Cybercrime and Its Impact in the Gulf Cooperation Council Region

Introduction

The introduction of information and communication technologies nowadays offers a great range of advantages for society, especially for the financial sector. Unlimited access to information and communication technologies (ICT) supports freedom of speech as well as promotes online banking and the usage of various mobile data services that ease the lives of many. However, such a growth of information technologies does not exist without any possible risks. Due to the fact that the majority of essential services like water supply and electricity depend on the smooth functioning of the ICT, there have been many attempts on hindering their performance and therefore cause harm to society.

It is a commonly known fact that attacks against the Internet infrastructure and services take place on a regular basis. Hacking and online fraud are the primary examples of attacks on the ICT. Furthermore, the financial damage caused by such attacks is reported to be quite substantial. The estimated annual cost of the global attacks is approximately one hundred billion dollars.

This paper will aim to explore the nature of cybercrime as well as the impact it has on the financial integrity of businesses. Because the issue of cybercrime is currently one of the major concerns regarding the informational and financial security of separate individuals or entire corporations, it is crucial to outline the challenges presented by this type of crime for better understanding how to deal with them in the future. Therefore, the paper aimed to answer the following questions:

1. What is cybercrime and what concerns does it pose to the international community as whole or specific areas such as the GCC region?
2. What is the impact of cybercrime on the financial sector?
3. What are the costs companies are forced to pay to restore the business in the aftermath of crime? Can these costs be quantified easily?
4. What are the examples of cyber attacks affecting the GCC region as well as other countries or companies?
5. What are the current laws on cybercrime in the GCC region?
6. What is the expert opinion regarding the challenges associated with cybercrime?

The listed above questions are targeted at loosely exploring the emerging problem of cybercrime and its impact on the financial sphere. Despite that there is enough research on the issue as a whole, there is a lack of in-depth studies on how the effects of cybercrime can be quantified exactly or how the number of cybercrime instances can be reduced. There is also a lack of research on how the GCC governments currently deal with the increased number of attacks on the financial sector. The following questions should be included in future research on cybercrime:

1. How the lost opportunities associated with cybercrime can be reduced?
2. Are there any GCC laws on cybercrime that should be changed or improved?
3. What exact measures companies can implement to reduce the number of cyber-attacks?
4. Can GCC region governments negotiate to cooperatively issue a legislative framework that will address cybercrime? Should their cooperation include private and public sector companies?
5. Are there any examples of GCC or international companies that have effectively battled with a cybercrime so that there is less damage caused to their informational and financial security?
6. What is currently done by governments for reducing the negative impact of cybercrime on the financial sector? What is advised to do next?

What is Cybercrime?

Cybercrime can be defined as a range of crimes committed through the use of the Internet and computers as tools or victims. Cybercrime ranges from spamming efforts to fraudulent acts that include illegal trespass into global security systems or theft of valuable information. Therefore, any criminal acts such as money theft from bank accounts or downloading illegal music and video files are regarded as cybercriminal activity. However, cybercrime is not limited to monetary offenses, creating viruses and posting confidential information online is also considered a cybercrime.

The majority of cybercrimes cannot be differentiated into one specific category of crime, which contributes to the limited capacity of cybercrime records. The statistical reports on cybercrime in the majority of regions are primarily conducted by the Internet Crime Complaint Center. By using statistics, the analysts are able to prepare information on the trends and rates of cybercrime.

The issues of cybercrime and cybersecurity cannot be separated from the general concerns of the global community. This is supported by the fact that the United Nations General Assembly resolution related to cybersecurity points at cybercrime as one of the major challenges for the global security systems that exist within the international dimension. For example, before reaching a recipient, an e-mail containing illegal information can pass through a series of countries. Therefore, when investigating such instances of cybercrime, international cooperation between countries is of the highest importance. In addition, many cyber crimes occur due to the fact that modern technologies are the same everywhere. Therefore, standardization allows for the same protocols being used across the world.

What is the Impact of Cybercrime?

Background

As shown by the recent events, cybercrime in the financial sphere is a pervasive issue; and one from which the assets of the GCC countries are not protected to a complete extent. It has been estimated that the cost of global cybercrime is greater than the GDP of eighty percent of countries throughout the world. In addition, the number and nature of criminals conducting cyber offenses are constantly increasing to include not only individuals but criminal syndicates, the organization of terrorists, and even countries. The inexpensive tools for conducting cybercrime are nowadays widely available; therefore, the threat actors rarely have to resort to any unknown methods to conduct cybercrime. Keeping the issue of cybercrime under control is becoming more difficult as technological advances developed. Nowadays criminals are able to use many sophisticated methods for committing fraud or stealing funds or personal information. In addition, some criminals prefer to collaborate and work in cooperation in order to commit fraud on a larger scale. Given all these facts, the efforts towards preventing cybercrime a predominantly technological, which means that their effect only lasts until a solution to deal with the technological prevention methods is developed. Therefore, the advances in the technological sphere are challenged by the rapid pace at which cybercriminals are able to develop their new methods of fraud.

