Qatar's 2016 Cybersecurity AgendaQCERT's Khalid Al Hashmi on Tackling Risks
Promoting entrepreneurship, innovation and economic development is a priority in Qatar. Its national cybersecurity agenda is designed to ensure that security policies help businesses strike the right balance between security and economic growth, says Khalid Al Hashmi, assistant under-secretary, cybersecurity, in Qatar's Ministry of Information and Communications Technology.
See Also: 2016 State of Threat Intelligence Study
"While my agenda's ensuring our security policies are aligned to respond to new challenges, our guidelines, frameworks and standards assist stakeholders in finding the right balance," he says in an interview with Information Security Media Group (see transcript below).
QCERT has been implementing its National Cyber Security Policy framed in May 2014, creating awareness among stakeholders in building a resilient infrastructure. "We don't intend to introduce security as a business block; rather, ensure the decision's well-informed, considering all risks, rather than based solely on financial ROIs," he says.
To help fuel economic growth, QCERT has created a National Information Risk Framework - exhaustively reviewed by internal and external stakeholders. "We will publish the document soon on our website, work with a few stakeholders to pilot the framework, help them understand risks and handle threats," he says.
In this interview, AI Hashmi also discusses the new data privacy bill that's in the works. He offers insights on:
- Initiatives taken to beef up security in 2016;
- Trends that impact security practitioners;
- Initiatives to bridge skills gaps.
AI Hashmi leads Q-CERT, the first National CERT in the Gulf Cooperation Council region and among the first organizations to initiate the Critical Information Infrastructure Protection program. Hashmi, who has more than 18 years of experience in IT, and expertise in cybersecurity, information infrastructure and ICT systems planning, leads a team working closely with government agencies, financial institutions, energy, businesses and citizens to address risks, protect sensitive information and ensure safety of children on the Internet.
Cybersecurity Initiatives in 2016
GEETHA NANDIKOTKUR: What were QCERT's cybersecurity initiatives in 2015? How do you envision beefing up security in 2016?
KHALID Al HASHMI: Q-CERT initiatives are aligned with Qatar's National Cyber Security Strategy. Some important tasks in 2015 included:
- National cyber security drill (STAR-3) exercises, an annual program - nearly 50 organizations from diverse critical sectors assessed their cybersecurity preparedness.
- Setting up a Common Criteria Lab (among the first in the region) for Information Technology Security Evaluation and the companion Common Methodology for Information Technology Security Evaluation to be technically qualified for an international agreement, the Common Criteria Recognition Arrangement. The purpose is to evaluate products to determine fulfilment of particular security properties. This enables issuing certification, recognized by all CCRA signatories.
- Initiated projects to scale up and integrate our threat intelligence services offered to stakeholders. Developed in-house tools like DNS log analysis, malware Analysis Lab to help them get early warning on the potential attacks and conduct post-incident activities.
2016 will bring new challenges due to the evolution of IoT, given there are no more air-gapped zones - systems not connected to the Internet - even in critical areas like industrial control systems. The challenge is to find that right balance between business enablement by technology adoption and mitigating risks it exposes the businesses to.
We work toward creating awareness among stakeholders in building resilient infrastructure.
NANDIKOTKUR: What are the new trends which help security practitioners meet your objectives?
AI HASHMI: Technology trends are similar to those we see in other regions, including SMART ICT trends driving cloud, mobility, crowd sourcing, etc. We're working with critical stakeholders in manufacturing risk management tools to establish cybersecurity as organizations adopt new technologies.
Organizations are interested in maximizing profits and reducing cost of operations. We wish to ensure that the decision is well-informed, not based solely on financial ROIs. Qatar is also working towards a law on CIIP.
Risk Framework and Data Privacy Bill
NANDIKOTKUR: What's the progress on QCERT's plans to develop a national CII risk management framework and rolling out the Data Privacy Bill?
AI HASHMI: The National Information Risk Framework's ready. It's undergone an exhaustive review by internal and external stakeholders. The data privacy bill is in the final review. The draft bill has undergone external/public consultation. Some of its highlights include:
- Promote protection of personal privacy of individuals, including children, regarding processing of personal information in the State of Qatar;
- Adhere to international obligations accepted by the State of Qatar and promote global privacy interoperability for free flow of information;
- Promote trust in interaction with digital environments;
- Minimize and simplify regulations to benefit businesses and consumers, encouraging self-regulation through mutual industry codes of conduct;
- Protect the rights of individuals to object to processing of any personal information about that individual for a primary purpose; withdraw consent to processing personal information about that individual for a secondary purpose; remove or erasing personal information about that individual; correct, remove or erase inaccurate personal information.
Incident Response Mechanism
NANDIKOTKUR: What incident response mechanism does QCERT recommend to enterprises for beefing up cybersecurity?
AI HASHMI: All organizations must build capacities and have the necessary skill sets to detect and provide a minimum first level of incident response. QCERT's training them to build capability; we work with stakeholders to build Computer Security Incident Response Teams (CSIRT).
A key aspect - organizations should focus on sharing skills with peers within and outside their sectors. We will provide timely alerts/advisories, preparing them to handle future threats.
While we have an allocated budget for tasks related to risk assessment, the conclusion of a proper assessment will result in how much an organization's willing to invest in cybersecurity.
Skill Development and PPP
NANDIKOTKUR: Can you elaborate on the skill development plans and private/public partnership model to involve the stakeholders?
AI HASHMI: We've a multi-pronged strategy to bridge the skill gap. We've tied up with an international provider for niche security training for stakeholders, free for Qataris. We've developed our own training portfolio in NIA policy implementation training, NIA policy audit training, training for building CSIRT, incident management etc.
We've trained hundreds in cybersecurity skills and NIA policy implementation. We work with colleges and universities to help students consider careers in cybersecurity.
We've succeeded hugely in our Information Risk Expert Committee initiative, a PPP model, bringing together critical sector organizations and regulators, identifying common issues and finding solutions. Another success was working with the Qatar BCI Forum to develop the Qatar Business Continuity Guidelines.