The fight to protect Qatar’s borders in cyberspace
Qatar’s increasingly prominent role in the world and its involvement in regional politics have made it a mark for its detractors. Targeted financial crimes and cyber espionage are on the rise around the world. The growing private sector has become just as important as state secrets and needs to be protected. But what are the challenges organisations in Qatar face in securing their systems?
The news today contains many stories of cyber hacking, of varying complexity and intent. Most recently the Twitter feed of the Associated Press’ account was hacked and a false tweet was sent out claiming an explosion at the White House in the United States (US). The result? The Standard & Poor’s 500 index lost USD136 billion (QAR495 billion) in market value before it recovered. The Syrian Electronic Army, which claimed responsibility for the attack, has also targeted Qatar and its organisations such as Qatar Foundation.
Last year’s attack on RasGas crippled the company’s administrative IT system, according to a spokesperson with the company at the time. If RasGas, one of Qatar’s two LNG producers, had been taken offline, the ramifications for the economy would have been significant.
The looming threat is to critical national infrastructures, and protecting these is a matter of national security. “If it is possible for someone to hack into Iranian nuclear facilities, then what is to stop them from doing the same?” asked Eric Winsborrow, the president and CEO of Zanttz, who was in Doha recently to give a talk organised by the Qatar Computing Research Institute (QCRI). Zanttz is a company based in the US that develops stealth cyber technology solutions.
Communications infrastructure, electricity, transportation, water, banking and financial systems are all possible targets for attacks, explains Winsborrow. According to him, the speed at which both state and non-state actors have tried to leverage vulnerabilities in network-based technology is alarming. Three decades ago a virus would take three months to spread around the world, but in September of 2001 the Internet world changed: the first complex blended threat – one that uses multiple intrusion techniques – was introduced. “This took three days to propagate, and that was 10 years ago, can you imagine how real-time the attacks are now?” he adds.
Financial crimes are usually the forte of criminal organisations, according to Craig Shultz, the vice president of security and research at Zanttz, who also attended the event. However, it is interesting to note that these organisations do very little software development themselves. Instead they are able to purchase it from the software market. “It is an illicit market,” Shultz told The Edge, “one that is almost as big as the commercial [legitimate] software market.” Most attacks originating from ‘over the counter’ software are aimed at targets of opportunity.
Recently, two prominent Middle Eastern banks, Bank Muscat from Oman and the National Bank of Ras Al Khaimah (RAKBANK) in the United Arab Emirates (UAE), were victims of an elaborate and targeted attack. According to the US authorities that uncovered the breach, two card processing companies based in India had their systems penetrated. The hackers then raised the credit balances and withdrawal limits on the cards, which were distributed all around the world, and money was withdrawn from ATMs in 27 different countries. The heist, according to some reports, amounts to as much as USD45 million (QAR164 million).
Numerous experts in the field of cyber security point towards China as the most egregious state participant in cyber espionage. The entry of state actors engaging in cyber attacks has led to a shocking increase in the numbers. Winsborrow says that in a single year the number of attacks went up suddenly from 200 million to 1.3 billion. “The numbers now are in trillions. One of our customers, the US Navy, gets six billion attacks a year, alone.”
The Qatar Computer Emergency Readiness Team (Q-CERT), which is the cyber security arm of the Supreme Council of Information and Communications Technology (ictQatar), works with government agencies, organisations and even citizens to monitor risks and resolve problems. It also offers training to IT professionals in key sectors that sustain the national economy, such as government, energy and finance. A document produced by Q-CERT titled Government Information Assurance Policy maps out in detail the policy and procedures that agencies, departments and individuals must follow to protect their information. For example, the policy states that nationally classified information needs to be carried on separate cabling.
The organisation also develops legislation and regulations that cover e-commerce, data protection and protection of critical information infrastructures. Khalid Al Hashimi, the executive director at Q-CERT, recently revealed that an awareness campaign would be launched in collaboration with the Central Bank to stress the importance of security in the sector.
In addition to this, the QCRI recently announced that it will set up a research centre aiming to develop solutions around cyber security issues. Commenting on the centre, Paul Wright from AccessData, a digital forensics and litigation support company, tells The Edge that “the evidence from several countries indicates that implementing efficient crime prevention initiatives, such as a research centre, can contribute significantly to safe and secure societies; the same applies to the electronic environment.” Dr. Ahmed Elmagarmid, executive director of QCRI, speaking at the same event recently, noted that they were working to map out a framework for the research centre. “We are in the early stage of planning for this research centre, but the primary objectives will be to improve the preparedness against emerging cyber threats as part of the nation’s security,” he said.
