Most organisations have defences in place to protect against physical attacks, such as armed robbery. Protective measures operate on a few simple premises:
- Just because it has not happened, this does not mean it will not happen in the future;
- Strong, obvious defences are a deterrent against opportunistic threats, but do not guarantee protection against more sophisticated attackers;
- Defensive measures must remain robust, up-to-date and consistent throughout an organisation.
This should be no different for cyber threats. The threat may have changed – it is now virtual as well as physical – but the defences that companies have in place should follow the same logic. In other ways, things will be different. Physical attacks are likely to be localised, whereas a successful cyber attack on, for example, a whole financial system is potentially far more serious from a financial stability perspective.
The motivations of criminals, terrorist organisations and state-sponsored actors for conducting cyber attacks vary. More often than not they are economic, but other aims include damaging a system, either to destroy data or to cause non-availability of systems, or both. The capability of these actors, and thus the nature of the threat, is rapidly evolving: barriers to entry are low in cyber space and attacks are readily scalable. Low-level attacks are no longer isolated events but are continuous.
New Cyber Crimes Law
The main Bahrain legislation currently relevant to cyber crime is the Constitution, the Penal Code, the Telecommunications Law, and the Central Bank of Bahrain Law and its regulatory framework. In recognition of the growing cyber threat and the need to amend the existing law, Bahrain will be introducing a new cyber crimes law, once it is approved by the Shura Council, based on the Council of Europe Convention on Cybercrime of 2001 (the Budapest Convention), among other international instruments. Cyber attacks can originate from anywhere in the world, and the potential advantages for Bahrain of modelling its proposed law on the convention are conciseness, broader consensus, and assistance from member countries in investigating and prosecuting cyber crimes. The draft new law lists cyber offences, including unauthorised access, interference with data or a system, unauthorised interception of data, threatening to cause damage, misuse of devices, forgery, fraud and others. Special provisions will grant the courts the power to search, seize, preserve and produce stored data. Proposed penalties include substantial fines and/or imprisonment, and both firms and individuals can be held liable.
Managing Cyber Risk
Bahrain’s proposed new cyber law will align it with international law and is a welcome development. But the detailed prescription of any law is only one part of managing risk. Governments, regulators, firms and individuals all need to develop and implement best practices to counter cyber threats. For example, the Bank of England, which regulates the UK financial sector, recently launched a new framework to test for cyber vulnerabilities. Called CBEST, it brings together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests in a controlled environment. What makes this different from other security tests is that it is intelligence-led, bespoke and adapts to changing threats.
Another UK initiative from the Government Department for Business, Innovation and Skills is Cyber Essentials, a cyber security certification scheme. Companies that are awarded certification will be able to show consumers they have measures in place to help defend against common cyber threats. The scheme has the backing of insurers, which are offering reduced premiums and other incentives for firms to become certified. By implementing similar initiatives in Bahrain, as well as adopting self-protection measures like encryption and enhanced data protection, organisations and individuals will be better prepared to face cyber threats.