
To read the full analyses, please click here. While the analyses and the interview present independent perspectives, they are complementary in their exploration of the issue.
Profile of the Interviewee
Rawaz A. Muhammed: An AI, software engineering, and cybersecurity professional with over 16 years of experience, holding certifications including CISM, CompTIA SecurityX (CASP+), CCNP, HCIP, and multiple Microsoft credentials. He has authored four peer-reviewed research papers on the intersection of artificial intelligence and cybersecurity and has served as a cybersecurity trainer at the university level. He currently serves as Data Protection Supervisor at IQ Group, Iraq's largest internet service provider, where he oversees data privacy, regulatory compliance, and the protection of critical information assets across a complex telecommunications infrastructure.
Using the experience of several years of operation in the sphere of cybersecurity and data protection in Iraq in the private sector, I can affirm that the issues of cybersecurity in Iraq are more of a governance and institutional issue rather than a technical issue. Despite some undoubted technical failures, they are signs of more structural failures.
I would like to speak about the significant points of this problem. Firstly, there is an absence of a national cybersecurity strategy. Up to now, Iraq has yet to have an inclusive, binding national cybersecurity policy that can be followed by all government organs. By this, I would say in real practice that all individual ministries, all individual agencies, and all governorates are operating in silos with respect to cybersecurity. There is no unified structure, shared threat intelligence system, or unified incident response strategy. Every institution makes up its own ad hoc solution — as far as it makes one. This is possibly the biggest structural weakness in Iraq's cybersecurity posture.
Second, a lack of cybercrime law. The lack of laws implies that there is no legal framework to prevent criminals from engaging in cybercrime, to protect victims of cyberattacks, or to impose compulsory cybersecurity regulations on government and corporate organizations. This is a huge disparity. A legal framework is necessary in any country that is keen enough to improve its cybersecurity. Without it, they cannot be imposed upon or held responsible, and no legal obligation exists for organizations to invest in security measures. As a data protection supervisor, this gap is especially vexing since it implies that we have no legal authority to force organizations to secure personal information, report data leakages, and ensure a minimum level of security.
Third, lack of inter-institutional coordination. The roles of a number of government agencies in Iraq relate to cybersecurity, albeit in an indirect manner, such as the Ministry of Communications, the Ministry of Interior, the National Security Advisory, intelligence agencies, and the newly established Cybersecurity Directorate. There is, however, very poor coordination among these organizations. Their mandates are overlapping, they have blurred jurisdictions, and they are likely to have conflicting priorities. Little information is exchanged between them. This leaves coverage gaps, overlaps, and a scenario where no one organization has a good, authoritative image of the national threat picture.
Fourth, political decision-making is an avoidance of technical judgment. This is a serious matter that cuts across the board. The organization of cybersecurity in most instances is based on politics and not technical excellence in terms of making decisions related to the procurement of technology systems and even the staffing of the cybersecurity leadership offices. Security systems contracts can be given according to political affiliations instead of the quality of the solution.
The leadership positions can be held at the expense of party allegiance and not on professionalism. This means that the ones who make the most crucial decisions on the security of the digital infrastructure in Iraq are not the ones who are most qualified to make the decision. Fifth, technical inadequacies as a by-product. Sure, the technical issues are also considerable — old systems, inability to monitor and detect, weak network infrastructure, patching and updating inconsistency, the lack of appropriate backup systems, and the inability to deploy the latest security solutions such as SIEM, EDR, and zero-trust architecture.
These technical loopholes are, however, largely a product of the failures in governance mentioned above. Weak institutions, absence of a legal requirement, and budget allocation on political and not technical priorities all lead to the unavoidable outcome that technology investments are insufficient, poorly planned, and not maintained uniformly. In a nutshell, it is a systemic issue. The initial phase is the creation of institutions, the second phase is stipulating legal frameworks, and the third phase is technology investment within that framework of governance. Purchasing technology without taking issues of governance into consideration is akin to building a house without a foundation.
