Cybersecurity in the UAE has always maintained a credible record. In the latest Global Cybersecurity Index (GCI 2020) issued by the International Telecommunication Union (ITU), the UAE came in fifth. In an exclusive interview with Telecom Review, His Excellency Dr. Mohamed Al-Kuwaiti, Head of Cybersecurity for the UAE Government, shares insightful information on the cybersecurity scene in the UAE and highlights his goals and aspirations.
Maintaining cybersecurity over the long term is an indispensable 11th pillar in the UAE “Principles for the 50”. As the Head of Cybersecurity in UAE government, why would you consider it important to have a position specifically dedicated to cybersecurity in a country? And how critical is sustaining cybersecurity in enabling the UAE to continue telling its success story?
Historically, cybersecurity has always been neglected and only triggered by negative events, such as data leakage or disrupted work due to cyberattacks. However, as the assets of any organization are increasingly digitized and many critical infrastructures such as energy, utilities, healthcare and telecommunications are also digitized, this also means that cybersecurity takes the front seat.
Cybersecurity has pretty much evolved from being a nuisance, an inconvenience, to a weapon of mass disruption, and lately potentially a weapon of mass destruction. As such, it is important to take a proactive approach to manage cybersecurity so as not only to stem the problem at the root, but also to leverage cybersecurity to build trust and resiliency, thereby achieving a competitive advantage and enabling business. As such, to establish the UAE as a leading global hub, we have to first build the UAE into a globally trusted digital oasis.
The role of the Cybersecurity Council depends heavily on external environment factors and is subject to revision based on strategy updates and feedback from major stakeholders, especially on fine-tuning our efforts. Our goal is quite clear, which is to establish a more secure and resilient digital oasis in the UAE. That’s why the Council must always take proactive measures in mitigating any current and upcoming things that negatively impact our digital transformation, cyberspace security, and stable and reliable digital services, etc.
Consequently, due to the continuous efforts and interaction with many other stakeholders, the role of the Council will take the path of evolution from a static regulatory authority to a more adaptive, proactive and dynamic cybersecurity leader globally. Towards that end, we have the ITU Global Cybersecurity index’s 5th ranking to show our progress, having advanced 42 positions from the prior ranking exercise.
Without question, we shall continue to build and not rest on our laurels. We need to work with the different sectors and stakeholders to clarify risks and externalize these risks and their treatment in our National Cybersecurity Strategy supported by policies and guidance that will be constantly updated to reflect the future needs, in a Public-Private-Partnership or PPP model that embraces the principles of openness and collaboration, that will endeavor to deliver the best outcome by harnessing the collective expertise of relevant stakeholders so that we can continue to tell our story in the next 50.
How do you rate the cybersecurity scene in the UAE? What cybersecurity initiatives have you already implemented or will you implement in the near future? Do you agree that the talent pool and cybersecurity professionals are key success factors for our future in the new digital era?
I would like to take a different approach to answer this question by first highlighting the vibrant cybersecurity ecosystem that we are building right now under the PPP model that I have described earlier, where all the stakeholders come together to solve problem statements, whether at the national level, emirate level or any sectoral levels. What I am trying to say here is we no longer work in silos, that should be the case even before I come on board. Hence, the Council will play a critical role here, as the hub that will enable all these coordination, information sharing and enforcement of UAE National cybersecurity strategy that is under my mandate and the policies that we shall be pushing under this strategy.
As evident over years, with continuous effort invested into cybersecurity development, cybersecurity in the UAE has always maintained a credible record. In the latest Global Cybersecurity Index (GCI 2020) issued by the International Telecommunication Union (ITU), the UAE came in fifth, noting that the GCI is a trusted reference that measures the commitment of countries to cybersecurity at a global level. Some of the notable track record in cybersecurity include establishing the UAE Cybersecurity Council, as well as Electronic Federal Network (FEDNet) and the UAE Smart Cloud, supported by several e-safety initiatives, digital citizenship certificates and cybersecurity strategies.