Emerging Threat in the GCC Region

The most important findings gathered from the PWC survey suggest that cybercrime is now ranked second in the list of all reported economic crimes in the Middle East. While the global statistics indicate that 24% of companies that went through economic crime reported cybercrime, the GCC region reports 37%. The most common types of cybercrime affected the spheres of computer networking, applications, and systems. However, data stored by third parties as well as mobile devices can also become targets of cybercrime.

The recently occurred cases suggest that any company can be affected by cybercrime. Two of the largest gas and oil companies in the Middle Eastern region reported an attack on their networking system, causing thousands of separate computers disruption in their operation. Between 2012 and 2013 the financial sector across the region also reported instances of cybercrime in Oman and the United Arab Emirates.4

The motivation for cyber-attacks in the region can include financial, political, personal, and ideological. For example, in 2014 the oil companies in UAE, Saudi Arabia, and Qatar received anonymous threats of cyber-attacks from the politically motivated group of hackers. The threat was made due to the hackers being unsatisfied with the US being used as the currency for selling and buying oil in the region. Therefore, companies are not the only targets that could have been affected by the attacks, governments were at high risk, too. However, such threats are rarely substantiated by the actual attacks.

One of the primary characteristics of cybercrime as an evolving threat is the pace with which a crime can be performed, causing the crime victims a substantial loss of financial assets or data before they find out that an attack has been performed. Therefore, the effectiveness of many responses to cyber-attacks is completely diminished. In many cases, the system a company relies on when working can often become the main tool used against it by a cybercriminal who can then change or hid his or her identity.

Therefore, the fundamental challenge for the Gulf region and its businesses is understanding the risks of cyber-attacks and keeping up with their pace. Very often computer networks used by the companies are not complicated enough to account for the risks associated with the disruptions caused by much more sophisticated tools cybercriminals use. It is important to mention that some local governments have already taken some action to manage and prevent cybercrime, with the 2012 UAE’s Cyber Crimes Law and the 2012 Saudi Arabia’s Arab Cybercrime Agreement leading the action.

What are the Cybercrime Costs?

Due to a variety of factors, measuring the actual cost of cybercrime is difficult. These factors include the cybercrime effect on the safety systems the damage caused to the reputation of a company, interference with the business operations, and loss of opportunities. According to the recent survey conducted by PWC, when asked to estimate the costs of cybercrime effects on the business in the past two years, 35% of respondents could not give a specific answer while 40% believed that their business did not suffer from cybercrime.

The received results indicate the significant scale of the issue. In the majority of instances, the companies that never reported their financial loss due to cybercrime are usually unaware that they have been victims of such fraud or have probably incorrectly quantified the cost of the cyber-attacks. Such statistics are not unusual since the mentioned findings on cybercrime in the GCC region coincide with the global reports that also mentioned forty percent of companies not reporting any financial loss caused by cybercrime.

The Middle Eastern survey also included respondents who did report their financial loss from cybercrime; however, the numbers are quite low. Six percent of respondents claimed that their loss had been approximately 1 million dollars while two percent reported the loss between 5 and 100 million dollars. On the basis of the report, it can be concluded that the financial damage caused by cybercrime in the GCC region could be far more substantial than the majority of the company’s report.

What Are the Examples of Cybercrime in the GCC?

UAE Example

The statistics of Dubai have indicated a significant increase of 88% in the overall number of cybercrimes in 2013 compared to 20128. In 2013 the Dubai Police investigated under one thousand five hundred cases of cybercrime, which is three times more than the number of crimes reported in 2011.

Due to the significant increases in Internet use (UAE penetration of 92%), the transfer of personal or corporate information has become the easiest it has ever been. In the country, the most used online services are e-shopping, e-banking, e-bills, and e-government transactions. All of the mentioned services have proven to be very convenient for the users; however, there is a significant threat of cybercrime.

According to Altaher’s article in Gulf News, the United Arab Emirates is nowadays the target of approximately 5% of the worldwide attacks. Moreover, the rate of such attacks has increased by five hundred percent since 2011. The expert opinion expressed by Rabih Dabbousi, the senior vice-president of Dark Matter, a cyber security company, suggested that “Cybercrime follows the money. The money of financial transactions in the UAE, the establishments of financial free zones and the overall appeal of investing in the country are only some reasons why banks and other financial institutions are constantly being attacked”.8 Furthermore, Dabbousi also explained that the oil and gas industry of the region is the second target for the cyber attacks.

