The field of communications and information technology has recently developed in its diversity, nature and its versatility. These developments have led to increased global technological exchange and movement. This in turn has given many countries more responsibility to safeguard their national security and the security of their citizens since these new technologies can be utilized for both peaceful uses as well as malicious non-peaceful ones.
Cyberwarfare, the act of launching cyberattacks targeting information networks and online control systems, have emerged to become one of the most important issues that concerns the international community as a whole. Saudi Arabia has realized this and has therefore mentioned it in its Vision 2030 initiative, whichincluded an important pillar that focused on the development of digital infrastructure as the basis for the success of all the Kingdom’s aspects and fundamental objectives. This means that there is an increasing necessity to protect this digital infrastructure from cyberattacks by rival countries or terrorist organizations that aim to sabotage Saudi national security and stability.
To secure its national cybersecurity, Saudi Arabia needed to establish a national body which can detect, deter and protect it from such attacks.
King Salman issued a royal decree in October 31, 2017, ordering the establishment of the National Cybersecurity Authority (NCA). Minister of State and cabinet member Dr. Mohammad al-Ayban serves as head of the NCA’s Board of Directors; furthermore the NCA’s members include head of the state’s security, chief of general intelligence, deputy interior minister and assistant defence minister. The NCA aims to promote and protect the networks, IT systems and software in the Kingdom.
It is nevertheless important to note that Saudi Arabia has shown its cybersecurity capabilities even before the establishment of the NCA, as it protected its national institutions from malicious attacks. For instance, it countered an attack targeting Aramco’s e-system in August 2017.
In order to carry out its tasks successfully, NCA issued a document in October 2018, titled “Basic Controls to Enhance Cybersecurity” which aimed to set minimum standards to be applied in various national bodies in order to minimize cyber threats. This will contribute to enhancing the Kingdom’s cyberspace security and its vital economic interests and capabilities.
In this context, the document reviews the role of the NCA in addition to the most important institutions that assist it in its work. The roles of the NCA can be summarized as the following:
First: Saudi National Cybersecurity Authority… Its Tasks and Efforts
Securing cyberspace is a fundamental element for the 2030 Vision. This is especially true with the increase of cyber-threats which have increased the need to protect the information and communication systems. It is also paramount to maintain the confidentiality and integrity of information and enable vital national bodies to access infrastructure assets in a smooth and safe manner.
It is for these reasons that a royal decree was issued to establish the NCA, the decree also included the NCA’s regulatory and operational terms of reference in the area of cybersecurity. It called for the enhancement of the protection of networks, IT systems and systems of operational technologies along with their hardware and software components and data. The decree ordered taking into consideration the growing importance of national cybersecurity and called for the establishment of a stable national cybersecurity system, which can help the Kingdom become a leader in global cybersecurity.
Accordingly, the NCA prioritized attracting competent and ambitious national cadres, building partnerships with public and private entities, stimulating innovation and investment in cybersecurity to contribute to achieving a technological renaissance that serves the future of the Kingdom's national economy.
The fact that King Salman bin Abdulaziz Al Saud owns the NCA is evidence that the Kingdom prioritizes information security and quick responses to cyber-attacks.
It is important to note, however, that the NCA operates independently as to allow its experts to come up with the best and most efficient cyber security strategies. Thus, emphasizing the status and independence of this body to enact cybersecurity regulations and measures, the NCA has been able to apply these regulations on other government agencies and follow-up their application. That way, the NCA ensures all government agencies that work with it, work in a cooperative manner that ensures data protection throughout Saudi Arabia.
It is for the reason stated above, that the NCA established the National Cyber Security Center (NCSC) to build a secure and flexible e-space sphere to protect the priorities of the country and its citizens. The NCSC will also be boosting the economy through enhancing cooperation with government agencies and vital installations that are sensitive to cyber-threats, responding to cyber-incidents and activating security knowledge of the situation.
The NCSC’s objectives are aimed at enabling government agencies and vital installations to better prepare themselves against cyber-attacks. Thus they will be enhancing the overall status of cyberspace while also building and strengthening the Center's internal capabilities.
