Kingdom of Morocco Cyber Readiness at a Glance

KINGDOM OF MOROCCO CYBER READINESS AT A GLANCE

Melissa Hathaway and Francesca Spidalieri

December 2018

AC INST M IT O U T B T O E

F O G S E R I P D O U LICY ST Copyright © 2018, Cyber Readiness Index 2.0, All rights reserved. Published by Potomac Institute for Policy Studies Potomac Institute for Policy Studies 901 N. Stuart St, Suite 1200 Arlington, VA 22203 www.potomacinstitute.org Telephone: 703.525.0770; Fax: 703.525.0299 Email: [email protected]

Cover Art by Alex Taliesen.

Acknowledgements The Potomac Institute for Policy Studies and the authors would like to thank the following individuals and organizations for their contributions: Suzanne Moyer-Baazet, Co-founder of Nevo Technologies; Ghita Mezzour, Assistant Professor, International University of Rabat; and senior officials at the Gener- al Directorate of Information Security Systems (DGSSI), the Moroccan Royal Armed Forces (FAR), and the US Embassy in Rabat. The authors would also like to thank Alex Taliesen for cover art and Sherry Loveless for editorial and design work. KINGDOM OF MOROCCO CYBER READINESS AT A GLANCE

TABLE OF CONTENTS INTRODUCTION ...... 2 1 . NATIONAL STRATEGY ...... 10. . 2 . INCIDENT RESPONSE ...... 13. . 3 . E-CRIME AND LAW ENFORCEMENT ...... 16 . 4 . INFORMATION SHARING ...... 18. . 5 . INVESTMENT IN RESEARCH AND DEVELOPMENT . . . . 19 6 . DIPLOMACY AND TRADE ...... 22. . 7 . DEFENSE AND CRISIS RESPONSE ...... 23 CRI 2 .0 BOTTOM LINE ...... 25 . . ENDNOTES ...... 27 . . ABOUT THE AUTHORS ...... 31 . .

KINGDOM OF MOROCCO CYBER READINESS AT A GLANCE

Country Population 35 .740 million

Population Growth 1 3%.

GDP at market prices (current $US) $109 .140 billion

GDP Growth 4 1%.

Year Internet Introduced 1993

National Cyber Security Strategy 2013

Internet Domain .ma

Internet users per 100 users 58

Fixed broadband subscriptions per 100 users 3 56.

Mobile cellular subscriptions per 100 users 118

Information and Communications Technology (ICT) Development and Connectivity Standing

International Telecommunications World Economic Forum’s Union (ITU) 100 78 Networked Readiness Index (NRI) ICT Development Index (IDI)

Sources: World Bank (2017), ITU (2017), NRI (2016).

1 Internet Assigned Numbers Authority (IANA) INTRODUCTION to become the administrative and technical The Kingdom of Morocco regained its inde- contact and operate the .ma Internet do- pendence from France in 1956 and obtained main in the country. In 1995, the technical most of the territories under Spanish control management of the .ma domain was taken shortly thereafter. In 2011, King Mohammed over by state-owned National Posts and VI announced a series of reforms to Mo- Telecommunications Board (Office National rocco’s 15-year-old constitution in response des Postes et Télécommunications, ONPT), to the wave of pro-democracy movements which in 2008 was divided into two entities: that were sweeping through the Middle East Maroc Telecom (Ittisalat Al Maghrib or IAM and North Africa. The new constitution ef- in Arabic) for telecommunications – which fectively made the country a constitutional remains the main telecommunications pro- monarchy and elevated the role of the prime vider in Morocco – and Poste Maroc (Barid 3 minister to head of government, selected Al-Maghrib in Arabic) for postal services. through party election rather than chosen Morocco was one of the first countries in by the King. However, the King remains the the Middle East and North Africa (MENA) supreme commander of the military and region to set up a regulatory environment continues to chair the Council of Ministers for the ICT sector as a means of fostering a and the Supreme Security Council – the key level playing field for private operators. In councils that make security policy. Morocco 1996, the government adopted Law n°24-96, has positioned itself as the strategic partner which made it possible to launch the first and leader in the region, embracing inter- stage of liberalization of the telecommunica- national standards and becoming the de tions sector and make the Internet publicly facto getaway to Africa. The Internet was first introduced in Morocco between 1992-1993 thanks a United States (U.S.) government sponsored project called Internet access became available the “Leland Initiative” — a five-year, $15 to all citizens in Morocco in 1996. million effort to extend full Internet connectivity to more than 20 African countries.1 In Morocco, the initiative was carried out by MTDS, a technology and development available — officially ending the monopoly consulting company operating in Africa and of ONPT. In May 2006, IANA re-designat- headquartered in Morocco. Its engineers ed the administrative and technical contact were essential to the inauguration of eight for the .ma Internet domain and made the Internet Gateways in Sub-Saharan Africa from Moroccan National Telecommunications 1997-2002. In 1993, MTDS became Moroc- Regulatory Agency (Agence Nationale de co’s first Internet Service Provider (ISP).2 In Réglementation des Télécommunications, parallel, during 1993, the Ecole Mohammadia ANRT) the only official domain registrar in the d’Ingénieurs obtained permission from the country. In 2015, ANRT took control of .ma

2 and launched new automatic provisioning to promote the digitalization of its society of .ma domains. and to advance its digital economy. Since the Internet became widely avail- The liberalization of the telecommunications able to the public58.00% in the42.00% early 2000s and sector at the end of the 1990s was followed the demand for Internet services started by the publication of several digital strategies to increase, the num- aimed at positioning Morocco among the ber of Internet users in dynamic emerging countries in the ICT sec- Morocco has increased tor.6 These strategies included the following: exponentially, from • the “Morocco 1999-2003,” which out- less than 14 percent in lined the country’s vision for ICT and its 2008 to about 58 per- potential; cent of the population in 2017 (or about 20 Morocco's Internet • the “E-Morocco 2010,” which covered million users).4 To fa- Morocco’sPenetration rate: Internet58% from 2005-2010 and promoted remov- cilitate further Internet Penetration: 58% ing barriers via digital inclusion and ICT penetration, Morocco sector competitiveness; implemented a national broadband plan (as • the 2009-2015 National Pact for Indus- part of Digital Morocco 2013) to close the trial Emergence (Pacte Nationale pour connectivity gap across the country. Howev- l’Emergence Industrielle, PNEI), which er, Morocco still struggles to reach the “last looked to support export-oriented indus- mile” of rural areas, and therefore, the digital tries – in this case with offshoring and ICT divide persists in the country – affecting the services – through incentives, targeted quality of services and accentuating differ- training and support measures; ences between household income levels.5 In fact, household Internet access remains • the “Digital Morocco 2013” Strategy, which limited to a minority of Moroccans, with less covered from 2009-2013 and focused on than 4 percent of the population having fixed making the IT sector a cornerstone of broadband subscriptions. Mobile-cellular the economy – turning the country into subscriptions dominate the market and the a regional technology hub while at the high rate of mobile phone ownership (118 same time driving the development of percent market penetration) is driving up technical talent; Internet usage and increasing the demand for • and the latest “Digital Morocco 2020,” mobile services. The Moroccan government which covers from 2017-2020 and aims clearly supports increased Internet uptake to accelerate Morocco’s digital transfor- as a catalyst for economic growth. Morocco mation, encouraging ICT entrepreneur- has passed five digital strategies since 1999 ship, boosting its international position promoting electronic government services in cost-competitive IT services, and rein- and operations and increasing access to ed- forcing the country’s status as a regional ucation and public services. Additionally, the leader and gateway to Africa. government has put forward several reforms