One of the primary points that put the United Arab Emirates on the radar of cybercriminals is the technological advances targeted at increasing the quality of the population’s life. The differentiation and innovation strategies contribute to the steady increases in cyber attacks. Therefore, the country is becoming more and more visible from the economic and social competitive perspective, which attracts cybercriminals.

Saudi Aramco Attacks

The 2012 cyber attacks on Saudi Aramco, the official Saudi Arabian Oil Company, had a tremendous impact on the way global companies now approach the issue of cybercrime. The computer network of the company was infected by the Shamoon virus that affected thirty thousand Windows-operating computers. The response from the company was not effective despite the vast resources available. It took Saudi Aramco under two weeks in order to restore the network and recover from the damage caused the company.

The main purpose of the Shamoon virus was the complete deletion of all data contained in the hard drivers of corporate computers. Despite that Shamoon did not provoke oil spills or explosions, the virus did enough damage to cause the loss of valuable information on oil production. The US Secretary of Defense Leon Panetta described the virus as being very sophisticated since there is a very small number of countries or organizations capable of performing such an attack. Because the virus rendered all computers useless as well as greatly undermined the operational capabilities of Saudi Aramco the financial impact of the attack is incomparable to that of the U.S. Government hacks of the fingerprint database. The Cutting Sword of Justice took responsibility for the attacks and referred to the “crimes and atrocities” Saudi Aramco committed as the main motivation. However, there were suspicions that the cyber attack was sponsored by the Iranian regime which had also been subjected to the same virus attacks prior to Saudi Aramco.

According to the response from the international community, the Saudi Aramco attacks were the “wake-up call” for the global businesses that do not treat the threats of cyber-attacks seriously. If a similar attack were to be performed with other critical global infrastructures, the effect on the communication networks, financial markets, as well as health and safety services would have been tremendous.

Company Case Study: Sony Pictures Cyber Attack

In September 2011, a hacker with the nickname Recursion (Cody Kretsinger) was arrested for conducting an attack on Sony Pictures Corporation. The arrest was conducted with the help of the proxy server that disguises the online identity of its users. With the available information on website logs, the police were able to match the criminal’s IP address with the timestamps of when the crime was committed. However, the 2011 attack was one of the attacks that targeted Sony Pictures. In November 2014, a cybercriminal group named “Guardians of Peace” released Sony’s confidential information such as photos of Sony’s employees, e-mail conversations, information on salaries, and copies of films that have not yet been released. The hack was associated with the release of The Interview movie which included a comedic portrayal of North Korean leader Kim Jong-un.

According to the LA Times article by Miller and Hamedy, the financial costs of the 2014 Sony attack were very large. The company had to spend more than $35 million on covering up the damage caused by the lack of corporate and private information about its employees. The costs included the improvement and rebuilding of the computer networks, paying the forensic team for the investigation, as well as investing in resolving legal matters that were caused by the hacking. Furthermore, it was speculated that the hack was implemented by the company’s former or current employees dissatisfied with their job, so Sony had to spend more time and effort investigating the security breach at the company. It is crucial to mention that such an attack on the company’s security caused widespread financial damage, given that it was a “malicious criminal act,” as stated by Sony Pictures’ executives Amy Pascal and Michael Lynton.12

The digital infiltration caused by the attack was very complicated for the company to clear up, causing, even more, costs that had been complicated to quantify. For example, the studio lost costs on the box office sales as well the revenue from home entertainment because of the release of five movies that could bring the company a large financial income. Despite that the possible costs could not be quantified to an exact number, it is safe to state that the damage caused by piracy is very large. For example, it was estimated that the company could earn approximately $100 million on the leaked movie “Annie,” however, the piracy put a great dent in the expected revenue.

Apart from the great financial damage that the cyber attack caused Sony Pictures, the company had to account for the downtime. It was estimated that the company employs approximately six and a half thousand employees that had to work without computers because of the invasion into their corporate e-mail accounts. This kind of disruption could also potentially cause a financial loss because the company missed out on potential business opportunities, like, for example, finding a new script for a top-selling blockbuster movie. Furthermore, it can be stated that Sony’s competitors do not wait for the company to restore its operation. As stated by Top Chapman, a director of cyber operations at EdgeWave, a cyber security company, it was very hard to measure the exact financial impact cyberattack caused the company because of a variety of unpredicted and predicted costs such as network rebuilding. Nevertheless, the impact was greatly damaging to the company.

To summarize the example of Sony Pictures’ hacking, it can be stated that the costs caused by cybercrime are very hard to quantify because of the loss of business opportunities that the company could have had if the attack did not occur. Furthermore, the downtime in which employees had to work without the help of computer networking also implies some major financial loss. Thus, the financial impact of cybercrime is always large because criminals carry out a specific range of actions targeted to damage the company’s financial and technological integrity.

