By defining the realities and challenges of cybersecurity in the Arab States, we can consider some achievements that could form the basis of the strategic vision:

• The trend of many Arab States towards adopting a national cybersecurity strategy 
• The trend of many Arab States towards the adoption of general cybersecurity legislation 
• The importance of Arab initiatives in bringing Arab national legislation closer together and developing joint action in the area of cybersecurity 
• Most Arab States rely on the best legislative practices of the world to develop either the strategy or the national cybersecurity legislations. 
• Value the role of initiatives of global international and Arab organizations in developing effective national strategies and legislations.

The Arab States lack National cybersecurity policies, which reflects the lack of a clear or far-reaching view of cyber risks and the strategic objectives to be achieved. The development of a strategy for cybersecurity is the first step towards achieving a secure digital space for any institution or State. Undoubtedly, the path of this strategy begins after each State has defined its own vision and message regarding the management of the cybersecurity and the impact of its risks. One of the most important and best global references in this regard is the International Telecommunication Union “GUIDE TO DEVELOPING A NATIONAL CYBERSECURITY STRATEGY.” 

Once the vision and the message had been defined, the analysis of the gap between the gap and the desired situation should begin to be completed, and the strategy should then be developed to serve as the road map towards moving to the desired situation. The cybersecurity strategy must be implemented within a framework of institutional governance that ensures that risks are reduced and resources are well exploited, that initiatives and projects are in line with the objectives to deliver expected outputs, and those Indexes for measuring performance are developed at all stages.

A global cybersecurity framework is also strongly recommended, representing the best global practices for managing this important topic. One of the best known models is the NIST Cybersecurity Framework, which operates on five parallel hubs in order to have full cybersecurity capabilities, which are:

• Identify the digital assets and the associated risks 
• Protect and Secure 
• Detect cybersecurity events 
• Respond to cybersecurity incidents 
• Recover from cybersecurity incidents

It should be noted that the ACSS encompasses a general framework that can be used anywhere and in any of the different business sectors. It is not linked to specific technology, but is compatible and integrated with a very large number of the most popular global standards and frameworks associated with cybersecurity. The implementation of this framework shall be linked to the existence of several mechanisms, including, but not limited to:

• Mechanisms for determining the critical digital assets of an enterprise
• Mechanisms for risk assessment 
• Mechanisms for assessing impact on businesses 
• Mechanisms to support the principle of continuous improvement

One of the most important factors and axes supporting tangible success in possessing cyber capabilities, whether in defense or cyberattack, is research and development. The level of success in achieving the required capabilities is linked to the volume of expenditure and logistical support available to research and development operators, whose branches and disciplines are very numerous, for example (cloud computing • mobile phones systems - systems and virtual applications - embedded systems and Internet of Things applications).

In that regard, it is important to highlight the opportunities for the required partnership between the private and the governmental sector. This could promote investment in that area, with a view to achieving many objectives, not only supporting research and development, but also creating opportunities for the development of solutions and applications or processes that support cybersecurity and enrich the technology market in the Arab States.

The ACSS should identify and evaluate the evolving cyber threat environment and potential impact and consequences on critical infrastructures and essential services. The ACSS should first identify the country’s domestic critical infrastructures and services – those physical and cyber systems and assets that are vital to the proper functioning of society and economy, and whose incapacitation or destruction would have a debilitating impact of the physical or economic security or public health or safety of the country. A cyber threat landscape assessment should be conducted to identify the specific cyber threats and risks page critical infrastructures and services, as well as the individuals who use and rely upon them, and to help prioritize resources to protect them. Such an assessment would also inform and help align cyber risk management strategies with the country’s crisis management plan. It can also help harness the necessary capabilities/capacities, people, funding, and strategies to strengthen the overall cybersecurity posture of the region.