3 As a result of the early push to develop the 1. consolidate ICT industries with a focus country’s ICT sector in the mid-1990s, Morocco on excellence niches such as offshoring; has become one of the leading destinations 2. support the automation of small and me- for investment – mostly from francophone dium-sized enterprises (SMEs); countries – in the field of call centers, IT offshoring, electronic payments, and the out- 3. boost e-government services; and sourcing of other business processes. Today, 4. foster the dissemination of ICT usage Morocco’s economy is highly dependent on a among Moroccan households.9 well-functioning and advanced ICT sector and over 3 percent of its gross domestic product (GDP) depends on contributions from the ICT Similar to earlier strategies, it continued to sector.7 The offshoring business, in particular, promote the need for “digital trust” as an attracts significant foreign direct investments, essential component for Morocco to create and several multinational companies have confidence in the digital economy. The strat- established operations in the country. egy intended to increase public access to broadband connectivity and transform the In 2009, the ANRT in coordination with the country’s ICT sector into one of the econo- Ministry of Industry, Commerce, Investment my’s main pillars and source of productivity, and Digital Economy (Ministère de l’Industrie, competitiveness, and added-value. It also du Commerce, de l’ Investissement et de allocated 5.2 billion MAD ($546 million) over l’Economie Numérique, MCINet) launched five years (2009-2013) to implement the ini- the wide-ranging National Strategy for Infor- tiatives and measures proposed, with over 80 mation Society and Digital Economy 2009- percent of the budget dedicated to “socially 2013 (Digital Morocco 2013). Its goal was transform” and create “user-oriented public to position Morocco as a strategic ICT hub services.” The strategy also named government in the MENA region and ARNT and MCINet agencies to govern and provide direction solicited input from the industry association for the strategy’s implementation, including Moroccan Federation of IT, Telecommunications the National Council of Digital Economy and and Offshoring (Fédération Marocaine des Information Technologies (CNTI), responsible Technologies de l’ Information, des Télécom- for elaborating policies related to the protec- munications et de l’Offshoring, APEBI) to in- tion of critical information infrastructure in the crease the likelihood of success.8 This digital country, and an inter-ministerial committee in plan recognized that the ICT sector already charge of steering e-government programs accounted for 7 percent of the world GDP, (CIGOV). The document, however, was not attracting 25 percent of the world economic supplemented by sectoral action plans spec- growth as well as 60 percent of jobs in the ifying desired outcomes and timelines for the industrialized world. The strategy articulated projects and actions proposed. Despite the 51 ambitious objectives to transform Morocco best of intentions, the strategy did not meet into an information society and promote its the government’s ambitious expectations. digital economy and national competitiveness. More than half of the e-government projects It set four strategic priorities for the country: in the plan were either not completed (e.g.,

4 healthcare, local government, capital markets Moroccan households, improve its regional procurements, and tenders) or were insuffi- competitiveness, and boost its digital econ- ciently implemented (e.g., judicial system, omy.11 In particular, the new digital strategy regional portals, land purchasers). Less than aimed at reinforcing Morocco’s status as a 1/3 of the initiatives had successful outcomes.10 regional digital hub in French-speaking Africa, One of the main reasons for this was the while continuing to promote it as an attractive absence of an effective coordination mech- destination for outsourcing services, offshoring, anism among ministries. Each ministry had electronic payment, and software development. its own IT security department and pursued These efforts have helped transform Moroc- the strategy’s initiatives according to its own co into one of the top performing countries mandate or mission. in the region in terms of ICT infrastructure In 2015, the Ministry of Industry, Commerce, and favorable business environment. Digital Investment and Digital Economy in collabora- Morocco 2020 allocated 7.146 billion MAD tion with other relevant departments launched ($750 million) to reduce the digital divide the updated “Digital Morocco 2020” strat- by 50 percent via the following: the digiti- egy. This strategy is built upon the lessons zation of administrative services, improved learned and advancements of the previous access to the Internet through free Wi-Fi in digital strategies and articulated a vision to public spaces, the creation of digital literacy accelerate Morocco’s digital transformation, programs, and training of over 30,000 ICT 12 foster the dissemination of ICT usage among professionals a year by 2020.

PILLAR I: DIGITAL TRANSFORMATION PILLAR II: REGIONAL DIGITAL HUB OF THE NATIONAL ECONOMY As part of this strategy, the government

1 4 Strategic Revitalization of BPO in E-Government Europe

2 3 5 Integrated Digital Divide Digital Hub in French-speaking Africa Sectoral Shifts

6 National Digital Ecosystem

PILLAR III: DIGITAL POSITIONING OF MOROCCO

7 8 9 HR Expansion in Morocco and Datacom Infrastructure Digital Regulation Across Africa

Figure 1: Pillars of the 2020 Morocco Digital Strategy.

5 launched several initiatives in parallel to pro- for technology companies trying to expand mote Moroccan innovation. The initiatives their presence in French-speaking Africa. promoted collaborative efforts domestical- In 2013, the Moroccan ICT sector achieved ly and abroad to strengthen digital trust in ICT export revenues of 9.5 billion MAD ($1 e-commerce, enforce legislation to protect billion) and was ranked the best in Africa for personal data and e-commerce transactions, business process outsourcing.15 This success and encourage entrepreneurship. To increase has been facilitated by the establishment Morocco’s competitiveness, the government of dedicated technology parks (e.g., Casa- eliminated a ban enacted by the ANRT re- nearshore,16 Rabat Technopolis,17 Tangiers garding voice over Internet protocol (VoIP) Technical Park,18 etc.), which operate under services, which only lasted 10 months (and offshore status and attract companies using was ended just a few days ahead of the 2016 a variety of tax incentives. United Nations Climate Change Conference Yet, despite the growing ICT and cyber se- held in Marrakech, Morocco). Previously, ANRT curity demands by private sector compa- had blocked and taxed VoIP providers. In nies, the industry is still highly dependent the first half of 2016, the operating costs of on public sector tenders. The e-government companies in the ICT sector had been neg- initiatives, smart cities projects, renewable atively impacted by at least $320 million.13 energy projects, and transportation infra- These new reforms helped the ICT sector structure upgrades that were called for (and to grow steadily. funded) in the Digital Morocco 2020 strategy Domestic and foreign investments have grown — are government-led procurements and in the areas of IT security, mobile services, represent the majority of the ICT spending social networks, big data, and cloud comput- in Morocco. ing. These new investments built upon the With increased ICT uptake and Internet con- foundations of Morocco’s well-established ICT nectivity, Morocco is gaining a deeper appre- industry in the areas of electronic payments, ciation of the risks and challenges associated software development, and IT offshoring. with cyber crime, cyber fraud, and cyber ter- Morocco also recognized that cyber security rorism. While only a few incidents have been products and services are a growing oppor- officially reported, as the country becomes tunity in Africa. The market opportunity is set more connected, so too are the instances to grow from 12.7 billion MAD ($1.33 billion) of identity theft, bank-card theft, fraud, illicit in 2017, to 22.1 billion MAD ($2.32 billion) money transfers, phishing scams, malware by 2020.14 Morocco’s regionally competitive targeting critical infrastructure, distributed ICT infrastructure and the structural and sec- denial of service (DDoS) attacks, “sextortion” torial reforms undertaken in recent years to cases, and even “cyberterrorism.” In response improve the digital economy have enabled to increasing cyber threats and recognizing Morocco to become one of the top performing the importance of protecting and securing countries in the region in terms of favorable information systems of administrations, public business environment and a preferred location

6 bodies, and infrastructures of vital importance, • regional forensics laboratories for digital the 2009 National Strategy for Information and anti-cyber crime trace analysis (lab- Society and Digital Economy (Digital Mo- oratoires régionaux d’analyse de traces rocco 2013) called for the development of a numériques et anti-cybercriminalité), a national cyber security strategy (policy) and division under the Moroccan Directorate provided the first national governance road- General for National Security (Direction map for cyber security focused on enhancing Générale de la Sûreté Nationale, DGSN) security capabilities, securing critical infor- that deals with cyber crimes. mation infrastructures, and combating cyber In addition, the ANRT was elevated as the crime.19 Several institutions and organizational government authority with a close relation- structures were established to support these ship with telecommunications operators and goals, including: Internet Service Providers (ISPs). Morocco • the Strategic Committee for the Security of also started to update and strengthen its Information Systems (Comité Stratégique legal and regulatory framework to address de la Sécurité des Systèmes d’Informa- cyber crime and data protection. tions, CSSSI); In 2012, CSSSI adopted Morocco’s first • the General Directorate of Information national cyber security strategy (Stratégie Security Systems (Direction Générale de nationale en Sécurité des Systèmes d’Infor- la Sécurité des Systèmes d’Information, mation) built on the Digital Morocco 2013 DGSSI) – created in 2011 within the Admin- strategy and focused on four main strategic istration of National Defense (ADN) and priorities, namely: under the supervision of CSSSI to serve 1. evaluating risks to information systems as the competent authority responsible within government and in vital infrastruc- for developing and implementing the tures; national cyber security strategy, policy, and roadmap of the country; 2. protecting the information systems of government agencies, public organiza- • the National Control Commission for Pro- tions, and vital infrastructures; tection of Personal Data (Commission Nationale de Contrôle de la Protection 3. strengthening the foundations of infor- des Données, CNDP) responsible for the mation systems security (legal framework, protection and processing of personal sensitization, training, research and de- data; velopment); and • the Moroccan Computer Emergency Re- 4. promoting national and international sponse Team (ma-CERT), established under cooperation.20 the direction of ADN and responsible for responding and mitigating cyber security incidents of national importance; and

