CommentCybersecurity

Cyberthreats in the GCC and Middle East

by Nicole Purin
written by Nicole Purin

Cyberattacks present themselves in a multitude of facets, although there is no absolute single definition for cybercrime in existence. From a general perspective, cybercrime can be defined as “illegal activities, internet mediated, that occur in the context of global economic networks”. The main categories of attacks are hacktivism, financial theft, data theft, ransomware, cyberespionage, cyberterrorism and cyberwarfare.

Last year shed light on new dimensions of cyberthreats in the political arena, as diplomatic confrontations erupted between the United States and Russia over allegations of Russian hacking aimed at influencing the US election. But cybercrimes are materializing globally and growing exponentially. The damages being caused by cybercrime vary from financial to reputational, as well as political and military. Cyberattacks are capable of penetrating highly sensitive and protected sectors, such as defense and national security.

What is causing the rapidly evolving categories of attacks is the augmentation of internet traffic and usage, combined with the development of new platforms for internet delivery such as tablets and smartphones, to name a few. One can affirm with conviction: wherever there is the internet, cybercrime will follow. The statistics are staggering – in 2016, there were 2,871,965 globaly registered notifications about attempted malware infections that aimed to steal money via the illegal online accessing of bank accounts, according to the Kaspersky Security Bulletin. The bulletin derives its statistics from the Kaspersky Security Network – meaning the real number could be higher. “In February 2016, hackers used the SWIFT credentials of Bangladesh Central Bank employees to send fraudulent transaction requests to the Federal Reserve Bank of New York, asking it to transfer millions of dollars to various bank accounts in Asia. The hackers aimed to seize $81 million transferred to the Rizal Commercial Banking Corporation in the Philippines and an additional $20 million destined for Pan Asia Banking.” Fortunately, according to internet security firm Kaspersky, the ploy was discovered in time, when a typo was detected in one of the transfer requests.

In one of the first cyberattacks with huge cross-national security implications, the Stuxnet computer worm targeted Iran’s Natanz nuclear facility back in 2010. The malicious computer program differed from a virus in not needing to attach itself to an existing program, and in its ability to control electromechanical processes, such as those used to control machinery on factory assembly lines and centrifuges in nuclear reactors. Stuxnet destroyed one-fifth of Iran’s centrifuges by attacking all control systems in industrial installations.

These incidents exemplify the level of damage that a cyberattack is capable of causing. A large-scale cyberattack against either systemic financial infrastructure (a major clearing house or two or three stock markets simultaneously) or critical military infrastructure has not yet happened, but  both are deemed as realistic threats by security experts. Countries of the Gulf Cooperation Council (GCC) and in the wider Middle East are exceptionally vulnerable to cybercrime due to their exposure to interests of foreign parties, including states and activist groups as well as financial criminals, their geographical location and the political structure of the region. GCC governments are on the alert and have in recent years introduced legislative remedial actions that seek to address the cybercrime tsunami.

[pullquote]

Transnational cybercrime requires a far more sophisticated set of laws to tackle these type of crimes

[/pullquote]

Legislative overview of combating cybercrime in the GCC

Cybercrime cannot be limited to a single jurisdiction. It is transnational and fluid, and this has challenged legislators in developing and developed countries alike, as the current domestic and international laws and enforcement protocols are simply not designed to fit the current legislative models. Cybercriminals know this and the complexities make it more difficult for the authorities to battle against this form of crime. Cooperation and harmonization across borders is key in order to ensure the development of gold standards of legislation and enforcement. In the past, the GCC relied on traditional laws, emergency codes and criminal codes to address cybercrime. The current position is that cybercrime legislation in the Middle East is under development, with some specific laws passed and the United Arab Emirates (UAE) leading in this field.

Cybersecurity in the UAE has been a priority for some time due to the growing number of cyberattacks. According to Kaspersky Security, an average of 17.4 percent of users in the Middle East encountered cyberthreats in the third quarter of 2016. Adding to the urgency is the fact that the UAE is the second biggest target for cyberattacks in the world, after the US, according to cybersecurity company Norse. As Rabih Dabbousi of UAE cybersecurity firm DarkMatter pointed out in 2016: “The exponential adoption of technology increases the UAE’s attack surface which is becoming larger every second.”

According to Dabbousi, the volume of financial transactions in the UAE and the country’s attractiveness for investors are just some of the reasons why banks and other financial institutions are constantly being attacked. Faced with an intensive onslaught, the UAE has created arguably the most effective and comprehensive cybercrime law in the GCC. The first cybercrime law was introduced in 2006 (Federal Law No. 2 of 2006) and was replaced by a more expansive cybercrime law in 2012 (UAE Federal Decree-Law No. 5 of 2012), designed to combat information technology crimes and codify the relevant offenses such as the transmitting, publishing or promotion of pornographic material, gambling activities and indecent acts. The law was later expanded to cover new offenses and to ensure alignment between the UAE legislation and relevant international treaties, such as the Budapest Convention on Cybercrime (signed November 23, 2001).

As a deterrent, the UAE cybercrime law in 2012 detailed severe punishments that include prison time up to a life sentence and fines ranging between $13,614 and $81,688 depending on the level of the cybercrime. The law addresses specifically social media and any misuses that can be derived from it, such as fraud, identity theft and impersonation. The law categorizes cybercriminals as hackers who hack into other individual’s accounts, criminals who are highly knowledgable of the cyberworld and exploit it for financial gains, and individuals who threaten and commit malevolent acts such as impersonation, threats and solicitation.

 Similarly, Saudi Arabia introduced cybercrime legislation in 2007, but definitional foundations such as privacy and confidentiality should be made more expansive. In Bahrain, the electronic transactions law (Federal Decree No 28 of 2002) was being utilized to tackle cybercrime, but it lacked specificity. After much debate, the country introduced a new cybercrime law in 2015, designed to counter illegal access to IT systems. Anyone convicted of entering, damaging, disrupting, canceling, deleting, destroying, changing, modifying, distorting or concealing IT device data concerning any government body will face a maximum of ten years in jail. From the perspective of fighting cyberthreats in this region, this is a very positive development as it indicates that GCC governments are realizing the urgent need to modernize cybercrime legislation.

Turning to other Middle Eastern countries, Egypt has relied on the intellectual property law (Law No. 82 of 2002), the telecommunications regulation law (Law No. 10 of 2003) and the electronic signature law (Law No. 15 of 2004) to tackle cyberattacks. However, these laws contain fundamental issues related to identifying cybercrime, as they do not always offer an extensive definition of cybercrime so as to capture all parameters, and with procedural limitations in the prosecution of cybercriminals, especially the ones operating from overseas. Transnational cybercrime requires a far more sophisticated set of laws to tackle these type of crimes. A new Egyptian cybercrime law is imminent in 2017 and will likely seek to address several of the gaps in previous legislation.

Jordan can rely on the electronic transactions law (Law No 85 of 2001) and the cybercrime law (Law No 30 of 2010). From the perspective of a legal expert, these pieces of legislation can act as a starting point but should be reviewed and expanded as the relevant investigative procedures require beefing up. Oman adopted a cybercrime law in 2011 (Royal Decree No. 12 of 2011), and it addresses a wide range of illegal actions involving the internet and computer devices. It is focused on defining crimes committed in cyberspace such as cyberbullying and cyberterrorism. This can also be considered as a good starting point, as the initial approach was the extrapolation of existing criminal laws and telecommunications laws to combat crime, which lacked realism.

The Qatari government has passed a cybercrime prevention law (Law No. 14 of 2014), another very welcome development in a drive to combat online and cybercrimes. The law imposes many sanctions and several penalties for offenses committed through IT networks, the internet and computers, and it safeguards the cybersecurity within Qatar, as well as the country’s internet infrastructure.

Greater collaboration to shield against cybercrime

The field of internet communication is expanding continuously and cybercrime is evolving and adapting to the changing information landscape. The current legislative platform in the GCC has improved considerably in the last few years by providing legislative harmonization, as specific legislation has been passed in most countries. However, cyberattacks are becoming more bold, unpredictable and mainly transnational. The domestic laws require constant updating, and in order to prevent and shield countries from attacks, greater international collaboration is also required.

International and regional conventions for the fight against cybercrimes such as the Arab Convention on Combating Information Technology Offenses (2010) and the African Union Convention on Cyber Security and Personal Data Protection (2014) are encouraging, but remain limited in their reach and scope when measured against the global severity of cybercrime. It is believed that a new international convention on cybercrime is required  to address transnational attacks more effectively and will involve the global community as a whole.

0 comments
0 FacebookTwitterPinterestEmail
CybersecurityQ&A

The public sector’s vulnerability to a cyberattack

by Jeremy Arbid
written by Jeremy Arbid

In Lebanon, the speed at which the government is moving and the speed at which cyberthreats are developing are totally different. Cyberdefense planning, it appears, is not much of a priority for the Lebanese government. The country does not have legislation to protect digital rights, lacks legal penalties to deter criminal cyberattacks and has only patchwork solutions in place for cyberdefense. In simple terms, plans to beef up the government’s cybersecurity capabilities are moving forward at a snail’s pace.

