Saudi Arabia strives to improve its cyber-readiness: Potomac assessment
Saudi Arabia strives to improve its cyber-readiness: Potomac assessment

Saudi Arabia's efforts to achieve cyber-readiness are well underway, following a range of external threats, from the 2012 Aramco attack to the more recent Iranian hacking team APT33, as well as significant attacks in 2016 (see below) in addition to internal cyber-threats faced by the regime – including perceived ‘moral' threats.

The country has started to make considerable progress in improving its overall cyber-security and in achieving the ambitious goals set forth in its Vision 2030 strategy – the new national economic reform agenda, according to the recently published “Saudi Arabia Cyber Readiness at a Glance” report from The Potomac Institute for Policy Studies (PIPS).  This is the ninth study in a series of country reports assessing national-level preparedness for cyber-risks based on the Cyber Readiness Index (CRI) 2.0 methodology. It covers Saudi Arabia's current cyber- security posture and its efforts to strengthen the country's security and resilience in the wake of significant cyber- threats to the nation.

According to the CRI 2.0 assessment, Saudi Arabia's newly-established Presidency of State Security – the new state security agency responsible for counter-terrorism, domestic intelligence efforts, and cybersecurity – is seeking to enhance the country's cyber-readiness by developing and formalising a national cyber-security framework and strategy; clarifying cyber-related roles and responsibilities of different ministries and organisations within the country; enhancing information sharing and cooperation; and increasing cyber-security awareness and capability.

Back in 2011, the Ministry of Communications and Information Technology (MCIT) – one of the government agencies responsible for cyber-security and digitisation of government services in Saudi Arabia – began developing the country's first “National Information Security Strategy (NISS).” The draft strategy – currently in its seventh iteration – articulates a clear vision for Saudi Arabia, stating that its goals are to provide a secure and robust digital environment that incorporates best practices from around the world and that relies on highly qualified Saudi experts and practitioners. The biggest challenge to closing the gap between where the Kingdom's cyber-security posture currently is and where the NISS envisions it to be is the lack of a sufficiently skilled and qualified cyber-security workforce.

Last year Saudi Arabia experienced a new wave of cyber-attacks that affected government agencies and private sector companies and placed renewed urgency on the need for the country to develop cyber-security capacity and resilience. The Kingdom sustained almost 1,000 cyber-security attacks targeting critical infrastructure, seeking to steal data, and causing services interruption in 2016. Cyber-incidents of national interest fall under the responsibility of the Saudi Computer Emergency Response Team (CERT-SA), which was established in 2006. In an effort to begin assessing national-level cyber-risks and developing a consistent national cyber-risk assessment and management process, the NISS calls for the creation of a dedicated National Risk Assessment Function (NRAF) to provide a common national risk framework.

Saudi Arabia is a signatory of the “Arab Convention on Combating Information Technology Offences” (commonly known as the Arab Convention). One of the 18 member states to sign the Arab Convention, Saudi Arabia is the only country that has not yet ratified it. Moreover, there is no reference to the convention's provisions in any of the Arab nations' cyber-crime laws, and coordination between the 18 state parties remains ineffective. In 2007, a broad Anti-Cyber Crime Law (ACCL) was passed, but it has sparked widespread criticism by legal experts and human rights activists for what is being perceived as an overly zealous use of “moral” violations to fine, arrest, or prosecute activists and Saudi citizens for political or religious purposes, rather than using the law to prosecute actual cyber-crimes and protect digital assets.

While Saudi Arabia does not have a national information sharing policy, the draft NISS strategy highlights the importance of national and international information sharing and cooperation, and is committed to expanding information exchanges on emerging threats and vulnerabilities, and appropriate mitigation technologies. The National Cyber Security Center (NCSC) shares threat intelligence with government agencies, critical national infrastructure (CNI) operators, and other stakeholders in the Kingdom, but this capability is still maturing. Saudi Arabia is also a member of the Organisation of Islamic Conference-Computer Emergency Response Team (OIC-CERT), a group of 18 countries including Egypt, Iran, Turkey, and Nigeria. This group includes national CERTs from the various countries and is intended to facilitate information sharing among Islamic countries.

The draft NISS identifies some initial projects that are designed to expand existing capability, including providing support to researchers and innovators to translate successful ideas and research into patents and commercialised products, but does not clearly state how the government would support, advance, and sustain these efforts. To address the cyber-security labour shortage, the MCIT has launched talent development programmes and partnerships with global IT companies to train more than 56,000 Saudi youths on key ICT skills between 2017 and 2020, and has set up a National Information Technology Academy in collaboration with Saudi Aramco to train and develop Saudi talent.

Following the 2012 Saudi Aramco attack, the Saudi government started to increase its spending for cyber-security technology solutions and services. Recently, the Saudi Arabia Military Industries – a state-owned defence enterprise – partnered with United States' defence contractor Raytheon to cooperate on defence-related projects and technology development, including cyber-security. The partnership will contribute to the goals highlighted in the Vision 2030 strategy of developing a Saudi localised defence ecosystem with expert capabilities and new job opportunities.

Saudi Arabia does not consider cyber-security a top tier foreign policy issue and has not prioritised this area within its Ministry of Foreign Affairs. However, Saudi Arabia is assuming a much more assertive role within the Gulf Cooperation Council (GCC), especially given the increased tensions with Iran and the cyber-attacks emanating from Iran's territory. In addition, Saudi Arabia has been involved in high-level bilateral dialogues with countries including the United States and India aimed at fostering information exchanges related to terrorism financing, money laundering, and the use of cyber-space by terrorist and criminal groups. Vision 2030 emphasises Saudi Arabia's strategic location as the hub connecting Asia, Europe, and Africa. Balancing the twin goals of economic prosperity and national security requires a sophisticated diplomatic corps and a commitment to leading the region to realise the Vision 2030 goals.

There are several ministries within the Saudi government with cyber-security mandates that incorporate cyber-defence of the nation, including the Ministry of Defence and Aviation and the Ministry of the Interior. These and other government agencies are beginning to invest in cyber-technologies and in advancing their cyber-capabilities. In addition, Saudi Arabia seeks to equip other defence forces, including the National Guard, with dedicated cyber-capabilities. There is no evidence that the Kingdom has formalised the military or the intelligence services' cyber-security mission in a policy or decree.

The Cyber Readiness Index 2.0 shows that few countries have aligned their national economic vision (digital agenda) with their national security agenda, and seeks to incentivise this alignment by bringing attention to each country's Internet-infrastructure dependencies and vulnerabilities, and the national economic erosion caused by cyber-insecurity. The CRI 2.0 builds on the Cyber Readiness Index 1.0 and provides a comprehensive, comparative, experience-based methodology to evaluate countries' commitment and maturity to closing the gap between their current cyber-security posture and the national cyber-capabilities needed to support their digital future.

The CRI 2.0 methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is currently being applied to 125 countries. The resulting country reports are based on over seventy individual indicators across seven essential elements to discern operationally ready activities and identify areas for improvement in the following categories: national strategy, incident response, e-crime and law enforcement, information sharing, investment in research and development (R&D), diplomacy and trade, and defense and crisis response.  CRI country profiles for France, Germany, India, Italy, Japan, the Netherlands, the United Kingdom, and the United States are currently available.