7 As part of the national cyber security strate- the intrusion attempts coming from Algeria gy, CSSSI also developed an action plan for and many more from other countries. These DGSSI “to operationalize the guidelines and events, however, show that there is more work directives included in the strategy.”21 One of to be done to secure the country’s critical the main actions prescribed was to develop digital infrastructure and services upon which and implement a National Directive on Infor- its digital future depends. mation Systems Security (Directive Nationale Awareness of the digital exposures and risks de la Sécurité des Systèmes d’Information, presented by ICT is still low among small DNSSI) and other specific directives aimed and medium enterprises (SMEs) – the core at “raising and homogenizing the level of of Morocco’s private sector. Moreover, the protection and maturity of the security of cyber-related threats to Morocco’s compa- the information systems of administrations, nies, assets, infrastructures, and services public entities, and infrastructures of vital are not publicly discussed, so funds are not importance.”22 The directives that have been sufficiently allocated for risk reduction mea- enacted by decree, reaffirm the responsi- sures.24 As Morocco embraces the digital bility of DGSSI to establish specific security transformation of its agriculture and energy rules and standards for critical infrastructures (solar fields) sectors and prepares to have and ensure their compliance. Each entity the second largest port (Tanger-Med port) affected by these laws is required to devel- in the Mediterranean soon, it will have to op additional necessary organizational and promote a better understanding of the risks technical security measures to be adopted and opportunities of this modernization. and subsequently shared with DGSSI, carry Raising awareness regarding the need for out audits of their information systems, and infrastructure resilience and data protection report all significant incidents to ma-CERT. are foundational components of Morocco’s Finally, these entities are required to sub- strategies. Morocco is well positioned “as a mit annual reports to DGSSI indicating the ‘best cost’ country...with proximity to Euro- degree of security maturity achieved and pean markets and very competitive costs,”25 detailing progress made in implementing and is on a path toward reaping the benefits the directives. associated with being part of the global digital In 2013, hackers working on behalf of the economy. Its journey will be enhanced by Algerian regime attempted to gain access to increasing the number of personnel that are and sabotage the Moroccan government’s proficient in digital risk management across information systems, national databases, and every sector, not just ICT. public administration websites.23 Because The Cyber Readiness Index (CRI) 2.0 has been of the security measures the Ministry of De- employed to evaluate Morocco’s current pre- fense had put in place to counter attacks to paredness levels for cyber risks. This analysis critical infrastructures and vital services, the provides an actionable blueprint for Morocco DGSSI was able to detect and block most of

8 to better understand its Internet-infrastructure efforts and capabilities based on the seven dependencies and vulnerabilities and assess essential elements of the CRI 2.0 (national its commitment and maturity to closing the strategy, incident response, e-crime and gap between its current cyber security posture law enforcement, information sharing, in- and the national cyber capabilities needed vestment in R&D, diplomacy and trade, to support its digital future. A full assess- and defense and crisis response) follows: ment of the country’s cyber security-related

Essential Element Cyber Ready Morocco National Strategy National 5Strategy 3 Incident Response 5 1.3 E-Crime & Law Enforcement 5 2.4 InformationDefense Sharing & Crisis 5 1.2 Incident Response Cyber R&D Response 5 1.4 Diplomacy & Trade 5 1.5 Defense & Crisis Response 5 2.1

Cyber Ready Morocco E-Crime & Law Diplomacy & Trade Enforcement

Cyber R&D Infor mat ion Sh ar ing

Kingdom of Morocco Cyber Readiness Assessment (2018).

9 research and development (R&D); and 4) pro- 1 . NATIONAL STRATEGY moting national and international coopera- 26 In December 2012, the Strategic Commit- tion. However, the strategy only provided tee for the Security of Information Systems an overview of the programs and projects (CSSSI), which is composed of representa- to be implemented, suggesting that specific tives from 13 ministries chaired by the ADN, operational action plans were still necessary and is responsible for setting information for each of those programs — including con- security directives and guidelines for all key crete measures implemented according to government entities and approving fund- a predefined timeline and determination of ing, adopted Morocco’s first National Cyber which actors should contribute to the achieve- Security Strategy. The document was built ment of specific and quantifiable objectives. upon the Digital Morocco 2013 strategy and In order to create the right conditions for the outlined programs and projects aimed at implementation of those action plans, the “ensuring the protection of the information strategy also called for the key organizations that developed the national cyber security strategy (CSSSI, DGSSI, etc.) to be involved in defining the relative action plans in accordance with the country’s needs, priorities, The first Morocco National Cyber and constraints. The national cyber security Security Strategy was published strategy concludes with a commitment to be in 2012 and was called for by periodically revised and adapted, as needed, the Digital Morocco strategy. to reflect new realities and requirements, but no new version has been published, to date. The strategy did identify the key government entities involved in the cyber security systems of government agencies, public or- architecture of the country and recognized ganizations, and vital infrastructures, […] as DGSSI as the competent authority respon- well as creating the conditions for a trusted sible for the cyber security of the nation and and secure environment conducive of the development of an information society.” It highlighted four main strategic priorities: 1) The General Directorate of evaluating risks to information systems of Information Security Systems government agencies, public organizations, and infrastructures of vital importance; 2) pro- (DGSSI) is the competent tecting and defending information systems of authority responsible for government agencies, public organizations, the national cyber security and vital infrastructures; 3) strengthening the of Morocco and the foundations of information systems securi- operationalization of the strategy. ty (legal framework, sensitization, training,

10 Similar to the National Council for Sets vision, strategy, and NATIONAL STRATEGIC COMMITTEE IT and Digital Economy (TIEN) ? approves funding for the security of information systems (CSSSI) Decree no 2-08-444 of May 21st 2009

Inter-ministerial Coordinates/Oversees development (13 ministries) entity chaired by the GENERAL DIRECTORATE FOR and execution of the National National Administration INFORMATION SYSTEMS SECURITY Strategy for Information Systems of Defense (ADN) Security (cyber security policy) (DGSSI)

Directorate Directorate Directorate Directorate Strategy and Assistance, Training, Secured Information Detection and Response Regulation and Expertise Systems to Attacks Center

15 CRITICAL INFRASTRUCTURE SECTORS

Figure 2: Morocco Cyber Security Organizational Chart (2018). operationalization of the strategy. This joint • devising standards and specific rules for inter-ministerial coordination body sits under the security of national information sys- the supervision of CSSSI and is composed of tems and critical infrastructure; four directorates: 1) the Strategy and Regula- • creating an annual action plan for all tion Directorate; 2) the Assistance, Training, ministries to ensure vital national infra- Monitoring and Expertise Directorate; 3) the structures have robust Internet access Secured Information Systems Directorate; and and are more resilient; 4) the Detection and Response to Attacks Center Directorate. • assisting and advising public and private sector entities about the safety of their DGSSI operates out of the capital Rabat, and information security; is tasked with a number of responsibilities, including: • establishing a monitoring system to detect and warn of events affecting or likely to • ensuring the implementation of the di- affect national information security; rectives and guidelines set out by CSSSI; • developing scientific and technical ex- • operationalizing the national cyber se- pertise in the IT security field; curity strategy;

11 • ensuring that security audits of information directive, the covered entities are required systems are carried out in accordance with to adopt basic organizational and technical the scope and terms set by the CSSSI; security measures and report to DGSSI any additional procedures and action plans they • organizing capacity building training require to implement precautions for their courses and awareness actions through information systems. The covered entities the development of international coop- are also required to submit annual reports eration relations in the field of computer describing the maturity level achieved and security; progress made toward implementing the • ensuring that Morocco meets its policy standards required by the directive. DGSSI objectives in international treaties; and then consolidates and summarizes the results • issuing licenses, managing declarations for CSSSI, which can recommend further ac- concerning means and cryptographic ser- tions and audits by DGSSI. DGSSI has also vices, certifying devices for the creation the authority to compel government entities, and digital signature verification, and National Critical Infrastructures (NCIs), and approving service providers for digital commercial-sector entities to conduct security certification. audits of their information systems. In Octo- ber 2018, a new national decree authorized Some of these responsibilities, however, are DGSSI to certify private auditors to conduct still maturing and at different stages of op- such audits.29 erational effectiveness. In the event of a national-level digital crisis, Following the commitments made in the DGSSI leads the coordination and response. national cyber security strategy, CSSSI de- In May 2017, DGSSI had to activate this co- veloped a 2013 action plan for DGSSI “to ordination mechanism because Morocco was operationalize the guidelines and directives one of at least 100 countries affected by a included in the strategy.”27 One of the main global ransomware attack, known as Wanna- actions prescribed was to further develop Cry. The coordination cell includes the Royal and implement a National Directive on Infor- Moroccan Armed Forces (Forces Armées Roy- mation Systems Security (Directive Nationale ales, FAR), ADN, and other Ministries, and is de la Sécurité des Systèmes d’Information, broken down into two branches – operations DNSSI) aimed at “raising and homogenizing and decision-making. In addition to DGSSI, the level of protection and maturity of the the FAR is responsible for safeguarding and security of the information systems of adminis- ensuring the resilience and availability of the trations, public entities, and infrastructures of country’s military operation networks (i.e., air vital importance.”28 This is modeled after the defense and surveillance, ground surveillance, European Union’s Network and Information and special communications) as well as the Security (NIS) Directive that requires businesses exchange of data among the three military to establish minimum standards of care for components (i.e., army, navy, and air force). their critical services. As part of Morocco’s