Cybersecurity firms point to an uptick in attacks on Lebanon when compared to global averages. Due to the state’s slow moving apparatuses and the high cost of investment, the best cyberdefense solution for Lebanon to protect its public sector, its private sector and online individuals, may be to migrate to the cloud – a debate which is still ongoing. Executive met with Ihab Chaaban, Information and Communication Technologies (ICT) security officer at the Office of the Minister of State for Administrative Reform (OMSAR), to learn more about Lebanon’s cyberdefense capabilities.

E   OMSAR’s first foray into cybersecurity was in hosting government websites in the mid-2000s. How has OMSAR’s role in cyberdefense since evolved?

Historically, OMSAR began in its hosting environment with informs.gov.lb, [today is dawlati.gov.lb, the official e-governmental portal] and over the years other websites were added. Suddenly, we found ourselves stuck in an unusual situation, hosting around 90 government websites without proper planning. In addition, we didn’t have technical, networking or security staff on board. With the attacks on government websites, OMSAR recruited a security officer and created a cybersecurity committee in order to share all security measures, concerns and responsibilities with all Lebanese administrations. As such, we started working on a national cybersecurity policy guidelines to be adopted and implemented by all public agencies. Furthermore, OMSAR is planning awareness workshops directed at Lebanese employees in order to raise their awareness on [cyber]security.

E   About six years ago, government websites were the target of cyberattacks. Were the attacks a catalyst for the government to improve cybersecurity capabilities?

There were many attacks hitting OMSAR servers and many websites were going down. The attacks began in 2011, targeting our web servers, hitting many websites, especially the websites of the Ministry of Interior and the Internal Security Forces. Because we had only one web server for all the websites, all the attacks affected the other government websites. [In response], the Council of Ministers decided to create a National Cyber Security Committee [NCSC]. The committee came out with recommendations to secure our [online] environment immediately, [but these were] short-term security measures. We also decided to create a new web-hosting environment and to build it based on international standards and security measures that define all the aspects of the web-hosting environment – [in order] to be a state-of-the-art national web-hostingenvironment. This needs a lot of work and funding.

[pullquote]

The country does not have legislation to protect digital rights

[/pullquote]

E   OMSAR is drafting a cybersecurity policy. Is there any update?

We are working on it right now while simultaneously improving the security measures of the current hosting environment. Each administration doesn’t have [its own] cybersecurity officers – the IT departments do the whole job. If we found a hole, we’d fix it, and if we found another then we’d fix it as well; we didn’t have a strategy, it was more like patchwork. We published a cybersecurity policy to guide the directors of the administrations on how they should create their security policies. We came up with a brief document, like a pamphlet, to make it easy to use and follow.

E   How did OMSAR assess public agencies’ readiness to adopt the recommendations of the cybersecurity policy?

Even before publishing we were wondering how to get the administrations started, so we created a checklist. This helped [departments to self-assess] where they were on cybersecurity. We published the checklist in 2015.

E   Did public agencies check it again in 2016?

It’s an internal process for the public agencies. OMSAR doesn’t have a mandate to supervise [the other adminstrations] – if they request help we are always ready to assist and provide them with the needed help.

E   In terms of measuring the assessment, is there any indication at a government-wide level of cyberdefense capabilities?

I don’t have any accurate information. In 2015, before publishing, we thought of putting the checklist online – so we could fill our database with the respective [administration’s] information. But after negotiating with decision makers, it was decided against that because of privacy and security [concerns].

[pullquote]

The attacks began in 2011, targeting our web servers, hitting the websites of the Ministry of Interior and the Internal Security Forces

[/pullquote]

E   If the oil and gas industry, for example, goes active then there will be seismic data, exploration data and many other valuable datasets. This vital data could probably be one of the more attractive hacking targets in Lebanon because of its actual money relevance. Is protecting such data part of the mindset in the ministries or at the government level?

One of the recommendations of the [NCSC] was to build a national data center for the whole government. We need more time because this issue requires critical decisions by the cabinet to identify who will take responsibility for the data center, securing it and transferring data between administrations. In addition, if we want to create a national data center, all the data for the government will be residing in it and, as such, it’s a critical issue.

E   What is being done to prepare a national data center?

In OMSAR’s e-government unit we have an interoperability sub-unit. Now we are working on creating a specific design to be implemented by the government, connecting and transferring data between administrations [in a secure way]. Maybe this will lead us to the next step of creating the centralized data center.

E   Cybersecurity breaches, cyberwarfare and criminal hacks have increased tremendously, especially in the last couple of years. Some companies are claiming a 4,000 percent increase in the rate of cyberattacks in the last five years.

Yes, for sure.

E   That seems to be a cause for concern.

There have been many voices raising this issue, especially from the Internal Security Forces, who have a cybercrime unit. They’ve requested the Ministry of Justice, and maybe the cabinet, to work on such a law. If I attack your server and steal your data, the criminal code has no text defining such cybercrimes and their penalties. For now, they’re applying the standard criminal code and adopting it to cybercrimes.

E   An individual from a cybersecurity firm said that state-sponsored hackers are sent on training missions to attack another country just so they know how to attack better. So they can attack Lebanon, and even if they get caught, there is very little danger of repercussion from the state because there is no legal framework. Another individual said because internet bandwidth in Lebanon is so limited a distributed denial of service (DDOS) attack is very easy, and it takes very little effort to shut down a website.

And this is why one of the recommendations is migrating to the cloud. Estonia, for example, is a completely electronic government – they are totally digitized. Because of the very high risks of cyberattack, they’ve migrated the government to the cloud.

E   Will the government migrate to the cloud?

In 2015 we had many [consultations] from companies to advise the government on how to build a secure cyberenvironment. Those companies advised the government to move to the cloud. We came up with a terms of reference (TOR) – all our needs and requirements for securing networks – and we took it to the previous cabinet to get approval for the funds because it is quite costly, and it was signed. Now, there’s still a debate of whether to go to public clouds, such as Amazon, Google or Microsoft, or have a private cloud since data cannot go outside Lebanon.  There is a decision from the Council of Ministers in 2014 about a partnership between OSMAR and OGERO to build a private cloud for the Lebanese government, in addition to a redundant data center for the e-government portal.

[pullquote]

If I attack your server and steal your data, the criminal code has no text defining such cybercrimes and their penalties

[/pullquote]

E   Will it be implemented?

Currently, our minister is working with the Ministry of Telecom and in collaberation with OGERO on setting a Lebanese National Cloud Computing Policy, in addition to executing a private cloud for the Lebanese administration and a secure government network for interoperability.

E   The CTO of Microsoft Middle East says their data suggests Lebanon experiences more cyberattacks than the global average, and if there was a Computer Emergency Response Team (CERT) in Lebanon, they could collaborate with Microsoft to reduce attacks to the global average.

The national cyber security committee recommends the creation of a CERT. A year ago, we had a meeting in the [prime minister’s offices] with the Telecommunications Regulatory Authority [TRA] and they mentioned that they started creating a CERT for Lebanon. But the TRA doesn’t have any mandate to create and manage the CERT I think they took it as an initiative. Currently, I don’t know of any update on the subject.

1 comment
0 FacebookTwitterPinterestEmail
Cybersecurity

Propaganda goes viral

by Matt Nash
written by Matt Nash

“I don’t believe what I read in the papers, they’re just out to capture my dime.”

– Paul Simon, Have a good time

While propaganda is as old as time and political stakeholders have used the internet to spread their messages since the web’s early days, in 2016 propaganda went viral. It was also monetized in an arguably new way, further highlighting the need for readers to check their sources – and the motivations behind those sources – before making decisions.

Fake news isn’t new, but it was a lucrative business during last year’s US Presidential election. Executive hasn’t found an exact figure for how much revenue the operators of fake news websites earned, but one US “publisher” claimed in an November 2016 interview with the Washington Post that, “right now I make like $10,000 a month from [Google] AdSense.” No shortage of US news outlets traveled to Macedonia late last year to interview teenagers who claimed to be pulling in $1,000 or more per month operating “news” websites consisting of mostly plagiarized content with the occasional “viral” report (typically a story either made up entirely or given a wild and misleading headline) that drove up hits and ad revenues.

While Facebook and Google have both pledged to crack down on fake news by attempting to keep it off the platform and starving sites hosting it of revenues, respectively, it certainly won’t go away. Efforts by these powerful gatekeepers may kill the business model that seemed to do so well last year, but they certainly can’t eliminate “clickbait” and poor journalistic practice all together. Sensationalism and outright falsehood have always been the “dark side” of journalism, seductive because it sells, but ultimately corrosive (hurting the credibility of both publishers and the wider industry, and providing a disservice to readers). Stopping the profiteers masquerading as publishers pushing fake news in recent years may make fake news less voluminous, but won’t eliminate the phenomenon entirely.