The cybersecurity skills gap in Iraq is acute and appears in both the government and the business realm, albeit differently and due to various reasons. I will speak about each sector individually and then about the capability of the private sector to offset the failures of the government. The patronage system contributes to the skills gap in government. Cybersecurity work, whether in leadership roles or technical roles, is usually allocated either on party/tribal grounds or on personal grounds. This is not particular to cybersecurity but is a systemic issue across much of the Iraqi public sector. Yet the effects are particularly acute within the realm of cybersecurity, since it is a highly professional domain, and technical expertise in the domain is not negotiable but mandatory. An uneducated person who has a chance to oversee the cybersecurity of a company would deliver the expected results: inadequately configured systems, unpatched security holes, failure to detect intrusions, and lack of efficiency in responding to the events that occur.
Personally, I have witnessed cases where people in cybersecurity management roles had little to no knowledge of network security concepts and yet were in charge of safeguarding crucial systems of government. The skills gap in the private sector takes a different form. The main issue is retention. Salaries in Iraq, including in the private sector, are very low compared to what these professionals would earn in the Gulf states, Europe, or North America, which creates problems in retaining qualified cybersecurity staff in Iraq. This gives rise to what is normally known as brain drain. Many of the most promising cybersecurity professionals in Iraq have left their jobs in the country to pursue more promising destinations, particularly the UAE, Saudi Arabia, Jordan, and Turkey. Those who stay have mostly taken up jobs with international organizations or foreign companies in Iraq where the wages are more competitive.
The academic pipeline is an issue as well. Specialized cybersecurity degree courses of an international standard are not available at universities in Iraq, with some notable exceptions. The majority of the cybersecurity training in Iraq is theoretical, obsolete, and unrelated to the real world of the profession. Without gaining practical experience in penetration testing, incident response, digital forensics, or security operations, graduates exit school with no hands-on experience. This means more comprehensive supplementary training will be required to enable even new workers to be productive. Moreover, professionally accepted and recommended international qualifications like CISSP, CEH, OSCP, CompTIA Security+, etc. are not officially approved and advertised by the civil system of the Iraqi government.
There is no career ladder that supports cybersecurity professionals in the public sector, no professional development model, and no recognition of specialized knowledge. This gives people no incentive to spend their time and money on getting these credentials. Is this a gap that can be closed by the private sector? In part, but not altogether. During the last few years, the private sector in Iraq has played a significant role. Several privately owned entities have started to offer cybersecurity consultancy, managed security services, vulnerability testing, and penetration testing, as well as security awareness training. These firms employ some highly qualified professionals and offer services of an international standard. The private sector is more receptive as well — they can be quicker with new technology, attract more talent with high remuneration packages, and are more responsive to market demands than a bureaucratic government sector.
However, the private sector comes with certain limitations with regard to covering the deficits of governments, for several reasons. Firstly, there is no legal and regulatory framework, which implies that the business world operates on the terrain of voluntary compliance. The reason why companies invest in cybersecurity is not necessity but the desire to do it. This implies that the minimum level of security in the private sector is unevenly distributed: some businesses have outstanding security, and others none whatsoever. Second, the private sector might fail to fulfil the role that a government should play directly, such as securing vital national infrastructure, building a nationwide level of threat intelligence sharing, or setting and implementing cybersecurity standards. These are the sovereign functions that require state authority. And, finally, it must be admitted, the Iraqi private sector is still too small and underdeveloped in comparison with the private sectors of the neighboring states. The cybersecurity service market in Iraq is growing but is limited by the unmet demand, awareness of cybersecurity risk by businesses, and an unfamiliar business environment within the country. To reach its full potential and add value to closing the skills gap, the government needs to provide an enabling environment for the private sector, i.e., through legislation, incentives, public-private partnerships, and investing in education.
Not only is this one of the most crucial questions but also one of the most worrying questions in the field of cybersecurity in Iraq. The brief reply is that there is no explicit definition of responsibility for securing critical infrastructure, and this ambiguity poses a significant threat. The Iraqi economy is based on the oil and gas industry, since the majority of government revenue comes from oil and gas. This industry has infrastructure that is predominantly owned by the state, including pipelines, refineries, pumping stations, export terminals, and power generation plants, owned by government bodies such as the Ministry of Oil, South Oil Company, North Oil Company, and others.
However, the technology that drives such facilities, namely the SCADA systems, industrial control systems (ICS), distributed control systems (DCS), and the IT networks that power such systems, is all installed and more often than not serviced by foreign technology suppliers and independent contractors. This leads to a bewildering state: who is responsible for cybersecurity? On paper, the owner of the infrastructure is the state-owned entity and, therefore, assumes full responsibility.
