Dubai Updates Cybersecurity StrategySecurity Leaders Assess Value of the Revisions
The city of Dubai in the United Arab Emirates has launched a revised cybersecurity strategy that offers voluntary guidance for businesses and government units. Some observers say it represents a substantial improvement over earlier efforts, while others say the new plan fails to articulate an action plan to help secure the region against new threats.
The new strategy, designed to help portray Dubai as a world leader in cybersecurity, eventually could be expanded nationwide.
"The strategy's a forward move from the earlier ones, as it focuses heavily on security and connectivity of smart cities. It also focuses proactively on the upcoming challenges of the next decade," says Dr. Jassim Haji, director-information and security, Gulf Air (see: Smart Cities: Security Challenge).
Haji said the new strategy emphasizes cyber hygiene, including such steps as the government and private entities implementing secured services, consumers accessing the services in a secured manner and government monitoring to ensure guaranteed security of the services.
In contrast, the old strategy focused primarily on narrower details of securing systems and infrastructure.
But some critics say that the revised strategy focuses too much on defensive efforts to protect against threats and not enough on building a proactive cybersecurity approach. Plus, they say it lacks details on execution methods.
The New Cybersecurity Plan
In a statement about the new strategy, UAE Prime Minister Sheikh Mohammed bin Rashid AI Maktoum notes: "It is critical to unify the efforts of the government, private institutions and individuals to provide a secure cyberspace and make the region the safest electronic nation in the world."
Cybersecurity is becoming more important as the world becomes more connected as a result of the spread of smart technologies, Sheikh Mohammad said.
The new plan focuses on five goals:
- Creating a cybersecure smart city;
- Encouraging cybersecurity innovation through research and development;
- Building a secure cyberspace with controls required to protect data confidentiality, integrity, availability and privacy;
- Ensuring cyber resilience to preserve continuity and availability of IT systems;
- Implementing national and international collaboration to manage cyber risks.
Security Policy Gaps
While Dubai prescribed a standard information security policy in 2008 via CERTae, the new plan takes a holistic approach focusing on key steps that are critical in the current cyber threat environment.
The earlier policy defined a set of standards, guidelines and procedures that specify the expectations regarding appropriate use of information and/or information assets and network infrastructure. The government's objective was to protect organizations and users from illegal or damaging actions by individuals, either intentionally or unintentionally.
"The new strategy is indeed holistic and is purely a defense strategy specifically observed among developing nations," says one security practitioner, who ask not to be named. "But the most developed countries have been advocating an offensive approach to bolster their cyber offensive capabilities."
Dubai's new strategy is focused on taking a reactive approach and doesn't emphasise that security is a business enabler, says Dubai-based Mirza Asrar Baig, founder & CEO, at IT Matrix & CTM360, a cybersecurity solutions company.
One of the five domains of Dubai's new strategy is driving cyber innovation to promote research and development for cybersecurity.The goal is to create a cyber smart society by establishing free, fair and secure cyberspace.
Some critics, however, argue that the new Dubai strategy lacks detail. They contend that the plan must help to ensure that organizations have the right cybersecurity controls to manage and secure emerging technologies, such as virtual currencies, artificial intelligence and 3D printing.
Baig says the government should take the extra step of creating stringent regulatory requirements for threat mitigation plans. "The government should set a trusted body to enable organizations to report threats and expect some coordinated response on cyberattacks when required," he adds.
Haji argues that the UAE government "should enable the region to focus more on the next-generation challenges related to cyber and information security laws, data transfer and data encryption regulations.
The Dubai plan emphasizes establishing national and international collaboration to encourage local and global partnerships to share best security practices.
But another security practitioner, who asked not to be identified, calls for UAE to adopt an information sharing legislative mandate to help "build trust among stakeholders to collaborate and contain cyber threats."