The Gulf: Facing up to cyber threats

Gulf governments are clamping down on Blackberry phones, claiming national security concerns, but there are far larger technology threats to worry about.

Published in MEED, 17-25 September 2010

Blackberry users in the UAE have less than a month to make the most of their mobile phones. Unless the country’s authorities gain the ability to monitor all communications over the smartphones, some services offered on the device will be suspended on 11 October.

The country’s Telecommunications Regulatory Authority (TRA) wants to be able to monitor encrypted traffic between Blackberry devices in the same way that it can with any other mobile device, claiming it is an issue of national security.

The UAE is not alone. All governments around the world intercept communications in an effort to tackle crime and protect national security. Authorities in Saudi Arabia, India and Indonesia have also used the same rationale to threaten the suspension of Blackberry services and Bahrain banned the use of a Blackberry chat application in April. Research In Motion (RIM), the Canadian company that makes the phones, insists it cannot hand over encryption codes as it does not keep them.

Wider crackdown

Critics fear the threats against Blackberrys could be the start of a wider crackdown. “We think it sets a dangerous precedent,” said Philip Crowley, assistant secretary in the US State Department, on 2 August. “The UAE has reasons to be concerned about how information can be used by those who wish to attack the UAE or others. But again, restricting technologies in the 21st century, we think, is a move in the wrong direction.”

According to some observers, the move against Blackberry is misdirected as there are plenty of other technologies, such as virtual private networks (VPNs), where security can be maintained.

“Superficially, it’s a legitimate argument if terrorists are using encrypted communications these countries cannot intercept,” says Pradeep Khosla, founding director of Carnegie Mellon CyLab, the cyber security research centre at the US university. “But I have my doubts about it because you cannot intercept every possible two-way communication. People who you think are potential problems can use encrypted communications anywhere – if you have a VPN that communication cannot be intercepted – so I don’t understand what problem is being solved.”

What is not in dispute is the threat that communications technology can pose to countries – whether in helping opponents to organise attacks and social unrest or as a platform on which to make the attacks.

The latter threat was made clear in 2007 when Estonia – then in the middle of a heated diplomatic dispute with Russia – suffered a wide-ranging distributed denial of service attack on websites linked to its critical infrastructure, including the parliament, banks, major news organisations and government ministries. While Russia was the main suspect, nothing has been proven.

Since then, there have been reports of similar attacks during the 2008 war between Georgia and Russia over the breakaway republic of South Ossetia – on both Russian and Georgian websites – and on South Korean government sites in 2009, allegedly by North Korea.

Almost all significant areas of life in the Gulf states could, in theory, be targeted by attacks over communications networks, from traffic lights to air traffic control systems and the power grid.

Critical infrastructure

“The greatest concern is critical infrastructure, so banking, energy, health, the military-industrial base and transportation,” says Rex Hughes, associate fellow for cyber security at Chatham House, a UK think-tank. “If an attacker were to target air traffic control and they had insider knowledge or help, then some kind of damage could definitely be done. We haven’t seen those types of attacks, that governments have admitted to, [but] it doesn’t mean they haven’t happened.”

Just as the global nature of communications systems makes them vulnerable to attack, the links within networks mean it is also difficult to estimate the consequences of any assault.

“The nature of global corporations today is that things are more and more integrated,” says Hughes. “There may be dependencies in the system that a lot of corporations and even governments may not be aware of until a crisis happens. As the internet grows it’s not so much the human interface but the automated stuff that happens behind the scenes.”

Adding to the problem, countries and their defence forces are generally not set up to deal with this threat of cyber warfare.

“People are trying to build on top of existing infrastructure or policies that were meant to solve problems where geography or time were relevant, but this is no longer the case,” says Alexander Ntoko, head of corporate strategy at the International Telecommunication Union (ITU), the Geneva-based UN agency for information and communication technology issues.

“It is no longer just a state that can launch an attack on another state. An individual can launch an attack on a state because it is possible for an individual to have enough weapons to launch an attack, which is not the case with conventional weapons. There are cyber criminals renting these resources. So you can become a one-man military outfit,” he says.

