Executive Magazine
Editorial

The devils must go

by Yasser Akkaoui April 5, 2017

This year’s Arab Summit was particularly painful to watch. The pompous grandiosity of the congregated Arab leaders was nothing short of nauseating. What do they have to show for it? Collectively, these leaders are at the helm of nearly 400 million Arabs. What are their KPIs? The World Bank estimates a collective GDP of $2.56 trillion for the Arab League states. Assuming one third of that is revenue derived from resource extraction and not human productivity, we are left with a collective GDP for 22 states on par with the GDP of Italy’s 60 million people. Sixty million Italians as productive as 400 million Arabs!? Our leaders must go.

If these numbers don’t prove the case against Arab leaders, their own words certainly indict them. Speech after speech, each head of delegation took his turn addressing Arab causes and concerns, their causes célèbres. However, not once did I hear a mere mention of education, human development, social development or employment. Not once did I catch an allusion to the role of the private sector in advancing Arab economies. These decision-makers have signed international trade agreements with countries all over the world yet ignore their own neighbors.

What bothers me most, of course, is the fate that continues to plague Lebanon, my country. As a young man, I would feel a tremendous sense of pride and admiration while observing our leaders at these summits. Even during Lebanon’s darkest days – when our leaders were warlords draining us to the last drop – Lebanon could still claim to have some semblance of a democracy, and we could still proudly boast about our high-quality education and the raw talent and entrepreneurial spirit of the workforce we were releasing to the world. However, in the past 10 to 12 years, our so-called leaders have stripped us to the bare minimum. They even tried to strip us of our dignity.

There is no doubt that our country is in economic ruin for no reason other than dysfunctional management. Our politicians are so consumed with their personal ambitions and materialistic pursuits that they are only able to see the state as a tool to advance their own personal and electoral interests. The farce of the budgeting process is a case in point – a scandal that has largely unfolded behind closed doors. Why are we proposing an increase of taxes that will further bleed a populace already drained by its leaders’ lack of economic policy and vision? Where is any attempt to build capital markets that would actually boost our dormant economy instead of further burdening it?

Our inept decision-makers have no response to an increasingly discontented and livid population. These devils must go.

Hospitality & Tourism, Interview

A grand hotel plots a new course

by Nabila Rahhal March 31, 2017

The Phoenicia Hotel is one of Lebanon’s most renowned five-star hotels. Built in 1961, it catered to the era’s most glamorous crowd, with Omar Sharif and Brigitte Bardot among its famous guests. After being destroyed during Lebanon’s civil war, it reopened in March of the year 2000, and has managed to survive the various ups and downs of the Lebanese hospitality sector ever since.

Dagmar Symes was recently hired as the latest general manager, making her the first woman to serve as Phoenicia’s GM.

Executive sat down with Symes to talk about her plans for Phoenicia and her ideas for bringing the hotel’s vintage glamour and appeal to 21st century guests’ needs and lifestyles.   

E   What  motivated you to accept the post of general manager at Phoenicia Hotel?

First of all, the Phoenicia is the Phoenicia: it’s the landmark in Beirut. I believe it has grown the hospitality roots in Lebanon, and is a fascinating hotel as such. The Phoenicia is a “Grand Hotel,” and a lot of my experience is very much linked to a refined environment; the grand hotel flair is really something I feel very comfortable in.

It’s also an amazing challenge. The Phoenicia never had a woman GM before, and not to discriminate against anybody, but we [women] have a different way of seeing teams and refinement, and we are maybe more communicative in that regard. I think this is exactly what the hotel needs right now. This is how things fell into place from all parties.

E    In your role as a GM of a grand hotel, what added value do you intend to bring to the table?

General managers are general, so we are a little bit everywhere, and this is how I perceive my role.

I’m the main cheerleader of the crowd, with a lot of specialists to ideally do the task. I see the true duty of a GM as leading the team, true leadership: management is here and leadership is here (gestures higher), and if you embrace the culture and embrace the people, you will get amazing results.

So, to align the team to go in the right direction with you is the key role to play, aside from the strategic part.

E   Would you say the job is 80 percent heart and 20 percent brain? Or 40 percent heart and 60 percent brain?

If I say 80 percent heart and 20 brain then InterContinental and the owners would have a problem with me! (laughs)

I would say 50/50, knowing that right now I am more on the brain side rather than the heart side because the team deserves it, and also because of these difficult times in Lebanon.

Hospitality has lost, to a certain extent, its sparkle. If you lose the spark, and you’re demotivated, you have a tendency to become maybe less quality driven. So I think to re-boost [morale] you have to spread the positive energy and pull everybody up again.

This is how I perceive the role of the GM: the first part is team-related and then of course it’s business-related and number crunching. At the end I am judged by the numbers, but if you have the right team, you get the numbers right as well because it is all filtering down properly.

E   What is your vision for Phoenicia, and how will you align it with the existing vision of the owning family, given that the hotel has been in operation for a long time?

We want to use the hotel’s very historical and well-established institutional roots to bring it to the modern world.

Why now? Because things are changing a lot. Beirut is very much into arts, into fashion, into clubbing, into a huge diversification of its culinary scene. This is why we have to be far more integrated to bring all that to a grand hotel, while still looking at the luxury and refinement appeal we have as an international platform.

The other part is the integration in the local market, which is through F&B primarily, and also through weddings. This is basically how we would like to move forward.

The third pillar is HR because Phoenicia has always been, and is, the breeding ground for the hospitality industry in Lebanon. So we want to also continue our duties by giving the youngsters in hospitality a good base to grow or to start their career because the education system is so amazing here.

E   Does that mean that you are investing in your HR and training with a new kind of capital expenditure, or is it only more activity?

What we need to do is to make people aware that it is an international company supporting the Phoenicia spirit, and I think honestly we have enough tools within the company that we largely exploit in a very healthy way. 

Many people believe this is linked to a training manager. I don’t believe so because on-the-job training now is far more important – and takes up literally 70 percent of your training – than the theoretical classroom-style approach.

We use that style of training in certain things because you have to, but the real training is with the right leaders and right managers on the spot. We have departmental trainers in every department, and a quality manager following up on that. It does not need to have an extra capital expenditure.

However for the talented, or in other words, those that have the right aptitude and attitude, and want to, we have put aside a budget to go beyond the classics. For example, I can send a pastry chef to France for four weeks to work with a Michelin chef. We have done this in the past and we will do it again.

E   You have a budget for it, but the system is not…

We have the budget and the system is in place, but it is a matter of where we focus on first. Pure gut feeling and where we stand today would be the F&B team.

This is because the F&B is selling to the local community. It doesn’t matter in which sense, if it’s à la carte or banqueting, or a wedding, it is all F&B linked. Usually, hotels have a challenge with F&B outlets, and the community has a challenge with them; because for you, you’re going into a hotel, and you think it’s not really a restaurant.

Here our competitors are the freestanding restaurants out there; we are not talking about hotels only anymore. In our vicinity there are 40 restaurants that I have to take into consideration.

E   Does that mean you are planning to redefine your F&B offerings?

Definitely.

Given what I just said, we are redefining all the concepts to be quite honest. Eau De Vie – which is our fine dining outlet – has a huge potential from the setting alone and will have a new touch. Café Mondo was less frequented in the recent past because of the huge security barrier that blocked off the scenery for some time, but now it’s accessible again, so we need to use the terrace and get this “living” spirit into the space.

Then you have the classics that need to be implemented. A grand hotel usually has an afternoon tea for example: does it need to be the afternoon tea of yesteryear? Clearly not!  But I think we have been very creative in that sense and we will revive that as well, although maybe not on a daily basis.

E   In the past, the Salha group seemed a little wary when they said they’ve moved from making most of their money with accommodations to F&B as the main driver of their revenue. What is your view on that?