The role of the U.S. government in assisting with resolving the issue with Sony Pictures remained unclear. In his article, Scott Shackelford mentioned that many problems with protecting from cyber-attacks are associated with the lack of attributed responsibility of the government or state agencies for the committed cyber attacks. Therefore, because the attack was associated with the scandalous movie The Interview, the North Korean government could have played an indirect role in supporting the hacking targeted at Sony Pictures.

What is the GCC’s Cyber Security Laws?

The governments of the GCC region have recently adopted new laws that were drafted collectively. Despite the fact that the majority of the member states already have their own cybercrime laws, the Gulf is becoming much more integrated economically, politically, and culturally, therefore requiring a unified set of laws that can be applied throughout the region.

The newly adopted law is very similar to the one in Oman and to a large extent covers all technology-associated acts that fall under the category of cybercrimes. These acts include e-documents forging, stealing credit card information, creation and distribution of viruses, cyber terrorism, communications interception, hacking, accessing the e-system without authorization, as well as other acts that put the integrity of private and corporate information at risk.

The cybercrime law was adopted in order to reach the following five objectives:

• Provision of high-quality control and management of the data protection services;
• Raising awareness of the cyber security importance;
• Implementation of various methods of ensuring cyber security in the region;
• Creating a nationwide plan for facing the risks associated with cybercrime;
• Making sure that the member states are committed to the task of eliminating the instances of cybercrime.

The United Arab Emirates is the GCC state that has the most comprehensive laws regarding cybercrime – the UAE-Law No. 5 of 1012 concerning Combating Information Technology Crimes, which replaced the previous Cyber Crimes Law adopted by the government in 2006. The 2012 UAE Cyber Crime Law has added a range of new crimes and included the offenses related to the country’s obligations in the context of international treaties. In addition, the 2012 laws included a much higher penalty for the offenses compared to those outlined in the previous 2006 law.

The 2012 law was the first legislative document that included and codified a full range of offenses that can be implemented with the use of the Internet; furthermore, the sentences for individuals that were found guilty of cybercrime are also included. The new additions to the punishable under the law crimes include the promotion or distribution of pornographic material, indecent acts, and gambling on the Internet. Therefore, this law encompasses a range of possible violations that can be easily performed with the use of the Internet.

Qatar has also been working towards establishing cybercrime laws beneficial for outlining primary principles related to managing this type of crime. Issued in 2014, Qatar’s Anti-Cybercrime Law aggressively targeted a large range of technology-related crimes by means of imposing significant penalties for those proven guilty. The types of cybercrimes included in the law range from the criminal acts committed in relation to software and data specific to the usage of various methods and systems that facilitate the actions targeted to blackmail and defame other individuals.

One of the most significant aspects of Qatar’s Cybercrime law is its addressing cross-border cybercrime. In order to prevent cybercrimes occurring across the border but may be linked to Qatar, the law provides specific rules related to the extradition of suspected criminals that committed unlawful acts classified as cybercrime.

The law distinguishes five separate types of cybercrime, which include the infringement of intellectual property rights, the electronic transaction with cards (forging cards, unlicensed production, unauthorized usage), fraud and forgery of electronic documents, content crimes (terrorism, false news, child pornography, and social principles infringement), and hacking.

GCC Challenges Regarding Cybercrime – Expert Opinion

The expert opinion on the issue of cyber security is provided by Megha Kumar, the head of the software research and advisory practice at IDC in the Middle East, Turkey, and Africa. As the manager in research, Kumar has been the primary person responsible for delivering and controlling projects across a variety of technological levels (storage, IT security, analytics, databases, etc.) at the same time with actively participating in the collaboration with vendors that wished to improve their competitive strategies on the market.

Challenge 1

Megha Kumar, the senior analyst at IDC MEA, stated that GCC countries require much more effective collaboration when it comes to the issue of cybercrime. As a specialist in the sphere of cyber security, Kumar underlined that with the growth of international companies in the region that collaborate with customers and partners around the globe, the need for high-quality cyber security systems has skyrocketed significantly. Due to the quick pace of technological advances development, many companies have become targets of cybercriminals that want to achieve either financial gain or disrupt the operation of the companies to damage their reputation. Also, the increased attention to the issue of cybercrime is seen from the growth in spending on security software across a number of business sectors.

The expert underlines that many of the advanced threats posed to the security systems of the region can remain unnoticed for a long period of time and thus cause major damage. This fact contributes to the overall complexity of the challenge. Furthermore, the developing countries are currently characterized by the second and third technology platforms merging to become one entity, which also poses a great threat to the security of cyberspace.