More realistically, the state-owned entity is not necessarily in a position to protect these systems with its own technical skills. The technology vendor may be contracted with the obligation to maintain the system, but not necessarily its cybersecurity, or only for the system they installed. What is covered is not the entire network environment but just the system installed. The day-to-day operational support given by the private contractor might include certain security duties, but these are usually ill-defined and inconsistently applied. I have seen this indecision in action. In several instances, when a cybersecurity issue was detected in an oil and gas facility, there would be a lag in the response since no one was certain whom they should contact to handle the issue. The state agency assumed that it would be completed by the vendor. The contractor thought that it would be taken care of by the vendor. The state entity was expected to give guidance to the contractor.
In the meantime, the vulnerability was not addressed. Such a lapse in responsibility is a welcome mat to threat actors. There are other factors contributing to the aggravation of the problem. To begin with, the SCADA and ICS systems that are widely used in the oil and gas industry of Iraq are outdated systems that were not designed with cybersecurity in mind. They are constructed to be reliable and efficient in their operation and not to be secure. It is costly and difficult to retrofit security on such systems. Second, cultural opposition to prioritizing cybersecurity is common in the oil and gas industry. The culture is typically grounded in physical security and operational sustainability, and cybersecurity is viewed as an IT problem rather than an operational risk. Third, the contracts between the state entities and the private vendors are likely to lack clear cybersecurity stipulations, security monitoring service level agreements, and the requirement to conduct security audits and penetration testing. It only takes an explicit regulatory framework that defines the cybersecurity responsibilities of the critical infrastructure operators, the providers of the technology used by them, and their service providers.
This framework should specify minimum levels of security — such as those that comply with IEC 62443 for industrial control systems or the NIST Cybersecurity Framework — and should be reviewed and evaluated periodically. It should also establish an incident reporting requirement whereby, in case of a cybersecurity incident, an adequate communication channel and responsibility for the response are in place. The absence of such a framework also implies that the status quo will be preserved: both parties will think that the other is in the wrong, and the most valuable economic asset that Iraq has will remain inadequately protected against an environment of more complicated and determined attacks than ever. The possible impact of an effective cyberattack on the oil and gas infrastructure in Iraq is immense, not only economically but also in terms of environmental harm, personal safety, and national security.
The lack of a cybercrime law is one of the most important practical problems that I and my colleagues in the private sector must face on a daily basis. It is not an abstract legal issue — it has real-world, physical consequences for how business is conducted, invested in, and hedged in Iraq. I would like to show you how exactly this legal vacuum affects us. Firstly, there is no legal penalty for cybercriminals.
In the absence of a cybercrime law, a clear legal framework to prosecute individuals or groups involved in cyberattacks, data theft, online fraud, or ransomware attacks is lacking. Local and foreign cybercriminals know that Iraq is a relatively less dangerous target, precisely because the legal repercussions of detection are vague. Even in those situations when a cybercrime is reported and the criminal is apprehended, the Iraqi law-enforcement agencies lack any specific legal tools to probe and punish cybercrimes.
The current criminal law provisions used were not created for the digital sphere and are usually insufficient to cater to the nuances of cybercrime. This gives a de facto safe haven to cybercriminal activity, and consequently, Iraq is an attractive target. Second, there are no mandatory security conditions. Without legislation, companies are not legally obligated to take certain cybersecurity precautions, perform regular security evaluations, or maintain certain minimum protection levels. Contrast this with the European Union, where the GDPR and the NIS2 Directive impose demands on organizations in both regards: ensuring the safety of their personal data and the protection of valuable services.
Or, as its analogue, with Saudi Arabia, where binding cybersecurity frameworks have been issued by the National Cybersecurity Authority. In Iraq nothing is the same. Every company makes its own decision on the level of security to be implemented — or not. As a data protection supervisor, I aim to implement the best practices, including ISO 27001 and NIST, among other relevant standards in the industry, although voluntarily. There is no legal requirement that would compel me to do so, and there is no regulatory body that would inspect whether I do or not. Third, the implications for foreign investment and international relations. Cybersecurity due diligence is a growing part of the risk assessment carried out by international companies considering either investment or operations in Iraq. Discovering that Iraq has no legislation against cybercrime, no legislation on the protection of data, and even no legislation that enforces the implementation of data security systems raises red flags.