The UAE’s leading position in the index is the fruit of the UAE’s digitalization strategies and policies, and the integrated and smart operational ecosystem, which helped bolster performance across all sectors. And this achievement would not have been possible without the cooperation of local entities, the coordination between public and private entities, and the high level of efficiency achieved by national cadres.
And the UAE has always been committed to building the most advanced digital economy in the world. We have identified telecommunication and cloud computing as the key fundamental pillars that will support digitalization, where telecommunication will address the element of unlimited bandwidth while cloud computing, the elements of unlimited computing and storage as we eliminate these assumptions that will limit the growth of the digital economy. Given that these are core critical infrastructure that will impact the success of the development of UAE digitalization efforts and whatever applications sit on top of them, it is paramount that we at the Cybersecurity Council shall safeguard all UAE assets and plot a safe passage in the midst of treacherous cyber tsunami as we set sail towards the end of the world to claim the crown of top globally trusted hub.
Having said that, we have embarked on a comprehensive initiative to build policies, guidance and best practices to support building a safe harbor for the proliferation of advanced, next generation telecommunication services and cloud computing capabilities as baseline services supporting the development of next generation digital era and the herald of the Metaverse.
With regard to the cloud computing space, we have developed a policy supported by a cloud security framework that we aim to deliver as a cloud security-in-a-box service that will not only benefit organizations and companies within the UAE, but our regional partners and even globally. We are currently in the midst of working with a partner nation as co-chairs to establish the first Cloud Security Working Group under OIC-CERT for the benefit of OIC nation states and the entire Islamic community globally where we shall contribute our knowledge and help other nations harness the raw power of the cloud to benefit their communities, as “we support all countries who share our values of peace and cooperation to ensure prosperity”, as what our President, His Highness Sheikh Mohamed bin Zayed Al Nahyan said in his address to the Nation on 13 July 2022.
On the other hand, cutting-edge telecommunication (telecom) technologies such as 5G, 5G applications defined under 5G2B and Edge Computing have always been recognized as a cornerstone for the proliferation of big data and Artificial Intelligence (AI), as well as being the enabler for the adoption of other cutting-edge technologies, including Internet of Things (IoT), Fintech (blockchain, cryptocurrency and e-wallet), autonomous vehicles, and drones.
Consequently, to ensure telecom cybersecurity, trust and resiliency are critical to enable the UAE to continue telling our story in the Metaverse for the next 50 years, while maintaining its leading position globally in telecom.
Since 2019, we have the fastest speed in 5G. According to the data based on field tests by vpnMentor, the network speed in the UAE puts it at the top of the global list, ahead of Saudi Arabia and Norway, and according to Ookla, the UAE has the fastest internet speed on Android 5G devices globally. However, as our Nation’s happiness and growth depend heavier and heavier on our telecom infrastructure, the entire Nation could be held at ransom if cybersecurity of the telecom infrastructure is compromised.
As such, we have developed a UAE Telecom Cybersecurity Guidance that is currently under review, where it will efficiently strengthen the UAE telecom cybersecurity in a holistic and systematic way, which involves governance and management, implementation and improvement of a secure, resilient and self-healing telecom network. Comprised of 2 parts, the Guidance defines a defense-in-depth, zero-trusted driven multi-layered framework based on OIC-CERT 5G Security Framework, that builds security incrementally from physical layer security to application layer security based on internationally recognized standards and best practices where the first layer on equipment security looks at mandating GSMA/3GPP NESAS/SCAS certification as a baseline requirement in the first part to defining a world-first telecom information security management system or T-ISMS based mainly on GSMA 5G Cybersecurity Knowledge Base and other global standards such as ISO 27001, the original ISMS. The development of T-ISMS is called for to develop an ISMS that is specially designed for the telecom sector, with specific guidelines that are otherwise missing in a traditional ISMS that tends to be overly generic and therefore losing its relevancy in a critical infrastructure such as telecom. Our experience in harnessing 5G shall be shared with other OIC member nations as well as GSMA as we look towards not only contributing our experience back to the industry but also putting the UAE in a good stead to set pace for further development in the telecom space for future adoption of the next generation technology.
