by Cristiano Galli
From a sociological perspective, the United Arab Emirates (UAE) is an isolated case in the global scenario. Founded in 1971 from the enlightened vision of a small group of Arab rulers, the Country has seen an astonishing economic, cultural and technological development in a very short time. In just less than fifty years, little and isolated Bedouin communities turned into one of the world most technologically advanced and multicultural socioeconomic entities. Currently the UAE is permeated by the outcomes of the digital transformation. Its population’s personal information is collected, monitored and supervised by powerful Artificial Intelligence-based platforms and by easy access digital interfaces, in order to maximize effectiveness of the public administration and Government procedures. All possible personal needs are accessible through phone applications that deliver official documents in eye blink time span.
Such an invasive approach to personal information clashes with the western cultural approach to privacy, but indeed it is counterbalanced by UAE’s need to protect its homeland and to provide its citizen and expats with a safe and secure environment. UAE’s social structure is peculiar. Only 11% of the Emirates’ population is actually composed of Emirate citizens, the remaining 89% is an heterogeneous composition of expats from all over the world.
The highly digitalized public administration requires a strict and modern approach to cybersecurity and the UAE is a leading nation in this field. The national Telecommunication Regulatory Agency (TRA) – based on global exponential increase in cyber-related incidents and associated cost (estimated in 608 billion USD in the 2014-2017 timeframe) – has developed an integrated and synergic cybersecurity strategy. The strategy is deemed to secure the UAE’s interests beyond economic losses. Minimizing direct financial, client, reputational and service impact is the core purpose of this strategy.
Strategy development has leveraged on 3 key sources of insight: Global Industry Reports (more than 50 global indices and publications have been analyzed), experts (a panel of experts with deep knowledge on cybersecurity topics has been engaged globally) and the reference from 10 benchmark countries (benchmark has been created analyzing the cyber ecosystem of the 10 world leading countries in cybersecurity).
The UAE’s Vision for Cybersecurity has been introduced in 2019 “to create safe and resilient cyber infrastructure in the UAE that enables citizens to fulfill their aspirations and empowers businesses to thrive”.
The Strategy is based on 60 initiatives across 5 pillars, as depicted in the figure below:
The Cybersecurity laws and regulation pillar will entail the creation of a legal framework to address all types of cybercrimes and of a regulatory framework to secure existing and emerging technologies. A highlight should be posted on the priority of supporting protection for SMEs (Small and Medium Enterprises). Three key initiatives will ensure the implementation of essential cybersecurity standards, mandate cybersecurity implementation certificate for government suppliers and building a one-stop portal to support SMEs in standard implementation.
The Vibrant cybersecurity ecosystem pillar will be tackled through initiatives aimed at tapping into the internal and global cybersecurity market, driving demand, supporting business, facilitating access to finance and business development. Specific effort will be devoted to culture, mindset and skills development through educational plans and citizen awareness through information campaigns. Twelve reward programs will be delivering money and benefits to entities and individuals in order to promote cyber-healthy behaviors. Capability-building will be achieved with an integrated effort among local and international universities in order to encourage students to pursue cybersecurity oriented careers.
The National Cyber Incident Response Plan will be implemented in order to promote a strong and swift coordinated response to cyber incidents. The Plan is based on a single point contact streamline incident detector and reporting. Inter-agency intelligence sharing will promote effective and active monitoring of cyber threats. An advisory service will be in place to support cyber protection of third party agencies and entities.
The Critical Infrastructure Protection pillar will be achieved safeguarding assets in 9 critical sectors: energy, ICT, government, electricity and water, finance and insurance, energy services, health services, transportation, food and agriculture. The Protection Plan will hinge on world-class risk management standards and strong processes for reporting, compliance and response.
The Partnership pillar will be pursued by mobilizing the whole ecosystem through local and global engagement of public and private sectors, academia and international consortia.
The Cybersecurity Strategy and related plans and activities will be supervised by 9 governance vehicles. Nine sector committees will supervise and monitor the CIIP Program while other two National Government organizational structures will support the implementation of the National Incidence Response Plan. The National Incident Response Committee (NRC) will supervise the Incident Response Program, while the Cyber Intelligence Unit (CIU) will enable intelligence sharing among different agencies.
TRA will monitor strategy implementation using two strategic and seventeen operational KPIs (Key Performance Indicators) and will strictly monitor progress through periodic National Cybersecurity Strategy progress updates.
The UAE’s commitment to ensure a safe and secure cyber environment to its citizens and residents is aggressively tackling the globalized threat to the cyber domain. No state entity could consider maintaining credibility and competitiveness in a globalized world without a serious, viable and realistic cybersecurity strategy.