The coronavirus pandemic disrupted every aspect of life. Not the least among the disruptions: Businesses and governments scrambled to enable remote workforces. As a result of stretched networks and inadequate home security, they now face increases in cyberattacks.

We talked with His Excellency Dr. Mohamed Al Kuwaiti, head of cybersecurity for the UAE government, about these issues and more.

QUESTION: How were businesses made vulnerable by a rapid increase in remote workforces and what are some of the biggest issues companies face? How is this affected by the increase in remote shopping and other customer services?

ANSWER: Before the pandemic, most companies did not practice remote working. As such, the cybersecurity measures and practices put in place and implemented were not designed to protect the organization in the event of widespread remote access.

In addition, employees were not trained and provided with the necessary best practices and guidelines on how to exercise proper cyber hygiene during remote working. As such, when the pandemic occurred and a high ratio of employees started remote working, the organization’s data were simply not protected adequately, resulting in security breaches and data exfiltration, both intentionally and unintentionally.

On the other hand, the increase in online shopping during the pandemic was not accompanied by adequate awareness on how to protect oneself from online fraud or proper hygiene on managing one’s data in these kinds of scenarios. This includes sensitive and private data, as well as personal identifiable information: credit card information or even more seriously one’s online identity or credentials. Losing these data may result in identity theft.

Cybersecurity terms

Security misconfiguration: Security misconfiguration is a type of security vulnerability that occurs when a system or application is not properly configured to protect against unauthorized access or data breaches. It can happen when security settings are not implemented, configured incorrectly or not updated to the latest version. Read more›››

Phishing scams: A type of online fraud where scammers try to trick you into sharing your sensitive information, such as passwords, credit card numbers or other personal data. They usually do this by pretending to be a trustworthy entity, like a bank, a government agency or a popular website, and sending you emails, text messages or social media posts that look legitimate. The goal of these scams is to lure you into clicking on a link or downloading an attachment that contains malware or to fill out a form that asks for your personal information. Once scammers get access to your sensitive data, they can use it to steal your identity, empty your bank account or carry out other criminal activities.

Ransomware attacks: A type of malicious cyberattack in which an attacker gains access to a victim’s computer or network and encrypts the victim’s files or data, rendering them inaccessible. The attacker then demands a ransom payment from the victim in exchange for the decryption key that will unlock the files. The ransom demand is usually accompanied by a threat to delete or publish the victim’s data if the ransom is not paid within a certain time frame.‹‹‹ Read less

Q: What are some of the most common scams and attacks you’re seeing?
A: Phishing attacks, through emails as well as voice calls, remain a common threat today, because they are most easily executed and often used in conjunction with other methods in a blended attack on targeted users.

But on a bigger scale, system misconfiguration is another major concern, with one misconfiguration error happening to a major cloud provider recently. Allegedly data from 65,000-plus entities in 111 countries were exposed and a series of other data leaks from the original related leakage affected 150,000 companies in 123 countries.

And not to mention that ransomware remains a very real problem. In the UAE, we are committed to leading efforts to fight against this threat. In fact, we were co-chair for information sharing at the recent Second International Counter-Ransomware Initiative held in the White House (in November 2022).

Q: Cyberattacks threaten businesses with lost data, money, status and productivity. But does this kind of damage to private industry potentially affect national security? If so, how?
A: The financial sector has always been recognized as a vital part of any country’s critical infrastructure because it is a backbone to sustain our economy. The increased reliance on ICT in the financial sector, with online banking and trading, and also with with the emergence of crypto currency, e-wallets and e-commerce today, shows that the availability, integrity and resiliency of the ICT infrastructure sustaining the financial sector is of the utmost importance to our very survival.

Q: What should governments do better to support improvements in private-sector security and discourage cybercrime? Are there any UAE initiatives you can discuss?
A: Our strategy is to engage the private sector directly by getting them to be part of the equation.

As such, since last year I have been issuing a call for a public-private partnership … to harness their expertise to solve our daily problems because they have the solutions while we have the problems.

Besides the various (memorandums of understanding) that we have put in place with leading ICT companies, more recently we have started to engage the experts directly. For example, with the successful conclusion of the first CISO Circle gathering at GITEX Global 2022 that also saw the establishment of the (ISC)2 UAE Chapter in our country.

Q: Aside from cybersecurity, what other emerging risks does your role monitor?
A: Cybersecurity, data privacy, operational risks, governance and compliance – anything that leads towards data protection and the secure and safe usage of these data towards enabling business while protecting lives. This is what my role entails.

Q: What advice would you give to any new graduate considering a career in cybersecurity?
A: Consider getting your hands dirty first and always be grounded in the basic fundamentals as these are the skill sets you will depend on when the going gets tough. Program them into your mind and body: There are no shortcuts, so roll up your sleeves first!

Q: How should an organization go about assessing its critical infrastructure and securing its most vital assets?
A: The organization should gather all their department heads, both businesses and platforms, and make them the risk owners of their own departments, so as to build a complete risk register of the business.

They are not only providing the necessary information to your fingertips, but they are also going to be the largest group of devices collecting your information consciously or subconsciously. That may be the biggest cybersecurity crisis that we need to address in the future in order to protect one’s data.

Q: Are we at risk when we use open-source programs, and what steps can we take to minimize risk?
A: There are always risk benefits, whether we use open-source or proprietary software. The question should be: How can we build a risk-based program to address these risks, and build a multi-level defense system grounded in zero trust principle?

Q: How do you see technology evolving in the next five to 10 years?
A: It is going to get more and more personal as we straddle between multiple worlds or realms in our journey to the realization of the future Metaverse.

Q: What is the ethical response to ransomware? Does the government have a responsibility to protect businesses and citizens from ransomware attacks? If so, how?

---

A: We should never succumb to the threats of the perpetrators and pay the ransom. The buck should stop here as long as I am in charge. By paying the ransom, we are only going to see them get better and soon, beyond any reasonable means that we can respond to them in the future as we can only smell their smoke.

So we shall not give them a chance at all. Do not pay them to leapfrog us in terms of technology (and innovation).

Q: Is there anything we didn’t ask that you’d like to talk about?
A: The sky is no longer the limit for us anymore; space is. And space security, that is a topic that we can explore the next time we speak.