Internet Infrastructure Security Guidelines for the Arab States

Executive Summary

As many Arab states continue to modernize and diversify their economies with a focus on digital services, trade and e-government, both the opportunities and threats of the Internet are amplified.^[1] With more dependence now on the Internet in economy, society and critical information infrastructure, maintaining Internet connectivity is essential. To do this, countries need to focus not just on cybersecurity, but specifically on policies, technologies and best practices that strengthen the security of Internet infrastructure.

How we approach cybersecurity is changing. The most up to date regional cybersecurity frameworks do not concentrate on security as the end-goal, but rather on making security facilitate overall social and economic goals. Cybersecurity today does not aim to close off infrastructure – “building moats and pulling up the drawbridge”. It focuses on the role of security in facilitating an interconnected and interdependent global digital economy. The best way to do this is to work collaboratively.

The Internet is made up of independent networks that interconnect using open standards to ensure interoperability. Internet infrastructure includes protocols and services, software and hardware, network interconnection, communication infrastructure, information and is supported with human resources. As the Internet is a ‘network of networks’, focusing purely on national network resilience will not ensure ongoing connectivity; regional Internet resilience needs to be the goal.

Key principles:

Guided by regional experts, and international and regional frameworks on cybersecurity, the Internet Society has identified these essential principles to secure the Internet:

• Awareness – Stakeholders in both the public and private sectors need to understand the security risks, as well as how they and others in the Internet infrastructure ecosystem are impacted by these risks.
• Responsibility – Each stakeholder should take responsibility for the management of security risks within their respective roles and organizations, taking into account the potential impact of their action or inaction on others.
• Collaboration – All stakeholders, including those across borders, must be included in an ongoing cybersecurity dialogue to effectively counter new and persistent threats.
• Fundamental Rights and Internet Properties – All stakeholders’ actions to manage security risks should adhere to fundamental rights, be transparent, and not infringe upon the Internet properties of voluntary collaboration, open standards, reusable technology building blocks, integrity, permission-free innovation and global reach.^[2]

Policies and strategies should include consideration of their impact on the underlying architecture of the Internet and ensure that they do not negatively impact the openness, innovation, and global reach of the Internet.

The security landscape in the Arab states:

Some key aspects of the current security landscape in the Arab states are:

• National cybersecurity strategies have not been implemented in all countries. They tend to be under-resourced and often focused on a more “top-down control” models than the more up to date collaborative approach.
• Computer Security Incident Response Teams (CSIRTS) (also known as Computer Emergency Response Teams, or CERTs) tend to have less collaboration with the private sector and other stakeholders than in other regions. More collaborative relationships are needed to improve information-sharing, vulnerability-disclosure, capacity-building and incident response.
• Internet infrastructure security and resilience lag in some other regions, but there is an appetite for more cooperative and multi-sectoral partnerships that will allow the public and private sectors to work together.

Recommendations:

Governments and other stakeholders should empower organizations and institutions to create a collaborative culture of Internet infrastructure security for economic and social prosperity.

Nationally, Governments should foster an open, collaborative and resilient Internet security ecosystem that includes:

• Identifying and protecting critical information infrastructure
• Improving Internet infrastructure resilience by facilitating deployment of security standards and best practices
• Improving Internet infrastructure resilience through better network interconnection
• Facilitating information exchange and relationship-building across all stakeholders
• Establishing and strengthening national-level Computer Security Incident Response Teams (CSIRTs),
• Using public institutions to lead by example
• Identifying and addressing legal barriers to information-sharing (including supporting ‘white hat’ security researchers) and research on security vulnerabilities, incidents and threats.

Regionally, Governments should work with all stakeholders to strengthen regional collaboration:

• Establish a regional group of security experts from government, business, technical, academic and civil society to provide non-binding guidance to the region on Internet infrastructure security issues as needed.
• Participate in and deepen existing communication and coordination cybersecurity initiatives, including consideration of whether to establish a regional threat intelligence-sharing platform
• Pool CSIRT resources where possible, for example, coordinating and sharing training courses between CSIRTs – to increase knowledge and experience and to build cross-border relationships between professionals that build trust for further collaboration
• Increase resiliency of the networks to attacks and outages by facilitating diversity of interconnections between networks, nationally, regionally and internationally.

Read the full report

---

Endnotes

[1] https://gulfif.org/the-new-battlefront-cyber-security-across-the-gcc/

[2] https://www.internetsociety.org/internet-invariants-what-really-matters