Multinationals are accustomed to operating within a particular legal system, and the absence of such systems in Iraq creates an air of uncertainty and a sense of threat. It may deter investment and complicate the creation of businesses, not to mention the fact that it will further deter international partners from revealing sensitive technologies or data to Iraqi counterparts. Fourth, protection and privacy of data are not enforceable. Without a law on data protection, customers and citizens lack legal or judicial safeguards over their personal data in case of mishandling, leakage, or theft of their personal information. The law does not require businesses to notify people about breaches of their information.
There are no fines in case of a breach of personal information protection, and no third-party data protection body is available to check adherence. As a data protection supervisor, I find this one of the most difficult aspects of the work. The reason why I have taken data protection measures is that data protection is the right thing to do and it is in line with international best practices, yet I cannot point to a legal obligation that compels me to take data protection measures. This makes it difficult to find a budget, justify investments in security technologies, and get organizational buy-in on the data protection effort. Fifth, cyber insurance virtually does not exist. Companies in mature markets also purchase cyber insurance to provide financial protection in the event of a cyberattack, covering the incident response cost, forensic investigation expenses, legal expenses, regulatory fines, and business interruption costs.
However, the cyber insurance market needs an adequate legal and regulatory framework. The insurers should be in a position to assess risk based on the legal obligations, industry expectations, and regulatory expectations. The absence of such frameworks in Iraq implies that there is practically no means through which insurers can properly price cyber risk; therefore, cyber insurance products are practically impossible (or extremely expensive) to price.
Sixth, incident response and reporting have no regulation. An entity involved in a cybersecurity attack is not legally obliged to report the attack to any authority, to inform those who fall victim, or to take specific actions to correct the situation in the event thereof. Mandatory breach notification laws exist in most countries and require organizations to disclose breach incidents within a given time, normally 72 hours. This serves numerous purposes: it enables the agencies to document the tendencies of perils, it equips individuals in need to take certain precautionary measures, and it makes organizations responsible for a timely and effective reaction. This is not the case in Iraq. Incidents tend to be underreported or simply swept under the carpet, and therefore the true magnitude of cybercrime in Iraq is likely much larger than the one in the spotlight.
Being a cybersecurity expert and the manager of the data protection department, I will tell you the truth: we do our best in the private sector to uphold the highest possible standards, such as ISO 27001, the NIST Cybersecurity Framework, CIS Controls, and other global standards.
But we do not do anything under any legal requirement; we do it on a voluntary basis. This endangers the entire ecosystem because it creates a mammoth gap between those companies that are concerned about cybersecurity and those whose concerns are non-existent. The lack of law is not merely a nuisance; it is a bane to creating a safe digital space in Iraq.
I am a positive pessimist, but I would prefer to be direct and realistic about the magnitude of the work and the conditions under which such a big change can occur. I would like to comment upon each of the elements of this question. Is Iraq able to bridge its cyber gap? Yes, I believe it is possible, but it cannot happen without some drastic shifts in the manner in which the government handles cybersecurity. In 2025, the creation of the Cybersecurity Directorate was a beneficial move. It is an indication that the government is appreciating cybersecurity as a priority and is ready to establish institutional frameworks to deal with it. International relationships, such as those with the ITU, bilateral agreements with countries that already have more developed cybersecurity ecosystems, and relations with international technology vendors, bring the experience, training, and technology that Iraq does not possess at present. The increasing investment in cybersecurity services by the private sector shows that there is market interest and entrepreneurial vitality in the area.
These are, however, the conditions required and not the conditions. They provide the foundation, but truly closing the cyber gap is hard work that needs dedication, allocated resources, and, above all, political will over a few years. I would like to describe the changes that are required. To start with, political influence ought not to be involved in technical decision-making. This is the one change that must take place. All tiers of cybersecurity, beginning with the Cybersecurity Directorate and culminating with the IT security teams of the respective ministries and agencies, must be staffed on the basis of technical qualification, professional certification, and proven expertise. The patronage system that nowadays prevails in public sector appointments is incompatible with effective cybersecurity.