12 The FAR reports directly to the King, who is also the Supreme Commander and Chief of 2 . INCIDENT RESPONSE General Staff of the FAR. The 2009 National Strategy for Information Despite the notable progress in increased Society and Digital Economy (Digital Mo- cyber security preparedness and capability rocco 2013) called for the establishment of that has made Morocco one of the more a national Computer Emergency Response advanced countries in the region, the vari- Team (CERT) with the primary responsibility ous digital strategies, economic initiatives, to “respond to security incidents, coordinate and national cyber security policies are not responses at the national level and propose aligned. The digital economy only represents different services related to the handling of 7 percent of Morocco’s current GDP. Its econ- these incidents, the analysis of their vulner- omy is primarily fueled by agriculture and ability and the restoration of systems under textile exports and is a hub for Mediterranean attack.”31 shipping. Morocco is also set for online de- It was not until 2011, however, that Morocco ployment of the world’s largest concentrated was able to develop a national CERT (ma- solar power plant— the Noor Complex — that CERT). First, the International Multilateral will produce enough energy to power over Partnership Against Cyber Threats (IMPACT) 30 one million homes. Of course, Morocco’s – a key partner of the ITU (the United Nations’ share of the digital economy will grow as specialized agency for ICTs) – conducted an more of its businesses become digital and initial baseline assessment and outlined the as broadband becomes more affordable and requirements for standing up a CERT. Then, capable in reaching rural areas. As Moroc- Morocco received both financial support and co embraces the digitization of its critical technical expertise from the Korea Internet infrastructures, services, and companies, it will need to align its risk reduction measures and set policies and standards. The public is largely unaware of the cyber threats to society and the digital economy, so they are In 2011, Morocco established unprepared for major digital crises incident its first Computer Emergency response and recovery. Finally, the Moroccan Response Team (ma-CERT), government should further empower DGSSI to realize the vision that the digital economy under the supervision of DGSSI, requires trust, and that it cannot be achieved and responsible for cyber without the twin objectives of security and incident response and analysis resilience at its core. of threats and vulnerabilities.

13 & Security Agency (KISA), an ICT-focused illicit money transfers, phishing scams, malware organization within South Korea’s Ministry targeting critical infrastructure, DDoS attacks, of Science.32 Thanks to these initiatives, “sextortion” cases, and even “cyberterror- ma-CERT was established and it joined the ism.” Yet, the DGSSI or ma-CERT do not international Forum of Incident Response publish national cyber threat assessment(s) to and Security Teams (FIRST) in April 2013. government agencies, critical infrastructure, and critical commercial services networks. It Today, ma-CERT sits under the supervision is unclear how the different Ministries work of DGSSI, and is responsible for responding together to evaluate risks and assess their to cyber security incidents, coordinating re- level of severity/urgency across organizations. sponses at the national level, and providing According to Moroccan security practitioners, different services related to incident handling the country still lacks strong expertise in cyber and vulnerability analysis, and the restoration security and cyber defense and has yet to of systems under attack. Although its oper- establish a centralized system to effectively ations are 24x7 and it is providing incident and expeditiously access and share threat response support and additional services to intelligence information and situational the government, ma-CERT has insufficient awareness with government agencies and capacity to support a whole-of-government institutions.33 and whole-of-society incident response coordination and containment. It still needs to Nonetheless, the government has taken steps identify a network of authoritative national to increase its security posture. Two directives contact points within both the government in particular aim to increase the level of pro- and critical infrastructure sectors responsi- tection and security of the information systems ble for the operation and recovery of critical of government agencies, public entities, and services in the event of a full-scale national entities of vital national importance. They digital incident (like WannaCry). were adopted by decree between 2014 and 2016 — the National Directive on Information Additionally, there is no evidence of an emer- Systems Security (Directive Nationale de la gency and crisis national incident response Sécurité des Systèmes d’Information, DNSSI) plan or an effective information warning and and the Decree on the Protection of Sensi- alert system that can be used to receive, tive Information System and Infrastructures address, and transmit urgent information of Vital Importance.34 in a timely manner. Ma-CERT is still largely perceived as a reactive organization, mostly The DNSSI describes basic organizational focused on providing advisories, bulletins, and and technical security measures that must information on current threats, and offering be applied by public administrations and ad hoc incident response support. agencies as well as infrastructures of vital importance. The directive requires these covered As stated earlier, Morocco is seeing increasing entities to develop their own action plans, instances of identity theft, bank-card theft,

14 establish risk governance mechanisms and As a result of this decree, DGSSI, in consul- technical security measures, and submit to tation with the National Defense Adminis- DGSSI their plans and an annual report doc- tration (Administration de la Défense Na- umenting their actions and progress toward tionale, ADN), identified 15 specific NCIs the reduction of risks to their enterprises. and established specific certification schema DGSSI then consolidates and summarizes for them. NCIs are required to implement the results of those reports for CSSSI, which the necessary resources for supervision and can recommend further actions and audits detection of cyber attacks, to develop con- by DGSSI. tingency plans to protect critical functions from the negative effects of major information The second decree complements the DNSSI system failures or disasters, and to ensure and names the activities and entities of vital operational continuity. There is a cross-bor- importance that DGSSI is tasked to oversee der data flow determination in this decree. and protect. These sectors are defined as For example, entities are required to ensure “those relating to the production and dis- their sensitive data remains within the na- tribution of goods and services essential to tional territory of Morocco. They are also satisfy the needs of people’s lives, or to the required to establish a security operations exercise of the prerogatives of the State, center (SOC) and submit to a security audit or to the functioning of the economy, or to program carried out by DGSSI or by certified the maintenance of the country’s security private auditors of information systems under capabilities.” They include: public safety, DGSSI supervision. In addition, entities must financial,35 manufacturing, transportation, report all significant cyber incidents “affecting production and distribution of energy and the security or operations of their sensitive mining, water supply and distribution, telecom- information systems” and within 48 hours munications and postal services, audio-visual of an event, communicate to ma-CERT all and communication, healthcare, justice, and information and technical data generated by legislation. DGSSI determines the specific any major security event targeting its sensitive security standards and requirements that information systems. Despite this, there are these sectors must meet.36 The detailed list no standardized reporting and notification of “infrastructures of vital importance holding protocols in place. Within a month after any sensitive information systems” is kept secret major security incident, DGSSI must then by the government. However, the decree transmit a summary of its investigation and intends to cover all “installations, networks its recommendations to the affected entity.38 and systems essential for the maintenance of the critical functions of society, healthcare, Morocco has recognized the importance of safety, security, and the economic and social conducting regular national and sector-spe- well-being,” and that if damaged, rendered cific benchmarking exercises to measure the unavailable, or destroyed would cause the failure of these essential functions.37

15 cyber security preparedness of the country, to cyber crime, it has passed or updated but the only programs that have been ini- several related domestic laws, including: tiated so far are the initiatives highlighted • Law 07-03 introducing for the first time above for identification and classification of the notion of cyber crime to the Moroccan sensitive information systems of vital infra- penal code, defined as “offenses related structures, measuring the level of security to automated data processing systems”; maturity achieved by these critical infrastructures, and the progress made to implement • Law 53-05 related to e-signatures and the DNSSI. electronic exchange of legal data to facilitate the use of encryption means 3 . E-CRIME AND LAW and electronic certification; ENFORCEMENT • Law 31-08 related to the protection of Morocco has been working to reinforce its online consumers; and legal and regulatory framework to better • Law 09-08 regarding automated process- protect its society from cyber crime and har- ing of personal data. monize it with partner countries. The country In 2011, the National Control Commission has updated its penal code and legislation for Protection of Personal Data (CNDP), responsible for ensuring data protection in Morocco, established a Data Protection Morocco has been working Authority and law to bring Morocco in line to reinforce its legal and with European regulations. In 2016, a decree regulatory framework to was issued on the Protection of Sensitive better protect its society from Information System and Infrastructures of cyber crime and harmonize Vital Importance, which imposed strict data protection requirements, including limiting it with partner countries. the cross-border data flows and establishing data residency requirements. For example, governing ICT, implemented new decrees and laws to combat cyber crime and protect personal information, and ratified internation- Morocco has ratified both the al conventions like the Council of Europe’s Council of Europe’s Convention Convention on Cybercrime and its Additional on Cybercrime and the Arab Protocol on cloud infrastructures,39 and the Convention against Information Arab Convention against Information Tech- Technology Crimes. nology Crimes. While the Moroccan government does not publish statistics pertaining