This is absolutely true. Even last year’s strategy was rooms oriented, because profitability in the rooms’ part is far higher than F&B, and in different markets I would fully support this vision.

Having had a very challenging economic environment, you had to go with certain profitability rules to be able to have funds to invest in the hotel and everything else.

But again I believe Lebanon without food is the wrong approach, and we have to have fine balance. The food part always eats most of your share, but on the other hand, as I always tell the owning company, you wouldn’t have all those restaurateurs out there if they didn’t have a profitable operation.

E   When Phoenicia reopened, it was the only venture available for a certain class of events. Now you have had a number of competitors and halls in other places in Beirut, as far as Dbayeh, and as near as The Four Seasons and The Yacht Club. So the landscape is different, and your ambition is still to be the landmark within that landscape: how do you plan to do that with other capable operators, with international backing of their own, sprouting around you?

Phoenicia has survived extremely well in a very difficult market context, and, yes, there are competitors, but you have certain market shares toward competitors.

If I compare myself with the Four Seasons, then it is maybe more the business client and weddings rather than anything else. If I go Le Gray, it is the upscale international travelers; if I go Hilton, it’s banqueting. So you know you grab a little bit of everything, whereas I understand that the cake is getting smaller and smaller with every new competitor in the local market.

Internationally, I think you have to be smart to focus on the right markets. Here, I think Phoenicia has always been extremely international. We are making huge sales throughout the globe, starting with the European market, our region as well as going down to South America, where there is a huge Lebanese diaspora.

When there are difficult times, we are more locally focused, so we are all somehow sharing the same cake. But we have a very strong wedding segment, and this was always one of the key segments which sustained the business in tough times. Competitors also help to position you properly, and this is what I would use for our repositioning.

E   But in your repositioning, do you aim to be known as the hotel that has a little bit of everything, or the wedding hotel or the meetings, incentives, conferences, exhibitions  hotel etc.?

I think we have to be part of everything by nature of the market. We are international, we are aiming at the corporate and leisure segment, we have a kids club for families and we have a beautiful spa. Overall, we have to grab onto everything.

However, the fact remains that Lebanon as a country is extremely attractive for tourists from the Gulf region. Phoenicia was always known as one of the hotels attracting these clientele and that will come back, but it was never our main focus to attract only, and exclusively, this market. I think it is a mistake that Lebanon does, in that we all focus on this market only, because if the ban comes, or if it collapses – this is the reality – everything collapses.

But, you know, we have never lost our position as such, as a landmark. It is a matter of getting back into a certain society, and having maybe had a shift there. I think also it is natural because [we are dealing] with the new generation, which is different.

E   Regarding this element, Generation Y’s preferences and tastes are probably not the same as their grandparents’. How do you see yourself positioning the hotel vis à vis generation Y customers?

First of all, this rejuvenation part plays a big role because Generation Y in my humble opinion is extremely visual in a way, so we will work on visual impact. We work a lot on social media; we are reaching out differently through the Facebook approach, being younger and trendier.

When I say visual it’s also everything related to images: photography and linking to old values – if you look back to traditional values such as fashion and art, most of the time you would link it to Europe – but reintroducing this in a very humble way will also automatically attract the youngsters.

E   Speaking of art, you have one of the largest presences of art in your overall hotel environment, but sometimes it feels as though it is one of the most understated with regards to awareness and visibility. Are you planning on attracting more of the art crowd to the Phoenicia?

We definitely do. It’s part of our program for this year. But I think you also have to be very careful with these things, because everybody is jumping on these kind of “new trends,” and art has a certain value which you should not use and abuse in a wrong way. Phoenicia indeed has a lot of art pieces in a very discreet way – we never made something fancy out of it.

E   Will this stay the same?

Definitely.

E  The other thing you refer to is that feeling of Phoenicia being the most secure place for a traveler to come to. But on the other hand, of course, this total openness and accessibility was lost. What is your vision on hotel security?

I think you have to have a really fine balance. Personally, I wasn’t in Phoenicia in the old times, and I’m not even sure we needed this total security environment; I don’t believe so. We have a very well established and big security team, you cannot access the hotel through any funny backdoor. If we have delegations, fair enough, we get additional support from the local authorities.

For me, security has to have the right measure of prevention while maintaining guest contentment. If somebody really wants [to do harm] I think they are creative and smart enough to make it, but this you don’t stop through getting a third barrier around your building.

E   What about the hard targets, the numbers? Do you have goals for 2017: annual year-on-year growth, anything that you can disclose? Will you be judged by how much increase in the year you can achieve?

It’s not necessarily increase only, but of course everything, at the end of the day, is based on numbers, on GOP, on profitability. That’s the nature of the business. I think, however, that we went into our budget in a very positive way, because we believe that this year will set a new chapter with the new president and the first signs that confirmed this. We feel it also in the booking situation. If nothing really upsets this year’s environment, we will definitely have a very, very positive year.

E   Any year-on-year comparison you can give us in terms of January actual, or Q1 bookings, 2017 versus 2016 ratios?

All I can really say is that we have now already well succeeded and well passed our general forecast for January. To the extent that we revised the entire forecast again for the remaining year with the main focus on the summer months, because this is where we believe the bulk will start coming back in. And then we will see.


How to protect your email from cyberattacks

by Magali Hardan March 29, 2017

The numbers are overwhelming. Ten million malicious emails are prevented by Google every 60 seconds. Hold Security discovered a cache of 272.3 million hacked email accounts last year from major providers around the world, and more than half a billion personal records were stolen or lost in 2015, an increase of 23 percent from previous years, according to the 2016 Internet Security Threat Report (ISTR).

The increase in cybersecurity threats is alarming, and given the statistics, it is difficult to feel assured that our digital lives are secure. Cybersecurity should no longer be only a concern for states, businesses and public figures. It should be a major concern for every single person.

Step one: Acknowledge the threat

Alarmingly, too many people are neither concerned with nor aware of the seriousness of the problem. They adopt the attitude that it will never happen to them as they have nothing to hide. There is no need to be harboring state secrets, however, to exercise a minimum level of privacy, protection and security. Internet users should start to actively look for ways to protect themselves. The internet’s reach and scope are increasing exponentially, and organized criminal activity on the dark web is constantly on the lookout for new techniques to hack their targets, while by and large our security threshold remains the same.

The consequences of this could be devastating. John McAfee, founder of Intel Security Group, a global computer security company, has warned: “An email hack can destroy our digital world, and we won’t see it coming.” Estimates from various hacking groups say that passwords for 75 percent of the world’s email accounts are available for purchase on the dark web. Beyond that, there are thousands of videos, tutorials and software tools online on how to hack into emails, social media accounts, smartphones and others.

Step two: Secure your password and devices

It goes without saying that the first step is to have a strong password that is a mixture of uppercase and lowercase letters, numbers and symbols. Security experts warn against reusing the same password over separate accounts, and some suggest changing passwords often to add an extra layer of protection.

Other safety steps include: installing a well known antivirus, performing constant software updates, avoiding public PCs, being cautious of public Wi-Fi at airports, coffee shops and other locations, and opting for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) when available. Also, it is best to use two-factor authentication when possible.

Regarding email addresses, avoid easy to guess emails, i.e. [email protected]. Instead, add random numbers and characters, and avoid posting your email over the internet on blogs, websites and social media. Any hacker who knows an email address can click on the forgot password link in the webmail and try to guess the answers to the security questions, so make sure to give obscure answers.

If you do want people to contact you online, one trick is to post your email as a picture instead of having it written as text; spam software is not able to decode images. Avoid replacing the @ with (at) or .com with (dot) com in an email address; while people think this tricks spambots, it is in fact very easy to decode.

Step three: Secure your email

The hack of Democratic Party officials during the United States presidential elections was global news, not just for its political impact, but also because of cybersecurity concerns. If those emails had the latest level of encryption, hackers would not have been able to get their content.

