Strong partnerships, information sharing essential for Saudi’s new Cyber Security Authority
Saudi Arabia’s National Cyber Security Authority is a first step towards fulfilling the aims of Vision 2030. However, it cannot succeed without stronger public-private partnerships, better information sharing, and clear legal frameworks regarding data security and privacy.
Saudi Arabia recently announced the creation of a National Authority for Cyber Security. The Authority will be chaired by the Minister of State Musaed Al-Aiban. Also heading the Authority will be the Saudi President of State Security, Chairman of General Intelligence, Deputy Minister of Interior, and Assistant Minister of Defense. According to Minister Al-Aiban, the Authority aims to enhance the protection of networks, IT systems, and data through regulatory and operational tasks. The Authority will also seek to attract human resources in the cybersecurity field and build partnerships with the private sector.
Cybersecurity: a strategic national interest
The National Cyber Security Authority continues an ongoing trend by the Kingdom of elevating the issue of cybersecurity to national importance. Saudi Arabia’s Vision 2030 agenda called for diversifying its economy away from oil and gas and promoting growth in its so-called ‘knowledge economy’. Much of this growth will be fueled by digitization – including IT innovation, big data projects, smart city initiatives, and cloud-based services.
Crown Prince Mohammad bin Salman al-Saud discusses the Kingdom’s Vision 2030 agenda
Yet technologically-oriented growth will generate a new set of heightened cybersecurity risks. The Kingdom is already the most-targeted country in the Middle East when it comes to malicious cyber activity. The Saudi government is particularly vulnerable, as demonstrated this year by the Shamoon 2.0 virus, which penetrated state-owned energy enterprises, as well as a range of cyber-attacks that targeted the National Aviation Authority, the Saudi healthcare sector, and other public sector institutions.
Developing capabilities
In February 2017, the Kingdom launched the Saudi National Cyber Security Center (SNCSC), which sought to improve government- and critical national infrastructure resilience to cyber threats, as well as develop internal capabilities. Through the SNCSC, the Kingdom has also aimed to attract cyber expertise and technologies from abroad. The new Cyber Security Authority likely aims to complement the SNCSC’s tactical enhancements by generating broader national strategies and regulatory frameworks.
The National Cyber Security Authority is a welcome development. Attracting human capital is clearly necessary – the Middle East ranks in the bottom half of regions globally for cyber education and training, despite MENA countries having some of the highest Internet and smartphone penetration rates worldwide.
Creating a centralized national institution regarding cybersecurity is also needed. Saudi Arabia has tended to focus on investing in national cybersecurity technologies without producing clear strategies to deter, detect, and mitigate genuine cyber threats to public institutions. The Authority should accordingly encourage inter-agency information-sharing and planning regarding imminent cyber threats to national infrastructure.
The private sector’s need for regulation
The ability of the Authority to improve cybersecurity outside the public sector will not be significant in the short term. Saudi Arabia’s strategies and laws affecting data security in the private sector are vague and antiquated. The term “personal data” remains undefined in Saudi law, and private institutions are forced to create their own ad-hoc rules regarding data security. Most legal frameworks affecting private sector cybersecurity focus on discouraging online activism or insults to religious and moral tenets, and do not offer standards to deter and mitigate genuine cyber threats.
The Authority’s aim to build relationships with the private sector has the potential to follow in the footsteps of Dubai’s 2017 Cyber Strategy, which relies on collaboration between international, public and private sector stakeholders to create national cybersecurity laws and standards that are universally implementable. However, there are obstacles to fostering such collaboration within Saudi Arabia.
Central to any public-private cybersecurity cooperation must be information-sharing, and the Saudi government – like many states in the region – is likely to initially resist exposing internal cyber breaches and vulnerabilities out of fear of signaling weakness to the public. The legacy of the Saudi government’s robust surveillance presence and use of cyber power against journalists, activists, and private entities may also breed distrust among companies to cooperate with the government on cybersecurity. This is augmented by private companies’ existing fear of unilaterally exposing their own IT weaknesses to competitors. Ultimately, the public-private partnerships called for by the Authority will require concerted effort on the Saudi government’s part.
For the Kingdom’s National Cyber Security Authority to be effective, the Saudi government must foster trust within the private sector and create incentives for public-private information sharing. It must then build upon that collaboration to generate clear laws and regulatory frameworks that promote sound cybersecurity practices throughout the country. As Saudi Arabia advances towards its digitized future outlined in Vision 2030, the success of the Kingdom’s cybersecurity strategy will depend on whether the Saudi government’s partnership with the private sector can be realized.
