With new challenges such as illegal coinmining gaining momentum, arguably the need for bodies such as Saudi Arabia's new National Authority for Cyber Security is greater than ever. Chatham House's Joyce Hakem also makes the case "for stronger cooperation mechanisms at national, regional and international level".

"Most Gulf Cooperation Council cybercrime laws do not provide an adequate legal framework for cooperation," she wrote. "Nor do they include clear procedural provisions for implementation. In this sense, they are not fit for purpose. An overhaul of laws that addresses these gaps is needed."

To this mix, we must also recognize that In the Middle East, the importance of smaller companies to local economies presents another challenge.

Historically, this sector has lagged behind in terms of ICT infrastructure and online presence, and there is a need for increased awareness and solutions to meet their cybersecurity requirements.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

Meanwhile, as the recent hack of the UAE ride-sharing service Careem showed, even larger organizations are not immune to these challenges. Personal data, including people's names, phone numbers and emails, for 14 million people were believed to have been exposed.

Government agencies, regulators, law makers, businesses and citizens must all play a role in tackling issues of cybercrime, as acknowledged by UAE's Data Privacy Day in January.

With even the most confident online users potentially falling prey to cyber attackers, as shown in successful phishing attempts, and the use of the same passwords across multiple accounts, there's a need for individuals to also take some responsibility to protect themselves.

These cybersecurity challenges at consumer, business, regulatory, and intra-government level are not unique to the region. But the extent of the region's exposure is well documented.

In 2016, PwC observed in their Middle East Economic Crime Survey that, "Most companies are still not adequately prepared for or even understand the risks faced. Only 33 percent of Middle East organizations have a cyber-incident response plan."

Jump forward to 2018, and Deloitte highlighted additional issues such as regulatory fatigue, skills, and buy-in, and the need for culture change on issues of compliance and risk management.

Given a global landscape described by Cybersecurity Ventures, as one where we will see "a dramatic increase in hostile nation state-sponsored and organized crime gang hacking activities, a cyberattack surface that will be an order of magnitude greater than it is today", now is not the time for the region, or anywhere else, to rest on its cybersecurity laurels.

Previous and related coverage

What's driving Middle East's rush to social media?

The rise of visually orientated social networks, video, and messaging apps is helping shape usage.

Fourth-generation Android espionage campaign targets Middle East

Smartphone snoopers install malware which can provide attackers with information on almost every activity performed on the device.

Skype banned, WhatsApp blocked: What's Middle East's problem with messenger apps?

Some Middle Eastern countries seem to have a difficult relationship with VoIP services and messenger apps.

Inside the boot camp reforming teenage hackers CNET

A UK program offers young cybercriminals an alternative to detention and hopes to turn them into legit tech professionals.

Where next for mobile in the Middle East? Big changes are coming

The Middle East and North Africa is a complex region, but mobile usage and services are changing fast.

Triton malware targeted critical infrastructure in the Middle East TechRepublic

Mayer Brown partner and attorney Marcus Christian explains the exploit in Triconex systems, how hardware hacks work, and the legal ramifications of cyberattacks that target infrastructure.