The two most commonly used encryption protocols are Pretty Good Privacy (PGP) and its newer successor Secure/Multipurpose Internet Mail Extensions (S/MIME). Although you can use the older PGP protocol, cybersecurity experts advise using S/MIME protocol if possible, as it is much more secure and offers authenticity (explained below), which you do not find with PGP.


S/MIME consists of two security services: digital signature and encryption. These two services combined offer a high level of email security. A digital signature is a unique code added to your email that proves authorship and assures the receiver that it didn’t come from someone pretending to be you, and that the email has not been edited or changed during its transit.

Using a digital signature alone is not enough, however, as your email will be traveling across servers in plain text, making it very easy for hackers to intercept and read. Here, the role of encryption in S/MIME comes into play. Encryption makes your email unreadable to everyone except the intended recipient.

Setting up email encryption can be a laborious process, however. Below is Executive’s guide to securing Outlook, Hotmail and Gmail email accounts.

Microsoft Outlook desktop application for Windows

1. Click on the File tab in Microsoft Outlook, then select Options -> Trust Center -> Trust Center Settings -> Email Security.

2. Under Digital IDs (Certificates), click on Get a Digital ID. Outlook then opens up a page with a list of some of the certificate authorities (CAs) that are qualified to issue digital certificates. (Some CAs, like COMODO and StartSSL, offer a free Digital ID; others you will have to pay for. The price ranges from $5 per user a month to around $10 per user a month.)

3. Assuming you get your Digital ID from StartSSL, all you have to do is to go to their website using Mozilla browser, sign up for the free package and your digital ID is ready to install. If it doesn’t install automatically make sure to click on the Install button.

4. From Mozilla menu tab, click on Tools -> Options -> Advanced -> View Certificates -> select Your Certificates tab.

5. Locate your certificate under “StartCom Ltd” and click on the backup button.

6. It will then prompt you to add a password in order to protect your certificate. (Make sure to remember the password as there is no recovery option for it, and your certificate won’t work if you don’t provide the password. It’s also advisable to make a copy of the certificate file you have just downloaded and store it on a USB drive). After you complete all the instructions below, delete the file from your computer, otherwise any person accessing your computer can take it and start sending emails on your behalf.

7. Going back to Outlook, click the Import/Export Digital ID button located under Digital IDs (Certificates) (see step two).

8. Under Import/Export Digital ID from a file click on Browse and select the digital signature file that you just downloaded on your desktop.

9. Enter the same password that you just used for backing up your digital signature in step six. Press OK and you will be redirected to Email Security; there, press the Settings button located under Encrypted E-mail.

10. Click on the Choose button located in the Change Security Settings window to select the signing certificate. It might get selected automatically by Outlook, if not then browse and select it.

11. Press Ok and then Ok again.

12. Go back to Email Security -> under Encrypted E-mail, check the Add digital signature to outgoing messages and then Send clear text signed messages when sending signed messages.

Now you can start sending digitally signed emails, and users can differentiate them through a small red certificate icon at the right of your email if the receiver happens to use Outlook. Double-clicking on that icon will show whether the certification is valid and trusted or not.

After setting up your digital signature, the next stage is encryption. Provided you have followed the steps above, this is a simple process: click to enable encryption in your Outlook. Encryption is a two-way process, meaning that the sender and the receiver should exchange their digital signatures by email and save these in their contacts. When digital signatures are exchanged between the sender and the receiver, only then can they start exchanging encrypted emails.

Hotmail webmail client

Outlook Web Access, which runs Hotmail, only supports S/MIME on Microsoft Windows® 2000 and Internet Explorer 6 or higher. This is provided you already have a digital ID, explained in steps above. Only then can you install the S/MIME control.

Once installed, you can use the gear menu > S/MIME settings to encrypt all messages. Simply select Encrypt contents and attachment of all messages I send and Add a digital signature to all messages I send.

Gmail webmail client

Gmail supports TLS connection, which means that the connection is secure and encrypted, but not the email itself. For the TLS connection to persist when an email travels to data servers other than Google’s, those servers need to support TLS as well. It’s important to note that Gmail emails are stored as plaintext on Google’s servers, without any encryption. Back in 2010, a Google employee was fired after being caught using information from teenagers’ email accounts to stalk them. Since then, Google has taken some measures to increase its security locally, although Gmail emails are still stored as plaintext on their servers.

Currently S/MIME is only active for Gmail Enterprise and not solo users, so Executive searched for an S/MIME add-on that would work on Gmail but found none. Gmail users can, however, make use of PGP encryption. As stated earlier, PGP protocol is older than S/MIME. One of the drawbacks is that it doesn’t encrypt email headers, allowing a hacker to see who an email is addressed to, though its content stays encrypted. However, when a PGP-encrypted message is additionally encrypted by a TLS connection, the sender and receiver will become encrypted as well. This solution ends up very secure, as emails are not only safely encrypted during transit, but are also stored encrypted on Google’s servers as well.

PGP relies on something called public-key and private-key, which a user must own in order for them to receive encrypted emails. Those keys are generated by third party companies that support PGP encryption. The public-key encrypts the message while the private-key decrypts it. Once a user has those keys, they must share their public-key with other users, either by uploading it to special servers or by sending it via email. Let’s say that A wants to send an encrypted email to B. A has to encode his email using B’s public-key. When the encrypted email reaches B, he can decrypt it using his private-key.

There are many free PGP add-ons available online, and they make the process very easy for anyone to use; you just have to follow their instructions. Executive has tested Mailvelope and Enlocked add-ons for webmail clients (Gmail and Hotmail), and they proved very user friendly.

However, if you don’t want to bother with add-ons, browser compatibility and so forth, you can always switch to a webmail client such as ProtonMail, as their server can’t be decrypted (though ProtonMail has become so popular you might find yourself on a waiting list), or you can use a third-party company like DocuSign where you can digitally sign and S/MIME encrypt your email before sending.

In order to be secure, you constantly need to stay up to date on the latest security releases, performing regular updates of your software, and encrypting not only your emails, but your computer, laptop and mobile as well. Act now, before you become the next victim. Stay secure, and stay safe.

Comment, Cybersecurity

Cyberthreats in the GCC and Middle East

by Nicole Purin March 27, 2017

Cyberattacks present themselves in a multitude of facets, although there is no absolute single definition for cybercrime in existence. From a general perspective, cybercrime can be defined as “illegal activities, internet mediated, that occur in the context of global economic networks”. The main categories of attacks are hacktivism, financial theft, data theft, ransomware, cyberespionage, cyberterrorism and cyberwarfare.

Last year shed light on new dimensions of cyberthreats in the political arena, as diplomatic confrontations erupted between the United States and Russia over allegations of Russian hacking aimed at influencing the US election. But cybercrimes are materializing globally and growing exponentially. The damages being caused by cybercrime vary from financial to reputational, as well as political and military. Cyberattacks are capable of penetrating highly sensitive and protected sectors, such as defense and national security.

What is causing the rapidly evolving categories of attacks is the augmentation of internet traffic and usage, combined with the development of new platforms for internet delivery such as tablets and smartphones, to name a few. One can affirm with conviction: wherever there is the internet, cybercrime will follow. The statistics are staggering – in 2016, there were 2,871,965 globally registered notifications about attempted malware infections that aimed to steal money via the illegal online accessing of bank accounts, according to the Kaspersky Security Bulletin. The bulletin derives its statistics from the Kaspersky Security Network – meaning the real number could be higher. “In February 2016, hackers used the SWIFT credentials of Bangladesh Central Bank employees to send fraudulent transaction requests to the Federal Reserve Bank of New York, asking it to transfer millions of dollars to various bank accounts in Asia. The hackers aimed to seize $81 million transferred to the Rizal Commercial Banking Corporation in the Philippines and an additional $20 million destined for Pan Asia Banking.” Fortunately, according to internet security firm Kaspersky, the ploy was discovered in time, when a typo was detected in one of the transfer requests.