Thus, in order to implement these strategies and initiatives that we talked about, we need a team to execute them. It is imperative to consider Emiratization as a key factor that will boost the cybersecurity talent pool in the UAE and the availability of top talent for the industry to plug the talent gap. With the announcement of 100 coders a day initiative under Projects of the 50s, it is clear that we need to have a clear and executable cybersecurity capacity building strategy. A strong cybersecurity posture for the UAE can only be achieved if we can address the talent piece, because cybersecurity is all about bringing people, process and technology together where people is always the weakest link.
Therefore, this is why the Cybersecurity Council will be signing an MOU with Khalifa University and supporting initiatives such as establishing the soon-to-be-opened Cyber Pulse Innovation Center at the Abu Dhabi Polytechnic so that we can pursue cybersecurity talent incubation right from the start before the next talent pool enters the job market, and enhance cybersecurity talent pool resiliency, and to keep them within the eco-system by establishing a professional association to take care of cybersecurity professionals in the country. In fact, a cybersecurity competency roadmap can be built and a career roadmap can be defined for all cybersecurity roles within our country that will have global relevancy and retain talent within our system while continuing to attract new talents to join us globally and more residents to enter the profession. This will be critical not only for us to build our competitive advantage but more pragmatically, to grab as much of the pie in a global manpower shortage of cybersecurity professionals, where the gap was estimated to be as much as 3 million, that was revealed in the 2021 (ISC)2 cybersecurity workforce study where (ISC)2 is the world largest IT security organization, a non-profit organization specialized in training and certification for cybersecurity professionals.
Towards that end, supported by DWTC, we shall be launching the CISO (Chief Information Security Officer) Circle, which is a gathering of the crème de la crème of CISOs based in the UAE; a group of the most senior executives in charge of cybersecurity in all organizations, both public and private sectors alike. The CISOs will come together in fellowship to drive the buy-in and recognition of our human resource efforts as we define the cybersecurity competency roadmap for years to come, to build, reinforce and anchor the new professional association for cybersecurity professionals. And we want it to be an industry-led effort where companies will not only hire based on the criteria set, but also build a career progression guidance internally based on this competency roadmap that we shall develop, spearheaded by the CISO Circle. The first CISO Circle meeting shall be hosted during GITEX, to be chaired by myself as the patron.
What is the core of the cybersecurity strategy that you strive to implement? In addition to adopting internationally recognized cyber security standards and best practices, what will be the most effective technologies that help in the fight against cyber threats that the country will face? Can we be truly independent and have the capability to respond to these threats? What would be the key success factors for our future in the new digital era? What do we need to do to be safe against these threats, today and tomorrow? What do you envision UAE cybersecurity will develop and evolve into?
Generally speaking, governments and industries share similar goals of mitigating cybersecurity threats to network infrastructures, preventing cyberattacks, and reducing the impact of malicious cyber behaviors. Also, PPP should be leveraged to ensure that both industries and governments achieve the desired policy outcome of a more secure digital environment. It is imperative that multiple parties work together to fully understand and assess potential threats in order to take appropriate mitigation measures.
In his address to the Nation on 13 July 2022, our President, His Highness Sheikh Mohamed bin Zayed Al Nahyan said the following:
“We will continue to pursue our pivotal role in building bridges, promoting dialogue and establishing active and balanced relations that are based on transparency and mutual respect with other countries”; “We need to double the efforts to safeguard the UAE’s capabilities and achievements. Our top priority is the UAE and its people”; and “We need to accelerate our economic development and we will continue to enhance our economic competitiveness and top global indicators. Our priority is to develop our capabilities in science and technology”.
As such, it is critical that we pivot our PPP model to accommodate and address his vision. As such, the Cybersecurity Council’s mission is to:
- Create world-class standards for cyber security;
- Ensure the privacy of individuals;
- Secure our critical national infrastructure;
- Foster cyber innovation; and
- Develop a highly skilled cyber workforce.
