Cybersecurity spreads far beyond the borders of the United States. Malicious actors, ranging from nation-states to criminal groups to terrorist organizations, are launching cyberattacks with impunity, and American businesses operating in the Middle East are on the front lines of this cyber war.
Last week the U.S. Chamber of Commerce, in partnership with the American Business Council of Dubai & the Northern Emirates, the Dubai Chamber of Commerce and Industry, and Dubai Internet City, hosted a Cybersecurity Forum in Dubai to examine the challenges American businesses face in the United Arab Emirates (U.A.E.) and across the Middle East.
The forum sought to answer two questions: Are the challenges and threats facing American firms in the Middle East the same as those in the United States? And are companies in the region addressing them in the same way?
Companies in the Middle East face a unique set of challenges, and it wasn’t too long ago that one of the first battles in cyberspace occurred there. Iran’s nuclear facility in Natanz was attacked by a sophisticated computer worm, Stuxnet. In response, malicious cyber actors launched a destructive cyberattack against Saudi Aramco and executed the largest Distributed Denial of Service (DDoS) attack against eight financial institutions in the United States.
Fast forward to today. Shukri Eid, Cisco’s Middle East managing director, describes the current state of play, saying, “The industrialization of hacking has launched a new era of professional, entrepreneurial, and resourceful cybercriminals operating in a high-growth hacker economy. Increasingly profit driven, their attacks are sophisticated, often targeted, efforts controlled by well-funded organized crime and occasionally driven by political agendas.”
It’s clear that more needs to be done at the operational and policy levels to address these threats.
We heard the same thing over and over at the forum. Cybersecurity is multidimensional, and adequately addressing the threat and reducing the risk requires investments in people, processes, and technology.
There are a number of workforce issues that businesses must consider. Recruiting a skilled information security workforce is a huge challenge that involves finding the right candidates, with the correct certifications, for an organization. Educational institutions in the region must develop the programs that industry needs to fill its IT departments. Businesses must also train their employees on best practices and educate them on cyber threats. Employee cybersecurity training is never complete and must be continuous if organizations wish to reduce the number of network intrusions resulting from human error.
Companies in the Middle East must invest in cybersecurity technologies. Industry’s innovation has produced powerful tools that, if properly deployed, will reduce risk. Recognizing the vulnerabilities of internet-connected devices, General Electric, for example, is building cybersecurity into its products and software, in other words “software by design.” This is a smart approach that innovators and entrepreneurs should follow.
However, even the most sophisticated technology won’t prevent an end user from downloading an attachment with a hidden executable or forgetting to change the default password. Technology on its own won’t improve cybersecurity. It must be bracketed with employee training and awareness across the entire organization.
Most executives know that a cyberattack will affect consumer confidence, their brand and reputation, and their earnings. That’s why building cybersecurity into their business plan is critical. Cybersecurity isn’t just an IT issue, and organizations should approach cyber from the perspective that they’ve already been hacked. American companies should continuously hunt for malicious cyber actors already on their networks, prepare and exercise incident response plans, develop relationships with information sharing organizations, and expand partnerships with law enforcement agencies and other federal agencies.
It’s against this backdrop that the Chamber is establishing the U.S.-Gulf Cooperation Council (GCC) Cyber Working Group. The Chamber believes that through greater public-private collaboration and communication regarding cyber threats and best practices, we can better ensure the economic security of all countries involved. The working group will focus on facilitating a sustained and constructive dialogue between American companies and the public and private sectors in the U.A.E., Saudi Arabia, and other countries in the Arabian Gulf.
It is crucial that the United States and the U.A.E. work together on cybersecurity because malicious cyber actors know no international borders. Through events such as this forum and the new working group, the Chamber will continue to be a lead advocate and provide access for American businesses in the Middle East.