UAE’s Machinery of Government for Cybersecurity

  • Ahmed Almansoori

Student thesis: Master's Thesis

Abstract

State and non-state actors continually target the United Arab Emirates in cyberspace for economic and political reasons. A vital element of a national cybersecurity strategy is to have clear and coordinated cybersecurity machinery of government. There is a pressing need to describe the UAE government’s present cybersecurity machinery, since it is generally unknown. This study aims to determine the changes in the UAE government’s cybersecurity machinery between 2010 and 2022 and explain what drove these changes. The research uses a qualitative methodology with interviews, gray literature, and official websites as data sources.

The thesis found that the UAE government’s cybersecurity machinery changed between 2010 and 2022 in such a way that integration increased across and between levels of government, and the centralization of cybersecurity responsibility for functions at each level of government also increased. In addition, the number of agencies and specialized groups increased. The thesis found some similarities but also substantial differences in the changes to the machinery of government for cybersecurity in the four local emirates (Abu Dhabi, Dubai, Umm Al Quwain, and Ras Al Khaimah).

There were two main similarities. The first was that integration with the federal government through the Cyber Security Council increased by integrating the local emirates’ cyber agencies’ cyber incident response and reports. The second was increased information flows between the national and local government cybersecurity agencies, such as the local emirates’ cyber agencies sending their quarterly reports to the Cyber Security Council and the Cyber Security Council sending its cybersecurity risk information to local emirates. Both similarities created a whole-of-government approach to cybersecurity.

There were several differences. In Abu Dhabi, ADSIC, as of 2010, was the primary agency responsible for cybersecurity regulations and roles. With the establishment of ADDA in 2019, it became responsible for regulating, auditing, and assessing the cybersecurity posture of Abu Dhabi’s local government entities. This made the machinery more streamlined and cooperative. For Dubai, the machinery has changed in many ways since 2010. However, the most significant changes came with the establishment of DESC in 2014, which regulated the local government’s cybersecurity, created cybersecurity policies, and is responsible for other roles like incident response and cyber defensive operations. The machinery changed again in 2021 when DESC underwent the newly established authority “Digital Dubai” and four other local Dubai government entities. This made the machinery more streamlined and integrated. For the emirate of Umm Al Quwain, there was no clear view of the machinery of government for cybersecurity before 2010. In 2013, UAQ Smart Gov was launched as an electronic government body that provided all local emirate government services and sought worldwide accreditation for digital transformation and cybersecurity.

UAQ Smart Gov manages and controls all government agency databases in UAQ, the only emirate to do so. UAQ Smart Gov maintains all local data centers in the emirate. This made the machinery more centralized, to ease management audits, problem-solving, and diwan accountability. For Ras Al Khaimah emirate, the machinery started when the EGA was established in 2007 by the ruler of RAK. It began as an entity under the Executive Council of Ras Al Khaimah. It was responsible for delivering IT services to the emirate government department. The digital transformation process started in 2014. Before 2014, each local department in the emirate was accountable for ICT operations, including information security (IS). Information security operations needed to be solidified or extremely obvious but were part of ICT operations. Each department was directly responsible for these operations.

The thesis also found that three main reasons drove the changes in the UAE government’s cybersecurity machinery between 2010 and 2022. The first was the increasing and rapidly changing cyber risk, and the second was to secure the government’s digitization goals. The third reason was to implement cybersecurity strategies in the government. The thesis also found what drove the changes for the four local emirates. The reasons that caused the changes in the emirate of Abu Dhabi were the new laws from the emirate’s ruler, an increase in the centralization of cybersecurity responsibilities for functions at the emirate level, and the regulation of cybersecurity. For Dubai, the main reasons were the emirate’s ruler; new digitization, cyber strategies, and initiatives; and the aim of increasing the centralization of cybersecurity responsibilities for functions at the emirate level and the regulation of cybersecurity for local government agencies. For the emirate of Umm Al Quwain, the main reasons were copying practices of other emirates, achieving globally recognized criteria for digital transformation and cybersecurity, and top-down instruction by the UAE government. Changes in Ras Al Khaimah emirate were driven by demands from the Executive Council of RAK, achieving globally recognized criteria for cybersecurity, and top-down instruction by the UAE government.

The findings of this study are useful as they will assist (1) cybersecurity government members in better understanding their roles, (2) policymakers in identifying gaps and overlaps in the organization’s cybersecurity efforts, and (3) third-party firms seeking to engage a particular agency or government body for regulatory or commercial purposes. Significantly, the findings have contributed to the literature by analyzing the extent to which the various theories may explain why changes occur in the machinery of government in the UAE. The thesis concludes that two of the main theories (Pollitt’s and Kingdon’s multiple streams) were fully aligned with the findings of the thesis. Also, three main theories (Resource, Davis et al.’s, and Castleman’s) were partially aligned with the results. Lastly, two main approaches (Hogwood, Contingency) were not aligned with the thesis findings.

Date of Award: Dec 2022

Original language: American English

Keywords

  • cybersecurity
  • cybersecurity machinery of government
  • machinery of government
  • UAE machinery of government