Dirty tricks

In the past two years, Western countries have been decrying what they insist are Russian online propaganda efforts aimed at discrediting liberal democracy, but misinformation has been used as a state tool for manipulating public opinion for centuries. It is neither recent nor surprising that governments have turned to the web to promote their interests. While the West today is accusing Russia of outright lies in its propaganda efforts, governments and politicians “spin” news all the time in an effort to “manage” public perceptions of an event or issue both on and offline. The US created an Arabic-language satellite news network – Al Hurra – to win hearts and minds following its 2003 invasion of Iraq. Avoiding the moral debate about the differences between “spin” and outright falsehood, one shared consequence of both activities is the need for readers to be discerning when consuming information, which is also not new.

An under-reported aspect of two of 2016’s most surprising election results is just how much more aware readers need to be of not only what they read, but the personal information they willingly share that will increasingly influence what they read. According to both UK-based daily The Guardian and the Swiss news website Das Magazin, a company called Cambridge Analytica used big data to craft micro-targeted messages for Donald Trump and a group called Leave.EU, which promoted Britain’s exit from the European Union. Cambridge denies any use of fake news, but, the Guardian reports, the company proudly claims to have “psychological profiles based on 5,000 separate pieces of data on 220 million American voters.” Our digital footprints tell a lot about us, and how we may react to certain well-crafted messages, meaning seemingly innocuous ads on the side of whatever website you’re reading could actually be designed specifically to elicit a certain reaction from you individually (whether that’s voting a certain way or buying a certain product).

Despite all the huffing and puffing about information manipulation online in the past few months, the internet has not reinvented the wheel. The web has made information more easy to publish, disseminate and access, and Big Data gives propaganda a frightening Big Brother feel, but the web hasn’t changed the fundamental fact that readers simply must be discerning in order to avoid being duped.

1 comment
0 FacebookTwitterPinterestEmail
LeadersOpinion

Rare opportunity

by Executive Editors
written by Executive Editors

Lebanon just got a new tool to promote government transparency and accountability, as well as prevent and fight corruption. Entering into force in February 2017, a new access to information law allows anyone to request specific information from virtually all government entities. From doctors needing public health data, researchers looking for economic and social indicators, bankers, industrialists, retailers and other business owners needing figures to make long-term investments, to journalists investigating government expenditures – anyone can make use of the law, and everyone should. All one has to do is send a request describing the information sought to the office(s) that might hold it. The access to information law also requires government entities to publish key documents on their websites, including an annual report (see special feature).

The law is a tool to help battle corruption, anti-corruption activists say, because it would increase the level of transparency between the government and the public. That, by itself, helps mitigate corruption, and information requests can provide the evidence in cases of government fraud, fault and other mistakes.

But to make the law truly effective requires auxiliary legislation. The law prescribes that the government can either deny or ignore information requests, and refusals (or tacit refusals) can be appealed. The body specified to hear appeals, the anti-corruption commission (ACC), does not yet exist. Legislation to create this institution is in advanced stages, says lawmaker Ghassan Moukheiber (see Q&A in special feature). The ACC is urgently needed, and Parliament must make every effort to ratify its legislation before the end of this parliamentary session scheduled to conclude at the end of March. Without the ACC there is still a judicial recourse to hear appeals, but that may be open to interpretation. For appeals, courts might argue that the access to information law specifically states the ACC as the appropriate body to hear these cases and could decline to make a ruling. That would effectively render access to information dead in the water, if the ACC is not established quickly. If the ACC legislation is ratified, forming its board could take time, and the government does not have a great track record in appointing or renewing the mandates of the board of directors of public agencies, or in filling senior administration positions, Executive reported last month.

Access to information is also a fundamental right and a necessary condition for significant reductions of government corruption, the United Nations states in its justification for goal 16 of its Sustainable Development Goals (SDGs) initiative for 2030. Passing the legislation is an early public relations win for the government and a positive step toward achieving the UN’s SDGs.

Executive calls on the public now to exercise its right to information, demand the law’s full implementation, the quick ratification of ACC legislation and timely appointment of its board. If the public fails to hold the government to account by mobilizing on these points then the people will lose their right to complain about the never ending maelstrom of incompetence and corruption that passes for governance in Lebanon.

11 comments
0 FacebookTwitterPinterestEmail
CybersecurityLandscape

The Lebanese cybersecurity landscape

by Thomas Schellen
written by Thomas Schellen

Overall, it is not clear what the local share of the global cybersecurity market – estimated by Gartner at $81 billion in 2016 – is or might be. Estimates and anecdotal evidence suggest, however, that the local market is still small. Salah Rustum, president of local firm Commercial & Industrial Enterprises of Lebanon (CIEL) and a veteran in the data protection business here as partner with electronic signatures authentication services company GlobalSign, estimates the market at currently “around $10 million” when queried by Executive. Other decision makers in Lebanese cybersecurity consultancies and network operating companies say they prefer not to make any estimate about the current size of the cybersecurity market, citing the known dearth of reliable statistics in the country.

Beirut-based cybersecurity stakeholders also have only vague estimates on the number of qualified competitors that they face in the Lebanese market or on the number of highly skilled analysts with the required expertise to staff a Security Operations Center (SOC) – not currently existing in the country – as top-level forensic experts. General agreement, however, among stakeholders is that this specialist subsector of the information technology (IT) industry is set for substantive growth – at least double-digit year-on-year – over the coming years and that the biggest challenge is not to find new customers but to obtain qualified engineers that either already have or can obtain cybersecurity skills.

One example for this dichotomy between expected demand growth and missing manpower is Crystal Networks, a Beirut-based regional IT company of 75 employees, which according to co-founder and general manager Esper Choueiri does 40 to 45 percent of its business domestically and the remainder in the Arab region, with Saudi Arabia as the main business driver there.

Choueiri tells Executive that his company filled five new engineer positions in 2017 that were all in the security department of the venture, which has five departments. “In many cases, experienced engineers cannot be found and new engineers need to be trained in-house for cybersecurity. My biggest challenge is finding the right people, and at the same for all my customers,” he says.

[pullquote]

In many cases, experienced engineers cannot be found and new engineers need to be trained in-house for cybersecurity

[/pullquote]

Lack of local expertise

To operate a high-grade Security Operations Center, or SOC, requires teams of engineers with three levels of expertise. Engineers need between a minimum of one year of experience to perform well on the first level and at least five years on the top level, Choueiri says. By his estimate only one fifth of needs for top-level SOC experts are currently filled in Lebanon.

Also in the view of Jens Muecke, senior partner in the roughly four-year old IT security consultancy Krypton Securities in Beirut, a shortage of local experts is holding back cybersecurity development in Lebanon. “From my opinion and what we have seen in our team, many banks and companies over here are way behind. One reason is missing expertise – it is really hard to find good people here, given the instability of [this country] and the whole region. Everyone who is acquiring the skill [of a cybersecurity expert] and a reputation for having such, is getting out of here to take up a well-paid job in Europe or the US,” he says.

German-born Muecke joined Krypton after having worked with leading consultancies and international internet and software providers in the United States. The company, which has a team of seven employees in Beirut and its nominal home in Dubai, according to him has half the major banks in Lebanon among its clients, as well as some smaller companies. Krypton does about 80 percent of its business here as its expansion in other markets such as Jordan, Cyprus, and Saudi Arabia is still in the early days. It will take a few more shocks for markets in this region to fully awaken to cybersecurity. “What I think is that this region needs a few more bad examples when things happen tragically and somebody has to pay the price before they all realize what they need,” he says.

Judging from his observations, local companies to this day tend to approach cybersecurity with the same mindset with which  in earlier years they entered in other quality certification procedures. With such a mindset, companies emphasize assurance of their compliance with regulations. After they are promised cybersecurity on the cheap, they become compliant on paper but don’t achieve the knowledge transfer that they should get, Muecke says: “They have a paper saying ‘it is compliant’ but it is not. They don’t have the process and don’t do updates regularly. They don’t evaluate all reports as they should. They live day to day and hope nothing is going to happen.”

The notion that risks extend far beyond the financial sector in also the view of Tony Feghali, general manager of Potech Consulting, based at Berytech. His security company does not have exact numbers and statistics on the extent of internet-related damages at Lebanese companies but he says that in their experience, banks are not the only targets here. “They are definitely a very interesting target because that’s where the money resides, but today we’re seeing a lot of cyberattacks – especially ransomware or other type of attacks – targeting every type of business,” he says.

