By Benjamin Lotto

In 2014, Oman shocked much of the world when it ranked in at number three on the Global Cybersecurity Index (GCI), a UN-sponsored report that ranks countries’ commitment to cybersecurity. Oman continued the trend in 2017, when it placed fourth in the world, and in both reports, Oman was ranked first in the Arab world in terms of cybersecurity commitment. Oman, a country that had 4% internet penetration in 2000, was suddenly ranked as one of the most advanced and security-committed cybersecurity powers in the world—far ahead of its neighbors. Like many other cybersecurity researchers, I found myself asking: how did Oman get here?

When it comes to understanding how good a country is at cybersecurity (what researchers call “a cybersecurity posture”), things are not always so straightforward. Cybersecurity capabilities are inherently hard to estimate due to cybersecurity’s essential focus on confidentiality. Many countries are reluctant to fully detail their cyber capabilities, and some data is in turn hard or even impossible to glean. Some index reports, such as the GCI, offer a way around this: a measurement of how advanced a country’s cybersecurity posture is by funneling publicly available data through assessment frameworks. By analyzing a country’s cybersecurity policies, initiatives, and standards and technologies in use, indices try to gauge how well a country digitally secures things. And, according to the UN in 2014 and 2017, Oman was excelling by all measures.

When it comes to Oman, its success has a lot to do with an early commitment to cybersecurity and a serious interest in building a globally competitive digital economy. In 1998, Oman began setting up a National Committee for Information Technology. It unveiled its “Digital Oman Strategy” in 2003, identifying Oman’s vision for developing a “sustainable knowledge-based economy.” It set up its own Computer Emergency Response Team in 2010, and established the UN-sponsored Arab Regional Cybersecurity Center in 2012. Symbolizing Oman’s strategic significance, the UN did not choose any other GCC country as a partner to lead Arab cybersecurity initiatives—it chose Oman. His Majesty Sultan Qaboos set Oman on a path prioritizing cybersecurity by including it in Oman’s Vision 2040 strategic development plan and began allocating millions of rials toward cybersecurity programs—an initiative Sultan Haitham has continued with the establishment of the Cyber Defense Center in 2020. More importantly, Oman has heavily invested in information and communications technology, public-private partnerships (e.g. with Microsoft, Cisco), developing widespread IT education and certification efforts, digitalizing its government, and building up its local cybersecurity market, to say nothing of its position as a leader in regional and global cybersecurity forums. It seemed like Oman began forging its path to becoming a cybersecurity superpower. Six years ago, however, things started to change in major indices.

Since 2018, Oman has steadily dropped in major indices measuring cyber capabilities. Despite leading the indices early on, Oman ranked 21st in the world in the GCI in 2020, and 30th in the world in 2024 according to the National Cyber Security Index, another index run by Estonia and the UNDP. What caused this change? 

One explanation behind this is that it’s not necessarily that Oman is doing worse when it comes to cybersecurity, it’s that other countries are catching up and matching or surpassing Oman’s cybersecurity development pace. Moreover, different indices also have different criteria for what makes a country cybersecure, further muddying the definition of an advanced cybersecurity posture. As a researcher I interviewed at King Abdullah University of Science and Technology put it, cybersecurity readiness indices do not always straightforwardly measure a country’s cyber posture. Often, they simply represent a snapshot of a country’s cyber posture development and may not capture every initiative, change, or regulation. Consequently, they are not always the most apt way to compare countries’ approaches to cybersecurity.

Field interviews I’ve conducted with Omani cybersecurity experts, government officials, and journalists point to another reason behind the drop in Oman’s rating: Oman can improve when it comes to cybersecurity. For example, some critical infrastructure sectors (e.g. green hydrogen and energy) currently lack publicly available cybersecurity regulation, and there is a lack of standardization in cybersecurity requirements across different sectors. Some IT professionals I’ve talked to worry that cybersecurity is prohibitively expensive, forcing cybersecurity to be an afterthought (if necessary), rather than a structural design choice. Moreover, a lack of required penetration testing in the private sector and a general deficit in the cybersecurity workforce leads small and medium enterprises to either not know their cybersecurity posture or be understaffed (or both). This all points to what I coin a patchwork effect in cybersecurity: some industries have strict requirements, some do not; some sectors have up-to-date regulations, some do not. 

Paradoxically, however, this puts Oman in a strategically advantageous position. There are major benefits to regulating slowly, as Oman can learn from and implement the best global cybersecurity standards its allies, such as the United States, have put into practice. By standardizing and systematizing comprehensive cybersecurity regulations across all sectors while growing its cybersecurity workforce, Oman can and will continue its path to cyber excellence.

After all, evolving threats to critical infrastructure—such as ransomware, supply chain exploitation, and attacks on artificial intelligence—have pushed cybersecurity to be top of mind for many public- and private-sector decision-makers in Oman. Global cybercrime cost the world an estimated $8.15 trillion in 2023, and forecasts estimate that cyberattacks are expected to only increase over the next five years. And while Oman may not yet be a cybersecurity superpower, that needn’t mean it won’t be. Oman has some work to do to tackle tomorrow’s threats, but I firmly believe it is up to the challenge. 

Benjamin Lotto is a Fulbright Scholar, journalist, and academic from the US. He is currently researching Oman’s cybersecurity posture as part of a Fulbright research grant in Oman. The views expressed in this article are entirely those of its author and do not necessarily represent the views of the Fulbright Program, the U.S. Department of State, or any of its partner organizations.