The choices made by a cybersecurity director who was appointed based on party affiliation rather than technical competence will be different from, and worse than, the choices made by a cybersecurity director who was appointed based on merit. This requires a civil service reform in which cybersecurity professionals are given a professional career track, a clear line of qualifications, a good salary, and political immunity. Second, legislation on cybercrime and data protection should be passed in Iraq. This is the top of the legislative agenda. In the absence of a legal framework, the rest of the efforts are built on sand. Some of the key issues that the law needs to cover include: the definition and criminalization of cybercrimes (unauthorized access, data theft, malware distribution, ransomware, denial-of-service attacks, identity theft, and online fraud); industry-wide internet-based security standards that operators of critical infrastructure and organizations dealing with sensitive data need to adhere to; rights to data protection and privacy of individuals (including breach notification rules); and the establishment of regulatory institutions. Third, a dedicated and fixed budget for cybersecurity. Cybersecurity cannot be financed as an appendix or a budget line in larger IT budgets. It requires long-term, dedicated investment in technology acquisition, human resources, training and development, research and development, and international collaborations. The government should reserve some percentage of its IT spending for cybersecurity according to international standards.
This funding should also assist in setting up scholarship programs to take Iraqi students to foreign institutions to acquire specialized training in cybersecurity, and in developing training facilities and cyber ranges nationwide where experts can train their talents, as well as research programs in Iraqi universities. Fourth, actual cooperation with the business world. The government has to stop viewing the private sector as a mere provider or contractor in national cybersecurity. This means involving the representatives of the private sector in formulating and creating standards and in disseminating threat intelligence. The establishment of such public-private alliances is critical for infrastructure protection.
The establishment of regulatory frameworks is what enables cybersecurity companies in the private sector to create and compete. The private sector can provide the practical experience, market discipline, and innovation that the government sector often lacks and must take advantage of. Fifth, creation of a national CERT (Computer Emergency Response Team). Iraq needs a fully operational, well-staffed national CERT that can serve as the center of coordination for the detection, response, and recovery of cybersecurity incidents. Such a CERT should be capable of serving the general population and the private sector; providing threat intelligence and early warning mechanisms; coordinating with international CERTs and other security agencies; and maintaining situational awareness of the national threat environment. Other countries in the region, like the UAE, Saudi Arabia, and Jordan, have come up with effective national CERTs that can serve as an example to Iraq. Sixth, global alliances should be functional and not symbolic.
Iraq has entered into a number of memoranda of agreement and collaboration with global agencies and countries in the field of cybersecurity. Most of these alliances, however, have been mostly symbolic, with photo opportunities and signing ceremonies and little or no follow-up action as regards technology transfer, capacity building, and operational cooperation. Operationalizing such partnerships into deliverables, timelines, and metrics, and holding partners to account, is necessary to ensure that such partnerships fulfill the goal of bridging the cyber gap. But what could the timeline look like? Assuming all these prerequisites are met (which is a massive assumption), I think it would take Iraq at least 7-10 years of concerted effort before it could get its cybersecurity stance to a level that even slightly resembles that of its more high-tech neighbors (the UAE or Saudi Arabia).
This timeline reflects how time-consuming it will be to enact laws, develop institutions, train personnel, introduce technology, and develop an organizational culture and procedures that foster successful cybersecurity. It would be 15-20 years before the gap with the rest of the world, which is ahead in some areas, can be bridged. What political changes would be needed? The greatest political change is for the topmost tier of government, the prime minister, the council of ministers, and the parliament, to come to the realization that cybersecurity is a national security issue and not a technical issue that can be delegated to the lowly bureaucrats. This recognition has to be backed up with action: law, funding, institutional change, and responsibility.
It also requires the willingness to make technical appointments more apolitical and to build professional, merit-based careers in cybersecurity. Without the political will, i.e., if cybersecurity stays on the back burner, patronage remains the order of the day, legislation is still in limbo, and budgets are still inadequate, the cyber gap will never be sealed. It will widen. And the fallout will only continue to worsen as the Iraqi economy, government services, and critical infrastructure become even more digitized and thus more vulnerable. As specialists in this field, it is our responsibility to step up and assist in closing this divide, but we cannot do it single-handedly. It must be a national determination, starting at the top but trickling down through the government and society.