16 before any transfer of personal data to a for- include issues of malware within critical infra- eign state, it must first receive authorization structures, DDoS, bank-card theft, phishing from the CNDP. Moreover, the decree states: attacks, illegal use of cryptocurrencies, cloud- based incidents, online terrorist propaganda, “[the] person/entity in charge of the and “sextortion” cases.41 Investigations into processing operation can transfer these types of crimes, however, are often personal data to a foreign state only hindered by the absence of a formal, legal if the said state ensures under its ap- cooperative relation with ISPs. If an incident or plicable legal framework that it has an issue is considered a national security matter, adequate level of protection for the than ISPs are compelled to provide support. privacy and fundamental rights and freedoms of individuals regarding the Penal proceedings in the case of cyber crimes processing to which these data is or are limited and the country still lacks sufficient- might be subject.”40 ly-trained legal professionals to effectively address different elements of cyber crime This, of course, affects e-commerce and and successfully investigate and prosecute other transactions that utilize e-platforms. offenders. To respond to this need, the DGSN Therefore, the CNDP has designated a list has established 29 units specialized in the of countries with acceptable laws and data fight against cyber crime, 19 regional com- can move across borders for only CNDP-ap- mands with about 10 cyber specialists at proved countries. There are many sectors each location, and regional forensics labo- that collect and process sensitive information ratories for digital and anti-cyber crime trace (e.g., healthcare, finance, national security) analysis. DGSN is also providing dedicated and they are working to comply with the training programs on cyber security for legal requirements of this new law. professionals (e.g., court judges, prosecu- The Moroccan General Directorate for National tors, law enforcement). Other offices within Security (DGSN) is the entity responsible for DGSN also deal with cyber-related issues, combating and investigating cyber-related including the offices of immigration, eco- crimes. It has two broad cyber-related mis- nomic/financial crimes, counter-narcotics, sions. First, it is charged with protecting and counter-terrorism. its own systems and networks that contain In July 2016, the Ministry of Justice, together sensitive information, such as the national with the Council of Europe, organized an identity database that has been classified international workshop in Rabat on best prac- as a “critical infrastructure.” Secondly, it tices regarding cyber crime legislation and conducts investigations about cyber crime electronic evidence. Morocco also participates and other crimes that use new technology, in an anti-cyber crime initiative sponsored such as cryptocurrency, and can investigate by the EU called the Action Global sur la incidents of national interest in collaboration Cybercriminalité Elargie (GLACY+).42 with DGSSI, if needed. DGSN’s investigations

17 Morocco has tried but did not succeed private sector and international partners, it in establishing successful anti-botnet and has recognized the importance of national malware remediation initiatives to reduce and international information sharing and infections and criminal activity emanating cooperation and regularly participates in ef- from its own infrastructures and networks. forts to exchange information, expertise, and As Internet use becomes more widespread training with European and North Atlantic and as more connected devices become ave- Treaty Organization (NATO) allies.43 nues for infection and exploitation, Morocco Currently, the only mechanisms used for will need to further increase the capacity sharing information within the government of its law enforcement agencies, establish and across critical industries are offered by a coordinating agency responsible for en- ma-CERT and DGSSI. Ma-CERT is also a mem- suring that all its international cyber crime ber of the Organisation of Islamic Confer- requirements are being met domestically and ence-Computer Emergency Response Team across jurisdictional lines, and commit more (OIC-CERT), a group of 18 countries, includ- human and financial resources to effectively ing Egypt, Iran, Nigeria, Saudi Arabia, and respond to increased cyber crime and reduce Turkey. This group includes national CERTs infrastructural weaknesses. from the various countries and is intended to facilitate information sharing among Islamic 4 . INFORMATION SHARING countries. The OIC-CERT organizes training, workshops, and exercises designed to While Morocco does not have a national provide real-time experience in addressing information sharing policy and has yet to cyber threats and crises, including timely establish a centralized system to effectively and actionable information sharing.44 and expeditiously access and share threat intelligence information and situational aware- In addition, the country has established a ness within government agencies or with the Moroccan Academic Computer Emergency Response Team (EDU-CERT), which facilitates information sharing and incident response activities across the academic community. It also provides services to the Moroccan While Morocco does not have Academic Research Wide Area Network.45 a national information sharing policy, it has recognized the Morocco recognizes that it requires much progress in this area. Ma-CERT and DGSSI importance of national and have an opportunity to enhance and expand international information the exchange of actionable information both sharing and cooperation. inside and outside the government. Each ministry, CNI, business, and international partner needs information that can improve their

18 security posture, and DGSSI should prioritize Morocco’s regionally competitive ICT in- the need for timely and actionable informa- frastructure, recent structural and sectorial tion sharing within government agencies and reforms to foster its digital economy, and across critical industries, the private sector, its talented, multilingual workforce have and international partners. enabled the country to become a leader in outsourcing services, offshoring, electronic 5 . INVESTMENT IN RESEARCH payment, and software development. It is AND DEVELOPMENT one of the top performing countries in the region in terms of business environment. While Morocco does not have an officially In 2013, the Moroccan ICT sector achieved recognized national or sector-specific R&D IT export revenues of $1 billion and was program dedicated to cyber security or ad- ranked the best in Africa for business pro- vanced technology development, the “Dig- cess outsourcing.48 In 2015, the ICT sector ital Morocco 2013” strategy stated a clear contributed to over 3 percent of Morocco’s intent to make the ICT sector a cornerstone GDP, bolstered by the diversification and of the Moroccan economy and a driver for internationalization of large sections of the human development. It also emphasized the software industry. The government’s Digital importance of cyber security training and Morocco 2020 strategy provided resources awareness programs, and human skills devel- to further build on the country’s international opment to analyze and understand advanced position providing cost-competitive IT ser- coding, programming, and IT development vices and emphasized greater diversification techniques.46 The “Digital Morocco 2020” and entrepreneurship. This success has been strategy reiterated these objectives and set facilitated by the establishment of dedicat- the ambitious goal of reducing the digital ed technology parks which operate under divide in the country by half and increasing offshore status and attract companies using training to 30,000 ICT professionals a year a variety of tax incentives. For example, in by 2020.47 2006, Morocco launched its first and largest technology park – the Casanearshore Park, in Casablanca. It became the incubator of over 100 businesses and attracted interna- Morocco has become a regional tional technology companies including Dell, leader in digital services and IBM, Accenture, Atos, HP, and Logica. Its one of the top performing development was the result of a $341 million-dollar investment by MEDZ Sourcing – a countries in Africa in terms state-driven development company that also of business environment. operates technology parks throughout the country. MEDZ Sourcing facilitates access to land for export-oriented IT activities and

19 firms.50 Since its launch, it has invested in a range of wide-range of start-ups, including Morocco has five technology the cyber security firm, Netpeas; the online parks – developed and managed invoicing platform, Greendizer; and e-com- by state-driven company merce platforms like Soukaffaires and Mydeal. MEDZ Sourcing – dedicated to One of the Kingdom’s digital success stories is the company, Involys SA, a software and advancing innovation and the information technology services provider. country’s position as a leader Involys SA greatly benefited from the gov- in the outsourcing industry. ernment’s commitment to promote the digitalization of small and medium enterprises to increase productivity, support local organizations to develop IT markets, and build has established other technology parks at greater potential for the exports in the ICT Technopolis in Rabat, Tetouan Shore near sector. Another successful start-up is HPS, Tangiers, Fès Shore in Fez, and Oujda Shore an innovative payment solutions company, in Oujda. Each park caps income tax at 20 which is providing secure payment services percent, although lower tax rates are avail- to issuers, acquirers, card processors, inde- able in certain circumstances, and they offer pendent sales organizations (ISOs), retailers, training programs in order to meet demand and national and regional switches all over for skilled IT workers.49 Africa.51 Aside from these success stories, In July 2013, IBM created a service center however, the start-up scene in Morocco is with 400 employees at Casanearshore to currently still very limited. serve Moroccan and other African markets. In October 2018, Orange Cyberdefense As part of a government agreement, IBM is announced the launch a new state-of-the- collaborating with Moroccan academic insti- art cyber security center in Casablanca that tutions in growing technologies such as cloud would help Orange build a strong position in computing, big data, system integration, and the Moroccan market, expand its presence outsourcing. The Moroccan authorities have in French-speaking Africa, and bring through also set up funding mechanisms designed a next generation of cyber security experts to encourage entrepreneurship and boost to Morocco. The new operations center will the development of start-ups. The most draw on the assistance of Orange’s Cyber notable initiative is the Moroccan Digital Security Centre of Excellence in France and Fund (Maroc Numeric Fund, MNF), which plans to forge partnerships with universi- was established in 2010 by the state-owned ties in Morocco to make the new center Deposit and Management Fund (Caisse de its main tech hub to serve businesses in Dépôt et de Gestion) and the country’s three French-speaking African countries.52 largest commercial banks – Attijariwafa Bank, BMCE, and Banque Central Populaire. MNF Morocco is seeking new pathways to develop provides seed funding and other technical and retain its highly skilled professionals (e.g., and financial assistance to local technology IT and medicine). In the 1980s, Morocco moved