In one of the first cyberattacks with huge cross-national security implications, the Stuxnet computer worm targeted Iran’s Natanz nuclear facility back in 2010. The malicious computer program differed from a virus in not needing to attach itself to an existing program, and in its ability to control electromechanical processes, such as those used to control machinery on factory assembly lines and centrifuges in nuclear reactors. Stuxnet destroyed one-fifth of Iran’s centrifuges by attacking all control systems in industrial installations.

These incidents exemplify the level of damage that a cyberattack is capable of causing. A large-scale cyberattack against either systemic financial infrastructure (a major clearing house or two or three stock markets simultaneously) or critical military infrastructure has not yet happened, but both are deemed as realistic threats by security experts. Countries of the Gulf Cooperation Council (GCC) and in the wider Middle East are exceptionally vulnerable to cybercrime due to their exposure to interests of foreign parties, including states and activist groups as well as financial criminals, their geographical location and the political structure of the region. GCC governments are on the alert and have in recent years introduced legislative remedial actions that seek to address the cybercrime tsunami.

Legislative overview of combating cybercrime in the GCC

Cybercrime cannot be limited to a single jurisdiction. It is transnational and fluid, and this has challenged legislators in developing and developed countries alike, as the current domestic and international laws and enforcement protocols are simply not designed to fit the current legislative models. Cybercriminals know this and the complexities make it more difficult for the authorities to battle against this form of crime. Cooperation and harmonization across borders is key in order to ensure the development of gold standards of legislation and enforcement. In the past, the GCC relied on traditional laws, emergency codes and criminal codes to address cybercrime. The current position is that cybercrime legislation in the Middle East is under development, with some specific laws passed and the United Arab Emirates (UAE) leading in this field.

Cybersecurity in the UAE has been a priority for some time due to the growing number of cyberattacks. According to Kaspersky Security, an average of 17.4 percent of users in the Middle East encountered cyberthreats in the third quarter of 2016. Adding to the urgency is the fact that the UAE is the second biggest target for cyberattacks in the world, after the US, according to cybersecurity company Norse. As Rabih Dabbousi of UAE cybersecurity firm DarkMatter pointed out in 2016: “The exponential adoption of technology increases the UAE’s attack surface which is becoming larger every second.”

According to Dabbousi, the volume of financial transactions in the UAE and the country’s attractiveness for investors are just some of the reasons why banks and other financial institutions are constantly being attacked. Faced with an intensive onslaught, the UAE has created arguably the most effective and comprehensive cybercrime law in the GCC. The first cybercrime law was introduced in 2006 (Federal Law No. 2 of 2006) and was replaced by a more expansive cybercrime law in 2012 (UAE Federal Decree-Law No. 5 of 2012), designed to combat information technology crimes and codify the relevant offenses such as the transmitting, publishing or promotion of pornographic material, gambling activities and indecent acts. The law was later expanded to cover new offenses and to ensure alignment between the UAE legislation and relevant international treaties, such as the Budapest Convention on Cybercrime (signed November 23, 2001).

As a deterrent, the UAE cybercrime law in 2012 detailed severe punishments that include prison time up to a life sentence and fines ranging between $13,614 and $81,688 depending on the level of the cybercrime. The law specifically addresses social media and any misuses that can be derived from it, such as fraud, identity theft and impersonation. The law categorizes cybercriminals as hackers who hack into other individuals’ accounts, criminals who are highly knowledgeable of the cyberworld and exploit it for financial gains, and individuals who threaten and commit malevolent acts such as impersonation, threats and solicitation.

Similarly, Saudi Arabia introduced cybercrime legislation in 2007, but definitional foundations such as privacy and confidentiality should be made more expansive. In Bahrain, the electronic transactions law (Federal Decree No 28 of 2002) was being utilized to tackle cybercrime, but it lacked specificity. After much debate, the country introduced a new cybercrime law in 2015, designed to counter illegal access to IT systems. Anyone convicted of entering, damaging, disrupting, canceling, deleting, destroying, changing, modifying, distorting or concealing IT device data concerning any government body will face a maximum of ten years in jail. From the perspective of fighting cyberthreats in this region, this is a very positive development as it indicates that GCC governments are realizing the urgent need to modernize cybercrime legislation.

Turning to other Middle Eastern countries, Egypt has relied on the intellectual property law (Law No. 82 of 2002), the telecommunications regulation law (Law No. 10 of 2003) and the electronic signature law (Law No. 15 of 2004) to tackle cyberattacks. However, these laws contain fundamental issues related to identifying cybercrime, as they do not always offer an extensive definition of cybercrime so as to capture all parameters, and they have procedural limitations in the prosecution of cybercriminals, especially the ones operating from overseas. Transnational cybercrime requires a far more sophisticated set of laws to tackle these types of crimes. A new Egyptian cybercrime law is imminent in 2017 and will likely seek to address several of the gaps in previous legislation.

Jordan can rely on the electronic transactions law (Law No 85 of 2001) and the cybercrime law (Law No 30 of 2010). From the perspective of a legal expert, these pieces of legislation can act as a starting point but should be reviewed and expanded as the relevant investigative procedures require beefing up. Oman adopted a cybercrime law in 2011 (Royal Decree No. 12 of 2011), and it addresses a wide range of illegal actions involving the internet and computer devices. It is focused on defining crimes committed in cyberspace such as cyberbullying and cyberterrorism. This can also be considered as a good starting point, as the initial approach was the extrapolation of existing criminal laws and telecommunications laws to combat crime, which lacked realism.

The Qatari government has passed a cybercrime prevention law (Law No. 14 of 2014), another very welcome development in a drive to combat online and cybercrimes. The law imposes many sanctions and several penalties for offenses committed through IT networks, the internet and computers, and it safeguards the cybersecurity within Qatar, as well as the country’s internet infrastructure.

Greater collaboration to shield against cybercrime

The field of internet communication is expanding continuously and cybercrime is evolving and adapting to the changing information landscape. The current legislative platform in the GCC has improved considerably in the last few years by providing legislative harmonization, as specific legislation has been passed in most countries. However, cyberattacks are becoming more bold, unpredictable and mainly transnational. The domestic laws require constant updating, and in order to prevent and shield countries from attacks, greater international collaboration is also required.

International and regional conventions for the fight against cybercrimes such as the Arab Convention on Combating Information Technology Offenses (2010) and the African Union Convention on Cyber Security and Personal Data Protection (2014) are encouraging, but remain limited in their reach and scope when measured against the global severity of cybercrime. It is believed that a new international convention on cybercrime is required to address transnational attacks more effectively and will involve the global community as a whole.

March 27, 2017
Cybersecurity, Q&A

The public sector’s vulnerability to a cyberattack

by Jeremy Arbid March 24, 2017

In Lebanon, the speed at which the government is moving and the speed at which cyberthreats are developing are totally different. Cyberdefense planning, it appears, is not much of a priority for the Lebanese government. The country does not have legislation to protect digital rights, lacks legal penalties to deter criminal cyberattacks and has only patchwork solutions in place for cyberdefense. In simple terms, plans to beef up the government’s cybersecurity capabilities are moving forward at a snail’s pace.

Cybersecurity firms point to an uptick in attacks on Lebanon when compared to global averages. Due to the state’s slow moving apparatuses and the high cost of investment, the best cyberdefense solution for Lebanon to protect its public sector, its private sector and online individuals, may be to migrate to the cloud – a debate which is still ongoing. Executive met with Ihab Chaaban, Information and Communication Technologies (ICT) security officer at the Office of the Minister of State for Administrative Reform (OMSAR), to learn more about Lebanon’s cyberdefense capabilities.

E   OMSAR’s first foray into cybersecurity was in hosting government websites in the mid-2000s. How has OMSAR’s role in cyberdefense since evolved?

