The growth of the digital world has played a vital role in modernizing government services and its mode of delivery. Many government websites are increasingly used by citizens and residents who are looking to access and utilize online government services. With this in mind, the goal of electronic government (e-government) ensures the availability of online information and services related to the public sector through consistent and reliable processes.
Security is a central challenge for states, businesses, or societies writ large at both the national and international level. Governments have already started evaluating their security within a context of preventive strategy, i.e. an approach that identifies and mitigates threats before they morph into more serious risks. With the annual cost of global cyber crime estimated at over $400 billion, it is high time countries adopt methods to secure their government entities through a national cyber security program.
In recent years, the United Arab Emirates (UAE) government has witnessed significant growth in the field of e-government services. It has been actively pursuing enhancements to its Information and Communication Technology (ICT) infrastructure. The growth in UAE’s ICT during the past decade clearly shows that the country has the potential to become a leading model of advanced technology adopters.
CURRENT STATE OF E-GOVERNMENT SECURITY
The recent hack of the US Office of Personnel Management (OPM) demonstrates that even powerful government networks can be breached as easily as those in the private sector. Government agencies are quickly adopting new technologies to provide better digital services for their citizens.
For instance, electronic and biometric national identity cards are being mandated by many countries, including the UAE. In fact, the United Nations has recognized the UAE national identity card scheme as one of the leading biometric ID implementations in the world. With increased adoption of technology, we know that citizens’ sensitive data is being transmitted to the web more often and in greater quantities than ever before.
We know the potentially destructive nature of cyber attacks through hacking demonstrations, such as last year’s Jeep hack by Charlie Miller and Chris Valasek. In another event, researchers were able to wirelessly hack a pacemaker and other critical medical devices, whereas attackers in Australia hacked into the water system and started to release untreated water into the water stream. The consequence of these hacking attempts in the real world are very serious and have the potential to cause a loss of life.
SECURING NATIONAL CRITICAL INFRASTRUCTURE
In today’s digital world, with all of the many devices and appliances that are connected to each other over the internet, it is clear that anti-threat technologies can no longer keep up. Power grids, nuclear plants, hospitals and even planes are all threatened by cyber threats.
Until recently, cyber attacks on the power grid had never been confirmed officially, and nobody expected any real incident would cause physical damage. That assumption, however, is now changing in light of the recent cyber attack against a Ukrainian power company back in December 2015 that led to temporary blackouts in parts of Ukraine.
As reported by Motherboard, the attacker used unique malware that had data wiping features. Investigators have since confirmed that the incident was in actuality a well-orchestrated attack that took months of planning.
UAE’S TRUSTED DIGITAL ENVIRONMENT THROUGH THE NESA STANDARD
Experts suggest that cyber attacks in the Middle East are expected to get worse in the coming years. According to Kaspersky Security Bulletin Overall Statistics Report for 2015, the UAE has been ranked 19th globally among countries facing the greatest risk of online attacks.
A third of UAE firms were hit by data breaches last year alone, reveals a survey by KPMG. Aware of these and other threats online, the UAE government has implemented measures over the past decade to enhance its cyber security strategy.
“We aim to create a digitally secure environment with the emphasis on shared responsibility,” Saif Al Nuaimi told the first RSA Conference in Abu Dhabi.
Towards that end, the UAE decided to create the National Electronic Security Authority (NESA), a government body whose aim it is to secure the country’s national cyberspace by protecting its ICT infrastructure through technical and regulatory capabilities.
The federal body is responsible for developing, monitoring and supervising the implementation of cybersecurity strategies, policies and standards for UAE’s critical information infrastructure. NESA compliance is mandated to all UAE government bodies and business organizations that are identified as critical infrastructure.
“Cybersecurity is one of the biggest economic and national security challenges countries face in the 21st century, explains Jassem Bu Ataba Al Zaabi, Director General of NESA. “The NESA was established in line with this modern reality and as soon as the authority was in place, we immediately initiated a thorough review of the federal efforts to defend and protect the nation’s ICT infrastructure.”
NESA aims at achieving cyber resilience, developing cyber defense capabilities, securing critical infrastructure and reducing cyber crime in UAE. As mentioned by Ben Downton, although NESA embodies a completely new standard of cyber security for the UAE, it draws on a number of already established security standards and guidance (such as ISO 27001 and NIST).
The UAE National Cyber Security Strategy (NCSS), developed and governed by NESA, defines the protection requirements of UAE cyberspace. The primary standard to follow for NESA compliance is UAE Information Assurance Standards (UAE IAS). Additionally, the NESA National Cyber Risk Management Framework defines the NESA Risk Assessment process.
UAE IAS lists 188 security controls in a prioritized approach. There are four priorities defined, and the controls are grouped into these four priorities. P1 Controls are mostly the management controls, with some technical security requirements.
From the 188 controls, NESA mandates 35 controls that help entities in building the information security foundation. These controls are required to be implemented by all the relevant entities irrespective of the outcome of the NESA Risk Assessment results.
The UAE is a place where new and emerging technologies are quickly adopted by government and enterprises in an effort to drive business growth. As reported by Friday Magazine, in the United Nations International Telecommunications Union’s recent ‘Global Cybersecurity Index’ that was released back in January 2016, the UAE ranked among the top 20 countries in the world. The index measures cybersecurity aspects such as legislation, regulation and compliance, capacity building, and international cooperation.
Many industry experts say that the UAE government has outpaced European countries in cybersecurity preparedness, protecting the country’s critical national infrastructure in the face of growing cyber threats. The country aspires to be among the best countries in the world by 2021 through UAE Vision 2021.
About the Author: Ashiq JA (@AshiqJA) is a cyber security consultant and security writer with solid experience in the security field and expertise in risk management for banking applications, vulnerability management, security audits and assessments, security policies and procedures, risk mitigation, application penetration testing and secure software development.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock