Cyberthreats in the GCC and Middle East

Building legislative defense shields

Cyberattacks present themselves in a multitude of facets, although there is no absolute single definition for cybercrime in existence. From a general perspective, cybercrime can be defined as “illegal activities, internet mediated, that occur in the context of global economic networks”. The main categories of attacks are hacktivism, financial theft, data theft, ransomware, cyberespionage, cyberterrorism and cyberwarfare.

Last year shed light on new dimensions of cyberthreats in the political arena, as diplomatic confrontations erupted between the United States and Russia over allegations of Russian hacking aimed at influencing the US election. But cybercrimes are materializing globally and growing exponentially. The damages being caused by cybercrime vary from financial to reputational, as well as political and military. Cyberattacks are capable of penetrating highly sensitive and protected sectors, such as defense and national security.

What is causing the rapidly evolving categories of attacks is the augmentation of internet traffic and usage, combined with the development of new platforms for internet delivery such as tablets and smartphones, to name a few. One can affirm with conviction: wherever there is the internet, cybercrime will follow. The statistics are staggering – in 2016, there were 2,871,965 globaly registered notifications about attempted malware infections that aimed to steal money via the illegal online accessing of bank accounts, according to the Kaspersky Security Bulletin. The bulletin derives its statistics from the Kaspersky Security Network – meaning the real number could be higher. “In February 2016, hackers used the SWIFT credentials of Bangladesh Central Bank employees to send fraudulent transaction requests to the Federal Reserve Bank of New York, asking it to transfer millions of dollars to various bank accounts in Asia. The hackers aimed to seize $81 million transferred to the Rizal Commercial Banking Corporation in the Philippines and an additional $20 million destined for Pan Asia Banking.” Fortunately, according to internet security firm Kaspersky, the ploy was discovered in time, when a typo was detected in one of the transfer requests.

In one of the first cyberattacks with huge cross-national security implications, the Stuxnet computer worm targeted Iran’s Natanz nuclear facility back in 2010. The malicious computer program differed from a virus in not needing to attach itself to an existing program, and in its ability to control electromechanical processes, such as those used to control machinery on factory assembly lines and centrifuges in nuclear reactors. Stuxnet destroyed one-fifth of Iran’s centrifuges by attacking all control systems in industrial installations.

These incidents exemplify the level of damage that a cyberattack is capable of causing. A large-scale cyberattack against either systemic financial infrastructure (a major clearing house or two or three stock markets simultaneously) or critical military infrastructure has not yet happened, but  both are deemed as realistic threats by security experts. Countries of the Gulf Cooperation Council (GCC) and in the wider Middle East are exceptionally vulnerable to cybercrime due to their exposure to interests of foreign parties, including states and activist groups as well as financial criminals, their geographical location and the political structure of the region. GCC governments are on the alert and have in recent years introduced legislative remedial actions that seek to address the cybercrime tsunami.

Transnational cybercrime requires a far more sophisticated set of laws to tackle these type of crimes

Legislative overview of combating cybercrime in the GCC

Cybercrime cannot be limited to a single jurisdiction. It is transnational and fluid, and this has challenged legislators in developing and developed countries alike, as the current domestic and international laws and enforcement protocols are simply not designed to fit the current legislative models. Cybercriminals know this and the complexities make it more difficult for the authorities to battle against this form of crime. Cooperation and harmonization across borders is key in order to ensure the development of gold standards of legislation and enforcement. In the past, the GCC relied on traditional laws, emergency codes and criminal codes to address cybercrime. The current position is that cybercrime legislation in the Middle East is under development, with some specific laws passed and the United Arab Emirates (UAE) leading in this field.

Cybersecurity in the UAE has been a priority for some time due to the growing number of cyberattacks. According to Kaspersky Security, an average of 17.4 percent of users in the Middle East encountered cyberthreats in the third quarter of 2016. Adding to the urgency is the fact that the UAE is the second biggest target for cyberattacks in the world, after the US, according to cybersecurity company Norse. As Rabih Dabbousi of UAE cybersecurity firm DarkMatter pointed out in 2016: “The exponential adoption of technology increases the UAE’s attack surface which is becoming larger every second.”