Historically, OMSAR began in its hosting environment with informs.gov.lb, [today is dawlati.gov.lb, the official e-governmental portal] and over the years other websites were added. Suddenly, we found ourselves stuck in an unusual situation, hosting around 90 government websites without proper planning. In addition, we didn’t have technical, networking or security staff on board. With the attacks on government websites, OMSAR recruited a security officer and created a cybersecurity committee in order to share all security measures, concerns and responsibilities with all Lebanese administrations. As such, we started working on national cybersecurity policy guidelines to be adopted and implemented by all public agencies. Furthermore, OMSAR is planning awareness workshops directed at Lebanese employees in order to raise their awareness on [cyber]security.

E   About six years ago, government websites were the target of cyberattacks. Were the attacks a catalyst for the government to improve cybersecurity capabilities?

There were many attacks hitting OMSAR servers and many websites were going down. The attacks began in 2011, targeting our web servers, hitting many websites, especially the websites of the Ministry of Interior and the Internal Security Forces. Because we had only one web server for all the websites, all the attacks affected the other government websites. [In response], the Council of Ministers decided to create a National Cyber Security Committee [NCSC]. The committee came out with recommendations to secure our [online] environment immediately, [but these were] short-term security measures. We also decided to create a new web-hosting environment and to build it based on international standards and security measures that define all the aspects of the web-hosting environment – [in order] to be a state-of-the-art national web-hosting environment. This needs a lot of work and funding.

E   OMSAR is drafting a cybersecurity policy. Is there any update?

We are working on it right now while simultaneously improving the security measures of the current hosting environment. Each administration doesn’t have [its own] cybersecurity officers – the IT departments do the whole job. If we found a hole, we’d fix it, and if we found another then we’d fix it as well; we didn’t have a strategy, it was more like patchwork. We published a cybersecurity policy to guide the directors of the administrations on how they should create their security policies. We came up with a brief document, like a pamphlet, to make it easy to use and follow.

E   How did OMSAR assess public agencies’ readiness to adopt the recommendations of the cybersecurity policy?

Even before publishing we were wondering how to get the administrations started, so we created a checklist. This helped [departments to self-assess] where they were on cybersecurity. We published the checklist in 2015.

E   Did public agencies check it again in 2016?

It’s an internal process for the public agencies. OMSAR doesn’t have a mandate to supervise [the other administrations] – if they request help we are always ready to assist and provide them with the needed help.

E   In terms of measuring the assessment, is there any indication at a government-wide level of cyberdefense capabilities?

I don’t have any accurate information. In 2015, before publishing, we thought of putting the checklist online – so we could fill our database with the respective [administration’s] information. But after negotiating with decision makers, it was decided against that because of privacy and security [concerns].

E   If the oil and gas industry, for example, goes active then there will be seismic data, exploration data and many other valuable datasets. This vital data could probably be one of the more attractive hacking targets in Lebanon because of its actual money relevance. Is protecting such data part of the mindset in the ministries or at the government level?

One of the recommendations of the [NCSC] was to build a national data center for the whole government. We need more time because this issue requires critical decisions by the cabinet to identify who will take responsibility for the data center, securing it and transferring data between administrations. In addition, if we want to create a national data center, all the data for the government will be residing in it and, as such, it’s a critical issue.

E   What is being done to prepare a national data center?

In OMSAR’s e-government unit we have an interoperability sub-unit. Now we are working on creating a specific design to be implemented by the government, connecting and transferring data between administrations [in a secure way]. Maybe this will lead us to the next step of creating the centralized data center.

E   Cybersecurity breaches, cyberwarfare and criminal hacks have increased tremendously, especially in the last couple of years. Some companies are claiming a 4,000 percent increase in the rate of cyberattacks in the last five years.

Yes, for sure.

E   That seems to be a cause for concern.

There have been many voices raising this issue, especially from the Internal Security Forces, who have a cybercrime unit. They’ve requested the Ministry of Justice, and maybe the cabinet, to work on such a law. If I attack your server and steal your data, the criminal code has no text defining such cybercrimes and their penalties. For now, they’re applying the standard criminal code and adopting it to cybercrimes.

E   An individual from a cybersecurity firm said that state-sponsored hackers are sent on training missions to attack another country just so they know how to attack better. So they can attack Lebanon, and even if they get caught, there is very little danger of repercussion from the state because there is no legal framework. Another individual said because internet bandwidth in Lebanon is so limited a distributed denial of service (DDOS) attack is very easy, and it takes very little effort to shut down a website.

And this is why one of the recommendations is migrating to the cloud. Estonia, for example, is a completely electronic government – they are totally digitized. Because of the very high risks of cyberattack, they’ve migrated the government to the cloud.

E   Will the government migrate to the cloud?

In 2015 we had many [consultations] from companies to advise the government on how to build a secure cyberenvironment. Those companies advised the government to move to the cloud. We came up with a terms of reference (TOR) – all our needs and requirements for securing networks – and we took it to the previous cabinet to get approval for the funds because it is quite costly, and it was signed. Now, there’s still a debate of whether to go to public clouds, such as Amazon, Google or Microsoft, or have a private cloud since data cannot go outside Lebanon. There is a decision from the Council of Ministers in 2014 about a partnership between OMSAR and OGERO to build a private cloud for the Lebanese government, in addition to a redundant data center for the e-government portal.

E   Will it be implemented?

Currently, our minister is working with the Ministry of Telecom and in collaboration with OGERO on setting a Lebanese National Cloud Computing Policy, in addition to executing a private cloud for the Lebanese administration and a secure government network for interoperability.

E   The CTO of Microsoft Middle East says their data suggests Lebanon experiences more cyberattacks than the global average, and if there was a Computer Emergency Response Team (CERT) in Lebanon, they could collaborate with Microsoft to reduce attacks to the global average.

The national cyber security committee recommends the creation of a CERT. A year ago, we had a meeting in the [prime minister’s offices] with the Telecommunications Regulatory Authority [TRA] and they mentioned that they started creating a CERT for Lebanon. But the TRA doesn’t have any mandate to create and manage the CERT; I think they took it as an initiative. Currently, I don’t know of any update on the subject.

Cybersecurity

Propaganda goes viral

by Matt Nash March 22, 2017

“I don’t believe what I read in the papers, they’re just out to capture my dime.”

– Paul Simon, Have a good time

While propaganda is as old as time and political stakeholders have used the internet to spread their messages since the web’s early days, in 2016 propaganda went viral. It was also monetized in an arguably new way, further highlighting the need for readers to check their sources – and the motivations behind those sources – before making decisions.

Fake news isn’t new, but it was a lucrative business during last year’s US Presidential election. Executive hasn’t found an exact figure for how much revenue the operators of fake news websites earned, but one US “publisher” claimed in a November 2016 interview with the Washington Post that, “right now I make like $10,000 a month from [Google] AdSense.” No shortage of US news outlets traveled to Macedonia late last year to interview teenagers who claimed to be pulling in $1,000 or more per month operating “news” websites consisting of mostly plagiarized content with the occasional “viral” report (typically a story either made up entirely or given a wild and misleading headline) that drove up hits and ad revenues.

While Facebook and Google have both pledged to crack down on fake news by attempting to keep it off the platform and starving sites hosting it of revenues, respectively, it certainly won’t go away. Efforts by these powerful gatekeepers may kill the business model that seemed to do so well last year, but they certainly can’t eliminate “clickbait” and poor journalistic practice altogether. Sensationalism and outright falsehood have always been the “dark side” of journalism, seductive because it sells, but ultimately corrosive (hurting the credibility of both publishers and the wider industry, and providing a disservice to readers). Stopping the profiteers masquerading as publishers pushing fake news in recent years may make fake news less voluminous, but won’t eliminate the phenomenon entirely.