Cybercrime is largely influenced by financial motivation; however, there is also an issue when hackers try to deface an information network by promoting an unfavorable political agenda that does not go along with the commonly practiced views and ideas. Therefore, the implications for cybercriminal activity are not purely financially-driven, any platform can become a subject of an attack targeted at damaging the reputation.

Challenge 2

Nowadays, the concerns about information technology security include not only GCC companies that investigate ways for securing their networks and operational data. According to Kumar, governments also show concerns when it comes to protecting valuable information. With the improvements of the cross-country levels of cooperation and networking, companies and governments become the main victims of cybercrimes, which have also been growing and expanding in terms of sophistication and the damage they can cause to the current economic environment. Cybercriminal activity such as thefts of identity or virus distribution is becoming motivated by financial gain, as seen from the significant spread of cases of online financial scamming and online illegal transactions. Furthermore, the methods of cybercrime have expanded into a broad variety – criminals take advantage of the vulnerabilities that exist within the social networking and hosting sites in order to get confidential information about the users and then manipulate such information to gain the financial outcome.

Kumar underlined the fact that GCC countries had experienced cyber-attacks of this kind. Some of the most infamous examples include ATM’s hackings, the 2009 attacks of Ghostnet targeted at Kuwait and Bahrain, cyberattacks on large oil companies, and the defacements of various publication websites.

The GCC banking services are nowadays investing in security and authentication solutions to protect their customers. The providers of telecommunication services are also investing in establishing new security solutions for protecting their customers from fraudulent acts. Nevertheless, the organizations within the operating industries should not be the only actors responsible for establishing cyber security governments are the primary bodies that should lead the process of securing cyberspace from criminal activities.

The GCC region is characterized by the governments filtering out information that contradicts the general beliefs or ideas. In a similar way, governments should look into securing the Internet space against cybercriminal activity. It is highly important since attacks that occur on a larger scale can damage the communication networks in the region and sometimes even lead to physical and financial losses to private users or corporate bodies. While the UAE, Qatar, and Saudi Arabia have been proactive with their approach towards cybercrime, other GCC countries are still challenged with adequately addressing the issue on a legislative basis. The establishment of such agencies as CERT (computer emergency response teams), unique task forces that specifically deal with cybercrime, and campaigns for raising the awareness of the cyber security importance are some of the examples of how GCC countries can start addressing the problem of cybercrime, eliminating it in the future. Therefore, the GCC governments are advised not to view cyber attacks as something limited by geographic boundaries.

Challenge 3

Megha Kumar also discussed another major challenge for the GCC information technology sector – the issue of software piracy. According to the 2011 “BSA Global Software Piracy Map”, the rate of software privacy in the GCC is:

• 51% in Saudi Arabia with the commercial value of $449 million;
• 61% in Oman with the commercial value of $36 million;
• 37% in the United Arab Emirates with the commercial value of $208 million;
• 50% in Qatar with a commercial value of $62 million.

Therefore, the region is highly exposed to software piracy which has its own specific impact on cyber security. Despite the fact that pirated software is much more vulnerable to viruses, companies, and private individuals often use it due to the fact that it is much cheaper. Nevertheless, the software that has been manipulated by a third party can offer an unauthorized entry for various bots, viruses, and hackers, which can easily disrupt the performance of the system. Furthermore, pirated software can include systems for fighting the security breaching attacks – it is not limited to mobile applications or games. Because many users do not wish to pay for security system upgrades and full versions of the software and opt for a cheaper pirate alternative, they make their computers vulnerable to many kinds of dangerous attacks that undermine the integrity of private or corporate data.

GCC governments are currently trying to address the issue of pirated software due to the significant pressure that comes from software developers that work in the region. While some primary steps have been taken by the GCC governments, there is very much to be done in the future in order to take the issue of software pirating under control.

Challenge 4

The fourth challenge in establishing cyber security in the region relates to a gap that exists between businesses and the information technologies the businesses employ. According to Megha Kumar, the opinions of the decisions makers in the IT departments do not coincide with the IT’s understanding of how information security should be managed. In the majority of cases, Chief Information Officers see the lack of skills as the main disadvantage of the IT department while the information technology managers feel that there is very little support from the higher authorities in terms of implementing new solutions for information security. Therefore, there is a major lack of cohesive strategies for cyber security that are acceptable for everyone. In order to implement a much more extensive range of information security strategies, the existing gap should be eliminated.

The GCC organizations are currently working towards employing much more sophisticated solutions for information technology security in order to manage the issues of hacking, traffic network, as well as little user awareness. Apart from that, many organizations are trying to add information security training into their corporate agenda thus raising awareness of cyber security initiatives that address the challenge of security attacks.