It issued a statistical report on threats and cyber risks during the first quarter of 2018, which included the following:
- During the period between January and March 2018, there was an increase in the number of attacks and cyber-threats compared to the fourth quarter of 2017 (which was at 5.13%) as malware and hacking attempts represented most of the cyber-threats. This indicates that the attackers wanted to stay within the affected networks for as long as possible, and there was a gradual decrease in hacking attempts since the third quarter of 2017. However, the diagram shows a significant increase in the use of malware, indicating that the hackers were using new tools and methods to access and damage sensitive information.
- During the same period, government agencies were the most targeted, followed by institutions within the education sector and the telecommunications sector. These results reflect the hackers’ desire to affect the national economy as these sectors are among the most important as shown in the figure. These agencies would have been severely affected if the hackers were to obtain the sensitive information they sought.
The NCA’s efforts were not limited to establishing the NCSC. It also carried out many tasks as specified in its terms of reference. Among most of its prominent achievements are the following:
- Issuance of the national manifesto, which is known as "Strengthening Cybersecurity" with its binding rules for all parties to protect their security especially their data security. Notably, the NCA is responsible for cybersecurity in the Kingdom and is set to develop policies, governance mechanisms, frameworks, standards and guidelines related to cybersecurity in order to provide them for relevant parties. The NCA would then follow up these parties’ compliance with these guidelines and update them if deemed necessary.
- The launch of programs aimed at building national capacities in the field of cybersecurity. These programs include:
- Cybersecurity Training Program (CyberPro), which aims at raising the competency of public sector employees working in the cybersecurity field and recent university graduates in majors related to cybersecurity. In its first year, NCA aims to provide some 800 training opportunities to Saudi young men and women in this field with the help of international specialist companies under NCA’s supervision.
- Cybersecurity Scholarship initiative in partnership with the Ministry of Education via the Custodian of the Two Holy Mosques’ Foreign Scholarship Program. NCA reached an agreement with the ministry to increase the number of places for foreign scholarships for the first year from 200 to 540 for both genders. The objective is to meet the need to build national capabilities in cybersecurity and cover shortages in the labor market in both public and private sectors to protect networks and IT systems.
- Organization of many partnership workshops in cooperation with government agencies to raise awareness, readiness, maturity and sharing of information in the field of protection against cyber-threats at the national level. In this regard, the NCA organized a workshop in Riyadh in November 8, 2018 on the national situation of cybersecurity in the Kingdom and the most important projects and initiatives launched by the NCA. The workshop was attended by more than 200 governmental and vital sectors' representatives. The workshop discussed the most significant challenges and cyber-threats as well as the means of dealing with them. It also discussed the necessary preventive measures against these threats, assuring the NSA and other parties’ capabilities in enhancing their cybersecurity.
Second: Strengthening Cybersecurity Agenda’s Objectives
The NCA has issued a document entitled "Strengthening Cybersecurity", which aims to develop policies, governance mechanisms, frameworks, standards and guidelines related to cybersecurity in order to provide them for relevant parties, follow up their compliance with them and update them all.
This step comes as a response to the royal decree issued in July 2018, which ordered all government agencies to raise their cybersecurity level to protect their networks, systems and e-data in accordance to NCA policies, frameworks, standards and guidelines.
The decree also included the private sector entities that have, operate or host sensitive national infrastructure.
These regulations aim at supporting basic cybersecurity controls and minimum cybersecurity requirements for sensitive information networks. Thus, meeting current security needs and increasing the entities’ readiness within the scope of these controls. The regulations would therefore protect sensitive systems and prevent unauthorized access which would result in costly risks and losses at the national level.
The controls adopted are based on five key components that focus on cybersecurity governance, enhancement and resilience in addition to cybersecurity on foreign parties, cloud computing, and industrial control systems. The manifesto document included 114 main controls.
Notably, these controls have been prepared through several stages. A survey of the visions of more than 260 national bodies was carried out; a study on the national decisions, standards, frameworks and controls was prepared by local and international bodies. Best practices and experiences in the field were extrapolated in addition to analyzing incidents and cyber-attacks at the level of government agencies and other sensitive parties during the past periods.