Dirty tricks

In the past two years, Western countries have been decrying what they insist are Russian online propaganda efforts aimed at discrediting liberal democracy, but misinformation has been used as a state tool for manipulating public opinion for centuries. It is neither recent nor surprising that governments have turned to the web to promote their interests. While the West today is accusing Russia of outright lies in its propaganda efforts, governments and politicians “spin” news all the time in an effort to “manage” public perceptions of an event or issue both on and offline. The US created an Arabic-language satellite news network – Al Hurra – to win hearts and minds following its 2003 invasion of Iraq. Avoiding the moral debate about the differences between “spin” and outright falsehood, one shared consequence of both activities is the need for readers to be discerning when consuming information, which is also not new.

An under-reported aspect of two of 2016’s most surprising election results is just how much more aware readers need to be of not only what they read, but the personal information they willingly share that will increasingly influence what they read. According to both UK-based daily The Guardian and the Swiss news website Das Magazin, a company called Cambridge Analytica used big data to craft micro-targeted messages for Donald Trump and a group called Leave.EU, which promoted Britain’s exit from the European Union. Cambridge denies any use of fake news, but, the Guardian reports, the company proudly claims to have “psychological profiles based on 5,000 separate pieces of data on 220 million American voters.” Our digital footprints tell a lot about us, and how we may react to certain well-crafted messages, meaning seemingly innocuous ads on the side of whatever website you’re reading could actually be designed specifically to elicit a certain reaction from you individually (whether that’s voting a certain way or buying a certain product).

Despite all the huffing and puffing about information manipulation online in the past few months, the internet has not reinvented the wheel. The web has made information easier to publish, disseminate and access, and Big Data gives propaganda a frightening Big Brother feel, but the web hasn’t changed the fundamental fact that readers simply must be discerning in order to avoid being duped.

Leaders, Opinion

Rare opportunity

by Executive Editors March 21, 2017

Lebanon just got a new tool to promote government transparency and accountability, as well as prevent and fight corruption. Entering into force in February 2017, a new access to information law allows anyone to request specific information from virtually all government entities. From doctors needing public health data, researchers looking for economic and social indicators, bankers, industrialists, retailers and other business owners needing figures to make long-term investments, to journalists investigating government expenditures – anyone can make use of the law, and everyone should. All one has to do is send a request describing the information sought to the office(s) that might hold it. The access to information law also requires government entities to publish key documents on their websites, including an annual report (see special feature).

The law is a tool to help battle corruption, anti-corruption activists say, because it would increase the level of transparency between the government and the public. That, by itself, helps mitigate corruption, and information requests can provide the evidence in cases of government fraud, fault and other mistakes.

But to make the law truly effective requires auxiliary legislation. The law prescribes that the government can either deny or ignore information requests, and refusals (or tacit refusals) can be appealed. The body specified to hear appeals, the anti-corruption commission (ACC), does not yet exist. Legislation to create this institution is in advanced stages, says lawmaker Ghassan Moukheiber (see Q&A in special feature). The ACC is urgently needed, and Parliament must make every effort to ratify its legislation before the end of this parliamentary session scheduled to conclude at the end of March. Without the ACC there is still a judicial recourse to hear appeals, but that may be open to interpretation. For appeals, courts might argue that the access to information law specifically states the ACC as the appropriate body to hear these cases and could decline to make a ruling. That would effectively render access to information dead in the water, if the ACC is not established quickly. If the ACC legislation is ratified, forming its board could take time, and the government does not have a great track record in appointing or renewing the mandates of the board of directors of public agencies, or in filling senior administration positions, Executive reported last month.

Access to information is also a fundamental right and a necessary condition for significant reductions of government corruption, the United Nations states in its justification for goal 16 of its Sustainable Development Goals (SDGs) initiative for 2030. Passing the legislation is an early public relations win for the government and a positive step toward achieving the UN’s SDGs.

Executive calls on the public now to exercise its right to information, demand the law’s full implementation, the quick ratification of ACC legislation and timely appointment of its board. If the public fails to hold the government to account by mobilizing on these points then the people will lose their right to complain about the never ending maelstrom of incompetence and corruption that passes for governance in Lebanon.

Cybersecurity, Landscape

The Lebanese cybersecurity landscape

by Thomas Schellen March 20, 2017

Overall, it is not clear what the local share of the global cybersecurity market – estimated by Gartner at $81 billion in 2016 – is or might be. Estimates and anecdotal evidence suggest, however, that the local market is still small. Salah Rustum, president of local firm Commercial & Industrial Enterprises of Lebanon (CIEL) and a veteran in the data protection business here as partner with electronic signatures authentication services company GlobalSign, estimates the market at currently “around $10 million” when queried by Executive. Other decision makers in Lebanese cybersecurity consultancies and network operating companies say they prefer not to make any estimate about the current size of the cybersecurity market, citing the known dearth of reliable statistics in the country.

Beirut-based cybersecurity stakeholders also have only vague estimates on the number of qualified competitors that they face in the Lebanese market or on the number of highly skilled analysts with the required expertise to staff a Security Operations Center (SOC) – not currently existing in the country – as top-level forensic experts. General agreement, however, among stakeholders is that this specialist subsector of the information technology (IT) industry is set for substantive growth – at least double-digit year-on-year – over the coming years and that the biggest challenge is not to find new customers but to obtain qualified engineers that either already have or can obtain cybersecurity skills.

One example for this dichotomy between expected demand growth and missing manpower is Crystal Networks, a Beirut-based regional IT company of 75 employees, which according to co-founder and general manager Esper Choueiri does 40 to 45 percent of its business domestically and the remainder in the Arab region, with Saudi Arabia as the main business driver there.

Choueiri tells Executive that his company filled five new engineer positions in 2017 that were all in the security department of the venture, which has five departments. “In many cases, experienced engineers cannot be found and new engineers need to be trained in-house for cybersecurity. My biggest challenge is finding the right people, and at the same for all my customers,” he says.

Lack of local expertise

To operate a high-grade Security Operations Center, or SOC, requires teams of engineers with three levels of expertise. Engineers need between a minimum of one year of experience to perform well on the first level and at least five years on the top level, Choueiri says. By his estimate only one fifth of needs for top-level SOC experts are currently filled in Lebanon.

Also in the view of Jens Muecke, senior partner in the roughly four-year old IT security consultancy Krypton Securities in Beirut, a shortage of local experts is holding back cybersecurity development in Lebanon. “From my opinion and what we have seen in our team, many banks and companies over here are way behind. One reason is missing expertise – it is really hard to find good people here, given the instability of [this country] and the whole region. Everyone who is acquiring the skill [of a cybersecurity expert] and a reputation for having such, is getting out of here to take up a well-paid job in Europe or the US,” he says.

German-born Muecke joined Krypton after having worked with leading consultancies and international internet and software providers in the United States. The company, which has a team of seven employees in Beirut and its nominal home in Dubai, according to him has half the major banks in Lebanon among its clients, as well as some smaller companies. Krypton does about 80 percent of its business here as its expansion in other markets such as Jordan, Cyprus, and Saudi Arabia is still in the early days. It will take a few more shocks for markets in this region to fully awaken to cybersecurity. “What I think is that this region needs a few more bad examples when things happen tragically and somebody has to pay the price before they all realize what they need,” he says.

Judging from his observations, local companies to this day tend to approach cybersecurity with the same mindset with which in earlier years they entered in other quality certification procedures. With such a mindset, companies emphasize assurance of their compliance with regulations. After they are promised cybersecurity on the cheap, they become compliant on paper but don’t achieve the knowledge transfer that they should get, Muecke says: “They have a paper saying ‘it is compliant’ but it is not. They don’t have the process and don’t do updates regularly. They don’t evaluate all reports as they should. They live day to day and hope nothing is going to happen.”

