In November 2020, the UAE Cabinet established the UAE Cyber Security Council to develop a comprehensive cybersecurity strategy and create a safe and strong cyber infrastructure in the UAE.

As a part of the UAE Cabinet’s vision to strive toward a more secure digital transformation, the Cyber Security Council is headed by the UAE Government’s Head of Cyber Security. The Council is tasked with contributing to the development and creation of the Nation’s legal and regulatory frameworks covering cybersecurity as well as securing existing and emerging technologies. The Council is also responsible to build a vibrant ecosystem for cyber security across UAE driving innovation and stimulate economic growth in cyber through collaboration and partnerships with industry, academia and international cyber diplomacy. The Council is also responsible to pioneer and implement awareness & capacity development initiatives across UAE to enhance to safety and security of the UAE populace, in line with the UAE leadership’s vision for the nation.

The Council is working towards building an effective cyber security ecosystem across the UAE. The main responsibilities of the council can be categorized across the below:

• National Cyber Strategy, Policy & Standards
• Critical Information Infrastructure Protection (CIIP) Program
• Cyber Assurance Program
• Cyber Advisories
• National SOC (NOSC)- Cyber Fusion Center
• Advanced Cyber Incident Response, Threat Intelligence Sharing and Resilience
• National Cyber Accreditation Program and Trust Framework
• Innovation in Cyber
• International and Domestic Collaboration and Public Private Partnership Programs
• Cyber Education and Skills Program

The Council is leading the “National Cyber Capacity Building” initiative in the UAE, a multipronged program addressing several crucial aspects for improving the nation’s cyber resilience and strengthening the overall cyber security posture. The program addressed key milestones across five main dimensions namely:

• Cyber culture and awareness
• Cyber skills development
• Cyber technology and infrastructure improvement
• Cyber policy framework enhancement
• Cyber collaboration

The Council has a structured framework for addressing cyber security incidents which is outlined in the National Cyber Security Incident Response Framework and Plan. The framework and plan cater for the following:

• Institutionalize and enforce a national capability and establish a cyber incident response community to manage major cyber incidents, including identifying the roles and responsibilities of participating entities in response operations and raising the readiness of entities to respond to cyber-attacks.
• Unify the concept of managing cyber incident response between relevant entities at the national level in the UAE and increase awareness by conducting exercises between entities to respond to cyber-attacks.
• Integrate this capability in the relevant UAE national security and national crisis management institutional context.
• Define the cyber situational awareness and coordination essential for effective cyber incident response.
• Raise awareness of national cyber incident management capabilities and processes; and
• Inform incident response processes at the entity, sector, and national levels.

The Council has outlined comprehensive plans and information sharing capability to build situational awareness in the UAE. This involves collaboration with federal & emirate level entities involved in cyber security and encompasses sectoral insights towards combatting cyber threats. Another aspect is the regulatory and law enforcement participation in cyber security threat environment through deterrent and punitive measures against cyber threats.

The UAE Cyber Security Council is endorsed and supervised by the UAE Cabinet. The Cabinet is the executive authority of the federation. Under the supreme control of the President and Federal Supreme Council, it manages all internal and foreign affairs of cyber security under the Constitution and federal laws. The Cabinet therefore is the authority that enforces the cyber security regulations through the Council in the UAE.

The “Cyber Pulse” program is aimed at driving cyber culture awareness at a national level, helping the UAE citizens understand the impact of cybersecurity attacks and providing guidance to protect themselves and their families from cyber threats.

Furthermore, “Cyber Future Leaders” pillar helps leaders local, federal, and semi-government entities within the UAE to better understand the importance of cybersecurity and the impact of cyber-attacks on their organizations. The “Cyber Pulse” program employs a holistic approach to ensure maximum reach across the UAE populace and build advocates for cyber security across the various cadres of the UAE populace. The program across its various pillars also focusses on building resilience across the critical information infrastructures across the nation with cyber drills and training initiatives for the technical cyber workforce. Lastly the council runs various “Capture the flag” events to nurture and recognize upcoming talent in the field for cyber security. The comprehensive coverage enable the Council to have an all-encompassing awareness and engagement program across the nation.

Keeping in line with UAE’s vision and strategies towards global collaborations, the Council is engaged on multiple international forums to build partnerships and relationships to further UAE’s cyber security agenda. Some prominent forums include the WhiteHouse Counter Ransomware Initiative, with 27 participating countries that aim to combat ransomware and thwart cyber criminals and the participating in the United Nations ITU initiatives. Further from a regional context, the UAE is involved in the GCC forum on cyber security that aims to build the collective cyber resilience of the Gulf region. Cyber Security Council also invited 18 LDCs (least developed countries as defined by the United Nations) to attend the World Government Summit at Expo 2020 to meet with the ITU and participate in extensive workshops designed to solve Cyber Challenges and is actively engaged in capacity development initiatives in these nations.

The Council is actively engaging with academia and industry sectors to promote innovation and R&D efforts in cyber security. These will be done through establishing centers of excellence for cyber security.

The Cyber Security Center of Excellence (COE) will create a platform for collaboration, sharing, and partnership to benefit the growth of the cyber security ecosystem in the United Arab Emirates. The COE will leverage expertise and skills obtained from across Industry, Academia, and Government.

