On Aug. 29, Lebanese ministers convened at Beiteddine Palace, the summer residence of the Lebanese president, for a routine cabinet meeting. The 40-item agenda for discussion featured a number of pressing matters, notably long-pending judicial appointments. But the final item on the docket — examining the new National Lebanese Strategy for Cybersecurity — stole the show. After a six-month drafting process, the strategy was first introduced before the cabinet. Lina Oueidat, Lebanon’s national information and communications technology (ICT) coordinator, briefed ministers on the tenets of the cybersecurity strategy. Once the presentation drew to a close, the council of ministers adopted the landmark plan. The endorsement of the cybersecurity strategy intrigued the local media, capturing headlines and generating uncharacteristic interest among a populace accustomed to the lackluster policy initiatives of current and previous governments.
The rollout of the cybersecurity strategy was initially slated for the first week of November. Since the resignation of Lebanese Prime Minister Saad Hariri on Oct. 29, amid a whirlwind of nationwide anti-government protests, the launch date has been pushed back, presumably contingent upon the formation of a new cabinet.
The National Lebanese Strategy for Cybersecurity is composed of two main sections: 1) preparation of a cybersecurity strategy and 2) establishment of a national cybersecurity agency.
The first part rests on eight pillars:
- Defend, deter, and reinforce safeguards against external and internal threats
- Foster international cooperation in the field of cybersecurity
- Expand state capacity to support the development of ICT
- Bolster Lebanon’s educational capacity within the realm of cybersecurity
- Build up industrial and technical capacity
- Promote exports and the global expansion of Lebanese cybersecurity companies
- Strengthen collaboration between the public and private sectors
- Expand the role of security and intelligence services in cybersecurity while boosting mutual cooperation and coordination among the aforementioned agencies with the support and supervision of higher authorities
The second part of the strategy stipulates the establishment of an agency, under the auspices of the Higher Defense Council, charged with overseeing its long-term implementation.
The national cybersecurity strategy is the culmination of a months-long effort by the National Cybersecurity Committee, a body chaired by the secretary-general of the Higher Defense Council, Brig. Gen. Mahmoud al-Asmar, and shepherded by Ms. Oueidat, resident point person on cybersecurity matters, who also serves as the ICT advisor for now-caretaker Prime Minister Hariri. While crafting the strategy, committee members attended industry workshops, engaged local stakeholders, and embarked on an observation mission to Estonia, an e-governance powerhouse. The committee has also drawn up an action plan detailing the nuts and bolts of strategy implementation. Once a national cybersecurity agency is inaugurated, the committee is set to be phased out and its duties handed over to the newly formed agency. However, amid the political turbulence gripping Lebanon, the prospect of establishing a cybersecurity agency appears distant, rendering the rollout of the cybersecurity strategy the purview of the National Cybersecurity Committee.
The European Union (EU) played a critical role in bringing the cybersecurity strategy to fruition. The linchpin of EU regional digital development efforts is CyberSouth, a joint project between the EU and the Council of Europe that aims to foster legislation and policy to expand the institutional capacity of MENA governments to manage digital threats. Program beneficiaries include Lebanon, Jordan, Morocco, Algeria, and Tunisia. Within the framework of CyberSouth, Lebanese policymakers — and members of the judiciary — gained access to cybercrime workshops and subject matter experts. The EU also dispatched a communication technology expert to counsel the National Cybersecurity Committee on drafting the cybersecurity strategy. In addition, the EU has pledged funds for the implementation of the strategy over a period of four years. The flow of EU largesse will insulate the initiative from austerity measures, at least in the medium term. Moving forward, the Lebanese government must earmark sufficient sums to guarantee the full-scale implementation of the cybersecurity blueprint.
As noted in the cybersecurity strategy, the Lebanese government is pushing for the development of indigenous cybersecurity capabilities. To this end, Lebanese policymakers are pursuing — and considering — a variety of projects. Ms. Oueidat is engaged in talks to secure financial and technical assistance from the International Telecommunication Union, a United Nations agency, and its regional outpost, housed on the premises of Oman National CERT, to assemble and operate a homegrown computer emergency response team, a critical component of cybersecurity infrastructure. In partnership with Lebanese University and Saint Joseph University, the National Cybersecurity Committee also developed a cyber risk assessment tool designed specifically for state institutions. Plans to streamline security operations center (SOC) services for government agencies and critical infrastructure are in the works as well. The National Cybersecurity Committee is also pondering measures to boost the number of cybersecurity professionals, a challenge of global proportions. To narrow the personnel deficit, policymakers floated the idea of setting up a Cyber Academy tasked with training a cadre of advanced cybersecurity analysts, to be recruited from civil servants and university graduates. This is essential for the durability of Lebanon’s cybersecurity initiative.
The delineation of a national cybersecurity strategy marks a major milestone in Lebanese technology policy. As Beirut builds on the nascent strategy and refines its cybersecurity doctrine, the National Cybersecurity Committee and its institutional successors would do well to tackle lingering policy gaps. Bolstering Lebanon’s feeble data privacy laws is an ideal starting point.
Sevan Araz is a Graduate Fellow with the Cyber Program at MEI and an analyst at Catalisto, a New York-based cybersecurity firm. Mr. Araz also conducts research with the Defense Innovation Board. The views expressed in this piece are his own.
This article was based on an interview with Lina Oueidat, Lebanon's ICT Coordinator.