Any successful system is based on three main axes (individuals - regulations, policies and laws - technology). In the area of cybersecurity, human resources are among the most important and almost all-important components of the system. Whatever the ability of institutions and States to possess highly sophisticated techniques, the best possible performance of such techniques will continue to depend on the capacity to operate and manage them. Therein lies the critical importance of cadre development and human capacity building. It should be noted that the world is experiencing a significant shortage of trained and qualified personnel to secure thousands of technologies in the business sectors, such as: Education, health, e-government services and banking services of various kinds, regulated by industrial control and critical infrastructure management networks, which may be the most hazardous of all, since tampering with the settings of such networks or illegal communication with them may lead to complete paralysis of institutions and even States. 

In this regard, there are well-known models and global frameworks that can be relied upon or even adopted as they are for a vision of preparing specialists in various areas of cybersecurity. The most famous model is the National Initiative for Cybersecurity Education (NICE) developed by the American National Institute of Standards and Technology (NIST). This framework defines a number of workers in cybersecurity and sets out for each function a type of job description in addition to the capabilities and skills required for the job. Thus, enabling to develop specialized training programs for the preparation of specialists from various cybersecurity branches, such as a clear path to developing the capabilities of workers in this field from the earliest to the most advanced levels. Perhaps the best Arab initiatives in this context is the Saudi Arabia›s so-called: The “Saudi initiative for cybersecurity cadres (swords)».

While we are talking about the human factor as one of the most important factors supporting the success of the cybersecurity system, it does not stand within the limits of specialists and cybersecurity officials, but rather extends to every individual in the institution. It is very likely that an enterprise will be fully targeted by any employee or affiliate, or even by any individual who has dealt with it, such as suppliers, clients, partners and any other institution associated with the target to be breached. Hence cybersecurity awareness as a critical factor, as we always stand that the weakest link in the information security chain is the human factor.

Promoting security standards

The adoption of specific cybersecurity standards as a minimum for technological security controls is important. Many States in the world have developed binding standards and controls to achieve a minimum level of cybersecurity objectives, which would be enhanced but cannot be removed without them. One of the most famous global models 
in this regard is that of the United States of America. 

• FIPS Federal Information Processing Standards 
• CC Common Criteria 
• NIST 53-800 r5 (Security and Privacy Controls for Information Systems 

There are also many global models that represent public standards that are not linked to a State, but can be used as public references and accepted by all the world›s specialists: 

• CIS Controls - Top Critical Controls 
• ISO 27001 International Standard for Information Security 

Some Arab examples on this context are the United Arab Emirates, the Kingdom of Saudi Arabia and Qatar, where they have binding regulations over the various business sectors in order to achieve a minimum level of State-level cybersecurity. They are also established to develop more specialized regulations in each business sector, or more robust ones, in accordance with actual security requirements.

The ACSS should be accompanied by, or reference, an implementation plan that outlines in greater detail how its strategic objectives will be achieved. Effective implementation plans identify the accountable entity responsible for each task and objective, the resources required to execute them over time (near-term, mid-term, long-term), the processes that will be used, and the outcomes that are expected

The exchange of expertise and technical information related to the analysis of cyber-hacking mechanisms and the attempt to determine its source and objectives is an important and potentially useful outcome of joint Arab cooperation. Access to information and the timing of access to information are crucial in detecting or predicting cyber accidents. They may also be prevented or their effects to be reduced. The idea of cooperation and exchange of information is not new, and perhaps one of the strongest examples is the North Atlantic Treaty Organization (NATO) model that created a Centre of Excellence for Joint Cyber Defense from NATO member States. The Centre includes specialists from 25 different States, monitors cyber threats to any NATO State and attempts to repel such attacks in coordination with all concerned States in order to prevent or minimize their impact. In order to be productive and effective, this cooperation must cover the three axes.

• People
• Policies, procedures and laws
• Possession of the appropriate technologies

It is also possible to share some technical information because of this cooperation with the relevant research centres in the Arab States, thereby enhancing their research capacity and developing their tools in response to cyberattacks.