20 away from the French educational system and security framework for the certification and embraced a classical approach. Today, there accreditation of national agencies and pub- is discussion of using English as the primary lic sector professionals. The framework is language at the university level, recogniz- called the Project of professional master for ing that English is the preferred language of training and certification of professionals in research.53 Yet, the Moroccan government the public sector. has not developed a formal program or set In February 2016, the Moroccan Ministry of of incentives (e.g., grants or scholarships) Industry, Commerce, Investment and Digital, to accelerate cyber security education pro- in partnership with Moroccan universities, grams or incubate basic and applied cyber public and private organizations, launched the security research initiatives at universities and “National Campaign to Fight Cybercrime.” academic institutions. However, some of the This initiative, led by the Moroccan Centre for scientific and technical schools and univer- Polytechnic Research and Innovation (CMRPI) sities in Morocco have started to integrate in Rabat, is an annual campaign designed to courses in cyber security into their comput- increase private sector awareness about cyber er science programs and other curricula to crime and promote security in society’s use meet the growing demand for a national-level of technology by incorporating international professional workforce. There are even some best practices.56 The campaign is the first of certificate and degree programs emerging. its kind and scale in Africa – incorporating For example, Al Akhawayn University offers seminars, training workshops specifically a cyber security certificate program and the designed for Moroccan public and private International University of Rabat created a sector organizations, and hosting a national master’s program in cyber security. symposia on cyber security and cyber crime. The government did recognize that it also In addition, DGSSI organizes a large annual needed to update the skills of its workforce national seminar to raise awareness across and train information systems managers in the Ministries. cyber security. Therefore, the ANRT has start- In April 2018, the country partnered with ed funding an executive master’s program Trend Micro to host the Morocco National in cyber security at the National Institute Cybersecurity Competition (CTF) with the of Posts and Telecommunications (Institut intention of attracting more people into the National des Postes et Télécommunications, field of cyber security. The winners of the INPT) for public sector employees with the competition would represent Morocco in the support of DGSSI,54 and the Bureau of Profes- Arab Regional Cybersecurity competition sional Training and Employment Promotion that took place in Egypt in August 2018. The (Office de la Formation Professionnelle et de CTF was a Jeopardy-style CTF where every la Promotion du Travail, OFPPT) created a team was presented with a list of challenges training academy dedicated to promoting in different technical categories like reverse mid-career professional skills development engineering, web security, digital forensics, in IT and information security.55 It also ap- network security, etc. The teams that could proved a national (and sector specific) cyber

21 both attack and defend were rewarded with hosts cyber security-related events for the advancement to the next level of competition. World Bank, ITU, and NATO’s Science for Peace and Security (SPS) Program. Addition- Morocco has made progress toward achieving ally, the Moroccan Ministry of Foreign Affairs the goals set forth in their digital strategies. – Diplomatic Academy provides training to The initiatives launched in recent years to partner countries including Benin, Central encourage entrepreneurship, boost the devel- African Republic, Chad, Gabon, Guinea, and opment of starts-up companies through the Madagascar. technology parks, and promote cyber security education and training are important and are Morocco has also been involved in a num- helping to attract foreign investment, further ber of high-level dialogues with European positioning Morocco as a strategic partner countries, the U.S., and members of the Gulf in the MENA region. Morocco, however, is Cooperation Council (GCC) on security issues, also experiencing a “brain drain” as many counter-terrorism operations, and the use of highly skilled professionals, including ICT cyberspace by terrorist and other criminal experts, decide to leave the country to find groups. Its strategic value, not only for its better opportunities abroad. Therefore, the location between Europe and Africa, but also country must focus on the development and for its importance within the Maghreb area retention of technical talent to fuel the growth and ties to the greater Arab world, makes it a of its digital economy. In 2018, less than 20 key security partner in the region. Moroccan percent of Moroccan students pursued tech- agencies and their European counterparts, nical subjects at the university level. Perhaps especially in Spain and France, regularly co- as the Moroccan government demonstrates operate and exchange information and best its leadership in fielding the first high-speed practices on security issues, including cyber rail line in Africa — connecting the economic security, and consider Morocco their most hubs of Tangier and Casablanca — it can also reliable ally in the area.57 set a priority toward closing the talent gap.

6 . DIPLOMACY AND TRADE Morocco does not consider cyber security a top Morocco is assuming a more tier foreign policy issue and has not prioritized prominent role in promoting this area within its Ministry of Foreign Affairs regional cyber security and Cooperation. However, Morocco has cooperation and awareness, identified ICT and cyber security as important but has not prioritized elements of its national security and economic cyber security as a top tier prosperity, including in international trade foreign policy issue within its and commerce negotiations, and is assuming Ministry of Foreign Affairs. a more prominent role in promoting regional cyber security cooperation and awareness. As part of these efforts, Morocco regularly

22 The Digital Morocco 2020 strategy empha- Sahel and sub-Saharan region. Therefore, sizes Morocco’s strategic location as a re- U.S., European countries, and the GCC have gional digital hub and gateway to Africa. a strong interest in understanding security The Moroccan government should use the threats that emanate from North Africa and country’s key position in the region to further in working with North African countries to promote the free flow of goods, services, address them. In particular, Morocco’s relative data, and capital across borders. Cyber di- political stability, economic development, plomacy is not just about rules of engage- and regional integration in Africa and the ment and constraining behaviors, it is also Middle East has made the country one of about promoting trade through the free flow Europe and U.S.’ key security partners in of information. Balancing the twin goals of the region.58 economic prosperity and national security Morocco is also working with NATO, as part requires a sophisticated diplomatic corps of the “Mediterranean Dialogue,” to explore and a commitment to leading the region cooperation in cyber defense, notably through to realize the Digital Morocco 2020’s vision the exchange of expertise and training,59 and goals. and it participates in several exercises with international partners, including the Med- 7 . DEFENSE AND CRISIS iterranean Naval Exercise called “Phoenix RESPONSE Express.” This exercise is designed to improve regional cooperation, increase maritime do- The Kingdom of Morocco plays a crucial role main awareness, information-sharing prac- in maintaining security and stability in the tices, and operational capabilities in order northern African region and works closely with to enhance efforts to promote safety and European countries, the U.S., and members of security in the Mediterranean Sea. More- the GCC on security issues and counter-terror- over, Morocco has been hosting the annual ism operations. The security dilemmas facing joint military exercise “African Lion” since at this region are abundant. There is a growing least 2005. This is the largest (land) regional influence – albeit weakened – of Daesh (one exercise in the area and in 2018 it involved of the terrorist organizations affiliated with 15 countries, including Burkina Faso, Can- the Islamic State group) and other terrorist ada, Chad, Egypt, France, Germany, Italy, organizations. There have been connections to Mali, Mauritania, Senegal, Spain, Tunisia, North African terrorists who have carried out the U.K., and the U.S. This exercise was attacks within Europe. The region continues designed to improve the interoperability to be plagued by Libya’s collapsing econo- and mutual understanding of each nation’s my and local militias competing for power. tactics, techniques, and procedures, and it Algeria is viewed as a threat to Morocco’s plans to incorporate cyber security injects stability as it is not governing its western and and planning in future iterations. southern borders and is destabilizing the