Huge growth potential

The growing likelihood of being targeted does not mean that local companies radiate universal awareness of their risks. According to Choueiri, awareness levels are extremely unequal. “To be realistic the banking sector is most advanced when it comes to cybersecurity and most aware among the Lebanese enterprise sector. Any company that is not IT-related is in my personal opinion totally unaware of security risks,” he says. Along with other experts he notes that besides missing awareness, it is often difficult to assess the real number and magnitude of cyber breaches and security damages in Lebanon because of widespread reluctance of breached companies to come forward and discloses their misfortune, mostly due to fear of reputation loss.

This phenomenon, however, is global and not particular to this country or region, experts agree. The phenomenon also does not deter cybersecurity companies from expecting double-digit business growth, or better, for the next few years. Choueiri expects demand to increase between 35 and 40 percent year-on-year and has important expectations for 2017. “I have [a] feeling that this year will be the year of cybersecurity. Everybody is talking about it,” he says.

CIEL’s Rustum sees year-on-year growth as upwards of 10 percent and even believes that more is in the cards. “[Growth] will be exponential in Lebanon, because the more people know about it, the more they are going to use cybersecurity,” he says. He moreover is not worried that there could be too much competition for the market to carry but on the contrary believes that there is room for more cybersecurity players. “There is enough cheese for everybody. The idea is to stir up the people and tell them that if they want to go on the internet, they have to protect themselves,” he elaborates.

Rustum’s main worry is bringing the legal framework in Lebanon up to speed. When his business working with digital signatures was established in the 1990s, the country was praised as one of the first in the world where the technology was introduced, but thereafter it slipped every year down in rankings for technology adaptation as the draft law on digital signatures was put to rest in government drawers. “Time is really passing us by. What I am afraid of is that by the time Parliament approves the law, it is already obsolete,” he laments.     

As Executive did not find any comprehensive study on security market data in the country, it seems difficult to assess realistically, with or without legislative innovation, what chance local companies might have for rising through international ranks, whether by expertise or by business volume related to cybersecurity. However, there can be no doubt about the growing role of cybersecurity companies in global markets, which is documented by the rise and overall growing valuations of international specialist companies. The largest firms globally in the sector are based in Silicon Valley but a few are not far from our geography in physical terms (see box below).

[pullquote]

What I think is that this region needs a few more bad examples when things happen tragically and somebody has to pay the price

[/pullquote]

Work operators see threat

Local companies that are active stakeholders in the market involve not only security consultancies but also network operators. A rising hub of cybersecurity activity seems to reside in the Holcom Group of companies where Executive encountered not only Crystal Networks but also ICT company and network operator GlobalCom, which confesses to the aim of developing its own cyber SOC in partnership with global player, British Telecom (BT). 

“We first have a duty to protect our networks and then we have a duty to help our customers protect themselves,” says Habib Torbey, GlobalCom Holding’s chief executive officer and general manager of its data carrier unit GlobalCom Data Services (GDS). Torbey tells Executive that the investment into the cyber SOC will be in the multi-million dollars. Although Lebanon by his observation so far has mainly seen attacks from small-time hackers, he reasons that the investment into a cyber SOC is warranted because attacks are getting more and more sophisticated, affecting more and more markets.

“We don’t need to wait for a disaster before we start protecting ourselves. No one in this field can fight the battle alone, and in the same way that pirates are cooperating to make their attacks more sophisticated and more successful, the good guys need to cooperate,” he reasons, explaining that GlobalCom partnered in this task with BT because there is a long-standing collaboration between the companies since the 1990s and because BT “is one of the best in cyberdefense.”

According to Torbey, GlobalCom has a network that comprises backbones and over 150 sites; it carries 70 percent of corporate traffic in Lebanon through GDS. The holding also entails the Internet Services Providers IDM and Cyberia. According to BT representatives who came to Beirut for an event last month, Lebanon is regarded as one of several priority countries in Middle Eastern new markets. The multinational company  has started to address the local cybersecurity market in 2016 in partnership with GlobalCom and wants to serve the country’s 20 to 30 largest entities with cybersecurity services.   

Outsourcing security

Outsourcing cybersecurity to specialist companies would be legally feasible for local banks, although compliance with banking secrecy laws requires that they would use a cyber SOC that is located in Lebanon, asserts Torbey. “Some customers who do not understand how cybersecurity works may have a tendency to think that we can see the content of their traffic and their trade secrets. No, we don’t look at the content and we don’t want to look at the content. We just want to look at the technical specs of the traffic in order to see if there is an attack or not and how to defend against it if there is an attack,” he explains.

While operation of a cyber SOC will require running investments, Torbey says this is a necessary cost and expresses the hope to additionally turn it into revenue opportunity by selling its services. Coming from a low base in cybersecurity revenues, he expects double-digit growth of revenues and is not afraid that cyberattacks would create digital disasters for operators who know what they are up against in facing cybercrime. He says, “Once you become aware of the risk and help your customer become aware of the risk, the future is not scary. You can do something about it.”

1 comment
0 FacebookTwitterPinterestEmail
Film

Sounds of a Lebanese love story

by Sara Ghorra
written by Sara Ghorra

Philippe Aractingi, mostly famed for his war-related movies like the critically acclaimed “Bosta” (2005), its follow-up “Under the Bombs” (2007) and his biopic “Heritages” (2013), has offered his fans the exquisite fruit of two years of labor. “Listen (Ismaii)” is a masterfully crafted, delightful piece of art that is co-written, co-produced and directed by the French-Lebanese filmmaker. The movie is a multilayered pleasure to the senses. Every one of its elements plays its role perfectly, from the narrative, to the cinematography and, most importantly, the sound design. The result is a wonderfully shaped, realistic piece of fiction, fueled by romanticism, sensuality and authenticity.

Screen Shot 2017-03-16 at 1.06.30 PM“Listen” is, above all, a love story set in Lebanon in which three characters find themselves entwined. Joud, played by Hadi Bou Ayache, is a sound engineer with a knack for deciphering noise and extracting beautiful sounds that aren’t often noticeable. Hardworking, idealistic, a little shy and refreshingly genuine, he is a young man who lives for the moment. His love interest, Rana, played by Ruba Zaarour, is a sparkly and attractive model who enjoys the city’s fast tempo and knows how to dance to it without much inhibition. Extroverted, assertive and straightforward, her individuality contrasts beautifully with Joud’s.

After meeting at a film shoot, a contemporary courtship begins. One filled with moments of sharing, discovery and passion. However, their romance is abruptly paused by a stroke of fate, which leads to Joud asking Rana’s sister, Marwa, played by Yara Bou Nassar, for her help in his attempt to bring his lover back to him. Quite opposite to the character of her sister, she is a poised university lecturer who is about to get married to a British man she had been dating. Her character blossoms as the film progresses; her sensuality and femininity manifest themselves unexpectedly while Rana’s presence diminishes. Similar to how the moon can only be appreciated when the sun sets.

Screen Shot 2017-03-16 at 1.06.02 PM

While Bou Ayache, Zaarour and Bou Nassar deliver strong performances that serve the storyline, which is far from being the chief component in this film. What makes “Listen (Ismaii)” exceptionally deserving of praise is actually the artful orchestration of the remaining components of the film that tastefully enhance the narrative.

The film’s interesting frames, points of view and camera movements offer viewers the intimacy to better relate to the protagonists. The shots around Lebanon, from the grand views of the mountains to simple glimpses at street vendors, are an homage to our precious land and create room for contemplation and appreciation for the diversity of Lebanon’s scenery.

Screen Shot 2017-03-15 at 11.05.29 AM

Meanwhile, the editing succeeds in setting the perfect pace relative to the state of mind of the characters, in harmony with their emotions and the film’s action. It also shapes a nonlinear story that takes the spectator on a smooth voyage made up of flashbacks, unveiling significant moments that defined the relationship.

Yet, the ingredient that welds it all together and forges the true essence of the film is undeniably the sound design. We have the tendency to take for granted what an incredible thing it is to be able to hear, and the movie truly reminds you to “Listen”. As viewers borrow Joud’s ears, we enter an exceptional universe governed by sound and enriched with melodies.

Yara Bou Nassar

Amid all the beautiful sounds in this film, from the city’s pulse to nature’s wonder, the most enjoyable sound is the human voice – more precisely the woman’s voice. It won’t take long before the viewer sees the emphasis given to her, especially her liberal side, the one that yearns for autonomy, self-expression, and sexual satisfaction. Even though the movie doesn’t shy away from controversial scenes, it does so not with the aim to provoke, but to emulate a reality.

As the closing credits appear on the dark screen, after a surprising and sudden ending, one cannot but feel a surge of admiration and pride, as any Lebanese who appreciates the seventh art would. Go, watch, and listen.

