Over the past decade, countries in the Middle East, particularly Saudi Arabia and other Gulf states, have transitioned from minimal attention to cybersecurity regulations to the establishment of comprehensive frameworks in response to a surge in cyberattacks. The rise in cyber operations, disruptive incidents, and hacktivism has prompted the region’s major nations to develop more advanced cybersecurity laws and regulations, resulting in a complex regulatory environment that businesses must navigate, as noted by regional experts.
In their pursuit of transforming from traditional petrochemical economies to knowledge-based systems, Middle Eastern nations have made substantial investments in digital and cloud technologies over the last twenty years. This shift has unfortunately led to an increase in cyberattacks and criminal activities. In response, countries such as Qatar, Saudi Arabia, and Oman have created robust regulatory frameworks aligned with international standards, as highlighted in a recent Cisco analysis of the region’s regulatory landscape.
The primary objective of these initiatives is to safeguard valuable future investments against the threats posed by destructive cyberattacks and geopolitical tensions, according to Yuri Kramarz, a principal engineer at Cisco’s Talos threat intelligence group. He emphasizes that as states began diversifying their economies towards digital platforms, they recognized the critical role of technology adoption in generating revenue and employment. It was not until the late 2000s and early 2010s, when cyberattacks became more sophisticated, that governments began to take significant action.
Once the cyber threat was acknowledged, regional governments acted decisively, with Saudi Arabia and the United Arab Emirates (UAE) at the forefront, as reported by business consultancy Oliver Wyman. Although Middle Eastern nations have made considerable progress, they still face various challenges ahead.
Mideast Plays Catch Up
In 2014, countries in the Middle East initiated the development of cybersecurity and data protection frameworks in response to a series of significant cyberattacks, including the Stuxnet incident and the Shamoon wiper attack. The recent escalation of tensions in the region has led to an increase in sophisticated hacktivism, denial-of-service attacks, and compromises within supply chains, exemplified by Israel’s cyber-physical assault involving detonating pagers.
Kramarz from Cisco highlights the Shamoon wiper attacks as a pivotal example of the threats that have altered the perception of cybersecurity in the Middle East. Although lacking in complexity, the Shamoon wiper virus incapacitated over 30,000 workstations at Saudi Aramco, the state-owned oil company of Saudi Arabia.
“As we have observed, a cybersecurity attack can significantly affect the economy of an entire nation,” he remarks.
In light of the rising international tensions in the region, numerous countries within the Gulf Cooperation Council (GCC) have formulated national cybersecurity strategies that incorporate international regulatory frameworks and standards, establishing a baseline of security controls, particularly in critical sectors, according to Koroush Tajbakhsh, a director in the cybersecurity division at FTI Consulting in Dubai.
Standardized Approach Pays Off
Organizations that have adopted standards from the United States’ National Institute of Standards and Technology, the European Union’s General Data Protection Regulation, or the global International Organization for Standardization are significantly advanced in fulfilling the majority of cybersecurity controls mandated by various nations in the Middle East, according to Cisco’s Kramarz.
He notes that “most national standards and frameworks are constructed upon these established standards.” Nevertheless, it is crucial for companies to consider the unique requirements of each country, especially regarding data localization, incident reporting, and adherence to sector-specific regulations, which may often be accessible only through regulatory bodies that impose additional frameworks on top of existing national regulations and laws.
However, the enforcement of these regulations can be inconsistent, frequently due to a lack of expertise concerning newly enacted laws or the absence of established offices for data authorities. This inconsistency creates challenges for companies aiming to prioritize their compliance efforts. Furthermore, the inadequate enforcement contributes to irregular responses to data breaches, as highlighted by FTI Consulting’s Tajbakhsh.
He emphasizes that “effectively addressing cybercrime and data breaches is less about deficiencies in local data protection legislation and more about the effective enforcement of those laws.” While legal frameworks are in place, cross-border enforcement remains problematic when attempting to prosecute foreign agents or international crime syndicates, as this necessitates local data offices to achieve a level of operational maturity that includes the capability for cross-border data sharing.