With government e-transformation, the growth of cloud services and data centres, e-commerce and almost universal smartphone use, Oman is seizing many of the opportunities provided by the latest developments in ICT. However, there are also new risks, particularly breaches in cybersecurity. Preventing these risks, while ensuring seamless and high-speed connectivity and growth is a major challenge and, thankfully, one that the sultanate is very well prepared for. In the latest UN Global Cybersecurity Index, Oman was ranked as the most prepared nation in the GCC region and fourth in the world for dealing with cybercrime as of 2017.

Growing Risks

The sultanate’s sector regulator, the Information Technology Authority (ITA), reported in 2018 that the previous year had seen a total of 880m cyberattacks on government networks. Some 1.41m of these specifically targeted government websites – a figure down on the 1.75m recorded in 2016 – while the ITA’s Information Security Division also dealt with 1,859 spyware and 11,370 virus and malware incidents. In addition, some 2,459 real cybersecurity attacks were reported by government employees and the general public. While these numbers are high, they are by no means exceptional these days. A total of 6.4bn fake emails are sent every day, and in the first quarter of 2018 there were some 1.7bn ransomware attacks worldwide, with 2.4m of them occurring just in the neighbouring UAE. Thus, the sultanate’s adoption of a comprehensive and coordinated cybersecurity strategy has been crucial in defending the country against attack. This has helped boost the ICT sector, as a good security record is essential to becoming an ICT hub.

Plans & Programmes

Indeed, the sultanate has had a high level cybersecurity strategy and master plan in place for some years now. A national governance roadmap for cybersecurity comes under this, with one of the main institutions carrying this out being the Oman Computer Emergency Readiness Team (OCERT). Launched in April 2010, this has been tasked with specifically detecting and analysing risks and raising awareness of them across the sultanate. The Team conducts training exercises and courses for young people, and disseminates information on best practices, as well as current and potential risks, including the issuing of security threat warnings and notices. In addition, the Team organises courses in schools, in conjunction with the Ministry of Education. OCERT also operates within the ITA’s Information Security Management Framework, which has been put together from studying best practices in a variety of private and public sector environments. The Framework establishes a robust system for businesses to use, ensuring a secure working environment, creating confidence amongst users and integrating disaster and business recovery strategies. Regular inspections and monitoring exercises are also held, along with stress tests of vital infrastructure. In September 2018, for example, a major exercise was held to test the preparedness of the electricity grid’s control systems.

Oman also has specific laws to deal with security threats, including a specific Anti-Cybercrime Law. This addresses issues such as IP and data protection, privacy, enforcement of electronic contracts, jurisdictional matters and e-payment systems. A further Law of Electronic Transactions deals with issues thrown up by e-commerce, and particularly ensuring the validity of online purchases. The Oman e-governance framework also includes its own security compliance requirements.

Ernst & Young has been contracted to perform a benchmarking exercise in Oman, as part of its Global Information Security Survey. The ITA and OCERT work closely with 10 other international organisations, including the International Telecommunications Union (ITU), to share cybersecurity assets. Since 2013, OCERT has also hosted the first ITU Cybersecurity Centre.

The sultanate has been proactive in hosting conferences and other international gatherings on cybersecurity, demonstrating awareness of this vital issue.