0 comments
0 FacebookTwitterPinterestEmail
CybersecurityEntrepreneurship

Securing the entrepreneurship ecosystem

by Matt Nash
written by Matt Nash

It’s 3 a.m. Despite your family’s “no Internet after dinner” rule, your smart, web-connected refrigerator is rebelling, repeatedly attempting to load the same site. The mustard is not trying to catch up on the news, your ice box has become a zombie in a hacker’s army – a botnet, in industry lingo. While the so-called “Internet of Things” allows for the connectivity of an increasing number of previously “dumb” devices and appliances, their link to the global internet presents a vulnerability hackers have already begun exploiting.

With the exponential growth of online risk, of course, comes both an opportunity for consultants and companies specialized in providing cyberdefense, and the need for companies large and small to increase security spending. In the last six years, venture capitalists have grown more keen to cash in on the flourishing cybersecurity market. Startups focused on data protection attracted $3.48 billion in investments in 2016, down slightly from $3.9 billion in 2015, but 76 percent above the $833 million poured into young data defenders in 2010, according to research company CB Insights. The company also reports that in 2015, four cybersecurity startups attained so-called “unicorn” status (meaning their value was  in excess of $1 billion), with one more of the mythical beasts joining the stable in 2016. Tech news websites feature lists with the 20 hottest cybersecurity startups to watch. A quick view of such lists reveals that career moves by specialists in this field from protecting the state to the private sector is a potentially lucrative choice – a number of newer ventures boast former Israeli or US digital warriors at the helm or among the top brass.

While niche specializations are beginning to develop in the Lebanese entrepreneurship ecosystem, such as fintech, cybersecurity is not one of them. 

A short list

Since Lebanon’s entrepreneurship ecosystem first began buzzing around 2001, it has produced a few cybersecurity companies – consultancy seems more popular than solutions-provision, although exact numbers are difficult to come by – but according to Executive’s research, since 2013 there have only been two start-ups with incorporated cybersecurity focus. The first, Myki, has been profiled in the magazine before but was not available for an interview. The password-management company is now listed as a portfolio company on the site of local VC Leap Ventures, and – according to an unsourced announcement on Crunchbase.com – raised $1.2 million in a third funding round at the end of January. Myki founder Priscilla Elora Sharuk told Executive in March 2016 that the company had raised $600,000 up to that point.

Early last year, Universant Technology Corporation became the newest local entrant to the cybersecurity market, founder Joe Hage tells Executive. Hage has a background as both a successful entrepreneur and a security specialist. He explains that his rapidly growing company – which has doubled its workforce in the last 12 months – was born primarily to leverage Hage’s network of contacts. Along with an angel investor providing the company with an initial capital boost, Hage had “seed clients,” i.e., “contracts in hand pending incorporation.” He has bold ambitions hoping to identify and nurture local talent to win big-ticket contracts in the Gulf, and has secured one so far. To this end, Hage says Universant partnered with the American University of Science and Technology (AUST) and has created an informal group of security researchers, which he describes as “almost an R&D staff.” He lists acquisition as an exit strategy but talks with a passion that suggests he may shed a few tears if ever asked to hand his baby off to new parents.

[pullquote]

It is easier and cheaper to build securely from the beginning

[/pullquote]

Aware of the risks

While Lebanon’s ecosystem is not pumping out cybersecurity startups, data protection is on everyone’s mind. Jana El Husseini, project coordinator at Smart ESA, says the new incubator and accelerator run by the Ecole Superieure des Affaires – a local business university established in 1996 – will teach the startups it hosts security basics. Ramy Boujawdeh, deputy general manager of Berytech, explains that security is taught as a module in the education program that the Berytech incubator provides to all startups there.

Fares Samara, the chief technology officer at the accelerator Speed@BDD, teaches young companies security basics, but notes that as Speed works with idea-stage companies that have yet to develop minimum-viable products, few students under their tutelage have advanced security needs. He points to the growth of what he called “infrastructure as a service,” an evolution of software as a service made possible by cloud platforms from companies like Microsoft, Amazon and Google, he half-jokes that IT staff in early-stage companies don’t even need to understand how to setup a secure server (as the Microsofts, Amazons and Googles are doing that for them nowadays). As startups grow, managing the increasing amounts of data they collect becomes more complex, requiring either customization of back-end infrastructure offered by third-party providers or the design of an in-house back-end, which is where most vulnerabilities can surface, Samara explains. Once a startup begins to expand, its internal security needs grow, he says.

Security by design

Online advice for startups thinking of their own security frequently note that it is easier and cheaper to build securely from the beginning (even if this includes upfront costs like penetration testing and causes some delay in bringing a new product to market) than trying to patch vulnerabilities after intruders have gotten in. It was with this advice in mind that the local carpooling app, Carpolo, opted to build its own back-end early on instead of relying on a third-party, company co-founder Ralph Kheirallah tells Executive. Kheirallah echoes Samara in noting this infrastructure will add the most value to the company as it grows, but argues it was worthwhile to invest from day one. Carpolo is using a business-to-business model – pitching itself to employers, a shift from the initial B2C model – and currently finding interest among local banks, clients with very strict security requirements.

Locally and globally, banks are high-priority targets for cybercriminals (see overview page 16) and security is a top concern for startups looking to enter the financial sector. Saeb Nahas – a manager at Phoenician Funds, a local VC with a fintech, e-government and health care focus – explains that portfolio fintech companies go through extra screening to ensure their systems are secure. “We have experts who go in and do fake attacks” to “pinpoint problems” early on for portfolio companies, Nahas says. Additionally, security evaluations are part of Phoenician Funds’ due diligence when evaluating an opportunity, he notes. 

Never too small

With the increased sophistication of cybercriminals, and the ease with which they can attack, small companies today have to be far more aware of threats – and better prepared for attempted intrusions – than they did even five years ago. Mario Gaudet, chief technical officer for Economena Analytics, talks of a war being fought by the minute. The company is a platform for economic data for the Middle East and North Africa region. Gaudet says his network analytics reveal attempted attacks almost 24-hours per day, with “at least” 20 attempts per hour. Hacking, he says, “has become a business.” Defending against increasingly savvy criminals, therefore, is a need that will only grow for companies of all sizes.

By all accounts, Lebanon’s entrepreneurship ecosystem understands the security threat, but as safe and secure as a system can be, everyone interviewed for this article reiterated some version of a joke security professionals are rumored to frequently make, “there’s no patch for human stupidity.” Whether it is reusing weak passwords for every account or sending sensitive data over an unsecure WiFi connection, people remain the weakest link in the cybersecurity chain.

1 comment
0 FacebookTwitterPinterestEmail
Banking & InsuranceCybersecurity

Cyber(in)securities

by Thomas Schellen
written by Thomas Schellen

At the center of the cybersecurity issue in Lebanon resides, as with many issues in this country, an unfortunate and seemingly unmovable constellation. In one corner towers the banking sector as the primary force and primary concern for all things economic and also all things digital. The banking industry, as all the expert voices in conversations with Executive about the cybersecurity issue acknowledged, is the biggest target for cyberattacks and the most advanced in awareness, preparedness and spending on cybersecurity in Lebanon.

Crouching in the opposite corner is the public sector. It is limited by severe lack of information technology (IT) spending budgets in general, and cyberdefense in specific. Many ministries are not equipped with a single cybersecurity specialist in their IT departments. In the perception of experts on Lebanon’s cybersecurity, the public sector is in a worse state than the private sector and moreover gives the appearance of being engulfed in complete ignorance of advanced methods to maintain safety and simultaneously be on the cutting edge of internet usage.

Banks have undergone an evolution from a few years ago when they used to rely on having just one individual staff member with security responsibility who reported to the IT department. This was done to comply with a Banque du Liban (BDL), Lebanon’s central bank, requirement that mandated banks to have this security representative. Overall, in the experience of Iskandar Aoun, head of the security department at Banque Libano-Française (BLF), “it was a marginal function”.

According to him, this has changed in recent years as cybersecurity advanced from a marginal matter to the biggest threat for all banks and a major concern to their boards of directors. “This evolution occurred on different levels: the organizational level, the regulatory level, the media level and, of course, the technological level,” he says. On the important organizational level it is common, at least in the sector’s alpha group banks, that the security entity nowadays “is a complete entity with a minimum of five or six staff and reports directly to upper management,” Aoun explains.

The gauss Malware

Deputy General Manager Sleiman Maaraoui, head of Systems, Division Projects and Infrastructure at Société Générale de Banque au Liban (SGBL), tells Executive, via an emailed response, that maintaining first-class cybersecurity capabilities requires a “relatively significant percentage of IT spending” and quantifies the share of cybersecurity measures at around 10 percent of the IT budget. “At SGBL, we have a dedicated team [within Information Technology Security Evaluation Criteria (ITSEC)] to monitor cyberactivity and track any suspicious behavior using cutting edge tools. Alongside, IT teams have dedicated resources to support and maintain this infrastructure,” he says.