The ACSS should specify the allocation of dedicated and appropriate resources for its implementation, maintenance, and revision. Sufficient, consistent and continuous funding provides the foundations for an effective national cybersecurity posture. Resources should be defined in terms of money (i.e., dedicated budget), people, and, materiel. Successful execution also requires political commitment and leadership, underpinned by trusted partnerships. The objectives and tasks within the ACSS should not be viewed as a one-time allocation of resources. Resourcing requirements should be revisited regularly based upon progress or shortfalls in the implementation of tasks or objectives of the ACSS. The government may also consider the establishment of a central budget for cybersecurity, managed by a central cybersecurity governance mechanism. Whether assembling disparate funding sources into a coherent, integrated program or creating a unified intra-governmental budget, the overall program should be managed and tracked by milestones to ensure successful implementation of the ACSS

National Cyber Incident Response Centres are the first line of defense or units for early detection of cyberattacks. They play an important role in trying to identify the sources and objectives of such attacks and in trying to analyze their methods of work and the gaps targeted by such attacks. At the very least, there should be at least one State-level Centre, preferably coordination between the Centre and similar centres, which operate within a limited scope at the level of a specific institution or one of the ministries. It is also recommended to establish specialized centres at the level of different business sectors, such as health, communications, critical infrastructure... There are different types of requirements from sector to sector and the priorities, means and objectives of cyberattacks vary from sector to sector and from enterprise to enterprise. The Cyber Incident Response Centres are located in many Arab States but vary in their capabilities and potentials they also lack mechanisms for joint Arab cooperation and exchange of experience and information. In a number of States, there are no such centres, which necessarily requires an urgent plan to support the establishment of their national cyber response centres and the training of their personnel. Several international references can be drawn upon in this regard, notably the ITU releases on these Centres, as well as the European Union Agency for Cybersecurity (ENISA), as well as the National Institute of Standards and Technology of the United States of America.

The ACSS should reflect an understanding of the dependencies that the government has on the private sector and other national non-governmental stakeholders (and vice-versa) in achieving a more secure, safe, and resilient ecosystem (Principle of Inclusiveness). To this end, the ACSS should articulate how the government will engage these different stakeholders and define their roles and responsibilities. For example, the ACSS should identify a network of authoritative national contact points for critical industries that are essential for the operation and recovery of critical services and infrastructures. The ACSS should be aligned with other national priorities, such as ensuring connectivity is affordable, available, and inclusive; advancing data protection and privacy while promoting innovation; strengthening infrastructures resilience and service availability to disasters, climate change, and pandemics; exploring new technologies like AI, blockchain, quantum computing; etc.

Largely, there is a significant gap between the technical or, if any, information security disciplines of university students and the actual needs of the labor market. One important step in providing trained cadres to fill the severe deficit between the needs of the labor market and the number of suitably qualified individuals to fill these posts will be to move towards the provision of cybersecurity-related disciplines. Large, well-trained numbers can be provided in a short period of time and at a small cost compared to specialized training costs or globally approved courses, which usually cost up to a few thousand dollars per course per trainee. 

It is also possible on the one hand, to develop content based on the preparation and supervision of selected academics and professionals in order to produce curricula at appropriate cost to prepare generations of cybersecurity specialists to meet the requirements of the labor market in the Arab region. On the other hand, to support scientific research efforts in this important area. With the exception of a very limited number of Arab universities, the vast majority of them lack cybersecurity specialties and perhaps some relevant subjects.

One of the greatest problems and challenges facing most Arab States is the lack of a definition of cybersecurity, as well as where the responsibility for securing information and systems lies. IT responsibility may be the responsibility of a single person within an IT department institution or task force, and in rare cases cybersecurity departments present and directly dependent on senior management. The latter model represents the global best practices in this regard. When it comes to developing a common vision for Arab States on cybersecurity, it is essential that all State bodies and institutions have an information security department with clear and specific tasks, as well as an administrative structure in this department with an appropriate job description so that each organization has an administration that secures all its digital assets. This Department and its staff are subject to performance evaluation through specific performance indicators and are constantly developing and improving. The Department shall be under the management of the highest authority within the institution to support its operational tools to activate cybersecurity policies, tools and controls.