No Digital Fortress
UAE has invested well in electronic safeguards for its core sectors but nothing is foolproof.
Downloading a smart government utility app and paying your bills may be easy in the UAE, but the recent hack attack on the US Office of Personnel Management, which experts term the largest ever breach of American federal employee information, makes you wonder if our digital infrastructure is equipped to ward off such threats.
The US attack has been traced to China; 4 million records of current and past US government employees that were stolen are a treasure trove of information that can give hackers the ability to commit identity fraud on a grander scale. With the information in their possession, they can create new phishing scams via email which can lead to bigger cyber attacks that target more users.
Online security firms and experts are reluctant to say if we in the UAE are completely safe, but there is a lot of focus in the region on creating a secure online environment. Security levels for critical online infrastructure in the UAE were increased in 2012 after malware was teased into digital systems of the oil giant Aramco in neighbouring Saudi Arabia, which floored 30,000 workstations. The UAE acted swiftly to set up the National Electronic Security Authority, which has laid down protocols to protect vital information and communications (ICT) infrastructure.
The Authority is currently plugging the gaps in vital electronic links to oil, gas, water and electricity, the sectors that keep the economy running. Officials last year said they were working overtime to prevent any breach which could disrupt smart systems that run the country.
‘‘It is important to understand that if our infrastructure is affected then it is not just our ability to surf the internet and check Facebook that is impacted, but also our ability to put fuel in our cars, have a shower and turn on our light,’’ says Nicolai Solling of Help AG, who has worked with different sectors of the economy on cyber security.
Laws governing Net behaviour have been enacted and released to the public but there’s a big difference between the overall security of our infrastructure and police giving advice on general good behaviour on the Internet.
Smart government initiatives mean more sectors are on the electronic grid and more transactions are being made online using mobile applications.
Dubai Smart Government and the Abu Dhabi Systems and Information Center have their own security programmes which coordinate with the National Electronic Security Authority. There’s also the Telecom Regulatory Authority’s Computer Emergency Team (CERT) which provides minute-by-minute updates on the threat level (which is currently low) in the UAE.
From the user’s perspective, this is the most transparent Net governance programme in the country, which every resident can easily access at https://aecert.ae/en. There are facts, figures, and even an online security advisor named Salim who answers questions about threat perceptions on the Web. The CERT programme develops intelligence gathered from online attacks globally and offers recommendations to prevent a recurrence. It provides services that include digital forensics investigations and study of malware behavior, the results of which are then passed on to different smart sectors and stakeholders.
Smart and cautious
With countries in the region boasting some of the highest smartphone penetration in the world, there appears to be a rush to create smart cities and user-friendly government applications, which may not be a good idea when you consider the security implications.
Some of the apps being developed only have functionality in mind, and may have been developed in a hurry. They tend to focus more on features and less on online safety, says Nicolai.
‘‘Deploying a vulnerable mobile application is a big problem as users need to update them.
‘‘So even if a vulnerability is patched by the government entity, it may be months before all users have updated to protect themselves in which time a lot of them are potential victims,’’ he says.
Other threats continue to be Distributed Denial of Service attacks that can be used to cripple smart government services, and traditional hacking and data breaches which will be a growing concern as more personal information of citizens is handled by IT systems.
Attacks can become amplified if there is no built-in security as part of the development process. It doesn’t matter then if you are on the web, smartphone apps or any other interface to the citizen — you will be compromised at all levels from the bottom up.
What’s important to note is that cyber threats are constantly evolving, so residents may find it hard to stay informed. However, if you look at the overall security of an organisation, you also need to understand that your security risk is impacted by how your business partners are acting. In the case of local governments, the partners that they are interacting with are citizens, businesses and other entities. If these lack awareness, government agencies will be impacted too.
As an example, an organisation may build the most secure application, but if the user has no awareness of security they may still be tricked into transacting with a rogue third party disguised as a government entity.
Then there’s the rise of social media which gives hackers more windows of opportunity to penetrate important systems that keep the country running.
What’s most worrying is that information people give away about themselves can be utilised in social engineering attacks, where users are tricked into a level of trust. Most government departments in the UAE have an active presence on social networks, but there is a risk of these accounts being hacked to spread false information. Government cyber security agencies have taken into account the risk involved and trawl these channels for suspicious activity, but an unsuspecting user with little or no awareness of where to draw the line can give the game away.
Yes, smart government systems are vulnerable to hackers, just like any others. ‘‘It would not be any surprise to me if we see this kind of (data theft similar to last week’s attack in the US) events here in the UAE, as we have the perfect ground for these attacks,’’ Nicolai says.
State-funded cyber armies inimical to the UAE’s interests and independent players are active in the restive Middle East. While we have done well to prevent these attacks with robust institutional security standards and user awareness, it is equally important to understand how to detect them and what to do when such an incident has happened.