Maaraoui confirms that cybersecurity investments have gone up due to the necessity of implementing the latest tech tools and are expected to increase further. “This cost will increase over the coming years to meet targets set by top management and add new functionalities that will provide a seamless integration and an easier adoption by our customers,” he says, citing as an example biometric tools such as fingerprints, voice identification and face recognition.

It seems that the crunch moment in banks’ elevation of cybersecurity to the top in their list of priorities came after the 2012 discovery of the so-called Gauss malware, which had penetrated over 1,600 computers in Lebanon at several of the country’s top banks according to global security company Kaspersky Lab’s count. According to a Kaspersky Lab statement from August 2012, Gauss malware was a “nation-state sponsored cyberespionage toolkit designed to steal sensitive data,” specifically targeting online banking credentials and browser passwords. The malware was said to have been active for more than nine months before it was discovered on some 2,500 machines. According to Aoun at BLF, which was one of six major Lebanese banks which the statement mentioned by name. Several banks that were infected by the malware even refused to declare this fact.

Humble hacking past gives way to risk laden present

As Aoun tells Executive, the risk associated with cybersecurity breaches some 10 years ago was “relatively low” and this low risk was reflected in “humble topologies,” meaning simple physical or logical layouts of the computer networks at every bank. Hacking attacks were slow, often involving days of hackers poking around to find system vulnerabilities, and damage was of the kind that even successful breaches were hardly mentioned, i.e. any damage was below the cost of reputation loss if the breach was disclosed.

“Until now, we did not have a major breach in the area, especially in banks. We have the small [incidents] of fraud where an email sent by a customer asked to transfer money somewhere, and then the bank discovered that it was fake and the request was for a transfer to an unknown account. We did not have major breaches, touch wood,” he says.

In the 2017 environment, however, hacking tools are far more advanced. “All the hacker has to do is send a nice-looking email that contains an attachment or malicious URL link, and all that the end user needs to [do] is double click on the attachment or the URL with the result that malware is installed on the system, and the hacking job is done. The whole environment is infected,” he says, adding that the great increase in risk is reflected in banks having deployed advanced topologies to deal with this risk. 

The adjustment to greater cyber risks on the technological level was mirrored in regulatory developments. According to Aoun, every bank has been obliged by the central bank to declare any incident that occurs on its premises, and the central bank evaluates all this information and incorporates it in updates of circulars related to security. He says, “Whether it is physical, a downtime of the system, a cyberattack, data theft, fraud, operational risk or anything [else], you are obliged to declare it to the central bank. We have to declare, and we also have to have a policy to inform our customers about an attack. I can also say that it is better for the bank to inform its customers rather than them finding it out over the internet or through media reports.”

According to SGBL’s Maaraoui, the rising importance of cyber risk has led to its embedding in the bank’s thinking, in addition to all other requirements that occupied the attention of banks, such as anti-money laundering regulations and recent rules on financial standards. “Cybercrime is no less important than compliance pressures or local and international regulatory tightening. This importance has been growing year after year thanks to digitalization,” he says.

In Maaraoui’s words, cybersecurity may not be on the agenda of every board meeting at the bank, but he confirms, “board members are fully aware of threats and challenges faced with cybersecurity.” Moreover, he implies that amidst a whole array of measures to enhance customer protection in contemporary banking, the issue of protection against theft of their banking data and other forms of cybercrime is possibly the most sensitive one. “If sensitive information is stolen or otherwise misused, the public will not see that the financial institution is a victim of a malicious actor, only that it did not properly protect that which was entrusted to it. Regulations enforce severe penalties for non-compliance, while the organization’s public image can be irreparably damaged,” he says.

Banking roads to better security

By the perception of perhaps the most potent company that Lebanese can turn to as a global powerhouse and authority in IT and cyberdefense, Microsoft, Lebanese banks have taken the national lead in cybersecurity measures, but often did so in ways that do not allow them to be on the forefront of digital innovation, warns Microsoft Country Manager for Lebanon Hoda Younan. 

“Organizations in Lebanon, even in industries that we believe are advanced, like financial services, are very conservative and do not build on innovation because of fear [of being connected]. They sometimes cut off their people from the internet to protect themselves. We saw this as a reaction to the attack that three or four years ago that reached all banks. If you disconnect, this will definitely protect [you in one way], but it prevents you from innovating. Speaking from the perspective of a Lebanese person who feels responsible, I see that we have a lot to do. We need to build on the experience that the multinationals are giving us when they come into the country, so that we can be more aware and more protective,” Younan says.

According to Microsoft experts, local organizations face challenges that relate to a mindset of placing trust in static concepts of perimeter defense. In choosing a physical gap approach for their cybersecurity, they tend to bet their fortunes, and their lives, on erecting huge walls – in a way that resembles the approach of medieval castellans who build ramparts that were seemingly impenetrable. That approach worked only until trebuchets were invented (as the Microsoft-published game Age of Empires 2 already taught its addicts some 18 years ago).

For Nasser Kettani, Microsoft’s chief technology officer in the Middle East and Africa, to have online banking today is not enough for a bank to be innovative. For them to be able to innovate, he advises banks to develop a mindset for cybersecurity that is adapted to the current time, meaning to focus not on perimeter defense of their networks, but on technology and intelligence that can be obtained from the cloud. Moreover, perimeter defenses can be ineffective against internal hacks, he adds, citing the example of the National Security Agency (NSA) in the United States.

“The ability of banks to innovate in terms of Artificial Intelligence, Internet of Things, blockchain and a lot of things that you can do [is limited] because they have not changed their security posture. What we are finding is that you can expose yourself to the internet and be safe, but you have to change your way of doing things,” Kettani tells Executive. This requires a new security posture, he says, citing gains in security that companies and entire countries can achieve through collaboration.

In the case of Microsoft, the company – which at all times in digital history was a target of hackers – is now more than ever subject to cyberattacks since it moved a few years ago to become a major provider of services on the cloud. It responded to the threat with huge investments in cybersecurity – in 2016 it spent over $1 billion purely on cybersecurity according to Kettani – and also leveraged the data insights it obtained from operating about 200 cloud-based services with 100 billion user logins per month.

“Data collection gives you more insights than you can get otherwise. This volume of data that we see from around the world helps us to get intelligence that nobody else can,” he says. Microsoft uses these insights for building new security tools to protect itself and its customers through different units inside the Microsoft organization and also partners with other IT companies and law enforcement operatives in many countries – for example through national Computer Emergency Response Teams, or CERTs – to extend the umbrella for protection against cybercrime.

Under the common perception of most crime choosing the road of least resistance, the best defense will be one that elevates the criminals’ risk of detection and punishment when caught. Implementing such a strategy in Lebanon, however, transcends the capabilities of banks and other private sector entities. It necessitates legal measures and organized cybersecurity collaboration of private sector players with the state and with one another.

Calls for more government actions

This important need for interaction is reflected in the views of the cybersecurity specialists at BLF and SGBL. Of the important measures that the government should undertake in Aoun’s perspective, one prudent initiative would be to give companies tax incentives on investments into cybersecurity systems to make it as affordable as possible and help smaller players beef up their defenses. According to Aoun, “the government should not impose any tax [on cybersecurity systems]. This will reduce the equipment cost and encourage the banks to invest in security products.” In parallel to incentivizing cybersecurity investments, he advocates secondly, that the government should enforce cyber insurance as mandatory for banks, and thirdly that it should develop national cybersecurity infrastructure. Specifically, Aoun advocates for the creation of a CERT for Lebanon.

“A CERT will issue guidelines, monitor risks and inform banks of attacks. This has become an urgent matter for Lebanon,” Aoun reasons, adding that having a national team will also provide faster information on attacks that happen elsewhere because CERTs communicate with one another across countries. “If there is a threat in one country, they will communicate the information to all countries and every local CERT will communicate with the companies in its jurisdiction to take precautions – this needs government action to legislate. A CERT team will also minimize the phenomenon by which everybody refuses to say what is going on,” he says.    

Regarding collaboration among cybersecurity officers of Lebanese banks, Aoun maintains that this issue was raised by BLF in the drafting of a letter to the Association of Banks in Lebanon and was also mentioned in discussions with the Banking Control Commission. The call is for regular meetings or a convention of CIOs (chief information officer) so that these professionals may share their experiences and exchange information with one another, meaning that all stakeholders are provided with immediate information on new risks and incidents.

Also in Maaraoui’s view, there is urgent need for government action on comprehensive legislation. He says, “The Lebanese government is urged to pass a new law that facilitates online transactions, yet ensures its security and authenticity by enabling [the] digital signature and extending it to full digital identity.”

He also recommends that laws to fight cybercriminals should be put in place and that legislative actions in those two regards should be coupled with other laws and central bank circulars to guide banks forward toward “true secure omni-channel experience. The guidance of banks toward ever-increasing cybersecurity should furthermore be accompanied by actions of the Banking Control Commission of Lebanon (BCCL),” Maaraoui opines.

