The government of the United Arab Emirates has revealed that, while cybercriminals often go after its banking industry, attackers also target the country’s other systems—especially areas of the UAE’s national infrastructure that are perceived as weak.
The banking sector attracted 35 percent of cyber-attacks, according to Lieutenant Colonel Yasser Mohammad Al Wahabi, who serves as Infrastructure Director, General Directorate of E-Services and Telecom for the UAE’s Ministry of Interior. The remaining 65 percent targeted government e-services, telecommunications systems, and educational institutions.
The government identified mobile phones and the cloud as significant aids to cybercrime, according to the January issue of 999 Magazine, the official English monthly of the UAE’s Ministry of Interior. (Dubai’s MOI publishes 999 online, but only several months after the print edition appears; Gulf News, the English-language paper covering the region, also reported the findings.)
“By using a stolen credit card to purchase a virtual storage in the cloud, an attacker can exploit highly refined and rapid virtual servers to breach encryption algorithms,” Major Rashid Ahmad Lootah, Director of Electronic Evidence at the General Department of Criminal Evidence and Criminology in the Dubai Police, told the publication.
Despite those massive financial losses, persuading any government to reveal the source or scope of in-country hacking attempts often proves a challenge. Dubai’s disclosure, then, is significant despite its vagueness.
Although the UAE may seem a world away, a typical corporation stores millions of dollars’ worth of data abroad. Through July 2012, the worldwide cost of cybercrime clocked in at $110 billion, according to a Symantec report. Fraud represented 42 percent of that total. (Interestingly, the $110 billion figure is an order of magnitude less than the $1 trillion mark recently cited by McAfee, which drew widespread criticism.) According to Symantec, the countries whose citizens are most vulnerable to cybercrime are Russia, China, and South Africa.
The European Union is no less affected. Troels Oerting, head of the new European Cybercrime Centre, told The Wall Street Journal that the multi-country collective is losing about 1.5 billion Euros a year from online credit card and ATM fraud, in addition to 106 billion Euros in value-added tax (VAT) fraud.
There are a few lessons here for U.S. data center operators. First, don’t assume that any sector is “safe,” even if the information that you’re protecting isn’t critical financial data with an immediate payoff. Personal information stored on a lightly secured server is valuable by itself, and may actually be used to unlock other, more valuable information, either via a direct hack or as ammunition for a phishing attack.
Second, ensure that overseas facilities are as secure as any domestic sites. Weak points may be within your own domestic network, or they may be overseas.
And finally, share information with law enforcement. It’s inconceivable that the EU didn’t have a centralized cybercrimes unit before now. Sharing information can pay off in the long run.