Cybersecurity in Saudi Arabia calls for clear strategies

Cybersecurity in Saudi Arabia calls for clear strategies

When it comes to cyberattacks, Saudi Arabia is the most targeted country in the Middle East. While the Kingdom’s cybersecurity is improving, clear national strategies, policies, and legal frameworks are absent.

As part of its recent National Transformation Program and Saudi Vision 2030, Saudi Arabia aspires to rapidly develop its non-oil economic sectors and privatise state-owned enterprises. Central to these goals is a nationwide digital transformation initiative to improve the Kingdom’s technology infrastructure, drive innovation, and grow its high-skilled workforce.

Digitalisation in Saudi Arabia is already well under way

Evidence of Saudi Arabia’s digital transformation already exists. The Kingdom holds the highest number of fixed broadband Internet subscribers in the Arab world and internet access has increased nearly 30 percent since 2010. The government provides over 500 services through mobile and online platforms, and Saudi Arabia is home to over 40 percent and 10 percent of all Twitter and Facebook users in the Arab world respectively. Saudi energy, power, and water services are deploying smart grids and advanced digital meters, and e-commerce is projected to double by 2020.

… and demands cybersecurity to match

The Kingdom’s increasing reliance on digital technologies requires robust cybersecurity initiatives. In 2015, Saudi Arabia recorded over 160,000 offensive cyber actions a day, making it the most targeted country in the Middle East. Predictably, most of the targets were the Kingdom’s oil and gas, banking, and telecommunications sectors.

Saudi Arabia is the largest petroleum exporter worldwide and possesses the second largest banking sector in the Arab world. The country is also a key member of the Gulf Cooperation Council (GCC) and possesses a strong security relationship with the West, particularly the United States.

Cyber power is accordingly a useful asymmetric tool for Saudi Arabian adversaries to challenge the Kingdom’s growth and security. The most prominent example is the Iranian-attributed 2013 Shamoon virus against the Saudi oil giant Aramco, which wiped out the hard drives of 85 percent of the company’s devices and shut down the company’s operations for two weeks. In the past year, Iran has carried out cyber espionage campaigns against Saudi financial, defence, and technology institutions as well as shut down Saudi government websites.

Non-state cyber actors such as the Houthi-backed Yemen Cyber Army and ISIS affiliates have also hacked government-sponsored news sources, penetrated Saudi Foreign Ministry email correspondences, and acquired Saudi government employees’ personal data.

Aramco HQ in Dhahran, Saudi Arabia

Aramco HQ in Dhahran, Saudi Arabia

Cybersecurity is more than investment

Improving Saudi cybersecurity capabilities in the public and private sectors is clearly necessary. Investment in new capabilities is already occurring. The Saudi IT market is growing at 3.8 percent annually and the Kingdom’s cybersecurity market is projected to grow nearly 60 percent to $3.48 billion by 2019. The United States is also reportedly providing GCC governments with advanced cyber defence and intelligence technologies. Involvement of foreign investment and talent can further address Saudi Arabia’s cybersecurity skills shortage.

Yet fielding new capabilities will be insufficient without clear, national cyber strategies, policies, and laws. While Saudi Arabia produced a 2013 National Information Security Strategy recommending the development of cyber policy and legal frameworks, those have yet to be implemented. The Kingdom’s approach to cybersecurity is currently ad hoc, with businesses and government agencies individually fielding new capabilities and initiatives only after they have been targeted.

Ineffective strategies lead to ineffective security

Cyber crime provides an example of the Kingdom’s inadequate approach to cybersecurity. E-commerce’s growth has been accompanied by a comparable increase in cyber criminal activity–particularly through fraudulent financial transactions in online banking and retail. Some advanced operations utilise multiple cyber criminals to hack bank accounts from fake transactions, transfer and disperse money to their own accounts, and change names and credentials of original account owners.

Saudi Arabia’s regulatory approach toward cyber crime is grounded in Shari’a principles codified in the nation’s constitution. These principles broadly protect the right to individual privacy, which encompasses property, capital, and labour. Supplementing the Shari’a are the 2001 Telecommunications Act and 2007 Anti-Cybercrime Law, which prohibit breaches of privacy in the telecommunications sector and interception of private data on an information network respectively. The latter law further imposes penalties on cyber criminals of up to five years in prison and an $800,000 fine.

Yet this body of law has been ineffective. Specific government rules and regulations guiding e-commerce security are lacking. The term “personal data” is undefined in Saudi law, and the government requires financial institutions and online vendors to formulate in-house rules and guidelines to uphold their customers’ data security. This inconsistent approach fails to clearly stipulate the rights and privileges of customers and vendors. There is also no Saudi legal entity to notify if a data security breach occurs, which leaves Saudi Arabian courts to litigate data security measures based on general Shari’a principles.

Policy and legal frameworks aimed at combatting cyber crime have also largely been implemented to tackle internal threats and uphold religious and moral tenets. The Anti-Cybercrime Law claims to protect the legitimate use of computers and information networks as well as the public interest, morals, and common values. Under this framework, Saudi authorities have prosecuted online activists and social media users promoting adultery, homosexuality, and atheism. In 2010, the Saudi Commission for Promotion of Virtue and Prevention of Vice (the Hai’a) established a cybercrime-fighting unit, yet it predominantly blocked sexually explicit content and arrested individuals who “insulted Allah”.

While the Saudi government monitors the nation’s internet content through the Communications and Information Technology Commission (CITC), it does little to deter, detect, and mitigate cyber threats outside the scope of activism or immorality. The government often downplays a major breach’s effects, creating an impression that offensive cyber activity will be treated with impunity. Perfect cybersecurity is near impossible to achieve, yet clear national cyber strategies and laws can sufficiently raise the costs to cyber adversaries.

Looking ahead, Saudi Arabia will need comprehensive cybersecurity measures

While Saudi Arabian cybersecurity is improving, the country lacks clear national strategies, policies and laws to deter, detect, and mitigate cyber threats. This complicates public and private cybersecurity by forcing institutions to create ad hoc and inconsistent security measures that lack legal clarity or impact.

As Saudi Arabia diversifies, privatises, and digitises its economy in the coming years, comprehensive cybersecurity measures and actions that go beyond technological investment may be increasingly necessary.

About Author

Azhar Unwala

Azhar Unwala is an analyst for government and corporate clients in the Washington, D.C. area. He was formerly a researcher at a Department of Defense-sponsored think tank and the Editor-in-Chief of the Georgetown Journal of International Affairs' International Engagement on Cyber series. In addition to studying and extensively traveling in the Middle East, he holds a B.S. in International Politics and Arab Studies from Georgetown University's School of Foreign Service.