UAE’s information assurance regulation: foundation of a trust-based digital economy

In 2020, as lockdowns were put in place and workers retreated to their homes in droves, bad actors struck. While economies worldwide spiraled downwards, the volume of cyber-incidents took the opposite trajectory, with digi-criminals taking advantage of isolated users, surges in BYOD, and the incidence of tech sprawl policed by overworked IT teams.

These trends were felt acutely in the United Arab Emirates (UAE), long a favoured hunting ground among digital predators. According to Etisalat Digital’s cybersecurity team Help AG, Distributed Denial of Service (DDoS) attacks saw a 183 per cent increase last year in the UAE alone. And in a 2020 survey conducted by KPMG, UAE business stakeholders expressed their pessimism about the 2021 threat landscape. Some 98 per cent had a dreary outlook for the year when it came to overall levels in cybercrime. Almost two thirds (61 per cent) were worried about phishing while 42 per cent expressed concern over escalations in ransomware.

Indeed, in its State of the Market Report, Help AG also cited regional rises in the dreaded lock-and-extort attacks, warning that DDoS campaigns were often used as distractions while dropping ransomware. According to another study on ransomware, many UAE victims said they had paid as much as $1.4m and 42 per cent had been subjected to total operational shutdowns. To add insult to injury, 90 per cent of those that paid reported being hit again.

A standardised response

But the good news for UAE businesses is that the government here has always been proactive on matters of technology, especially when it comes to cybersecurity, information security and privacy. Keen to protect its digital economy and the businesses that call it home, the UAE has initiated the Information Assurance Regulation as a key element of its National Cybersecurity Strategy (NCSS). The Information Assurance Standard calls for a broad range of best practices in protections and management, including business continuity, disaster recovery, compliance, certification, and accreditation. The end goal is a unified national framework that the government intends to be followed by every enterprise.

The standard also calls for increases in the levels of protection in information systems and urges the implementation of risk-based controls. It directs organisations to clearly define the roles and responsibilities of those within their ranks who are charged with overseeing (and guaranteeing) cybersecurity.

A trust-based economy

In its pages, the UAE Information Assurance Regulation sets out the reasons for adoption of the standards. It is clear that the government recognises that economic activity is oiled by confidence and can seize up in its absence. The standard mentions the benefits of a trusted digital environment for businesses and individuals across the nation, tying those benefits directly to cybersecurity, which the Telecommunications and Digital Government Regulatory Authority (the TDRA, author of the standard) considers to be the shared responsibility of every organisation and individual. While the TDRA leaves room for collaboration and partnerships between public and private sector organisations, compliance will be largely the domain of each individual enterprise.

As with most compliance regulations in the digital space, the UAE government is only pursuing what every sensible business stakeholder should want: resilience. If last year taught us anything, it was the value of preparedness as it relates to continuity. The TDRA’s guidelines are worded in such a way as to be flexible because it knows that each industry and business is different. Predictably, the standard applies to some industries more rigidly than to others, but adoption of the guidelines is in the interest of any business that operates in the digital economy. The TDRA makes this point quite plainly. The IA regulation, while mandatory for some, is urged for all.

AI-based network threat detection and response: An effective tool for compliance

One part of the security controls alluded to in the UAE Information Assurance Regulation are those related to communication and network security. In this regard, the standard is timely. As practices such as remote working and distance learning took off in 2020, the modern network became manifestly more complex than at any time since the emergence of cloud computing. In such environments it behooves IT stakeholders to reconsider their threat postures.

Using the network itself to detect threats before they become breaches and to understand the risk posed by every connected system and user, are key to effectively applying the communication and network security controls. While security engineers have being trying to do this for years, the boost in computing power has finally made it possible for them to tap into the power of Artificial Intelligence (AI) and Machine Learning (ML) and tilt the game of threat detection in their favour. The wide availability of AI and ML power paved the way for the evolution towards AI-based behavioural Network Detection and Response (NDR) tools that go a long way towards automating the kinds of security controls the TDRA cites. Information transfer, network security management, cloud computing, and incident management and response are all covered in this approach. The power of AI can also be used to score systems, devices, and users according to the risk their behavior poses ― another suggested practice in the IA guidelines.

AI-based behavioral NDR tools can be a significant leap towards compliance for UAE enterprises as they align with the government’s vision. If its implementation is spread widely enough, we can quickly achieve the trust and confidence required for innovation and competitive participation in the global digital economy.

Rabih Itani is the country manager – UAE at Vectra AI