The notion that risks extend far beyond the financial sector is also the view of Tony Feghali, general manager of Potech Consulting, based at Berytech. His security company does not have exact numbers and statistics on the extent of internet-related damages at Lebanese companies but he says that in their experience, banks are not the only targets here. “They are definitely a very interesting target because that’s where the money resides, but today we’re seeing a lot of cyberattacks – especially ransomware or other types of attacks – targeting every type of business,” he says.

Huge growth potential

The growing likelihood of being targeted does not mean that local companies radiate universal awareness of their risks. According to Choueiri, awareness levels are extremely unequal. “To be realistic the banking sector is most advanced when it comes to cybersecurity and most aware among the Lebanese enterprise sector. Any company that is not IT-related is in my personal opinion totally unaware of security risks,” he says. Along with other experts he notes that besides missing awareness, it is often difficult to assess the real number and magnitude of cyber breaches and security damages in Lebanon because of widespread reluctance of breached companies to come forward and disclose their misfortune, mostly due to fear of reputation loss.

This phenomenon, however, is global and not particular to this country or region, experts agree. The phenomenon also does not deter cybersecurity companies from expecting double-digit business growth, or better, for the next few years. Choueiri expects demand to increase between 35 and 40 percent year-on-year and has important expectations for 2017. “I have [a] feeling that this year will be the year of cybersecurity. Everybody is talking about it,” he says.

CIEL’s Rustum sees year-on-year growth as upwards of 10 percent and even believes that more is in the cards. “[Growth] will be exponential in Lebanon, because the more people know about it, the more they are going to use cybersecurity,” he says. He moreover is not worried that there could be too much competition for the market to carry but on the contrary believes that there is room for more cybersecurity players. “There is enough cheese for everybody. The idea is to stir up the people and tell them that if they want to go on the internet, they have to protect themselves,” he elaborates.

Rustum’s main worry is bringing the legal framework in Lebanon up to speed. When his business working with digital signatures was established in the 1990s, the country was praised as one of the first in the world where the technology was introduced, but thereafter it slipped down the rankings for technology adaptation every year as the draft law on digital signatures was put to rest in government drawers. “Time is really passing us by. What I am afraid of is that by the time Parliament approves the law, it is already obsolete,” he laments.

As Executive did not find any comprehensive study on security market data in the country, it seems difficult to assess realistically, with or without legislative innovation, what chance local companies might have for rising through international ranks, whether by expertise or by business volume related to cybersecurity. However, there can be no doubt about the growing role of cybersecurity companies in global markets, which is documented by the rise and overall growing valuations of international specialist companies. The largest firms globally in the sector are based in Silicon Valley but a few are not far from our geography in physical terms (see box below).

[pullquote]

What I think is that this region needs a few more bad examples when things happen tragically and somebody has to pay the price

[/pullquote]

Network operators see threat

Local companies that are active stakeholders in the market involve not only security consultancies but also network operators. A rising hub of cybersecurity activity seems to reside in the Holcom Group of companies, where Executive encountered not only Crystal Networks but also ICT company and network operator GlobalCom, which confesses to the aim of developing its own cyber SOC in partnership with global player British Telecom (BT).

“We first have a duty to protect our networks and then we have a duty to help our customers protect themselves,” says Habib Torbey, GlobalCom Holding’s chief executive officer and general manager of its data carrier unit GlobalCom Data Services (GDS). Torbey tells Executive that the investment into the cyber SOC will be in the multi-million-dollar range. Although Lebanon by his observation so far has mainly seen attacks from small-time hackers, he reasons that the investment into a cyber SOC is warranted because attacks are getting more and more sophisticated, affecting more and more markets.

“We don’t need to wait for a disaster before we start protecting ourselves. No one in this field can fight the battle alone, and in the same way that pirates are cooperating to make their attacks more sophisticated and more successful, the good guys need to cooperate,” he reasons, explaining that GlobalCom partnered in this task with BT because there is a long-standing collaboration between the companies since the 1990s and because BT “is one of the best in cyberdefense.”

According to Torbey, GlobalCom has a network that comprises backbones and over 150 sites; it carries 70 percent of corporate traffic in Lebanon through GDS. The holding also entails the internet service providers IDM and Cyberia. According to BT representatives who came to Beirut for an event last month, Lebanon is regarded as one of several priority countries in Middle Eastern new markets. The multinational company started to address the local cybersecurity market in 2016 in partnership with GlobalCom and wants to serve the country’s 20 to 30 largest entities with cybersecurity services.

Outsourcing security

Outsourcing cybersecurity to specialist companies would be legally feasible for local banks, although compliance with banking secrecy laws requires that they use a cyber SOC that is located in Lebanon, asserts Torbey. “Some customers who do not understand how cybersecurity works may have a tendency to think that we can see the content of their traffic and their trade secrets. No, we don’t look at the content and we don’t want to look at the content. We just want to look at the technical specs of the traffic in order to see if there is an attack or not and how to defend against it if there is an attack,” he explains.

While operation of a cyber SOC will require running investments, Torbey says this is a necessary cost and expresses the hope to additionally turn it into a revenue opportunity by selling its services. Coming from a low base in cybersecurity revenues, he expects double-digit growth of revenues and is not afraid that cyberattacks would create digital disasters for operators who know what they are up against in facing cybercrime. He says, “Once you become aware of the risk and help your customer become aware of the risk, the future is not scary. You can do something about it.”

March 20, 2017
Film

Sounds of a Lebanese love story

by Sara Ghorra March 16, 2017

Philippe Aractingi, mostly famed for his war-related movies like the critically acclaimed “Bosta” (2005), its follow-up “Under the Bombs” (2007) and his biopic “Heritages” (2013), has offered his fans the exquisite fruit of two years of labor. “Listen (Ismaii)” is a masterfully crafted, delightful piece of art that is co-written, co-produced and directed by the French-Lebanese filmmaker. The movie is a multilayered pleasure to the senses. Every one of its elements plays its role perfectly, from the narrative, to the cinematography and, most importantly, the sound design. The result is a wonderfully shaped, realistic piece of fiction, fueled by romanticism, sensuality and authenticity.

“Listen” is, above all, a love story set in Lebanon in which three characters find themselves entwined. Joud, played by Hadi Bou Ayache, is a sound engineer with a knack for deciphering noise and extracting beautiful sounds that aren’t often noticeable. Hardworking, idealistic, a little shy and refreshingly genuine, he is a young man who lives for the moment. His love interest, Rana, played by Ruba Zaarour, is a sparkly and attractive model who enjoys the city’s fast tempo and knows how to dance to it without much inhibition. Extroverted, assertive and straightforward, her individuality contrasts beautifully with Joud’s.

After meeting at a film shoot, a contemporary courtship begins. One filled with moments of sharing, discovery and passion. However, their romance is abruptly paused by a stroke of fate, which leads to Joud asking Rana’s sister, Marwa, played by Yara Bou Nassar, for her help in his attempt to bring his lover back to him. Quite opposite to the character of her sister, she is a poised university lecturer who is about to get married to a British man she had been dating. Her character blossoms as the film progresses; her sensuality and femininity manifest themselves unexpectedly while Rana’s presence diminishes. Similar to how the moon can only be appreciated when the sun sets.

Bou Ayache, Zaarour and Bou Nassar deliver strong performances that serve the storyline, but the storyline is far from being the chief component in this film. What makes “Listen (Ismaii)” exceptionally deserving of praise is actually the artful orchestration of the remaining components of the film that tastefully enhance the narrative.

The film’s interesting frames, points of view and camera movements offer viewers the intimacy to better relate to the protagonists. The shots around Lebanon, from the grand views of the mountains to simple glimpses at street vendors, are an homage to our precious land and create room for contemplation and appreciation for the diversity of Lebanon’s scenery.