Industry will contribute to the COE through specialist skills, knowledge of emerging threats, best practices, and industry-specific thought leadership. The focus areas of Industry cover IT/OT/IoT, Emerging Technologies, Cyber Governance, Risk & Compliance, and Cyber Detection & Response.

Academia will contribute to the COE through research & development, accredited courses, and certified training programs.
The focus areas of academia include bachelor’s and master’s degrees in the field of cyber security and 3rd party certifications such as CISSP, CEH, OSCP, CISM, etc.

Government will contribute to the COE through nationwide cyber awareness, future leaders initiatives, regulatory enhancements, and investments

The national cyber security program emphasizes on continuous improvement. This is achieved through assurance and compliance mechanisms that are outlined in the National Cyber Security Governance Framework.

Answer: UAE’s vision for UAE’s National Cyber Security Strategy is “To create safe and resilient cyber infrastructure in the UAE that enables citizens to fulfil their aspirations and empowers businesses to thrive”. Also, National Information Assurance Framework, National Cyber Risk Management Framework, UAE IA Regulation and other cyber Policies and standards have been published to encourage critical information infrastructure program. These frameworks, policies, regulation and standards apply to all critical sectors, not necessarily mandated.

The “National Cyber Capacity Building” initiative also aimed at enhancing the national UAE cyber policy framework. The policy framework covers a wide agenda from establishing a clear national cybersecurity governance, to protecting the critical information infrastructure, to enhancing incident response, to building cyber accreditation programs, and to defining emerging technology security requirements amongst others. The last set of pioneering projects was

The cyber security strategies and capability building initiatives are rolled out across all UAE agencies- federal and emirate level. Relationship and collaboration between various agencies is maintained through the steering committee that has been established at national level with representatives from federal and local governments who provide direction and monitor the successful implementation of the various cyber security programs and initiatives. The Council also leverages various engagement channels such as social media and digital media to create awareness on new and upcoming threats on cyber security coupled with recommendation to ensure the safety and security of UAE’s cyber space. The extensive engagement of the Council across the UAE ecosystem is further enhanced through its presence and insights into upcoming issues such as sustainability, digital evolution and nation building initiatives and participation in conferences, exhibitions and global priority initiatives in cyber.

The changing cyber threats have led to a holistic outlook for cyber security in the UAE, the Council has outlined plans as follows:

• Preparation, development and modernize the national strategy of cybersecurity in the country, thereafter, raising it to The Cabinet for accreditation, and follow-up in coordination and cooperation with the relevant authorities and entities.
• Proposal and preparation of the legislation, policies, and standards to enhance the cybersecurity for all targeted vital sectors in the country, thereafter, raising it to The Cabinet for accreditation, and follow-up implementation in coordination and cooperation with the relevant authorities and entities.
• Proposal and preparation of the complete national plan for cyber strategy, including the attacks and threats, while assessing its readiness, thereafter, raising it to The Cabinet for accreditation, and following-up the implementation while conducting periodic exercises in coordination and cooperation with the relevant authorities and entities.
• Development of the general framework and mechanism through which exchange, sharing, and governance of information related cybersecurity between entities and sectors locally and internationally, in coordination and cooperation with the relevant authorities and entities, thereafter, raising it to The Cabinet for accreditation.
• Development of the standards and requirements associated with the compliance of cybersecurity in the digital government systems and capabilities, networks, and digital infrastructure, through which the readiness to block and defend against risk and threats, will be enhanced, in coordination and cooperation with the relevant authorities and entities, thereafter, raising it to The Cabinet for accreditation.
• Proposal and preparation of standards and controls for the construction of a national operations center of all kinds for cybersecurity, that which includes the center for control, reconnaissance, monitoring, exchange and decomposition of information, thereafter, raising it to The Cabinet for accreditation, in coordination and cooperation with the relevant authorities and entities.
• Proposal of standards and control measures related to the import, export, and use of equipment, devices, and software with a high degree of sensitivity to cybersecurity in cooperation with relevant authorities and entities, thereafter, raising it to The Cabinet for accreditation.
• Development of the necessary plans to build the nation’s talents and capabilities in areas of cybersecurity, in coordination with the relevant authorities and entities, and work on raising awareness and community participation.
• Proposal and implementation of studies and research necessary for the development in areas of cybersecurity in coordination with the relevant authorities and entities.
• The Cyber Security Council is mandated to ensure the compliance of the place policies, frameworks and guidelines, thereafter, providing continuous assurance to the Cabinet on the implementation of the national mandates towards increased maturity of the UAE’s cyber ecosystem.

The “Cyber Pulse” program is aimed at driving cyber culture awareness at a national level, helping the UAE citizens understand the impact of cybersecurity attacks and providing training to skill people including university students to respond effectively to cyber threats. The Council also runs various initiatives under the umbrella of the “Cyber Protective Shield” consisting of cyber drills on cyber ranges, management table top exercises, Capture the Flag events, building the future cyber workforce across UAE based universities, entities and key critical sectors. The Council also runs a national bug bounty program for UAE government and other entities to provide a proactive mechanism to mitigate vulnerabilities using a trusted platform and verified testers.