A strategic approach to protecting national digital assets and infrast
The continuing success of digitization initiatives among the countries of the Middle East brings with it an added and growing exposure to the risk of cyber attacks. These attacks — by other states and by increasingly sophisticated criminal rings from around the world — have the potential to derail the progress of digitization, and threaten the benefits delivered through it.
Every national government in the region is striving to create a secure digital environment, but too often these efforts are fragmented, tactical, and reactive. Moreover, they do not include the participation of all essential stakeholders. Consequently, governmental responses often lag behind the ever-evolving threat landscape, and the defensive measures taken are circumvented or exploited. A strategic approach to national cyber security is needed that follows a “CCC” framework — comprehensive in nature, collaborative by intention, and capability-driven.
Middle East governments can apply the CCC framework in their own national cyber-security programs. First, they should establish a centralized national cyber-security body, with a clearly defined mandate. The established body should define a national cyber-security strategy and establish the national dialogue. Afterwards, there should be a focus on building cyber-security capabilities, both preventive and reactive, and on developing the talent and capabilities on which national cyber security rests. By acting immediately on these imperatives, governments will ensure that their nations reap the full rewards of digitization, now and in the future.
Middle East governments are acutely aware of the new threat landscape associated with digitization. To bolster their national cyber-security capabilities and elevate the protection level of their critical national information infrastructures, many of them have stepped up their cyber-security activities in recent years.
Some countries have created new laws aimed at protecting electronic transactions and prosecuting cyber crimes. Others have established critical information infrastructure protection polices and cyber-security plans, and have vested responsibility for cyber security in existing agencies or directorates. Still others have initiated national incident response protocols, and have begun building cyber-security awareness and capabilities. These are all good steps toward improving national cyber security. However, these steps alone they will not suffice to manage risks associated with the digital assets of an entire country.
Most of these existing initiatives take an IT-centric approach to national cyber security. They are tactical responses to an issue that requires a strategic solution. A national cyber-security program requires a coherent, comprehensive strategy that identifies essential national cyber capabilities, and clearly assigns ownership of these capabilities and responsibility for national cyber security to a dedicated lead agency.
Most cyber-security efforts at present are reactive. Their focus is recovery from a cyber attack, as opposed to attack prevention. An effective and enduring national cyber-security program must include proactive cyber-capabilities that can help to prevent attacks, such as information sharing and continuous monitoring for elevated situational awareness.
Most current efforts focus on the role of the government in establishing and maintaining cyber security. However, a national cyber-security program must be integrative. It must involve the private sector and citizen, and enlist their assistance in addressing the protection of critical digital assets and infrastructure no matter where it is within the country.
The gap between the cyber-security capabilities of public- and private-sector entities in the Middle East and the capabilities of their adversaries in cyberspace already represents a tangible risk, and it is growing daily. To close this gap, we believe that the governments of the Middle East need to take a strategic approach to rethink and revamp their national cyber-security efforts. Until then, tactical and technical solutions to cyber attack can serve only as stopgap measures.
The governments of the Middle East are the only stakeholders with the power, reach, and resources necessary to develop and drive a truly national cyber-security agenda, to ensure alignment of efforts, and to drive collaboration and continuous improvements through sector-specific, national, and ultimately regional governance bodies. This is why it falls to government to define a national cyber-security program, assign ownership and responsibility at the highest level, and launch the program. All that remains is for Middle East leaders to address this critical problem, which threatens their national digitization efforts and prospects for viable, twenty-first century economies.