Third: Cybersecurity is Everyone’s Responsibility
It wasn’t coincidental that the interest in cybersecurity extended to all areas in light of challenges facing the Kingdom to complete building its modern state in accordance with Vision 2030. It has realized that to achieve its desired renaissance it needs to protect its systems and information structure.
Therefore, all sectors joined forces to attain cybersecurity, starting with the education sector.
Most universities in the Kingdom are keen on teaching information security subjects in their computer faculties. Some of them have even set up postgraduate programs in this field through the establishment of centers and institutions concerned with cybersecurity in order to help the NCA achieve its tasks and objectives. Below are some of the most prominent centers:
1- The National Center for Security Operations in the Interior Ministry. The Center provides security service, including the information, statistics and reports for the security services associated with the Ministry. It also coordinates the efforts of these bodies, and if necessary, it coordinates between the security services and government or civilian sectors.
In addition, the Center also follows up security emergency cases to assess the situation and see whether there is need for its intervention in the case of the concerned body’s inability to deal with it or in the case that situation could pose a national level threat.
It consists of the main operations department and includes representatives from all security sectors and liaison officers from the Ministries of Defense and National Guard to easily receive and pass information. It also includes a number of departments: Department of Planning and Information, Department of Crisis and Disaster Planning, Department of Technical Support, Department of Television Monitoring, Department of Administrative Affairs and Emirates of Regions.
2- The National Center for Cybersecurity Technology in King Abdulaziz City for Science and Technology (KACST). It was established in the framework of KACST’s quest for Saudi society to rapidly transition to a technologically literate and tech savvy society. Moreover, it was founded on KACST’s goal of making Saudi Arabia a leader in the field of information technology through the application of the National Science Technology and Innovation Plan (NSTIP) during the next 20 years in addition to strengthening cooperation with the leading authorities in this field.
It also seeks to become a regional center for research in the field of cyber-crimes and digital forensics as to make strategic leads in the field of information security on regional and global levels.
In order to achieve all of these objectives, the Center organized a series of specialized training courses in several areas, namely: information security, encryption, digital analysis, reverse engineering, network security, application security and analysis of e-hacking.
3- Saudi Federation for Cybersecurity and Programming, which is a national institution that was established under the umbrella of the Saudi Arabian Olympic Committee. It aims to build national and professional capabilities in the fields of cybersecurity and programming in line with the established and internationally recognized practices and standards. This will in turn expedite the ascent of the Kingdom to the ranks of developed countries in the domain of technology innovation.
In this context, the institution’s work was specified as following:
- Establishing activities and programs that help increase society’s awareness of the importance of cybersecurity and programming and encouraging and supporting young people to become professional in these areas.
- Building and launching specialized educational and training initiatives to assist in educating society in modern threats and methods to counter them and building of distinctive national competencies.
- Establishing and organizing contests and encouraging the spirit of competition, in addition to supporting and qualifying young people to participate in local or global competitions specialized in cybersecurity and programming.
4- The Cybersecurity Unit at Prince Sultan University. It targets motivating, educating and training a new generation of cybersecurity researchers and professionals to produce experts in cyber-technologies and systems.
The unit fosters several collaborations with national and international security research groups and centers, governmental agencies, companies and academic institutions with the purpose of excellence in security solutions outcomes.
Overall, the Cybersecurity Unit aims to contribute significantly in providing educational, research, outreach, and partnering security services nationally and internationally.
Finally, building cybersecurity is the most important element to protect the Kingdom's projects and achievements as it enables the Kingdom to move forward towards establishing the rules of development and construction in all its aspects
These rules are defined as following:
- Preservation of the privacy and confidentiality of information by preventing access to information except by the authorized party.
-Verification of user identity, integrity, unity and homogeneity of information to prevent change and tampering.
-Readiness of information and equipment and availability upon request to the authorized party after verification of identity.
This is the essence of cybersecurity process, which the Kingdom successfully achieved to ensure the success of its Vision 2030.