23 Although Morocco has developed several cyber-related capabilities, there is no evidence that it has formalized the military or the The Royal Moroccan Armed intelligence services’ cyber security mission Forces (FAR) is responsible for in a policy or decree. The Royal Moroccan overseeing the development Armed Forces (FAR) is responsible for over- of cyber security and cyber seeing the development of cyber security and cyber defense capabilities and for en- defense capabilities and for suring the resilience and availability of the ensuring the resilience and country’s military operational networks (i.e., availability of the country’s air defense, air surveillance, ground surveil- military operational networks. lance, and special communications). It is also responsible for securing the networks and exchange of data among the three military components (i.e., army, navy, and air force). While its top mission is border security — institute for its military officers — has started tracking sub-Saharan illegal immigrants, to include lectures on cyber security and terrorist movement, and drug movement, cyber defense in their curricula. CREMS is also it is unclear whether the FAR has a broader working to incorporate cyber exercises into cyber mandate for the country or if it would their Joint Theatre Level Simulation (JTLS). be mobilized to restore services if Morocco Currently, their cyber education is limited to faced a digital national crisis. FAR reports tactical level planning and has yet to expand directly to the King — its Supreme Com- to broader cyber defense/security issues at mander and Chief of General Staff — and the strategic and operational levels. views its responsibilities and capabilities as It is difficult to determine the level of fund- distinctive from those of DGSSI. ing dedicated to further developing cyber The FAR recently created a Cyber Center of capabilities within Morocco’s military or in- Excellence. It reports to the FAR’s Communi- telligence services because the budget is cations and Information Systems Protection not publicly available. However, the country Entity and is responsible for multiple initia- is credited with operating a tight and effec- tives. It designs and executes at least two tive security program through an extensive cyber defense exercises annually and pro- network of security officials, informants, and vides technical support and incident response advanced signal intelligence including pre- services. It is also charged with R&D and is emptive digital surveillance techniques and currently working on the development of monitoring of digital platforms for signs of new applications that will support the SOCs. radicalization and terrorism. For example, the DGSSI is responsible for securing and The Royal Military Education College of Mo- monitoring cyber traffic and web activities.60 rocco (CREMS) — Morocco’s higher education In November 2017, Morocco became the first

24 North African country to launch a high-reso- its national economic vision with its national lution surveillance satellite (named after King security priorities, updates to this country Mohammed VI) that is capable of providing profile will reflect those changes and monitor, multi-purpose images.61 In November 2018, track, and evaluate substantive and notable Morocco launched a second satellite (named improvements. Mohammed VI B) that aims to provide Mo- The CRI 2.0 offers a comprehensive, com- rocco with a more robust capability to gather parative, experience-based methodology to intelligence, monitor its borders, map land help national leaders chart a path toward a and survey activities, prevent and manage safer, more resilient digital future in a deeply natural disasters, and monitor environmental cybered, competitive, and conflict prone world. changes and desertification.62 The CRI 2.0 methodology is available in Ar- CRI 2 .0 BOTTOM LINE abic, Chinese, English, French, Russian, and Spanish. The CRI country profiles of France, According to the CRI 2.0 assessment, Morocco Germany, India, Italy, Japan, the Netherlands, is still in the early stages of developing a path Saudi Arabia, the United Kingdom, and the toward cyber resilience and cyber readiness, United States can be found at the following and is currently partially operational only in link: http://www.potomacinstitute.org/aca- one of the seven CRI essential elements. The demic-centers/cyber-readiness-index. findings in this analysis represent a snapshot in time of a dynamic and changing land- scape. As Morocco continues to implement its Digital Agenda 2020, empowers DGSSI to address the nation’s security, and aligns

Legend Fully Operational

Partially Operational

Insufficient Evidence

IDI Rank NRI Rank GDP Rank National StrategyIncident ResponseE-Crime & Law EnforcementInformation SharingInvestment in R&DDiplomacy & TradeDefense & Crisis Response

26 11. Ministry of Industry, Trade, Invest- ENDNOTES ment and of the Digital Economy, 1. USAID, “USAID Leland Initia- “Stratégie Maroc Digital 2020,” tive,” https://web.archive.org/ UNESCO, https://en.unesco.org/ web/20011109164754/http:/ creativity/periodic-reports/measu- www.usaid.gov/leland/. res/strategie-maroc-digital-2020. 2. MTDS, “About MTDS,” https:// 12. “The Development of Morocco’s www.mtds.com/about-us/. IT Sector,” Info Mineo, 27 February 2017, https://infomineo.com/the-de- 3. Rachid Amaoui, “L’opérateur Ma- velopment-of-moroccos-it-sector-2/. roc Telecom,” https://www.tic-maroc.com/p/maroc-telecom.html. 13. Ibid. 4. World Bank, “Individuals using 14. Chris Kelly, “Orange launches the Internet (% of population),” cyber security centre in Moroc- 2016, https://data.worldbank. co,” Total Telecom, 29 Octo- org/indicator/IT.NET.USER.ZS. ber 2018, https://www.totaltele. com/501453/Orange-launches-cy- 5. World Bank, “Kingdom of Mo- ber-security-centre-in-Morocco. rocco: Governing Towards Ef- ficiency, Equity, Education and 15. McKinsey Global Institute, “Lions Endurance,” June 2018: 20. go digital: The Internet’s transformative potential in Africa,” (November 6. Oxford Business Group, “New 2013): 4, 22, https://www.mckinsey. plan and updated legislation com/~/media/McKinsey/Industries/ provide a boost for Morocco’s High%20Tech/Our%20Insights/ IT sector,” https://oxfordbusi- Lions%20go%20digital%20The%20 nessgroup.com/overview/build- Internets%20transformative%20po- ing-new-plan-and-updated-legis- tential%20in%20Africa/MGI_Lions_ lation-have-provided-boost-0. go_digital_Full_report_Nov2013.ashx. 7. Ibid. 16. “Casanearshore,” Med Sourc- 8. Kingdom of Morocco, “Digital Mo- ing, https://www.medz-sourcing. rocco 2013,” https://www.ccdcoe. com/en/our-parks/casanear- org/sites/default/files/strategy/Ma- shore-park-outsourcing-offshor- roc_Cyber security_2013_ENG.pdf. ing-casablanca-morocco.html. 9. Ibid. 17. “Rabat Technopolis,” Med Sourcing, https://www.medz-sourcing.com/ 10. Maroc Cour des Comptes, “As- en/our-parks/technopolis-rabat-off- sessment of ‘Digital Morocco 2013’ shore-activities-morooco.html. Strategy,” February 2014, http:// www.courdescomptes.ma/upload/ 18. “Morocco to launch Chinese in- MoDUle_20/File_20_418.pdf. dustrial city in Tangiers,” Afri-

27 ca News, 21 March 2017, http:// https://www.news24.com/Africa/ www.africanews.com/2017/03/21/ News/moroccos-tanger-med-port- morocco-to-launch-chinese-in- running-at-full-speed-20180404. dustrial-city-in-tangiers//. 26. Kingdom of Morocco, “Straté- 19. Kingdom of Morocco, “Dig- gie nationale en matière ital Morocco 2013.” de cybersécurité,” 3. 20. Kingdom of Morocco, General Di- 27. Kingdom of Morocco, “Direc- rectorate of Information Systems, tive Nationale de la Sécurité des “Stratégie nationale en matière Systèmes d’Information.” de cybersécurité,” 5 December 28. Ibid. 2012, https://www.dgssi.gov.ma/ sites/default/files/attached_files/ 29. Interview with Maj. Chergaoui strategie_nationale.pdf. Mouhssine, Forces Armées Roy- ales (FAR), 7 December 2018. 21. Kingdom of Morocco, General Di- rectorate of Information Systems, 30. Phoebe Parke and Chris Giles, “Mo- “Directive Nationale de la Sécurité rocco’s megawatt solar plant powers des Systèmes d’Information,” https:// up,” 17 May 2018, https://www.cnn. www.dgssi.gov.ma/fr/node/33.html. com/2016/02/08/africa/ouarzaza- te-morocco-solar-plant/index.html. 22. Ibid. 31. Kingdom of Morocco, “Dig- 23. Sophia Akhmisse, “Le Maroc dé- ital Morocco 2013,” 86. joue des cyberattaques di régime Algérien,” Le 360, 12 November 32. Interview with Marco Obiso, Inter- 2013, http://fr.le360.ma/politique/ national Telecommunication Union, le-maroc-dejoue-des-cyberat- Head of ICT Applications and Cyber- taques-du-regime-algerien-5787. security Division, 19 November 2018. 24. Youssef Bentaleb, “Fighting Cyber- 33. Anthony Dworking and Fatim-Zohra crime in Morocco: Achievements El Malki, “The Southern front line: and Some Challenges,” Moroccan EU counter-terrorism cooperation Centre for Polytechnic Research with Tunisia and Morocco,” Euro- and Innovation, 9 January 2017, pean Council on Foreign Relations, https://observatoire-fic.com/en/ 15 February 2018, https://www. fighting-cybercrime-in-moroc- ecfr.eu/publications/summary/ co-achievements-and-some-chal- the_southern_front_line_eu_count- lenges-by-prof-youssef-bental- er_terrorism_cooperation. eb-moroccan-centre-for-polytech- 34. Kingdom of Morocco, General Di- nic-research-and-innovation/. rectorate of Information Systems, 25. “Morocco’s Tanger-Med port running at full steam,” News 24, 4 April 2018,