And our objective is to promote a safe cyberspace backed up by these core values:
- To help to charter the journey towards a cyber smart society;
- Engage in constructive collaboration and knowledge sharing so as to establish the UAE as a leading cybersecurity hub globally;
- Provide the necessary thought leadership globally as we move into a new digital era and the metaverse;
- Build a robust, secure and resilient infrastructure that supports digital transformation and provides the foundation to provide leadership globally by being the beacon of light safeguarding against any cyber tsunami as we chart forward into the digital future.
Thus, to achieve our mission, our remit is as follows, based on the current National Cybersecurity Strategy:
- Proposing and preparing legislations, policies and standards necessary to enhance cyber security for all targeted sectors in the country
- Submitting the legislation, policies and standards to the Council of Ministers for ratification
- Develop an integrated national incident response plan which includes attacks and threats, and assessing readiness
- Establishing the mechanism and general framework governing the exchange of information related to cyber security between different entities and sectors, locally and internationally.
Earlier, I alluded that the role of the Council will take the path of evolution from a static regulatory authority to a more adaptive, proactive and dynamic cybersecurity leader globally that builds on openness and collaboration. I would say that is a key strategy as we want to play the role of a trusted partner to all entities within the UAE and work more closely internationally with other Nation States and international organizations, to play a more important role as we shall aim to influence proceedings through open collaboration, for example with the OIC and OIC-CERT, UN and UN bodies such as ITU and even establishing new partnerships and collaboration models leveraging on key platforms that we have built and nurtured over the years such as GISEC, GITEX and the World Government Summit.
However, we must be mindful that traditionally, cybersecurity is viewed as a gatekeeper and therefore in some situations can be a show stopper where projects are known to be slowed down for the reason of not meeting compliance requirements. At the same time, for the reason of compliance, especially now that the UAE has enacted a personal privacy act, sometimes things are not moving due to stricter controls or maybe just due to the lack of understanding of what it takes to meet the requirements of the new law. Cybersecurity should not be viewed as an inhibitor towards adoption of any emerging technologies and innovation; it should instead chaperon the proliferation of these new deep technologies. As such, besides encouraging the entire nation to leverage cybersecurity, it can be used as a conversation starter, to stimulate business and strike a balance between supporting business and supporting lives. My mandate also includes creating cybersecurity as a key industry as well. Towards that end, the Cybersecurity Council together with the Ministry of Industry and Advanced Technology introduced a National In-Country Value (ICV) Programme providing incentives and growth opportunities for the cybersecurity industry. After all, Prime Minister His Excellency Sheikh Mohammed Bin Rashid Al Maktoum declared at the inauguration of the Cybersecurity Council that the “country’s security in the digital space was as important as security in the other areas”. He also said on another occasion that “the race for excellence has no finish line”.
Therefore, we shall witness the first cybersecurity unicorn born in this country, and many to come. But first, we shall play the role of the super-connector. Only by “building bridges and promoting dialogue” can we be successful as a key player on the international stage where the old adage “the Sky is the Limit” no longer holds true, but “Space is the new limit”, as my daughter exclaimed to me the other day when we had this conversation that has confounded me. In her, I see the future for the next 50, and in order to achieve that, I must safeguard our children’s journey towards the digital future right here, right now, where here is one small step for her, one giant leap for the UAE.
Awards and Achievements in Year 2022
- On 23 March 2022, The UAE Cybersecurity Council hosted 120 entities in the largest bug bounty competition in Dubai, UAE.
- On 28 April, 2022, the most users in a cyber capture the flag (CTF) video hangout is 674, and was achieved by UAE Cybersecurity Council, in Dubai, UAE.
- As part of Expo 2020 Dubai, the UAE Cybersecurity Council, Expo 2020 Dubai, and ITU jointly held the Cyber 193 virtual exercise, which was attended by more than 140 countries.
- The UAE Cybersecurity Council received the 2022 (ISC)² Government Professional Award for the MEA region.