How governments use IT for national security wasn’t really brought to the public’s attention until 2010, when the Stuxnet computer worm was discovered. Speculated to have been created by the United States and its allies, the worm was designed to attack Iran’s nuclear facilities, spreading via Microsoft Windows and targeting Siemens industrial control systems.
According to some reports, the malware caused uranium enrichment at the Natanz nuclear facility to halt several times. And while there has been no confirmation from any government, the Institute for Science and International Security (ISIS) suggested that Stuxnet was “a reasonable explanation for the apparent damage” that the facility had seen throughout 2009 and 2010.
Stuxnet wasn’t the first time that cyber-warfare between nations had been employed, but it was the first publicy known intentional act of cyber-warfare to be implemented. Naturally, governments around the world were quick to respond upon hearing the news.
Fast-forward to today, and government spending on cyber-security—as in the enterprise world—has gone through the roof. According to Alaa Abdulnabi, Regional Pre-Sales Manager, RSA, this is down to the fact that governments aren’t prepared to take any chances when it comes to national security. And if that means spending more on cyber-protection, so be it.
“With all the surrounding threats and the increase in cyber-attacks on governments’ critical infrastructure, spending on security can only increase, and we are certainly seeing that governments are making it top priority. In simple terms, national security is not the right domain to be economic and try to cut costs because it cannot be compromised,” he says.
Abdulnabi points to an IDC report on security spending by governments. According to the report, overall security spending has been trickling upward at an average rate of about 4 percent per year, with the US federal government alone expected to spend $7.3 billion on cyber-security in 2017.
According to Alain Penel, Regional Vice President, Middle East, Fortinet, the government sector accounts for 35 percent of the vendor’s total revenue for the Middle East. And it’s easy to see why governments are so caught up with security. Aside from the spook caused by Stuxnet, Penel points towards other threats that governments are keen to mitigate against as factors in increase spending.
“Government spending is on the rise and will continue to increase. This largely corresponds to the increased threats to sensitive data being compromised by organised hacker groups,” he says.
Hacker groups such as the Syrian Electronic Army are now recognised as a force to be reckoned with—the group has compromised the websites of several high-ranking organisations over the past 12 months. Other hacktivist groups have also garnered headlines, so government organisations are doing all they can to protect themselves.
And according to Natalya Kaspersky, CEO, InfoWatch Group of Companies, it’s not just the threat of hacktivism that has governments on their toes—some countries in the region may see their critical infrastructures being threatened.
“Some countries in the region still have IT infrastructures that are supplied with worldwide monitoring capabilities, which can influence the processes in these receiving countries. This influence can be realised as infrastructural attacks like, for example, the Stuxnet virus targeted at Iran nuclear sites. Or as imposing certain information to cause disorders like was the case in Egypt, for instance,” she says.
“So when we talk about the necessity for protection, it depends on a country’s threat model. If a country considers such access to its infrastructure a threat then there is a strong necessity for protection.”
Indeed, according to Abdullah Hashim, Senior Vice President, ICT, Etisalat, a government’s first priority is to protect against damage to critical infrastructure.
“A targeted cyber-attack on a country’s information infrastructure can cripple communications, deny access to public services and cause massive economic losses. The first priority for governments is to defend their critical infrastructure assets, including communications, energy and utilities, oil and gas, citizen services, and banking and finance infrastructures, as these are the primary targets for compromise,” he says.
Naturally, governments are also worried about ensuring the privacy of their citizens’ data, and they’re keen on cracking down on cyber-crime, too. To this end, some governments have been taking a more proactive approach when it comes to cyber-security. For example, the UAE recently formed the National Electric Security Authority (NESA)—a clear indication that the country’s government is taking cyber-security seriously, according to Glen Ogden, Regional Sales Director, Middle East, A10 Networks.
“NESA’s inception clearly, shows how important a credible and properly regulated defence against cyber-attacks is to any region’s national security,” he says.
However, he also advises that individual government departments need to take responsibility for their own networks. A centralised agency can only do so much, after all.
“Whilst entities like NESA help to raise the profile of threat defence, each government or ministry still needs to take action to ensure the region as a whole is fully protected, top to bottom,” he explains.
The point, though, of organisations like NESA is to coordinate national responses to the growing problems associated with cyber-security. And according to Muhammed Mayet, Chief Technology Officer, Security, Dimension Data MEA, they are hugely important to forming a national front against cyber-threats.
“Entities like NESA are key to co-ordinating efforts to enhance cyber-security by bringing together the various clusters and agencies within governments. A failure to collaboratively implement a comprehensive cyber-security plan will result in many gaps, which could be exploited. NESA, by bringing together all the relevant parties, can effectively address this risk,” he says.
Naturally, however, the flip-side to using IT for cyber-security is using technology for cyber-attacks. And some governments across the region are well-known for their involvement in state-sponsored hacking. The aforementioned Syrian Electronic Army is a prime example of this, and other entities have popped up in recent years, says Ray Kafity, Regional Sales Director, Middle East, Turkey and Africa, FireEye.
“Cyber-espionage, or state-sponsored hacking, will continue to expand globally, as governments will not relinquish their ability to conduct law enforcement and counter-intelligence activities,” he says. He also acknowledges that the biggest security event of 2013 was probably the revelations that former US security contractor Edward Snowden made about the country’s National Security Agency. If there was ever an example of a state using technology for nefarious purposes, this would be it.
That said, the consensus seems to be that states need to protect themselves not from other states, but from motivated rogue hackers. This is particularly true in the Middle East, according to some who believe that most Middle Eastern countries tend to stick together by sharing information.
“The biggest threat is not from government or state-sponsored hacking —we don’t believe that’s truly the threat against which the region should protect itself,” says Yassine Zayed, Executive Vice President, Nexthink Middle East.
“The real risk is a combination of the increase of targeted hacktivism and the lack of technologies in place to detect it. Governments need to invest in technologies and procedures to be able to execute end-user IT analytics for security, to be able to immediately detect any abnormal activity. Hackitivism is a major threat, which tries to harm the reputation of governments, just to make noise in the media and to make a political point.”
Zayed says that these types of malicious attacks always use the advanced persistent threat (APT) methodology, and that they target end-user devices. He advises looking at products that provide all-round network visibility and real-time analytics. Meanwhile, Dimension Data’s Mayat suggests taking the lessons learnt from the private sector, engaging in a consultative approach to determine the biggest risks.
Unfortunately, governments really do need to think about these issues carefully, as the risks posed by cyber-attacks are too great to ignore. The point is made poignantly by A10 Networks’ Ogden: “Typically, governments in our region have a high level of physical security in place already,” he says. “Unfortunately, modern threats tend to favour logical security breaches rather than physical penetration of a government entity, meaning that new strategies are required to cope.”