The survey that included Chief Information Officers has shown that fifty-seven percent of the participants admitted that sustaining cyber security at the same time with coming up with innovative solutions was the biggest priority they had to deal with in the year 2014. Furthermore, half of the respondents stated that ensuring smooth information security in their department was the second major challenge to be addressed. Thus, it is evident that many organizations in the GCC region are majorly concerned about how performance can be sustained alongside their business availability. Additionally, many admitted that the rate of IT solutions investments evolves at a much slower speed in comparison with the speed of the security landscape.

Chief Information Officers also mentioned additional challenges that exist within their area of expertise. Namely, the improvements in IT assets utilization, connectivity management, and systems availability are just some of the additional aspects of concern. Contrary to the opinions expressed by the Chief Information Officers, IT managers mentioned that the sophistication of the cyber-attacks has increased exponentially while the support from the executive management decreased. Another enterprise security challenge is related to no cohesive security strategies, which have been agreed upon collectively by the executives and the IT managers.

The results of the survey indicated that the GCC companies are majorly investing in various initiatives for information security since the challenges they face are exponential. In relation to this, in 2014 companies predominantly invested in firewall systems, detection of intrusion, as well as attack and data loss prevention systems. Kumar also mentioned that there is an increased focus on deploying firewalls of the next generation, which are able to offer a much more detailed look at how the enterprise information can be better protected.18

Challenge 5

The last challenge related to establishing cyber security in the GCC region is associated with the economic crisis. There is an unfortunate trend, which suggests that software piracy and cybercrime will be greatly deprioritized when the governments deal with the impact of the economic crisis, especially the financial and political challenges. Nevertheless, it is highly important that the governments address the problem with a higher intensity at such times since the sphere of information technology will be much more susceptible to possible fraudulent acts. The implementation of greater efforts for enterprises and consumer education on the importance of cyber security policies will not only benefit in creating a much more effective environment for business but also ensure that individuals and corporations are protected against cyber-attacks at the time when the government is dealing with other challenges.

Particularly, GCC countries such as Qatar, the United Arab Emirates, and Saudi Arabia have always perceived their business environment as the safest. Therefore, for them to increase their attractiveness for any type of business (local or international), it is crucial for them to improve the regulation of cyber security policies and implementation of laws targeted at protecting the private and corporate assets from the instances of cyber-criminal activity.

On the other hand, the current situation in Qatar regarding the issue of information technology security is extremely volatile. The volatility is experienced not only in terms of malware but also in the aspect of hacking instances, cyber warfare, and persistent threats that have become much more complex and advanced than they used to be. Furthermore, the advances in big data, cloud computing, and mobile media also greatly contribute to the volatility of cyber-security when it comes to its management, implementation, and development. According to Kumar, Qatar’s businesses should perform an evaluation of the investments that go towards the information technology security sector at the same time with rationalizing the costs, protecting the existing assets as well as coming up with innovative security solutions. Thus, businesses should address the sustainability of their security systems while making sure that such systems are the main enablers and supporters of their operation.

For countries like Oman, the main challenge in managing the issue of cybercrime relates to budget constraints. Due to the fact that many companies are trying to get as many resources as they can through downsizing their headcount, the issue of enterprise software security is becoming an even larger challenge than it has already been. In the course of downsizing the employee count in a company, there is a potential risk of some dissatisfied workers taking important information with them to use against the company in the future. Thus, the challenge of cyber security remains under-addressed and overlooked at many levels of business life.

Megha Kumar concluded with the statement that “as the GCC region recovers, the governments will need to ensure not just political and economic stability but also digital stability to sustain growth levels”.[22]

Summary and Analysis

According to the findings from the conducted research, the GCC region is currently highly vulnerable to a variety of cybercrime that is being imposed upon different business spheres. The evolving coverage of the Internet, the widespread availability of technology, and the lack of commitment to the problem of cybercrime are the main issues that challenge the business and the government areas of GCC.

The cyberattack performed against the corporate software of Saudi Aramco can be classified as the ‘wake-up call’ for the GCC to start taking the issue of cybercrime seriously. In order to keep control over cyber security as well as manage the financial or reputational damage a company has experienced, the GCC countries are working cooperatively to establish a set legislative framework that includes the types of crimes classified as cybercrime and the punishment the perpetrators will receive if proven guilty. In addition, such a framework implies mutual cooperation between member states in terms of the extradition of cybercriminals.

It has been concluded that the calculation of costs that appear as a result of cybercrime is a complicated process. The factors like cybercrime’s effect on the safety systems, the damage caused to the reputation of a company, interference with the business operations, and loss of opportunities are very hard to estimate. Additionally, many businesses do not know the financial impact cybercrime caused to their companies. According to the survey conducted by PWC, when asked to estimate the costs of cybercrime effects on the business in the past two years, 35% of respondents could not give a specific answer while 40% believed that their business did not suffer from cybercrime. The issue of lost business opportunities associated with cybercrime is another problem that requires further attention. As seen from the Sony Pictures example, the corporation experienced some major financial loss associated with the release of movies to be screened in the nearest future. Despite that the lost financial opportunities cannot be exactly quantified, it is evident that cybercrime affects businesses in a variety of ways.