Meanwhile, the editing succeeds in setting the perfect pace relative to the state of mind of the characters, in harmony with their emotions and the film’s action. It also shapes a nonlinear story that takes the spectator on a smooth voyage made up of flashbacks, unveiling significant moments that defined the relationship.

Yet, the ingredient that welds it all together and forges the true essence of the film is undeniably the sound design. We have the tendency to take for granted what an incredible thing it is to be able to hear, and the movie truly reminds you to “Listen”. As viewers borrow Joud’s ears, we enter an exceptional universe governed by sound and enriched with melodies.

Amid all the beautiful sounds in this film, from the city’s pulse to nature’s wonder, the most enjoyable sound is the human voice – more precisely the woman’s voice. It won’t take long before the viewer sees the emphasis given to her, especially her liberal side, the one that yearns for autonomy, self-expression, and sexual satisfaction. Even though the movie doesn’t shy away from controversial scenes, it does so not with the aim to provoke, but to emulate a reality.

As the closing credits appear on the dark screen, after a surprising and sudden ending, one cannot but feel a surge of admiration and pride, as any Lebanese who appreciates the seventh art would. Go, watch, and listen.

March 16, 2017
Cybersecurity, Entrepreneurship

Securing the entrepreneurship ecosystem

by Matt Nash March 16, 2017

It’s 3 a.m. Despite your family’s “no Internet after dinner” rule, your smart, web-connected refrigerator is rebelling, repeatedly attempting to load the same site. The mustard is not trying to catch up on the news; your ice box has become a zombie in a hacker’s army – a botnet, in industry lingo. While the so-called “Internet of Things” allows for the connectivity of an increasing number of previously “dumb” devices and appliances, their link to the global internet presents a vulnerability hackers have already begun exploiting.

With the exponential growth of online risk, of course, comes both an opportunity for consultants and companies specialized in providing cyberdefense, and the need for companies large and small to increase security spending. In the last six years, venture capitalists have grown more keen to cash in on the flourishing cybersecurity market. Startups focused on data protection attracted $3.48 billion in investments in 2016, down slightly from $3.9 billion in 2015, but 76 percent above the $833 million poured into young data defenders in 2010, according to research company CB Insights. The company also reports that in 2015, four cybersecurity startups attained so-called “unicorn” status (meaning their value was in excess of $1 billion), with one more of the mythical beasts joining the stable in 2016. Tech news websites feature lists with the 20 hottest cybersecurity startups to watch. A quick view of such lists reveals that a career move from protecting the state to the private sector is a potentially lucrative choice for specialists in this field – a number of newer ventures boast former Israeli or US digital warriors at the helm or among the top brass.

While niche specializations are beginning to develop in the Lebanese entrepreneurship ecosystem, such as fintech, cybersecurity is not one of them. 

A short list

Since Lebanon’s entrepreneurship ecosystem first began buzzing around 2001, it has produced a few cybersecurity companies – consultancy seems more popular than solutions-provision, although exact numbers are difficult to come by – but according to Executive’s research, since 2013 there have only been two start-ups with incorporated cybersecurity focus. The first, Myki, has been profiled in the magazine before but was not available for an interview. The password-management company is now listed as a portfolio company on the site of local VC Leap Ventures, and – according to an unsourced announcement on Crunchbase.com – raised $1.2 million in a third funding round at the end of January. Myki founder Priscilla Elora Sharuk told Executive in March 2016 that the company had raised $600,000 up to that point.

Early last year, Universant Technology Corporation became the newest local entrant to the cybersecurity market, founder Joe Hage tells Executive. Hage has a background as both a successful entrepreneur and a security specialist. He explains that his rapidly growing company – which has doubled its workforce in the last 12 months – was born primarily to leverage Hage’s network of contacts. Along with an angel investor providing the company with an initial capital boost, Hage had “seed clients,” i.e., “contracts in hand pending incorporation.” He has bold ambitions hoping to identify and nurture local talent to win big-ticket contracts in the Gulf, and has secured one so far. To this end, Hage says Universant partnered with the American University of Science and Technology (AUST) and has created an informal group of security researchers, which he describes as “almost an R&D staff.” He lists acquisition as an exit strategy but talks with a passion that suggests he may shed a few tears if ever asked to hand his baby off to new parents.

Aware of the risks

While Lebanon’s ecosystem is not pumping out cybersecurity startups, data protection is on everyone’s mind. Jana El Husseini, project coordinator at Smart ESA, says the new incubator and accelerator run by the Ecole Superieure des Affaires – a local business university established in 1996 – will teach the startups it hosts security basics. Ramy Boujawdeh, deputy general manager of Berytech, explains that security is taught as a module in the education program that the Berytech incubator provides to all startups there.

Fares Samara, the chief technology officer at the accelerator Speed@BDD, teaches young companies security basics, but notes that as Speed works with idea-stage companies that have yet to develop minimum-viable products, few students under their tutelage have advanced security needs. Pointing to the growth of what he called “infrastructure as a service,” an evolution of software as a service made possible by cloud platforms from companies like Microsoft, Amazon and Google, he half-jokes that IT staff in early-stage companies don’t even need to understand how to set up a secure server (as the Microsofts, Amazons and Googles are doing that for them nowadays). As startups grow, managing the increasing amounts of data they collect becomes more complex, requiring either customization of back-end infrastructure offered by third-party providers or the design of an in-house back-end, which is where most vulnerabilities can surface, Samara explains. Once a startup begins to expand, its internal security needs grow, he says.

Security by design

Online advice for startups thinking of their own security frequently notes that it is easier and cheaper to build securely from the beginning (even if this includes upfront costs like penetration testing and causes some delay in bringing a new product to market) than trying to patch vulnerabilities after intruders have gotten in. It was with this advice in mind that the local carpooling app, Carpolo, opted to build its own back-end early on instead of relying on a third party, company co-founder Ralph Kheirallah tells Executive. Kheirallah echoes Samara in noting this infrastructure will add the most value to the company as it grows, but argues it was worthwhile to invest from day one. Carpolo is using a business-to-business model – pitching itself to employers, a shift from the initial B2C model – and currently finding interest among local banks, clients with very strict security requirements.

Locally and globally, banks are high-priority targets for cybercriminals (see overview page 16) and security is a top concern for startups looking to enter the financial sector. Saeb Nahas – a manager at Phoenician Funds, a local VC with a fintech, e-government and health care focus – explains that portfolio fintech companies go through extra screening to ensure their systems are secure. “We have experts who go in and do fake attacks” to “pinpoint problems” early on for portfolio companies, Nahas says. Additionally, security evaluations are part of Phoenician Funds’ due diligence when evaluating an opportunity, he notes. 

Never too small

With the increased sophistication of cybercriminals, and the ease with which they can attack, small companies today have to be far more aware of threats – and better prepared for attempted intrusions – than they were even five years ago. Mario Gaudet, chief technical officer for Economena Analytics, talks of a war being fought by the minute. The company is a platform for economic data for the Middle East and North Africa region. Gaudet says his network analytics reveal attempted attacks almost 24 hours per day, with “at least” 20 attempts per hour. Hacking, he says, “has become a business.” Defending against increasingly savvy criminals, therefore, is a need that will only grow for companies of all sizes.

By all accounts, Lebanon’s entrepreneurship ecosystem understands the security threat, but as safe and secure as a system can be, everyone interviewed for this article reiterated some version of a joke security professionals are rumored to frequently make, “there’s no patch for human stupidity.” Whether it is reusing weak passwords for every account or sending sensitive data over an unsecure WiFi connection, people remain the weakest link in the cybersecurity chain.

March 16, 2017

About us

Since its first edition emerged on the newsstands in 1999, Executive Magazine has been dedicated to providing its readers with the most up-to-date local and regional business news. Executive is a monthly business magazine that offers readers in-depth analyses on the Lebanese world of commerce, covering all the major sectors – from banking, finance, and insurance to technology, tourism, hospitality, media, and retail.
