- Cybercrime is an escalating threat to the economies of the Gulf Cooperation Council (GCC), and to their plans for digital transformation. Reliable data on the incidence of cybercrime in the region are lacking, but news reports and statements by police and government officials give anecdotal credence to the likelihood that the problem is increasing.
- A failure to tackle cybercrime would imperil strategic development plans intended to diversify GCC economies and reduce their reliance on the hydrocarbons sector. These plans involve expanding the region’s digital capabilities – leveraging, among other things, the existence of a large cohort of tech-savvy young people and high levels of internet and mobile penetration. GCC states and cities are developing – and aspire to expand – ‘smart infrastructure’ consisting of networked devices, adaptive systems and other digital technologies. But many of the likely components of this infrastructure are known for poor security, and thus vulnerable to cyberattack.
- GCC states have invested heavily in cyber protection, and have developed a variety of legislative and other measures to tackle cybercrime. However, current policies and instruments are inadequate. Legal frameworks are underdeveloped and have yet to be fully implemented, and there is no common approach across the region. The speed of technological change means that anti-cybercrime tools, policies and laws must be continually evaluated and updated to remain effective. Differences in the substance of cybercrime laws, including the very definition of ‘cybercrime’, among GCC members pose problems for global policy coordination, as does uneven implementation.
- The development of cybercrime legal frameworks is essential to the management of cybersecurity risks in the GCC. Having cybercrime laws to which all states adhere, and that are in line with international norms and standards, would support a safe, trustworthy and secure internet. While all six GCC states have cybercrime laws in place, most of these laws focus on criminalization and expand the definition of content-related cybercrime to a wide spectrum of acts such as defamation and damaging the state’s reputation – using vaguely worded provisions which may therefore fail to ensure adequate protection of human rights as defined in international law. In addition, in most cases GCC cybercrime laws neither elaborate on procedural law nor provide a legal basis for interstate cooperation.
- Regional and international anti-cybercrime cooperation in the GCC countries is still in its infancy. Most GCC countries still rely on informal regional and international channels, such as police-to-police or agency-to-agency cooperation. While useful, these mechanisms limit investigative actions, lack a common approach, and must operate within multiple law enforcement networks.
- The GCC needs to explore feasible and practical options for regional and international anti-cybercrime cooperation. One possible course of action would be to build on agreements already in place, such as the Arab Convention on Combating Information Technology Offences. Revising legislation, promoting expertise in the judiciary, and enhancing regional and international cooperation arrangements also need to be pursued as matters of urgency if the region is to benefit from a comprehensive, multi-stakeholder, multifaceted cybersafety framework.