Therefore, the lack of awareness about the issue of cybercrime contributes to the challenges the GCC region faces. In addition to the fact that not many businesses are able to estimate the costs of cyber-attacks on them, the researchers reported that there is a lack of cooperation between the IT managers in companies and the Chief Information Officers due to the different views on how the issue of cybersecurity should be addressed.

Due to the fact that currently cybercrime is ranked second in the list of the most concerning threats, the future direction of the government, as well as corporations, should move towards mutual cooperation in terms of establishing cyber security and eliminating possible damages it causes to the overall financial industry. To deal with the issue effectively, there should be a comprehensive evaluation of the previously-implemented methods of cybersecurity, as well as the employment of skilled professionals in the sphere of IT who can bring innovative solutions to the table.

Similar to the way GCC countries should work cooperatively towards establishing cybersecurity on each level, there is a positive prospect for working with other international organizations and governments that have much more experience in protecting businesses and customers from possible cyber attacks. Because the economic and financial sphere of the GCC region is evolving to meet the expectations of the global and local communities, the changes in the area of cyber-security should go hand-in-hand with the changing environment. The financial sector at large suffers from cybercrime because of the incompatibility of the available crime tools and the systems they attack. Therefore, massive emphasis should be put on creating innovative cyber-security measures that will not be as vulnerable to many types of cybercrime.

Future research on the problem of cybercrime affecting the financial sector should focus on how the financial damage from attacks can be addressed as soon as possible for eliminating the possible loss of business opportunities. Downtime greatly affects the operation of many companies; therefore, future research should include the development of a ‘cyber attack emergency’ system that companies can implement if necessary. Also, there is a need for exploring GCC legislation in-depth to find any laws that can be changed or improved. The importance of international cooperation should not be overlooked because the problem of cybercrime has no limits or geographical boundaries. Lastly, it is advised to study cases when businesses effectively implemented counter-measures in the course of cyber attacks as well as how they were able to minimize downtime and ensure that there are no business opportunities lost.

References

Altaher, Nada. UAE a Target of 5 Per Cent of Global Cyber Attacks. 2016. Web.

Broadhurst, Roderic, Peter Grabowsky, Mamoun Alazab, and Steve Chon. “Organizations and Cyber Crime: An Analysis of the Nature of Groups Engaged in Cyber Crime.” International Journal of Cyber Criminology 8.1 (2014): 1-20. Print.

Bronk, Christopher, and Eneken Tikk-Ringas. The Cyber Attack on Saudi Aramco. 2013. Web.

BSA Global Software Piracy Map. 2011. Web.

Go-Gulf. Cyber Crime Statistics and Trends. 2013. Web.

Gulf News Technology. Major Gap Remains Between Business and IT over Cybersecurity. 2015. Web.

Info Security. Saudi Aramco Cyber Attacks a ‘Wake-up Call’, Says Former NSA Boss. 2014. Web.

ITU. Understanding Cybercrime: Phenomena, Challenges, and Legal Responses. 2012. Web.

Jairwdeh, Terek. Introducing a Cybercrime Law in the GCC. 2014. Web.

Kumar, Megha. Cybercrime Challenges in the GCC. 2010. Web.

Miller, Daniel, and Saba Hamedy. Cyberattack Could Cost Sony Pictures Tens of Millions of Dollars. 2014. Web.

Nagraj, Aarti. Hackers Warn of Cyber Attacks on Oil Companies in Saudi, UAE, Qatar. 2014. Web.

National Crime Prevention Council. Cybercrimes. 2012. Web.

PWC. Economic Crime in the Arab World. 2014. Web.

Salt, David, and Maryam Shaikh-Doha. Qatar Tracks Down on Cybercrime with New Laws. 2014. Web.

Shackelford, Scott. “From nuclear war to netwar: Analogizing cyber attacks in international law”. Berkeley Journal of International Law, 21.1 (2009): 193-251. Print.

Appendix 1

Survey

The issue of cybercrime is of the highest importance in the GCC region. In your opinion, what entity should be the most responsible for addressing such a challenge? The government of each GCC country separately.

All GCC governments should be responsible cooperatively.

IT companies.

Specially trained security professionals.

What is the most appropriate sphere of investment when it comes to protecting one’s business against the financial loss of cyber security?

Employee programs for training and awareness.

Active monitoring of the security situation.

Employ a CISO that will be in charge of cyber security.

Invest in all spheres of IT security in equal quantities.

Which of the below-listed strategic initiatives will be the most effective for the GCC region?