In order to protect themselves, organisations need to look at where they are exposed and vulnerable to cyber crime, says Wright. That will tell them two important things, he adds, “Firstly are they a ‘target of choice’ or a ‘target of opportunity’, and secondly are they the ‘low hanging fruit’ that can be picked quite easily.”
The latest Internet Security Threat Report 2013 from Symantec, a security software company, showed a 42 percent increase in targeted attacks in 2012. Their objective, explains Shultz from Zanttz, is to go after important data like intellectual property (IP). The numerous research projects in Qatar, some of which have commercial applications, are prime targets for such attacks. In the US and Europe, more IP has been lost in the past year and a half than in the entire history, claims Shultz. “If you look at the actual damage and losses, which we do a lot of, it is in excess of a trillion dollars.” The economic damage this inflicts is enormous, and many companies do not know they are victims until it is too late.
Sometimes hackers are looking for sensitive data. “A lot of clients come to us because they have lost the last dozen bids, because they are being underbid by the exact same percentage every single time they go, and it is suspicious. Typically when we come in, it is after one of the executives has been fired,” adds Shultz.
Mike Chung, an expert on cloud computing and security at KPMG Netherlands, who was recently in Doha, says that the biggest problem with cyber crime in general and espionage in particular is that we simply do not know much about our adversaries. Countries such as China have been singled out numerous times but have denied the accusations. The CEO of Huawei – one of China’s biggest technology companies, also blamed for engaging in espionage – noted in a rare briefing to the press that, “We have never sold any key equipment to major US carriers, nor have we sold any equipment to any US government agency. Huawei has no connection to the cyber security issues the US has encountered in the past, current and future.”
There is also another war being waged. While the media show attacks that cause physical destruction on a daily basis, what they do not show, what they cannot show, is a war being waged using technology, says Zanttz’s Winsborrow. “There is a cyber war being waged. It is not a war fought with bombs or bullets, but a far more insidious one because it is done from far, far away.” However, Chung disagrees, telling The Edge, “We have to be careful with the word ‘cyber warfare’.” At this time, he says, we cannot talk about war because it would imply that people are dying or that entire IT systems are being destroyed, which is not the case yet.
The US government for the first time in a report to Congress blamed China, stating that numerous systems owned by the government had been targeted for intrusions, some directly attributable to the Chinese government and military. The increasing use of proxy-war strategies to commit cyber attacks will further complicate the issue of identification, according to a Royal United Services Institute journal publication on Proxy warfare and the future of conflict. To date there is no global treaty in place to manage cyber warfare.
When it comes to business, one of the key areas of weakness in any security system is the human aspect, and companies must be mindful of this when developing an IT policy for an organisation. Social engineering in the context of cyber security is simply the ability to trick individuals into divulging confidential information. Most recently, the Qatari Ministry of Interior (MOI) notified users of a ransomware trojan that was infecting computers in Qatar. The malicious code functioned by blocking the user from accessing any functions on the PC until they made a payment. In this case the page that appears is a dummy MOI website. Social engineering is a very effective method utilised by hackers. Most people are probably aware of the email scam built around ridiculous claims from a Nigerian prince. What you might not know is that social engineering is the reason this scam has been successful for so long. A recent research paper from Microsoft explained that scammers have begun to intentionally dumb down messages, eliminating anyone who might make things more difficult for them.
Education and protection
Relatively new technologies that are being adopted by organisations, such as the cloud, have significant security issues to contend with. Since resource sharing is an essential component of cloud computing, each security incident may impact multiple customers. Chung explains that there is not much that can be done to avert security risks other than to have a good exit scenario and incident response mechanism. He does, however, add the caveat that the overall level of security is high in the cloud when compared with internally managed IT services.
Qatar’s increasing prominence and the current regional dynamics make it a prime target for attacks. It is a threat that both companies and government should take seriously.
One such example in Qatar is Vodafone Qatar. Farrukh Ahmed, Vodafone Qatar’s chief technology security officer, tells The Edge that they are acutely aware of the rise in global cyber attacks, and are centrally monitoring their defences. “We continue to invest heavily to protect our assets as well as those belonging to our customers. It’s imperative that businesses in Qatar take this threat seriously and ensure they are poised to meet these challenges.”