Report: Qatar must take urgent action against rising cyber threats

The many suppliers and consultants that Qatar has hired to increase internet access and connectivity in the country may be one of the weakest links in terms of the nation’s cyber security, a newly released report has asserted.

These consultants often have access to large amounts of sensitive data. But because supply chain companies may have lower levels of security, they are often targeted by hackers and cyber criminals as an access point to the systems of bigger organizations, the Emerging Cyber Threats 2014 report found.

The document was produced by the Qatar Computing Research Institute (QCRI) – a private, non-profit organization that is part of Qatar Foundation – whose Twitter and Facebook accounts were hacked last year.

RECENT ATTACKS

October 2013: The Syrian Electronic Army took control of Qatar’s .QA domain name and shut down numerous high-profile websites.
April 2013: The Syrian Electronic Army hacked the Twitter accounts of FIFA and its president, Sepp Blatter, and published messages saying the world football organization accepting bribes in exchange for awarded the 2022 World Cup to Qatar.
March 2013: The Syrian Electronic Army hacked the Twitter and Facebook accounts of Qatar Foundation.
September 2012: The Syrian Electronic Army sent out false breaking news alerts to Al Jazeera’s SMS subscribers and Twitter followers. That followed the hijacking of the network’s homepage by pro-Syrian government group calling itself Al Rashedon a few days earlier.
August 2012: The corporate computer systems and website of RasGas, one of the world’s largest liquefied natural gas suppliers, were taken offline by a virus attack. The incident came several days after a group calling itself “Cutting Sword of Justice” incapacitated the internal computer networks Saudi oil giant Aramco with a similar virus.

For the past few years, many cyber security experts have warned that Qatar is becoming an increasingly popular target for cyber crime.

That’s in part because of the nation’s natural gas reserves; growing involvement in international business and politics; and its role as an international media hub.

To tackle these problems, QCRI has outlined an action plan drawn from domestic and international experts in IT security, industry, government and academia.

It includes recommending that third parties’ access to sensitive data and to large amounts of information be limited.

The plan comes as Qatar focuses on increasing government services online and works to make the internet accessible to more people, as a key component of its economic diversification strategy.

The report also follows last month’s launch of the Supreme Council of Information and Communication Technology (ictQATAR)’s digital inclusion strategy.

Key threats

Among the most vulnerable targets are Domain Name System (DNS) services, such as the Qatar Domain Registry, the report states.

Last October, attackers managed to reroute website requests for 10 key domains in Qatar, including the Ministry of Interior, Ooredoo Qatar and the Ministry of Foreign Affairs.

They hijacked these websites to post material in support of embattled Syrian President Bashar Al-Assad.

There are also the common “denial of service attacks.” These are often carried out by what the report calls “political hacktivists” to push a particular political agenda.

The attackers can block access to government websites and services, or hijack the sites to send out propaganda messages.

This is particularly an issue on social media where false information can quickly spread.

QCRI is working on a number of projects to help identify trusted information sources during emergency situations, including TweetCred, which helps to assess the credibility of posts in crisis situations.

Qatar also faces threats to what the report calls its “critical infrastructure” – primarily its dominant oil and gas sector, but also the monitoring and control systems of water processing facilities.

As a desert state, ensuring a continuous supply of fresh drinking water is paramount to maintaining domestic security.

The report states that “Qatar Electricity and Water Company (Kahramaa) is another likely target of probes and attacks,” adding that hostile rival states and political groups would be the most likely to mount such an attack.

Perhaps taking such risk into account, Qatar has been mulling a draft cyber crime law that was approved by the Cabinet in February and is designed to beef up cyber security within Qatar’s key industries.

The legislation, which sparked controversy because of a reported provision to punish anyone who publishes information that infringes on Qatar’s “social principles or values,” has yet to be made public.

Arab language spam

Another significant threat to Qatar’s cyber security is a recent rise in Arabic-language spam, which has been targeting banks and financial institutions in the region, according to Russian security firm Kaspersky Lab.

Kaspersky said that “financial institutions need to harden defenses and educate consumers” to limit the impact of potential attacks.

Earlier this year, Minister of Communication and Information Technology Dr. Hessa Al Jaber addressed Qatar’s banking sector, warning that it needs to protect itself against an increasing number of sophisticated cyber attacks.

Yet another arena that will require security measures is an increasing reliance by individuals and organizations to host information on cloud systems, which can create a “treasure trove for attackers.”

The report warns that as the use of cloud services increase, there will be more incidents of leaked data and threats to privacy. To mitigate that risk, the experts say that sensitive data should only be stored with trustworthy cloud administrators.

Mobile devices

Finally, the widespread usage of smartphones and tablets is also posing new security issues.

Each person in Qatar owns 2.8 phones – the highest per capita rate in the world, according to Index Mundi. With a 77 percent growth in traffic from mobile devices forecast for the MENA region in the next three years, mobile security is set to be a big issue.

The report states that the main problem is a general lack of security awareness, particularly when using mobile devices. Attackers are developing sophisticated mobile malware to take advantage of this lack of knowledge on how to secure smartphones and tablets.

Recommendations for improving Qatar’s cyber security include setting up data sharing between the public and private sectors, with a working group set up to facilitate information flow.

The report also calls for more training and education for young people on cyber security, to create a new generation of experts and to have better public awareness among the general public about potential threats and how to secure their systems.

Thoughts?