The public sector’s vulnerability to a cyberattack

In Lebanon, the speed at which the government is moving and the speed at which cyberthreats are developing are totally different. Cyberdefense planning, it appears, is not much of a priority for the Lebanese government. The country does not have legislation to protect digital rights, lacks legal penalties to deter criminal cyberattacks and has only patchwork solutions in place for cyberdefense. In simple terms, plans to beef up the government’s cybersecurity capabilities are moving forward at a snail’s pace.

Cybersecurity firms point to an uptick in attacks on Lebanon when compared to global averages. Due to the state’s slow moving apparatuses and the high cost of investment, the best cyberdefense solution for Lebanon to protect its public sector, its private sector and online individuals, may be to migrate to the cloud – a debate which is still ongoing. Executive met with Ihab Chaaban, Information and Communication Technologies (ICT) security officer at the Office of the Minister of State for Administrative Reform (OMSAR), to learn more about Lebanon’s cyberdefense capabilities.

E   OMSAR’s first foray into cybersecurity was in hosting government websites in the mid-2000s. How has OMSAR’s role in cyberdefense since evolved?

Historically, OMSAR began in its hosting environment with informs.gov.lb, [today is dawlati.gov.lb, the official e-governmental portal] and over the years other websites were added. Suddenly, we found ourselves stuck in an unusual situation, hosting around 90 government websites without proper planning. In addition, we didn’t have technical, networking or security staff on board. With the attacks on government websites, OMSAR recruited a security officer and created a cybersecurity committee in order to share all security measures, concerns and responsibilities with all Lebanese administrations. As such, we started working on a national cybersecurity policy guidelines to be adopted and implemented by all public agencies. Furthermore, OMSAR is planning awareness workshops directed at Lebanese employees in order to raise their awareness on [cyber]security.

E   About six years ago, government websites were the target of cyberattacks. Were the attacks a catalyst for the government to improve cybersecurity capabilities?

There were many attacks hitting OMSAR servers and many websites were going down. The attacks began in 2011, targeting our web servers, hitting many websites, especially the websites of the Ministry of Interior and the Internal Security Forces. Because we had only one web server for all the websites, all the attacks affected the other government websites. [In response], the Council of Ministers decided to create a National Cyber Security Committee [NCSC]. The committee came out with recommendations to secure our [online] environment immediately, [but these were] short-term security measures. We also decided to create a new web-hosting environment and to build it based on international standards and security measures that define all the aspects of the web-hosting environment – [in order] to be a state-of-the-art national web-hostingenvironment. This needs a lot of work and funding.

[pullquote]

The country does not have legislation to protect digital rights

[/pullquote]

E   OMSAR is drafting a cybersecurity policy. Is there any update?

We are working on it right now while simultaneously improving the security measures of the current hosting environment. Each administration doesn’t have [its own] cybersecurity officers – the IT departments do the whole job. If we found a hole, we’d fix it, and if we found another then we’d fix it as well; we didn’t have a strategy, it was more like patchwork. We published a cybersecurity policy to guide the directors of the administrations on how they should create their security policies. We came up with a brief document, like a pamphlet, to make it easy to use and follow.

E   How did OMSAR assess public agencies’ readiness to adopt the recommendations of the cybersecurity policy?

Even before publishing we were wondering how to get the administrations started, so we created a checklist. This helped [departments to self-assess] where they were on cybersecurity. We published the checklist in 2015.

E   Did public agencies check it again in 2016?

It’s an internal process for the public agencies. OMSAR doesn’t have a mandate to supervise [the other adminstrations] – if they request help we are always ready to assist and provide them with the needed help.

E   In terms of measuring the assessment, is there any indication at a government-wide level of cyberdefense capabilities?

I don’t have any accurate information. In 2015, before publishing, we thought of putting the checklist online – so we could fill our database with the respective [administration’s] information. But after negotiating with decision makers, it was decided against that because of privacy and security [concerns].

[pullquote]

The attacks began in 2011, targeting our web servers, hitting the websites of the Ministry of Interior and the Internal Security Forces

[/pullquote]

E   If the oil and gas industry, for example, goes active then there will be seismic data, exploration data and many other valuable datasets. This vital data could probably be one of the more attractive hacking targets in Lebanon because of its actual money relevance. Is protecting such data part of the mindset in the ministries or at the government level?

One of the recommendations of the [NCSC] was to build a national data center for the whole government. We need more time because this issue requires critical decisions by the cabinet to identify who will take responsibility for the data center, securing it and transferring data between administrations. In addition, if we want to create a national data center, all the data for the government will be residing in it and, as such, it’s a critical issue.

E   What is being done to prepare a national data center?

In OMSAR’s e-government unit we have an interoperability sub-unit. Now we are working on creating a specific design to be implemented by the government, connecting and transferring data between administrations [in a secure way]. Maybe this will lead us to the next step of creating the centralized data center.

E   Cybersecurity breaches, cyberwarfare and criminal hacks have increased tremendously, especially in the last couple of years. Some companies are claiming a 4,000 percent increase in the rate of cyberattacks in the last five years.

Yes, for sure.

E   That seems to be a cause for concern.

There have been many voices raising this issue, especially from the Internal Security Forces, who have a cybercrime unit. They’ve requested the Ministry of Justice, and maybe the cabinet, to work on such a law. If I attack your server and steal your data, the criminal code has no text defining such cybercrimes and their penalties. For now, they’re applying the standard criminal code and adopting it to cybercrimes.

E   An individual from a cybersecurity firm said that state-sponsored hackers are sent on training missions to attack another country just so they know how to attack better. So they can attack Lebanon, and even if they get caught, there is very little danger of repercussion from the state because there is no legal framework. Another individual said because internet bandwidth in Lebanon is so limited a distributed denial of service (DDOS) attack is very easy, and it takes very little effort to shut down a website.

And this is why one of the recommendations is migrating to the cloud. Estonia, for example, is a completely electronic government – they are totally digitized. Because of the very high risks of cyberattack, they’ve migrated the government to the cloud.

E   Will the government migrate to the cloud?

In 2015 we had many [consultations] from companies to advise the government on how to build a secure cyberenvironment. Those companies advised the government to move to the cloud. We came up with a terms of reference (TOR) – all our needs and requirements for securing networks – and we took it to the previous cabinet to get approval for the funds because it is quite costly, and it was signed. Now, there’s still a debate of whether to go to public clouds, such as Amazon, Google or Microsoft, or have a private cloud since data cannot go outside Lebanon.  There is a decision from the Council of Ministers in 2014 about a partnership between OSMAR and OGERO to build a private cloud for the Lebanese government, in addition to a redundant data center for the e-government portal.

[pullquote]

If I attack your server and steal your data, the criminal code has no text defining such cybercrimes and their penalties

[/pullquote]

E   Will it be implemented?

Currently, our minister is working with the Ministry of Telecom and in collaberation with OGERO on setting a Lebanese National Cloud Computing Policy, in addition to executing a private cloud for the Lebanese administration and a secure government network for interoperability.

E   The CTO of Microsoft Middle East says their data suggests Lebanon experiences more cyberattacks than the global average, and if there was a Computer Emergency Response Team (CERT) in Lebanon, they could collaborate with Microsoft to reduce attacks to the global average.

The national cyber security committee recommends the creation of a CERT. A year ago, we had a meeting in the [prime minister’s offices] with the Telecommunications Regulatory Authority [TRA] and they mentioned that they started creating a CERT for Lebanon. But the TRA doesn’t have any mandate to create and manage the CERT I think they took it as an initiative. Currently, I don’t know of any update on the subject.