According to Dabbousi, the volume of financial transactions in the UAE and the country’s attractiveness for investors are just some of the reasons why banks and other financial institutions are constantly being attacked. Faced with an intensive onslaught, the UAE has created arguably the most effective and comprehensive cybercrime law in the GCC. The first cybercrime law was introduced in 2006 (Federal Law No. 2 of 2006) and was replaced by a more expansive cybercrime law in 2012 (UAE Federal Decree-Law No. 5 of 2012), designed to combat information technology crimes and codify the relevant offenses such as the transmitting, publishing or promotion of pornographic material, gambling activities and indecent acts. The law was later expanded to cover new offenses and to ensure alignment between the UAE legislation and relevant international treaties, such as the Budapest Convention on Cybercrime (signed November 23, 2001).

As a deterrent, the UAE cybercrime law in 2012 detailed severe punishments that include prison time up to a life sentence and fines ranging between $13,614 and $81,688 depending on the level of the cybercrime. The law addresses specifically social media and any misuses that can be derived from it, such as fraud, identity theft and impersonation. The law categorizes cybercriminals as hackers who hack into other individual’s accounts, criminals who are highly knowledgable of the cyberworld and exploit it for financial gains, and individuals who threaten and commit malevolent acts such as impersonation, threats and solicitation.

 Similarly, Saudi Arabia introduced cybercrime legislation in 2007, but definitional foundations such as privacy and confidentiality should be made more expansive. In Bahrain, the electronic transactions law (Federal Decree No 28 of 2002) was being utilized to tackle cybercrime, but it lacked specificity. After much debate, the country introduced a new cybercrime law in 2015, designed to counter illegal access to IT systems. Anyone convicted of entering, damaging, disrupting, canceling, deleting, destroying, changing, modifying, distorting or concealing IT device data concerning any government body will face a maximum of ten years in jail. From the perspective of fighting cyberthreats in this region, this is a very positive development as it indicates that GCC governments are realizing the urgent need to modernize cybercrime legislation.

Turning to other Middle Eastern countries, Egypt has relied on the intellectual property law (Law No. 82 of 2002), the telecommunications regulation law (Law No. 10 of 2003) and the electronic signature law (Law No. 15 of 2004) to tackle cyberattacks. However, these laws contain fundamental issues related to identifying cybercrime, as they do not always offer an extensive definition of cybercrime so as to capture all parameters, and with procedural limitations in the prosecution of cybercriminals, especially the ones operating from overseas. Transnational cybercrime requires a far more sophisticated set of laws to tackle these type of crimes. A new Egyptian cybercrime law is imminent in 2017 and will likely seek to address several of the gaps in previous legislation.

Jordan can rely on the electronic transactions law (Law No 85 of 2001) and the cybercrime law (Law No 30 of 2010). From the perspective of a legal expert, these pieces of legislation can act as a starting point but should be reviewed and expanded as the relevant investigative procedures require beefing up. Oman adopted a cybercrime law in 2011 (Royal Decree No. 12 of 2011), and it addresses a wide range of illegal actions involving the internet and computer devices. It is focused on defining crimes committed in cyberspace such as cyberbullying and cyberterrorism. This can also be considered as a good starting point, as the initial approach was the extrapolation of existing criminal laws and telecommunications laws to combat crime, which lacked realism.

The Qatari government has passed a cybercrime prevention law (Law No. 14 of 2014), another very welcome development in a drive to combat online and cybercrimes. The law imposes many sanctions and several penalties for offenses committed through IT networks, the internet and computers, and it safeguards the cybersecurity within Qatar, as well as the country’s internet infrastructure.

Greater collaboration to shield against cybercrime

The field of internet communication is expanding continuously and cybercrime is evolving and adapting to the changing information landscape. The current legislative platform in the GCC has improved considerably in the last few years by providing legislative harmonization, as specific legislation has been passed in most countries. However, cyberattacks are becoming more bold, unpredictable and mainly transnational. The domestic laws require constant updating, and in order to prevent and shield countries from attacks, greater international collaboration is also required.

International and regional conventions for the fight against cybercrimes such as the Arab Convention on Combating Information Technology Offenses (2010) and the African Union Convention on Cyber Security and Personal Data Protection (2014) are encouraging, but remain limited in their reach and scope when measured against the global severity of cybercrime. It is believed that a new international convention on cybercrime is required  to address transnational attacks more effectively and will involve the global community as a whole.

Nicole Purin

Nicole Purin is senior legal counsel at Standard Chartered Bank

*

Top