Risk-based frameworks for cyber security,

Formal collaboration with global partners.

Cyber security insurance.

Cloud-based cyber security.

Which business sector in GCC is the most vulnerable to cybercrime attacks?

Oil and gas industry.

Retail.

Banking and finance.

Entertainment.

All of the above.

Should there be an increase in cyber security funding if a company experiences particular financial difficulties?

Yes. With the financial difficulties comes great vulnerability to outside cyber-attacks.

No. The company should first address the financial challenges and then manage the issue of cyber security.

Who or what, in your opinion, are the main perpetrators of cybercrime?

• Current employees of the company.
• Former workers.
• Hackers.
• Activists.
• Service providers, contractors, and consultants.

Appendix 2

Interview with Cybercrime Expert, Misha Glenny

Misha Glenny is a world-renowned cybercrime specialist and an author of numerous works on cybercrime such as DarkMarket: Cyberthieves, Cybercops, and You, McMafia: A Journey Through the Global Criminal Underworld, and others. Mr. Glenny had a strong view that because technological advancements affect every sphere of life, especially business, cybercriminals are given a large platform for attacking the financial integrity of companies, putting the overall security of the business processes at risk. Also, apart from putting an emphasis on the fact that cybercrime significantly affects the financial sector, Mr. Glenny underlined that there were no international limits to developing cyber weapons, which presents a major challenge to the international community.

In my opinion, Mr. Glenny gave unexpected answers that present a completely different perspective on cybercrime compared to what the general views are.

Interviewer: Mr. Glenny, can you please comment on the current situation in the area of cybercrime? For example, do you see a potential threat in the spread of computer viruses such as Shamoon or Stuxnet?
Mr. Glenny: Given the fact that there is a lack of information about the developers of such viruses, the current situation regarding the issue continues to alarm. However, one of the advantages that we can employ to withstand cyber attacks relates to knowing how the virus affects the systems as well as what damage they cause. Every business, especially in the financial sector, should have a specific plan of action if a cyber attack occurs to minimize the damage and ensure efficient recovery.
Interviewer: One of the most common types of cybercrime in the financial sector is bank account hacking. In your opinion, can people blame the bank and ask for compensation? Furthermore, can these people classify as ‘cybercrime victims’?
Mr. Glenny: Of course, it is very unpleasant when your bank account is hacked. However, it is important to distinguish between the types of cybercrime that impact the banking sphere. The loss of monetary assets is managed by the bank, therefore, in the majority of cases, a client gets the stolen money back. However, the mining of valuable data such as passport information and credit history can seriously damage the client’s privacy, and banks cannot ensure that such mining will not cause any negative consequences. Therefore, it is always important to care about valuable information that can be used against the client, rather than his or her monetary assets.
Interviewer: It is always important to know more about offenders that commit cyber crimes. Can you elaborate on this issue? Who are cybercriminals and how the judicial system can prosecute them?
Mr. Glenny: The question of who are cybercriminals is very broad. Some of these people are experienced criminals, some of them are professional hackers, some of them have been prosecuted and are in jail. The real issue is the purpose of their actions because it can vary significantly. For example, there are so-called ‘white hackers’ that commit cybercrime for, in their opinion, ethical goals. Some hackers commit cybercrime to destabilize the political situation while others only aim at the financial side of affairs. On the other hand, there is no point in making classifications because all cybercrime is a crime and deserves to be punished.
Interviewer: Can you please expand on the new threats regarding cybercrime arising in the nearest future?
Mr. Glenny: The issue of threat is associated with the public’s necessity to use technology in their personal or corporate life. A person’s life cannot be functioning without technology the same way a business cannot operate without the involvement of Informational Technologies. These two components become one in the workplace and become perfect platforms for cybercriminals to undermine technological security and steal valuable data. The emerging threat associated with cybercrime is in the principle that most technologies require connection to the Internet for updating, receiving, or sharing information. Such technologies are deeply integrated into the life of users, allowing cybercriminals to abuse the integrity of personal information. Therefore, the main threat of cybercrime to be predicted is the usage of the “Internet of Things” as the weakest link in data security. I can give you an example of cyber criminals now targeting smartwatches that use unprotected access points to valuable information.
Interviewer: To conclude our conversation, I would like to ask you about how cybercrime can be avoided? Can the ‘cyber arms’ be taken out of the hands of criminals?
Mr. Glenny: Unfortunately, I have no clear answer to that question because anyone can have access to technology in the sense of ‘cyber arms’. The real issue is that different governments have different interests regarding information security. For example, in the United States, the main concern is the protection of intellectual property while the GCC region is heavily focused on protecting the financial integrity undermined by cybercriminals. It is hard to say how can cybercrime be avoided; however, paying attention to how personal information is stored and shared is one of the primary principles.