28 “Directive Nationale de la Sécurité regard to the processing of personal des Systèmes d’Information.” data and its implementation, De- cree n° 2-09-165 of 21 May 2009. 35. In addition to the specific security standards and requirements estab- 41. Sextortion is defined as a form of lished by DGSSI that the financial sexual exploitation wherein its per- sector must meet, the Central Bank petrators, usually through non-phys- of Morocco (Bank Al Maghreb) ical forms of coercion such as the has regulatory power over other Internet, extort money from their banks in regards to different as- victims by threatening to share pects including cyber security. their intimate photos and videos if they do not pay up. Thousands of 36. Kingdom of Morocco, General Di- ‘sextortionists’ are believed to be rectorate of Information Systems, living and operating out of the city “Directive fixant les règles de of Oued Zem, which has at least sécurité et les modalités de décla- fifty money transfer agencies. ration des systèmes d’information sensibles et des incidents de sécu- 42. “State of Privacy Moroc- rité applicables aux infrastructures co,” Privacy International. d’importance vitale,” https://www. 43. Anthony Dworking and Fatim-Zohra dgssi.gov.ma/fr/node/32.html. El Malki, “The Southern front line: 37. Ibid. EU counter-terrorism cooperation with Tunisia and Morocco.” 38. “State of Privacy Morocco,” Privacy International, January 2018, https:// 44. OIC-CERT, https://www.oic- privacyinternational.org/state-pri- cert.org/en/index.html. vacy/1007/state-privacy-morocco. 45. “EDU-CERT,” https://www. 39. Council of Europe Deputy Secretary educert.ma/index.php/. General, “Morocco joins the Bu- 46. Kingdom of Morocco, “Dig- dapest Convention on Cybercrime ital Morocco 2013.” and its Protocol on Xenophobia and Racism,” Council of Europe, 29 47. Ministry of Industry, Trade, Invest- June 2018, https://www.coe.int/en/ ment and of the Digital Economy, web/deputy-secretary-general/-/ “Stratégie Maroc Digital 2020.” morocco-joins-the-budapest-con- 48. McKinsey Global Institute, “Lions vention-on-cybercrime-and-its-pro- go digital: The Internet’s transfor- tocol-on-xenophobia-and-racism. mative potential in Africa,” 64. 40. Morocco’s Law No 09-08 relating 49. Oxford Business Group, “New plan to the protection of individuals with and updated legislation provide a boost for Morocco’s IT sector.”

29 50. “Morocco – Pioneering Econom- Science, 25 September 2017, http:// ic Growth,” Foreign Affairs, No- blogs.lse.ac.uk/mec/2017/09/25/ vember-December 2015: 11. morocco-inside-the-gcc-between-saudi-arabia-and-qatar/. 51. HPS, “Enabling Innova- tive Payments,” https://www. 58. Anthony Dworking and Fatim-Zohra hps-worldwide.com. El Malki, “The Souther front line: EU counter-terrorism cooperation 52. Chris Kelly, “Orange launches with Tunisia and Morocco,” Europe- cyber security centre in Moroc- an Council on Foreign Relations. co,” Total Telecom, 29 Octo- ber 2018, https://www.totaltele. 59. “Morocco, NATO to Cooperate in com/501453/Orange-launches-cy- Countering Cyber Security Risks,” ber-security-centre-in-Morocco. The North Africa Post, May 18, 2017, http://northafricapost.com/17912-mo- 53. Mohamed Chtatou, “A Moroccan rocco-nato-cooperate-counter- success story tainted with some ing-cyber-security-risks.html. shortcoming,” UNESCO (2015), http://unesdoc.unesco.org/imag- 60. Kingdom of Morocco, General Di- es/0023/002324/232463e.pdf. rectorate of Information Systems, “Stratégie nationale en matière 54. INPT, “Mastère Spécialisé en Tech- de cybersécurité” (2013). nologies du Web et Cyber Sécurité,” https://www.inpt.ac.ma/fr/technol- 61. Ghalia Kadiri, “Satellite marocain ogies-du-web-et-cyber-sécurité. en orbite: un lancement secret qui inquiète”, Le Monde, 19 No- 55. OFPPT, “Offre de formation: Technol- vember 2017, http://www.lemon- ogies de l’Information,” http://www. de.fr/afrique/article/2017/11/19/ ofppt.ma/index.php/offre-de-forma- satellite-marocain-en-orbi- tion2/secteurs-de-formation/27-tech- te-un-lancement-secret-qui-in- nologies-de-l-information. quiete_5217299_3212.html. 56. Ministry of Industry, Trade, Investment 62. “Morocco to foster Earth ob- and of the Digital Economy, “Cyber servation capabilities with sec- Security: National Campaign to Fight ond satellite,” The North Africa Cybercrime,” http://www.mcinet.gov. Post, 26 September 2018, http:// ma/en/content/cyber-security-na- northafricapost.com/25552-moroc- tional-campaign-fight-cybercrime. co-to-foster-earth-observation-capa- 57. David Hernádez Martínez, “Moroc- bilities-with-second-satellite.html. co and the GCC: between Saudi Arabia and Qatar,” The London School of Economics and Political

30 ABOUT THE AUTHORS

Melissa Hathaway is a leading expert in cyberspace policy and cyber security. She served in two US presidential administrations, spearheading the Cyberspace Policy Review for President Barack Obama and leading the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush. Today, she is a Senior Fellow and a member of the Board of Regents at Potomac Institute for Policy Studies. She is also a Senior Advisor at Harvard Kennedy School’s Belfer Center for Science and International Affairs, a Distinguished Fellow at the Centre for International Governance Innovation in Canada, a non-resident Research Fellow at the Kosciuszko Institute in Poland, and she is President of Hathaway Global Strategies LLC, her own consultancy. Melissa developed a unique methodology for evaluating and measuring national levels of preparedness for certain cyber security risks, known as the Cyber Readiness Index (CRI). The CRI methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is being applied to 125 countries. The CRI country profiles of France, Germany, India, Italy, Japan, the Netherlands, Saudi Arabia, the United Kingdom, and the United States can be found at the following link: http://www.potomacinstitute.org/academic-centers/cyber-readiness-index. Having served on the board of directors for two public companies and three non-profit organizations, and as a strategic advisor to a number of public and private companies, Melissa brings a unique combination of policy and technical expertise, as well as board room experience to help others better understand the intersection of government policy, developing technological and industry trends, and economic drivers that impact acquisition and business development strategy in this field. She publishes regularly on cyber security matters affecting companies and countries. Most of her articles can be found at the following website: http://belfercenter.ksg.harvard.edu/experts/2132/melissa_hathaway.html.

Francesca Spidalieri Francesca Spidalieri is the co-principal investigator on the Cyber Readiness Index Project at the Potomac Institute for Policy Studies. She is also an As- sociate for Hathaway Global Strategies LLC, and serves as the Senior Fellow for Cyber Leadership at the Pell Center, at Salve Regina University, as a cyber security subject-matter expert for the UN International Telecommunications Union (ITU), and as a Distinguished Fellow at the Ponemon Institute. Her academic research and publications focus on cyber leadership development, cyber risk management, comparative organization analysis, and cyber security workforce development. In 2015, she published a report, entitled State of the States on Cybersecurity, that applied the Cyber Readiness Index 1.0 at the US state level. All her additional studies and academic articles can be found at the following link: http://pellcenter.org/cyber-leadership/.

For more information or to provide data to the CRI 2.0 methodology, please contact: [email protected]

The CRI 2.0 methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is currently being applied to 125 countries.

The CRI country profiles of France, Germany, India, Italy, Japan, the Netherlands, Saudi Arabia, the United Kingdom, and the United States can be found at the following link: http://www.potomacinstitute.org/academic-centers/cyber-readiness-index.

POTOMAC INSTITUTE FOR POLICY STUDIES 901 N . Stuart St . Suite 1200, Arlington, VA 22203 www.potomacinstitute.org