Cyber-Security in the Clutches of Social Engineering

2 August 2016

Cyber-crimes, cyber-attack, cyber-bullying, cyber-war, and cyber-terrorism are names of threats that have a common prefix: CYBER. This refers to cyberspace, which is the medium in which these crimes occur.
Though cyberspace is the obvious common element of these crimes, statistics show that there’s another, hidden common element for these crimes to be committed 'The human element'. No matter what tool or technology is used in these crimes, the crime is still committed in cyberspace depending on humans, which has become known as social engineering.

Social Engineering

Experts have defined social engineering as a psychological attack that relies heavily on human interaction. It is built on persuading the victim to abandon security precautions and uses their confidence to convince them to break normal security procedures. As cyber security experts indicate, people are the weakest link when it comes to cyber-security, which is why psychological manipulation of cyber-attack victims is so common.

Therefore, with the absence of digital threat awareness and inefficacy of laws to protect victims, crimes like online extortion, online harassment, electronic fraud, and identity theft all find a fertile environment for growth. At first glance, Arab governments may find these crimes to be crimes against individuals, so they do not give them adequate attention (as their primary attention is on national security, not individual security). However, what they have missed is knowing that all cyber crimes are based on social engineering and an attacked individual is a gateway to attack the nation.

Social engineering attackers persuade the target to click on a link, open an attachment, install a program, or download a file. With the help of social engineering’s victims, attackers gain physical access to a target’s devices and networks, which facilitates access to a network, database, or building, then to follow-on network-based attacks, such as installing malware on the network.

According to statistics, major cyber crimes are the result of an attacker gaining initial access via social engineering, usually by convincing the victim through their own free will to download or install malware that opens up the target network to the attacker.

Egyptian laws target the wrong subject

As an attempt to keep pace with the growing social impact of information technology on the development of political events, in 2015, the Egyptian government with its legislative authority (as stated in constitution, in case of the absence of parliament as the legislative body, the executive authority has the power to legislate and issue laws to face emergent events) drafted a Cybercrimes bill, which turned out to be a flawed and imperfect law. It puts restrictions and harsh sanctions against the freedom of expression, acting as if freedom of expression is the main threat against the stability of the state. This ignores the fact that online users need to feel secure when they are using the internet and this is the main obligation of the government to maintain security for citizens – and netizens – equally!

So according to this bill, criminals who commit one of the above-mentioned crimes that target individuals (except identity theft) when creating a website, or account and falsely attributed to a natural or a moral person. But in the case of illegal access to an account that already exists, it is criminalized only in case of using one’s identity in a manner offends its owner are protected against any charges.

It is notable to mention that until this moment, this bill is not ratified by the parliament or signed by the Egyptian president to enter into force.

In May 2016, another cybersecurity law draft was presented by a Parliament member, which was not much different from the previous bill and focused on the crime of speech and free expression as if it is the major threat to national security. Article 28 of this draft law gives permission to the security authorities to arrest anyone who violates the provisions of this law, without mention of the necessity of having a prior permission from the competent court.

According to this draft, security authorities can legally detain persons without a judicial warrant, which can be considered a flagrant violation of the public rights protected by the constitution. Whereas Article 54 of Egyptian Constitution states: Personal freedom is a natural right which is safeguarded and cannot be infringed upon. Except in cases of in flagrante delicto, citizens may only be apprehended, searched, arrested, or have their freedoms restricted by a causal judicial warrant necessitated by an investigation.

Therefore, legally the victims of cybercrime, either individuals, or the state itself, they are victims of the failure of the state to provide legal protection, and support for infrastructure projects in addition to omission of raising the awareness of the individuals towards the dangers of the Internet.
The future of cyber-security in Egypt depends on protection of individual digital rights

Policymakers don’t realize that when you put restrictions on the freedom of expression, and do not take much care to protect the privacy of internet users, that they are paving the path for cyber criminals to commit crimes. They are also causing harm to the state economy and national security, because in a world being constantly digitized, the internet economy will dominate. A country that puts restrictions on digital rights will be a rejected and disliked destination for digital industry investors.

Moreover, within a few years, these countries that don’t produce information technology will not be able to protect themselves, and regarding the rapid development of cyberwar and cyberterrorism they will not be able to protect their national security.

It is a government’s essential duty to protect the assets of the country as well as national security, and this duty will not be fulfilled by putting restrictions (what are the benefits of the locks on a door, when it is freely opened to intruders?), so the first step for protecting national security is to awareness about online threats, and then govern the use of the Internet by just laws that balance between common interests and individual interests.Therefore, the conflict between the state and individual digital rights should be resolved in favor of digital rights, before it is too late.
Ms. Doaa Shendy Internet Policy Analyst & Lawyer Stanley group, Egypt