“BCCL should mandate an external, internal and overall ‘security assessment’ to be performed by third-party companies with expertise and certification in cybersecurity, [similar to that of a financial auditor], the results of which are then sent to the bank, but also directly to BCCL,” he argues, citing a similar practice in Luxembourg as an example before adding that not only banks, but the entire enterprise-level environment in Lebanon needs directing toward measures that will prevent or at least minimize “potential financial, but more importantly reputational damage.”

Scenarios faced by insurers

While banks face the dual need to embellish their security – at the same time constantly enhance and evolve their online accessibility and digital services in order to respond to changing customer expectations – and also remain competitive in the face of disruptive fintech startup companies, insurers need to approach digitization and cybersecurity under a somewhat different paradigm. On one hand, they are, just as banks are, financial companies, and thus, attractive targets for cybercrime-syndicates and individual hackers. They therefore must adapt to the digital world in their distribution strategies. On the other hand, they have the mandate to harness cybercrime as an opportunity for providing new insurance services. Moreover, their function extends to demanding that insured parties comply with preconditions for insurability, whether in the form of fire doors in a building or firewalls in a data center.

In the multi-faceted context of being stakeholders in their own cybersecurity and insuring risks of others, Lebanese insurers could find a new boom in cyber insurance premiums, says Max Zaccar, chairman of Commercial Insurance and president of the Lebanese Insurance Association. “In future, cybersecurity could be a huge portion of overall business for insurance, with estimates going as high as 50 percent of premiums to be generated by cybersecurity,” he declares.

Zaccar concedes that there is yet limited understanding of insurance for cyber risks in Middle East. He points, however, to a factor that should make cyber insurance a welcome addition to the product offerings of local insurers. “Most of the cyber insurance risk, if underwritten by local companies, will be reinsured abroad, so companies will not face too much risk of having to pay out of their own pocket,” he explains.

Lebanese insurance companies have some demand from banks for cyber insurance policies, says Fateh Bekdache, general manager of BLOM-Bank affiliated Arope Insurance. “Cybercrime is a delicate subject that is becoming very important. A lot of insurers were reluctant to consider cyber coverage because it is very complicated,” Bekdache tells Executive.

He adds that it is a complex and challenging task to draft standard cyber insurance policies, which will stipulate the coverage terms of such contracts. This is a development in the domain of international reinsurance giants that local insurers observe from the sidelines. “There is a race among reinsurers as to who will draft a contract that is more advanced than that of the other. We are sitting and watching,” Bekdache says.

Another challenging issue is the fact that many companies are reluctant to declare if they have experienced a breach or quantify losses from intrusions, which makes claims management even more delicate. As Zaccar and Bekdache concur, the reported growth of breaches in Lebanon is high, but it is only the tip of the iceberg and statistics suggest that local organizations, just as companies everywhere, in their vast majority do not report their breaches.   

Numerous recent reports by international consultants, banks and insurance players have highlighted cybersecurity as a growing area of business and insurance. Bank of America Merrill Lynch was quoted as estimating the cybersecurity business to represent on average 6 percent of IT expenditures, which was worth $75-77 billion in 2015 and projected to reach $170 billion by 2020. A 2015 report by PricewaterhouseCoopers sees cyber insurance as a “potentially huge but untapped opportunity for insurers and reinsurers,” estimating worldwide annual gross written premiums as set to grow from $2.5 billion in 2014 to $7.5 billion at the end of the decade.

Lloyds of London said in a 2016 report that over 90 percent of large European businesses surveyed had experienced a data breach, and 51 percent were worried about being hacked by cybercriminals for financial gain. However, only about 50 percent were aware that cyber insurance coverage for a data breach is available and many were equally unaware that cyber insurance not only provides a pay-out after a cyberattack, but also helps with expert consultancy during a crisis.

Moreover, most of the market, up to 90 percent, is currently in selling cyber insurance to companies in the United States. Given that cyber risk is a globally universal growth phenomenon, the estimates for future cyber insurance needs seemingly cannot be overstated.   

To take the discussion of cyber insurance in Arab countries forward, the Lebanese Insurance Association and the General Arab Insurance Federation are collaborating to convene a digitization conference this May in Beirut. According to Zaccar, the first day of the two-day event will be dedicated to new digital distribution channels and the related issue of digitizing insurance services, while the second day will be dedicated to cyber insurance and the Lebanese law enforcement perspective on cybercrime.

1 comment
0 FacebookTwitterPinterestEmail
LeadersOpinion

Protect us from the modern plague

by Executive Editors
written by Executive Editors

When modernity was sending out its first rays of thought in the Enlightenment Age, thinker Thomas Hobbes wrote speculatively that the natural state of man is “war of all against all.” Overcoming the universal conflict to him was the central historical argument for the formation of states. Captivating and influential as his frightful idea of constant warfare as man’s original modus operandi was, it stands in history as a construct that could not be corroborated. We desire peace and are accustomed to existing in an interplay of conflict and harmony, in which we grudgingly live through periods of war, only in hope of a new peace. Until now.

More than ever before, the digital age could bring mankind closer to a situation of, albeit virtual, war of all against all. This is not talk of some online game. Cyberwarfare, cyberterrorism and organized cybercrime comprise a devilish triangle that is growing more sophisticated, more intense in its attacks, more devious, more profitable and greedier by the minute. Microsoft’s Chief Technology Officer for the Middle East, Nasser Kettani, tells Executive of assumptions that cybercrime will grow from a $500 billion impact on the world economy in 2015 to a staggering $4 trillion impact by 2020 (see overview). Cybercrime already reaps more profit than the illicit drug trade, but if the projections above prove correct, the impact of cybercrime will scale up from less than 1 percent of the world’s GDP to over 4 percent in just a few years – the International Monetary Fund (IMF) projects world GDP for 2020 to be $93.6 trillion.

This is bad enough for an illicit economic impact and sure to bring about unwelcome distortions to the societal equilibriums within states around the world, raising the specter of the type of disorder that existed in Prohibition-era America just before the Great Depression. What is even more frightening is that nobody is safe from deliberate cyberattacks – no government, corporate entity or individual. Under most social contracts of the modern age, people trusted their states with what sociologist Max Weber called the “monopoly on the legitimate use of physical force” in times of peace because they expected the state to guard them, broadly in line with Hobbes’ reasoning about the state’s role and raison d’etre.

Protection

This protection was never complete. Interpersonal violence and organized crime were the troubling exceptions to the state’s power of protection. But now, in the digital age, it seems that disruptive forces – whether cybercrime-syndicates, terrorist organizations or even hostile states – are punching many holes in the protective ability of nation states over our digital lives, which are increasing in importance as the new dimension that is being added to human existence in the internet age.       

Even in full awareness of the many challenges that Lebanon’s (almost) elected parliamentarians face in this time, Executive calls for urgent implementation of the long overdue legislation on our digital rights and the best possible protection by the Lebanese state in the digital world to its citizens and residents. In the long run, digital rights may very well be as important as the voting rights, on whose timely implementation this year Executive insists in the sharpest form possible. For Lebanese citizens and the economy, the state’s contribution to protection against cybercrime through appropriate legal frameworks with stiff penalties will be vital, and so will be the implementation of best defense capabilities through a national Computer Emergency Response Team (CERT).

The world today is full of global dangers and policy challenges, from weapons of mass destruction and ever present dictatorial or totalitarian tendencies to technologically generated scourges. Lebanon, in addition, has its specific political plagues and worries. But let’s not forget that the greatest challenge to social contracts is the challenge to keep the lid on the human capacity for evil and that the noblest challenge for the state in this regard is to protect its people in their freedom. This makes it important for Lebanon to ward off cybercrime and cyberwarfare in the best possible and most globally integrated way. And there is much to do.

Lackluster cybersecurity

Lebanon is presently two decades overdue with its law on digital signatures. The public sector is short of cybersecurity experts in many ministries. Private sector financial players, namely our banks, are leading in awareness of the importance of cybersecurity, but there are still many issues to be solved in cyber protection of financial institutions, and of the still under-aware and under-concerned companies in other industries.

We are lacking legal penalties that can deter cybercriminals and need the legislative framework, budget and skilled experts to develop a national CERT (computer emergency response teams) as a core element in our cyber defenses. By all expectations, cybersecurity will be one of the most important issues globally in 2017 and beyond. We thus encourage the security agencies to speed up the development of national preparedness for cyberattacks. Most importantly, we call on the Lebanese Parliament and the executive branch to pass and implement necessary cybersecurity legislation now.

2 comments
0 FacebookTwitterPinterestEmail
CybersecurityOverview

The battle between good and evil goes virtual

by Thomas Schellen
written by Thomas Schellen

The serpent’s tale is a powerful narrative that has captured man’s attention over millennia. The contemporary version of the story goes something like this: the digital garden at first was created as a lush world filled with smart gadgets, useful computer programs, fun games, social networks and great business opportunities. People were delighted with these gadgets and used them freely to their hearts’ content. But then a snake entered this garden and hid in the undergrowth.