“And geography is not an issue – you do not need to be next to a country or have a missile with a 2,000 kilometre range – those things do not matter anymore.”

Military breaches

Even the mightiest military machines are at risk. The US, for example, was taught a tough lesson in its vulnerabilities in 2008, when someone at a US military base in the Middle East put a small flash drive into a computer and caused havoc.

The incident has only recently been declassified. According to US Deputy Secretary of Defence William Lynn, writing in the latest issue of Foreign Policy magazine, the flash drive was infected with a computer virus, which then spread around the network, causing what he described as “the most significant breach of US military computers ever”.

It might have been the most significant breach, but it was not the only one launched that day, or any other. According to Lynn, US military and civilian computer networks are probed thousands of times every day and thousands of files have been acquired, including weapons blueprints, operational plans and surveillance data.

“More than 100 foreign intelligence organisations are trying to break into US networks,” he said in the article. “Some governments already have the capacity to disrupt elements of the US information infrastructure.”

The US military responded by setting up a new cyber command earlier this year, led by a four-star general. Increasingly, other governments around the world are also organising their systems to prepare for the emerging threats. The ITU is tracking at least 136 initiatives by 51 organisations around the world to deal with cyber security.

Of those initiatives, 12 are in Arab countries. They include the establishment of national Computer Emergency Response Teams (CERTs) in Oman, Saudi Arabia, Qatar and the UAE, which are designed to safeguard each country’s information and communications systems. On a regional level, the GCC-CERT initiative was launched in June 2008 to provide a framework for regional cooperation in this area.

Beyond the Gulf, Egypt and Tunisia have set up similar bodies and, in January, Morocco put forward a proposal for a National Cybersecurity Management System, which could act as a model for national and regional action to deal with cyber crimes.

“CERTs are a very good defence strategy,” says Ntoko. “It is a defence mechanism which makes you able to respond to threats. In terms of being able to try to reduce the damage that could be inflicted on your network you need to have a CERT.”

One of the key issues that governments will have to come to terms with as they develop such defences is balancing the needs of national security on the one hand with the demands for privacy and free speech on the other.

Leslie Harris, president of the Washington-based Centre for Democracy & Technology, says her organisation would be less critical of the UAE’s policy towards Blackberrys if there were clear checks and balances.

“In the UAE, they’re arguing that they have the right to a ‘back door’ to intercept and inspect all communications,” she says. “What’s lacking is there’s an enormous focus on creating the door for the government to come in and no focus on what is the appropriate legal standard or process for access.”

However, she says it is almost inevitable that more interception will happen in the future. “Anything that you can build surveillance into I think governments are going to increasingly demand surveillance capabilities be built in,” she says. “We’re sort of in an arms race here.”

Personal freedom

The potential for friction between governments’ desire to monitor communications and the rights of citizens became particularly apparent in Iran in the wake of the disputed presidential election in June 2009.

Finland-based Nokia-Siemens Networks came in for sustained criticism from members of the European Parliament and others, who accused it of helping the Iranian authorities to crush the opposition movement by providing telecoms surveillance equipment to the mobile networks – an area of the market that the company has since exited.

Since the clampdown, authorities have continued to monitor and suppress the opposition movement, but their tactics are evolving.

“We’ve seen more blocking [of websites], but also more subtle tactics being used by governments,” says Lucie Morillon, head of the new media desk at Paris-based Reporters Without Borders. “In Iran, authorities have been slowing down the bandwidth right before major demonstrations or rallies just to make sure people have a hard time sending out or downloading videos of the protests.

“It is the sort of technical issue that would make you think it is not really censorship but just a temporary problem. States are switching from basic censorship to more subtle controls.”

No matter what they do to protect their own systems or to disrupt the communications of their opponents, however, no government will be entirely successful.

“None of these systems are 100 per cent secure – no system ever will be, it’s impossible,” says Khosla. “Every system has holes in it.”