When four officers of two highly respected Lebanese military institutions—the Lebanese Army and the Internal Security Forces—took their chairs in mid-January on a panel at the American University of Beirut (AUB) to participate in what the university advertised as its first Cyber Security Day, the assembled students, professors from various academic institutions, and guests did not show any boredom or exasperation with the “dry” topic of which the moderator of this third panel had warned. To the contrary, as the panel progressed, ears opened ever wider, and attention spans were universally set to their maximum when Major Marc Sawan, head of the ISF’s Digital Forensics and Cybercrime Unit, started telling his cautionary tale of two information technology (IT) experts, one of them an aggressive hacker and the other an IT administrator with a habit of posting personal information.
According to the officer’s revelations of a chain of incidents unfolding over 2017 and 2018, the hacker succeeded in outsmarting his insufficiently wary victim in a classic phishing attack based on well-informed social engineering. By doing so, the hacker infiltrated an ISP and then a group of ISPs. When the hacker found governmental sites that were hosted on the infected ISPs, he managed to hack into these sites. The attacks peaked in hacking assaults being launched between governmental sites in Lebanon—the hacker causing them to attack one another just for fun—and even in the use of these governmental sites to orchestrate an attack on a site outside of Lebanon, which led the foreign site to file a complaint against a governmental site in Lebanon.
High vulnerability
Sawan’s cautionary tale concludes with “small statistics,” namely that at least six ISPs, 80 governmental sites, and over 700 sites in total were compromised in a single attack. “This is how bad the situation is in Lebanon,” he said, exasperated, before answering the moderator’s question about the immunity of Lebanese governmental sites today by adding, “I think that for the moment we do not have any immunity, because there is no cyber culture, no forensic site, and no cyber security vision in Lebanon.”
Stories about digital attacks and the damages they cause have, for several years now, been topics for international organizations endeavoring to draw attention to the problems of cybercrime growth rates. “The cost of cybercrime will have quadrupled since 2015, reaching $2.1 trillion by the end of 2019 and outpacing spending on cybersecurity by over 16 times,” said a January 2019 blog entry on the World Economic Forum’s website, which bemoaned that despite growing information security expenditures, the recent past was marked by an egregious disproportion between cybercrime damages and cybersecurity investments.
The same, well-tested road of citing dystopian estimates “by experts” and providing scary studies to the unaware public via various uncritical media channels is often chosen by the vendors of cybersecurity tools with the dual aim of creating greater awareness and boosting sales of their products and services. By this year, however, this road is already so well-trodden and dusty that it might become difficult for the average business decision-maker to assess her or his investment needs for cyber defense tools or understand the ever-growing importance of covering one’s digital risks.
Underestimation of cyber risk appeared especially prevalent in Lebanon in recent years, given that citizens and companies were constantly burdened by the various problems of the country’s existential economic situation. This possibility would at least help to explain why the country, despite its widely hailed tech-knowledge base and entrepreneurial prowess, has been regularly lambasted as underprepared for the risks of digital assaults, from opportunistic cybercrimes to cyberterrorism or cyberwarfare by malignant powers.
However, a more accurate picture of the dismal digital status of Lebanon might be that the country in previous years not only had too many other problems to pay the needed attention to its cyber risks but also lacked basic building blocks for becoming a cyber nation. The deficiencies included the absence of legal structures for the protection of citizens’ data and digital privacy and for the punishment of criminal offenders prowling digital spheres, as well as widespread digital underdevelopment in the corporate world, not just in the realm of cybersecurity.
“Our government elites have to appreciate our cyber assets, introducing digitized processes and the language of automation into governmental agencies,” says Hisham Itani, the chairman and CEO of Resource Group, a holding that comprises numerous companies focused on various aspects of digital development. “After that, we can start thinking about how to protect these assets because then we will have something to protect. But today we have nothing, so what shall we protect? There is cyber, but there is no security. Efforts of implementing and sporadically improving cybersecurity are [undertaken] by the central bank and very few alpha banks but [cybersecurity] efforts are not yet extending to the important level of a state Security Operations Center, or SOC.”
Jacques Seif, the chief operating officer of Resource Group, adds: “From the start date of a cybersecurity ecosystem, which has not occurred yet because we are lacking a large cybersecurity project in Lebanon, we will need at least 36 months. We have the seeds for this since we are implementing cryptography and cybersecurity. Also, IT infrastructure vendors in Lebanon are delivering security applications such as intrusion prevention systems and firewalls, but you need to aggregate all of this around something called a SIEM or Security Incident Event Management system and around a SOC.”
Enter a brave new year
The good news then is that Lebanon today not only has at least a promising shot at political invigoration and reform—with the potential to reduce many headaches in the citizenry although some others look set to increase—but also that the last two months have seen a rising wave of events that appear capable of raising digital awareness. While AUB’s Cyber Security Day impressed as an academic forum with frank evaluations of the real digital Lebanon and participation by representatives of several universities, January and February of 2019 also saw a three-day conference marketed as a “Sustainable Digital Ecosystem Summit” with active corporate participation and media partnerships (Executive Magazine was a strategic media partner).