This serpent was more cunning than all of the gadgets and programs in the garden. It told people that they could partake in superior knowledge, if they just clicked on its emails and attachments that promised innocent fun and untold riches. But when the people listened to the snake and clicked, viruses and Trojan horses were unleashed and infested the digital garden. Thus, evil was released and proved impossible to eliminate.

In 2017, this ancient serpent is only too real. It is called malware and has reached a proliferation rate that is mind boggling and difficult to comprehend. What does it mean for individuals in the digital world that more than 1 million new malware tools come into existence every three days and that their number keeps growing? Or that more than 500 million personal records were stolen or lost in 2015, according to the 2016 Internet Security Threat Report?

How can an average user visualize, in front of their inner eye, that according to the Cisco Cybersecurity Report 2017, spam email increased from 500 spam messages per second in 2012 to 3,500 spam emails per second in 2016? Moreover, what can one do to protect their mobile phone? At the world’s largest congress for innovation and products in this sector – the Mobile World Congress (MWC) last month in Barcelona – security companies like Intel took this opportunity to turn our attention to the vulnerability of our beloved smartphones and pushed their various solutions, such as multi-factor authentication and home security platforms.

Numbers concerning the impact of breaches on businesses are just as bad. According to Cisco’s report, which was released at the end of January, of the organizations that experienced cyber breaches, more than one-fifth lost customers after a breach, almost one-third lost revenues, and close to one-quarter lost business opportunities. Serious damages – more than 20 percent losses of customers, revenue or opportunities – struck about 9 percent, 11 percent and 10 percent of breached organizations, respectively. There are reports by the bucket, which all have in common that they generally document the steady increase of cybercrime and also show that average costs per breach can be life-threatening for small, medium and large businesses.

Growing threat

Actually, whichever source one checks, all numbers about malware are bad, as malware is growing rapidly. But it is not only mass that matters. The student hackers of before, who did their hacks simply because they could, are still around, as are ideological hacktivists and small-time crooks. Yet the really malignant cyberactors today can be crime syndicates, terrorist organizations and even states. Cyberattacks are no longer like aiming a shotgun on a flock of small birds in the indiscriminate expectation to hit any one of them. They can be as surgical as a remote-controlled scalpel, hitting deliberately sought-out targets that can be a specific bank, government agency, any large corporation, small company, or even a single family or an individual.

With improved organizational skills on top of the high rate of proliferation and the increased sophistication of attack instruments, it is estimated that cybercrime will expand exponentially for years to come. Given a growth rate of internet viruses that would make any ethical company blush with shame for expanding so fast because it would be a sign of being either unsustainable or exploitative, the economic infestation of the digital world with cybercrime is predicted to grow eightfold in impact by the year 2020.

It can hardly come as a surprise, therefore, that there is an increase in cybersecurity conferences in the Middle East this year (the Executive calendar of regional conferences last month listed four conference headers containing the word “cyber” for the period between February and April 2017, up from one event in the same timeframe in 2015 and two in 2016). It is also unsurprising to see the internationally growing flood of alarming reports from the cyberfront, which generally mix dreadful warnings about cybercrime damages, with a pitch for selling this or that cybersecurity service. But, it nonetheless bears repeating that cybercrime is projected to reach $4 trillion in four years time – nota bene about the same magnitude as the GDP of Germany.

Clearly, it has not escaped companies around the world that the only thing we can safely say about our digital lives is that they are not safe. Banks are the biggest prize for many cybercrime syndicates where 2016 and the still young 2017 saw some spectacular international breaches. One large recently reported  case involved Lloyds Banking Group in the United Kingdom. Claiming in an overview of its business to be the UK’s largest digital bank with 12.5 million online customers, Lloyds Banking Group has 818 billion pounds in assets (2016) and includes Lloyds Bank, Halifax Bank and Bank of Scotland. It was attacked in a distributed denial-of-service (DDoS) assault in January 2017 and for two days was under heavy data fire.

This breach also got a lot of attention because it had been preceded only months before by another successful cyberattack against a UK bank. In that incident it was TESCO Bank that suffered online thefts amounting to about 2.5 million pounds in total. The bank, which has more than 7 million customers, reported that roughly 9,000 customers each had as much as 600 pounds (approximately $750) siphoned from their accounts and pledged to refund those losses within 24 working hours. But, last year’s biggest incident in the financial markets was the criminal exploitation of the SWIFT interbank messaging network via an intrusion into Bangladesh Bank, the country’s central bank.

According to a December 2016 statement by security company Kaspersky Lab, this incident constituted “the [world’s] biggest financial heist” and used SWIFT-enabled transfers to steal $100 million, of which many millions appear to have not yet been recovered. According to reports, SWIFT has since updated its network through a global payments innovation (GPI) messaging platform and is asking member banks to take better cybersecurity measures.

Banks in Lebanon are clearly awakening to the challenges they face in the digital realm, or they are at least more aware than they were some years ago, said several Beirut-based cybersecurity experts. Moreover, every local cybersecurity consultant or company that Executive talked to said that banks constitute between half and 80 percent of their clientele. However, it seems that there is much room for improvement in the cyberdefense strategies of Lebanon’s banking industry, and there are open questions about the statuses of their cybersecurity measures. Some experts said that they found holes in the protection of some banks, and a surprising number of Lebanese banks told Executive that they preferred not to give interviews about cybersecurity issues, citing their “sensitive nature”.

The state of Lebanese cybersecurity is much foggier when it comes to the private sector economy outside of banking and the public administration in this country. From missing experts to non-existing budgets and weak awareness, the picture of cybersecurity in civilian government agencies is, politely said, dim and very different from developed countries.

In the United States, for example, the federal authorities are major cybersecurity customers. There is even a specific assessment of this market that estimates annual federal investments into cybersecurity with a recent forecast for spending to grow from $18 billion in 2017 to $22 billion by 2022, at a steady compound annual growth rate of 4.4 percent. In the European Union, regulatory cyberframeworks of international consequence have been adopted in 2016 and the EU’s General Data Protection Regulation – with steep fees for violators of privacy – will come into force in 14 months, in May 2018. In the UK, the new National Cyber Security Centre (NCSC) – operating since October 2016 – was inaugurated last month by Queen Elizabeth. The NCSC was created as an authority on cybersecurity, with a mission to improve cyber resilience.

Lebanon seems to be nowhere near similar levels of readiness found in the public sectors of the developed world. This is problematic for a number of reasons. There is no doubt that Lebanon has its share of state-level enemies which have a vested interest in creating any sort of impairment for the country’s development or obtaining sensitive information from public administration units. In addition, 2016 made it clear that age-old hostile behaviors of states (reminiscent for example of the Cold War era) have gone digital, such as seeking to influence a country with propaganda or manipulating elections with fake news.

Government agencies in the Middle East had a very recent reminder about the danger of targeted cyberattacks against them, attacks that were very damaging and possibly involved state sponsors. The Shamoon 2 virus made a repeat appearance in Saudi Arabia in January, after viruses from this family have hit the country twice in the past. Shamoon 2 targeted and disrupted at least 22 institutions, Al-Arabiya reported, including several ministries. Remarks made by government officials from several GCC countries at a cybersecurity conference held last month in Saudi Arabia said that there was an increase in attacks on their countries. Moreover, there are numerous initiatives in Gulf countries to embellish cyberdefenses and legal frameworks.

The defensive wall

In a broader picture, the global landscape of cyberthreats and defenders (see infographic below) has its villains that are growing more powerful and sophisticated from year to year. The malware arsenals of villainy are stocked with a wide variety of tools: viruses, their variants, such as worms which are self-contained malware and Trojans which disguise malware as innocent or useful programs, and further sub-variants from rootkits that give illicit administrator-level access to a computer or network to ransomware that blocks the legitimate owners’ access to a computer.

Across from these cyberattackers and their arsenals stand the other stakeholders in the digital world. They use perimeter defenses such as firewalls, preventive approaches such as assumed-breach policy, early detection instruments such as threat monitoring, forensic tools and skilled defense centers such as SOCs and CERTs, and most of all try to fortify the entities most vulnerable to falling for cyberattacks – the human being in the digital world – through training and awareness building.

All non-villainous stakeholders in the digital world are in one of two general categories: those that are primarily targets, like financial companies, utilities, the industrial sector, education institutions etc., and those that are defenders against cyberattacks, like specialized software companies and cybersecurity consultants. The borders between stakeholders that are targets and those that are defenders importantly are fluid: cybersecurity and defense is everybody’s affair and some of the leading contributors to the protection of the digital world against evil attacks are the large software and systems multinationals, network operators, integrators, device manufacturers and all companies with large IT departments.    

Infographic by: Ahmad Barclay

0 comments
0 FacebookTwitterPinterestEmail