Preparing for Cyber and Physical Security Risks at the 2024 Esports World Cup

Iranian Cyberattacks

Saudi Arabia is a major target of cyberattacks due to its geopolitical relevance, wealth, and high number of smart device users. (see source 1 in appendix) Cyberattacks with the primary goal of leaking confidential information comprised 40% of attacks in the Middle East during 2022 to 2023, and in 2020, the average cost of a data breach on an organization in Saudi Arabia was $6.53 million. (see source 2 in appendix) Hacking groups affiliated with Iran, in addition to Iranian state actors, are likely responsible for the vast majority of attacks against Saudi entities due to the two countries’ ongoing regional power struggle. (see source 3 in appendix) We assess that attendees, participants, and event affiliated personnel may become targets of cyberattacks by Iran during their stay in Saudi Arabia.

Saudi Electronic Surveillance

Saudi Arabia could use its electronic surveillance and monitoring capabilities in combination with human sources to conduct surveillance against foreigners attending the Esports World Cup. Saudi efforts to acquire information on people critical of the Saudi government and to enhance competitive advantages for their businesses have not stopped within the kingdom’s borders, and travelers may become targets for surveillance leading up to and during their stay in Saudi Arabia based on their employment or connections to individuals of interest to Saudi Arabia.

In December 2022, a US court found a former Twitter employee guilty of spying on users on behalf of the Saudi royal family. The former employee was part of a scheme to acquire the personal information of users, including email addresses, phone numbers, IP addresses, and birth dates of users who were critical of the Saudi government and provide the information to a Saudi government agent. (see source 4 in appendix)

In 2018, Saudi Arabia’s Crown Prince’s WhatsApp account deployed digital spyware enabling surveillance of Amazon CEO Jeff Bezos, in an act the UN Human Rights Commission called a “contravention of fundamental international human rights standards.” (see source 5 in appendix) The goal of the exfiltration of data from Bezos’ phone was likely related to whether Amazon Web Services (AWS) would establish a major data center in Saudi Arabia, after AWS had announced plans for centers in Bahrain and UAE. (see source 6 in appendix)

Terrorist Threat

Terrorism continues to be a concern for visitors to Saudi Arabia. According to the US State Department, attacks can occur with little or no warning. Past attacks have targeted tourist locations, large gatherings, transportation hubs, markets/shopping malls, and local government facilities. (see source 7 in appendix)

Houthis operating in Yemen have fired long-range missiles into Saudi Arabia, specifically targeting populated areas and civilian infrastructure; they have publicly stated their intent to continue doing so. (see source 8 in appendix) Missile attacks have targeted major cities such as Riyadh and Jeddah, Riyadh’s international airport, Saudi Aramco facilities, and vessels in Red Sea shipping lanes. (see source 9 in appendix) Rebel groups are also in possession of unmanned aerial systems and drones, which they have used to target civilian infrastructure and military facilities in Saudi Arabia. (see source 10 in appendix)

Social Media

The US State Department also highlights that social media commentary, including past comments, which Saudi authorities may deem critical, offensive, or disruptive to public order, could lead to arrest. This may include posting, re-posting, or liking comments about Saudi institutions, policies, and public life. U.S. citizens have been convicted for social media activity under Saudi laws concerning cybercrime, terrorism, and disrupting public order. Punishment for social media activity has included prison sentences of up to 45 years in some cases. Saudi courts do not necessarily consider the timeframe of the posts or the location from which they were made to be material to these cases. (see source 11 in appendix)

LGBTQ+

As of early June 2024, the Saudi Tourism Authority website stated that everyone is welcome to visit Saudi and visitors are not required to disclose their personal information and each visitor’s right to privacy will be respected. (see source 12 in appendix) However same-sex sexual relations, even when consensual, are criminalized in Saudi Arabia. Violations of Saudi laws governing perceived expressions of, or support for, same-sex sexual relations, including on social media, may be subject to severe punishment. (see source 13 in appendix) Potential penalties include fines, jail time, or death. (see source 14 in appendix)

In 2017, Saudi outlets denied claims that two transgender women along with more than 30 members of the LGBTQ+ community from Pakistan were beaten to death while in police custody after being arrested. (see source 15 in appendix) In Pakistan, transgender activist, Farzana Riaz, told a news conference on Monday that sources in the transgender community in Saudi Arabia had told her the two Pakistanis were beaten to death with sticks. (see source 16 in appendix) Saudi media reported that police had arrested around 35 people after raiding a party where men were dressed as women and were wearing make-up. (see source 17 in appendix) Saudi media did not use the word transgender, nor admit that anyone had been killed.

Attire

Tourists are expected to dress modestly in public, avoiding tight fitting clothing or clothes with profane language or images; women are not required to wear abayas or cover their hair but are expected to cover their shoulders and knees, and men should not go without a shirt. (see source 18 in appendix) Women who choose not to conform to Saudi Arabia’s dress code face a risk of confrontation by mutawa, negative or hostile comments by Saudi citizens, and possible detention. (see source 19 in appendix)

Saudi fitness influencer, Manahel al-Otaibi, was jailed for 11 years after going shopping in “Indecent clothing” and expressing her views about the conservative country in January 2024. (See source 20 in appendix)