Security for companies’ IT systems is a growth market as firms move to protect  themselves from costly phenomenon

Sunita Kaul
Special to The Daily Star

DUBAI: The Middle East accounts for just over 1 per cent of hacking globally ­ a statistic about unauthorized breaking into computer systems that may not necessarily jolt you. But take a closer look. In the United Arab Emirates alone, hacking in the first six months of this year grew 300 percent over the last six months of 2002.
Just one hacking incident ­ the ATM fraud ­ earlier this year, meant the country lost between $2 billion and $3 billion. The hacking group which got access to bank computers storing user IDs was later traced to Indonesia. But with no cyber laws in place in many developing countries, bringing the perpetrators to justice is unlikely.
The countries of the Gulf Cooperation Council, including Saudi Arabia, are now holding meetings to put together a cyber law. The law will enable the Gulf Arab countries to cooperate with one another in dealing with cyber crime. European countries already have a cooperation agreement among themselves on this issue. And so do Europe and the US.
Among countries with more than a million internet users, the United States of America and Israel are still the top 10 sources of attacks. But what is surprising is that among countries with between 100,000 and a million internet users, five countries from the Middle East region have been classified as among the top 10 countries vulnerable to hackers’ attacks, according to a recent report by Symantec. These countries are Iran, Kuwait, UAE, Saudi Arabia and Egypt. Symantec is the world leader in internet security.
According to Alexander Sheikh, a consultant who worked with Symantec, the precise figures concerning hacking in the Middle East are impossible to establish.
“Most companies are shy about declaring hacking incidents publicly, maybe for security reasons,” Sheikh said.
“But I can assure you incidents of hacking in the region are on the increase.”
To give this statement credence, he spoke of the time ­ some four years ago ­ when a major oil company in the region set up an intrusion detection system. From the day the system was set up, the company detected 2,000 illegal hackings a day on their network.
Why do hackers hack? Strangely enough, hacking is not always done with a purpose. A recent survey by Zone H (a website where hackers openly advertise their activities) showed that 30 percent of hackings were done for no apparent reason, 24 percent just for fun or because the systems were available, 20 percent by employees of an organization and the balance split between industrial spying and governmental spying.
According to Sheikh, “social engineering” is a very important part of hacking. An outside consultant works in an organization on a project, asks the secretary to give him the system password, gets access to the system, works in the organization for a few months and then leaves. But he still has the password and he can still enter the system and play havoc.
Sheikh adds: “Six months after I left an organization, I send an e-mail on my old e-mail address and it was still valid. No one had deleted it. These kinds of lapses by the systems administrator can give access to former employees to the organization’s vital secrets. “
Imagine a large organization, with many offices, but one central IT department. It could take the IT department months to know how many employees have left. In the meantime the damage could be done.
Patrick Hayati of Network Associates, an American security company with offices in the Middle East, says, “Hackers are not what people imagine ­ smart young computer savvy guys, sitting for hours at a stretch in dark dungeons, trying to get access to systems they want to hack. They are normal people, not always unknown to an organization. In fact many of them have access to the computer system that they want to hack.”
Hayati says what is most interesting and perhaps little known is the fact that it’s not just large corporations that are hacked. Individual PC owners, with computers at home, could be visited by hackers. The hacker may just browse through information in the computer without actually defiling or stealing anything.
Hayati adds that awareness in the Middle East on issues like hacking is growing and this is what is making security companies like his grow over 50 percent annually. He says the Middle East market for security services is worth more than $150 million a year.
With the ongoing war on terror, hacking from Middle East countries could be on the increase, say computer industry analysts. But their susceptibility to attacks from other governments tracking down terror attacks is also likely to increase.
Shortly after Sept. 11, 2001 a group calling itself the “Dispatchers” posted a message taking responsibility for disabling an internet service provider (ISP) in the Middle East and announcing that they would continue to attack ISPs in Afghanistan, Iraq and other Middle East countries in retaliation for the attacks in the US.
Israel is constantly trying to hack financial institutions in the Middle East, say analysts. But computer security services companies refuse to confirm whether any such attacks of hacking have been successful. They say no bank would like to talk about it. Besides being an active hacker, Israel is high on the list of countries being attacked. The attacks have escalated especially since the start of the second intifada in September 2000. Various Israeli sites have been defaced. One report says nearly 45 percent of Israeli sites have been attacked.
No one admits it but a computer expert speaking on condition of anonymity said the US is constantly monitoring internet chatter. It monitors key words which could be linked to terrorism for instance. As soon as that chatter increases, US authorities can come to know if it is directed from the Middle East. That’s how they come up with early warnings which, like in the case of the recent bomb attack in Riyadh, proved quite accurate.
Many Islamic websites have already been forced to close due to US pressure. Amine Mehabila, head of the consulting department at Comguard, says the US monitoring of some organizations and e-mail addresses has increased over the last two years.
Meanwhile on the computer piracy front, the Middle East region has recorded the most significant reduction in piracy rates globally. Piracy has dropped 34 percent from 84 percent in 1994 to 50 percent in 2002, according to the Business Software Alliance (BSA). Leading the region is the UAE with a 50 point drop from 86 percent piracy in 1994 to 36 percent in 2002.
But despite the progress, piracy still remains an irritant to software companies in the region.
Adobe systems is the world’s second largest company in desktop software with products like Photoshop, Illustrator and Acrobat. The company has been working hard at Arabizing its products for the Middle East market. The company says its software is not protected because that would mean additional costs to the end user.
Ibrahim Lahoud, regional manager of Adobe Systems, says, “If you look at worldwide rates of piracy we are talking about between 30-40 percent worldwide, then when you narrow it down to this region it’s 70-80 percent ­ then you narrow it down further ­ to Lebanon, to Egypt, it gets worse. This is where we have the highest ratios of 70-80 percent and even 85 percent ­ which is very scary ­ which means for every 100 users of your software, you have roughly 11 or 12 who pay for it and others are stealing it. So how does the market expect us to invest more if we are basically making less and less money every year?”
Asked if this will impact Adobe’s Arabization program, Lahoud replies in the affirmative: “It definitely will. Because we spend a lot of money Arabizing, yet we don’t increase the price ­ so you buy English and Arabic at the same price ­ we are already absorbing that … one day everybody will realize if the whole market is pirated, we don’t have … money to develop more Arabic software. We are not going to develop Arabic software.”
Jawad al-Radha, co-chairman of the Middle East Business Software Alliance (BSA), admits that some years back many Arabic software-developing companies withdrew from the market or shifted out of the business altogether due to losses from piracy ­ but with a piracy law proposed now in the region, they are slowly back in business. Four years ago, the BSA had only three Arabic software developers as members but today there are 15. However, he admits that though the piracy law in the region is in place there are differences in implementation. Some countries like Lebanon, Kuwait, Qatar are not strong in implementing laws, Radha says.
The BSA 2002 study shows that piracy continues to pose serious challenges to the software industry. There were no significant drops in piracy rates from 2001 to 2002. The North America, Middle East/Africa and Latin America regions all experienced only slight piracy rate decreases. So countries like Oman for instance still show a piracy rate of 70 percent ­ though this is comparatively better than the earlier 96 percent. Countries like Qatar and Bahrain continue to have piracy rates of 76 percent.
But piracy or no piracy, the Middle East IT industry has entered a high growth period. It is projected to grow to $8 billion in 2005 from the current $6 billion. Whatever the problems, and these are common to the global IT industry, no international company can afford to sit back and ignore this region.