Tony Ghattas, the chief operating officer of the event’s organizer IFP, said the group was aiming to develop the sustainable digital ecosystem theme into a series of annual events in Lebanon and took the experience of the first summit as a starting point for internal discussions as to whether the next conference in the series will be held before the end of 2019 or in 2020. “It is going to be an annual gathering of like-minded professionals and stakeholders. The objective [of the event series] is to develop the digital ecosystem,” he said, talking about convergence of the key trends such as IoT, AI, Blockchain technologies, and digital identities under a comprehensively legislated framework that would establish Lebanon as the regional leader in its digital ecosystem.
IFP’s summit was followed by another event with an even more precisely defined focus on new cybersecurity solutions that could be applied in Lebanon. The one-day event at the end of January was driven by a partnership of local information security firm CIEL, an expert in email security and digital signatures, and Finnish firm Ubisecure, a specialist that wants to bring its digital identity management and access management solutions to Middle Eastern markets.
Declaring his satisfaction with the event and optimism for stronger future adoption of cybersecurity solutions in different MENA markets, Salah Rustum, chief executive officer of CIEL, assesses the state of cybersecurity awareness in Lebanon as being significantly improved when compared to two years ago. “I expect good progress and good comprehension of the problem of cybersecurity and am sure that many organizations in need of cybersecurity will go ahead to apply the needed measures,” he tells Executive. “I will not try to forecast if it would be commercial establishments, or banks, or government entities that will be most responsive throughout this year but am speaking in general that awareness of cybersecurity has really surfaced in Lebanon.”
For good measure, the Digital Arabia Network—which presents itself as the entrepreneurial lab for Arab digital future—spiced up the aforementioned corporate and academically themed events with a strong dose of social entrepreneurship in early February when it convened in the Beirut Digital District to present the initial results of an effort toward Digital Mapping of the Arab World. While the complete results were not available at time of writing, a press release of the DAN Mapping Project—the project is covering six countries in the Levant and North Africa—enthuses that “Lebanon appears to be growing in the digital sphere.”
Most importantly, however, the first month of the year witnessed the coming into force of Law 81, which is relevant for the growth of fundamental digital services, such as electronic transactions, privacy and data protection, prosecution of cybercrimes, and organization of digital processes in Lebanon.
From the perspectives of private sector stakeholders whom Executive talked to, the progress represented by Law 81 is enormous, despite the limitations of the current framework. “Law 81 has some loopholes, but a law with loopholes is better than no law,” comments Salah Rustum. Resource Group COO Jacques Seif emphasizes, “The merit of Law 81 is that it sets a legal framework for electronic transactions in Lebanon, which is a great progress by itself.”
On the executive side of the government, the corresponding impulse of new digital hope is the appointment of the first Minister of State for Information Technology and Investment, Adel Afiouni.
Overcoming digital déjà vu
The good mood and improved perceptions of Lebanon’s cybersecurity awareness in the eyes of corporate players in this space notwithstanding, Lebanon has much to do to overcome its digital inertia. The recent spurt of conferences and talks prompts flashbacks to similar talk of digital development strategies 15 and 20 years ago. Hearing in one conversation that the country is in need of leapfrogging into the digital era reminded yours truly strongly of an interview at the end of the 1990s when a senior expert at the Office of the Minister of State for Administrative Reform, Raymond Khoury, expressed his conviction that Lebanon would need to “supersonically leapfrog” in terms of e-government.
According to a report in The Daily Star, former economy minister Nasser Saidi, visiting in late February, mused that current discussions on AI-enhanced e-government and papers on digital strategy resembled proposals circulated at an e-government themed Beirut conference in 2003. “[Government leaders] are still living back in the ’60s and ’70s, when they should be living in the 2020s and planning for the 2030s,” Saidi was quoted as saying.
Even event organizers IFP caused a hint of déjà vu in the observer’s mind. The company, which so energetically went about lifting the IT topic of a sustainable digital ecosystem in 2019, had been a notable absentee from the organizing of IT-centric trade shows in Lebanon since the early 2000s, when it was running an annual Beirut IT fair by the name of CompEx.
With so many points where depressed digitization and cybersecurity watchers in Lebanon might see the current surge in cybersecurity awareness and new digital vigor—especially on the side of public sector minds—as a temporary flash rather than sustainable change, it should serve well to envision in one’s mind the upside potential of leapfrogging into the digital era. For example, researching success stories from peer countries and then visualizing the downsides of not making the overdue jump into the future is useful.
For this exercise, all a Lebanese citizen or resident needs to do is, for example, to visit certain entrenched line ministries and administrative units where paper-based processes are—still, in 2019—being used to incredible bureaucratic excess. Or a seeker of such examples can traverse the central offices of the biggest municipality in Lebanon and pay attention to how much of their personal time and effort all urban residents have to invest in jumping over bureaucratic hurdles to access normal services that could easily be provided digitally.