Qatar's National Cybersecurity Strategy
QCERT's Al Hashmi on Defending Against Advanced Threats
Qatar's economy is based on using information and communications technology as a platform for innovation and prosperity.
Khalid N Al Hashmi, undersecretary of cybersecurity at the ministry of communication and information technology, says resilience and security in cyberspace are vital to Qatar's continued success and growth. Hence, a comprehensive national strategy is required to address the current and emerging threats.
To this effect, Qatar has established the National Cyber Security Committee as part of its Cyber Security Policy framed in May 2014.
Hashmi's view is to balance the need to protect interconnected ICT products and services, with the need to provide opportunities that maximize benefits and efficiencies found in ICT advances.
"The key agenda is to establish and maintain a secure cyberspace to safeguard national interest and defend the nation's critical infrastructure from large attacks," he says.
In this interview with Information Security Media Group, Al Hashmi discusses the steps taken by the government to address cyber security concerns. He also elaborates on:
- Qatar's security challenges;
- New cybersecurity initiatives;
- Strategies to protect critical infrastructure.
Al-Hashmi has over 18 years of experience in the information technology field, with expertise in cybersecurity, information infrastructure and ICT systems planning. He leads a team that works closely with government agencies, financial institutions, the energy sector, businesses and citizens to address risks, protect sensitive information and ensure the safety of children on the internet.
GEETHA NANDIKOTKUR: Could you tell us about the cybersecurity challenges in Qatar?
AL HASHMI: Due to the adoption of new technologies (cloud computing and mobile applications, smart-grid technology and the substantial increase in technology users), there has been much opportunity for development and innovation. However, these exist in an increasingly fast-paced and evolving environment which continues to impact Qatar's ability to innovate and compete in the global economy. The challenges here are:
- Skill deficit: The number of workers possessing the skills to effectively understand ICT and address cyber security issues is low.
- Global supply chain risks: The global cyber ecosystem consists of interconnected systems that often include multiple components from various sources around the world. This supply chain introduces weaknesses that malicious actors may exploit to launch attacks.
- ICS connectivity: ICSs are increasingly connected to business networks and the Internet. While this provides efficiencies that enable the remote monitoring of the mechanical processes used for oil and natural gas production, electricity generation and water purification, it also increases the vulnerability of ICSs to cyber threats.
- Information sharing constraints: Information owners or providers may be reluctant to share information about vulnerabilities, incidents and their best practices to avoid revealing weaknesses.
- Changing Privacy Expectations: Due to the increased use of personal information within government organizations and throughout international businesses, countries continue to enact and update privacy laws to protect individuals and their data.
NANDIKOTKUR: Can you elaborate on the cybersecurity initiatives and your government's new approach?
AL HASHMI: Qatar has established the National Cyber Security Committee. The objective is to ensure an effective legislative framework to address cyber-crimes and the security of its critical assets. With cyber-crime laws in place, the government is working on issuing a data privacy law and the critical information infrastructure protection law.
The National Information Assurance Policy has been issued; it enhances the legislative framework and builds a robust foundation for cybersecurity, besides roping in ICS security standards to secure information assets and control systems.
We have established a CIIP program to work closely with critical sectors to improve their security and provide them with guidelines on addressing cyber security challenges.
We focus on training and awareness programs (both in-house and those developed in partnership with global partners) to build human capacity.
The threat intelligence function is responsible for monitoring Qatari cyberspace. The incident handling team works with critical sectors and the public to respond to cyber breaches.
Data Privacy Law
NANDIKOTKUR: Can you elaborate on the proposed data privacy law and its impact on CISOs?
AL HASHMI: This is still being drafted and has incorporated the best global practices, legislations and nuances of the EU region. It will probably be the first law in the region.
The data privacy guidelines would revolve around how organizations handle personal data. Users will have the right to explicitly authorize the use of their personal information, and to understand the source of secondary data.
Critical Infrastructure Protection
NANDIKOTKUR: How is the government going to protect Qatar's critical infrastructure?
AL HASHMI: We formed QCERT to handle the capacity building and information sharing activity and pioneered the Critical Infrastructure Information Program (CIIP) in 2009. We identified 10 critical sectors including government, energy, finance, telecommunications, transport and health. As part of our public-private partnership model, we identified critical sector organizations and worked closely with them to help improve their information security maturity. We have issued a number of policies to address specific threats.
For example, the Industrial Control Systems security standard protects the SCADA systems that run these operations. This is the first of its kind in the region and probably amongst the very few globally.
We collaborated with the financial sector regulators to enhance the technology rules for the sector.
As part of the incident handling mechanism, we work on a priority basis with the critical sector organizations for managing cyber incidents. We have established Information Risk Expert Committees for the critical sectors of energy, finance and the government (more in the pipeline). Through IRECs, we collaborate and create a platform for dialog within the sector, identifying pain points and working together to address them.
Organizations, regulators and we combine to build a conducive environment where participants feel secure enough to discuss issues and incidents in complete confidence. We encourage information sharing within the sector; we have also identified common projects that can be approached in collaboration to improve the cyber security posture within the sector. Our next step is to drive cross sector collaboration.
We realize the importance of threat intelligence and have developed in-house tools to ensure relevant and specific intelligentsia for Qatar. The threat alerts and advisories are issued to keep our stakeholders informed about new and potential threats.
It is a holistic program that addresses key concerns and ensures that we have the right controls in place to build a resilient country with a very mature understanding of information security.
Besides these, the critical infrastructure protection risk assessment objectives would be:
- Develop a national CII risk management framework to guide the identification of CII assets and organizations;
- Assessment of threats, vulnerabilities and consequences, in addition to the development of risk profiles;
- Conduct regular risk assessments of CSOs and other organizations with CII;
- Conduct dependency and interdependency assessments to identify systemic risks that cut across critical sectors.
NANDIKOTKUR: Tell us about the initiatives made by QCERT to build skills and resources?
AL HASHMI: Qatar is making a huge effort to train cyber security professionals. We have trained more than 300 people on NIA Policy Implementation. We work with universities to drive awareness about information security, preparing young professionals for a career in information security. We are working with colleges to ensure that they offer graduation programs in information security.