Kingdom of Saudi Arabia Cyber Readiness at a Glance

KINGDOM OF SAUDI ARABIA CYBER READINESS AT A GLANCE

Melissa Hathaway, Francesca Spidalieri, and Fahad Alsowailm

September 2017

AC INST M IT O U T B T O E

Published by Potomac Institute for Policy Studies

Potomac Institute for Policy Studies 901 N. Stuart St, Suite 1200 Arlington, VA 22203 www.potomacinstitute.org Telephone: 703.525.0770; Fax: 703.525.0299

Email: [email protected]

Cover Art by Alex Taliesen.

Acknowledgements

The authors would also like to thank Alex Taliesen for cover art and Sherry Loveless for editorial and design work. KINGDOM OF SAUDI ARABIA CYBER READINESS AT A GLANCE

TABLE OF CONTENTS INTRODUCTION ...... 2 1 . NATIONAL STRATEGY ...... 8 . . 2 . INCIDENT RESPONSE ...... 10. . 3 . E-CRIME AND LAW ENFORCEMENT ...... 13 . 4 . INFORMATION SHARING ...... 17. . 5 . INVESTMENT IN RESEARCH AND DEVELOPMENT . . . . 18 6 . DIPLOMACY AND TRADE ...... 21. . 7 . DEFENSE AND CRISIS RESPONSE ...... 22 CRI 2 .0 BOTTOM LINE ...... 23 . . ENDNOTES ...... 24 . . ABOUT THE AUTHORS ...... 29 . . KINGDOM OF SAUDI ARABIA CYBER READINESS AT A GLANCE

Country Population 31 .54 million

Population Growth 2 1%.

GDP at market prices (current $US) $646 .002 billion

GDP Growth 3 5%.

Year Internet Introduced 1994

National Cyber Security Strategy 2013 (not published yet)

Internet Domain .sa

Internet users per 100 users 69 .6

Fixed broadband subscriptions per 100 users 11 .9

Mobile cellular subscriptions per 100 users 177

Information and Communications Technology (ICT) Development and Connectivity Standing

International Telecommunications World Economic Forum’s Union (ITU) 45 33 Networked Readiness Index (NRI) ICT Development Index (IDI)

Sources: World Bank (2015), ITU (2016), NRI (2016), and Internet Society.

1 INTRODUCTION owned Internet back- bone and other Internet The Internet was first introduced in the Service Providers (ISPs). Kingdom of Saudi Arabia in 1993 as an aca- In 1998, Internet gov- demic project at the King Fahd University of ernance fell under the Petroleum and Minerals (KFUPM) in Dhahran, purview of the Internet with the first connections made available at Service Unit (ISU), a de- the College of Computer Sciences and Engi- partment of the KACST neering.1 This connection used a satellite link reporting directly to Saudi Arabia Internet to Bethesda, Maryland, and the limited Saudi KACST Vice President Penetration: 69.6% Internet infrastructure was managed by the for Scientific Research Washington Coordinating Center. It also host- Support.3 In 1999, the ed official Saudi government websites in the ISU officially opened its networks to licensed United States.2 At that time, only email service commercial ISPs, although STC remained the was available to University staff due to limited only ISP available in Saudi Arabia until 2005. international bandwidth and slow connection KACST – through the ISU – became the coun- speed. Access to the Internet remained lim- try’s single Internet exchange point and gate- ited to selected staff at academic, medical, way between the international Internet and research, and government institutions through the national intranet.4 The ISU controlled the the 1990s. These organizations – almost all based in the capital of Riyadh – were using a 64kbps channel provided by the King Fahd Specialist Hospital and Research Center (KF- SHRC) and administered by the King Abdulaziz Internet access became available City for Science and Technology (KACST) – the to all citizens in the Kingdom country’s national center for science, technol- of Saudi Arabia in 1999. ogy, and innovation. KFSHRC was connected to the Internet via a proprietary satellite link, and KACST was linked to KFSHRC via micro- wave. In 1994, KACST became the manager of the country’s Internet domain .sa and was country’s Internet services, operated the Saudi tasked with coordinating all Internet services domain name (.sa), and formulated rules and within the Kingdom. regulations to govern the use of the Internet in the country, including access control and In 1997, after several years of study and de- filtering of “harmful,” “illegal,” “anti-Islamic,” liberations, the Saudi Council of Ministries au- or “offensive” online material. As part of this thorized KACST to expand Internet access and responsibility, the ISU implemented a content services to the rest of the country. It also tasked control system (filtering both incoming and the Saudi Telecommunications Company (STC) outgoing traffic) in order to balance its desire – at that time, a government-owned company to facilitate public access to the Internet while and the sole provider of telecom services – with at the same time ensuring the content is in line building the domestic infrastructure necessary with the country’s conservative values and Is- to facilitate interconnection between the state- lamic teachings.5

2 In 2003, the Saudi Communications Commis- bracing the opportunities associated with the sion was renamed the Communications and Internet and setting the example for the rest of Information Technology Commission (CTIC) the Arab states.8 In addition, the Saudi people and was tasked with licensing, monitoring, are among the most active social media users and filtering processes previously managed by in the world – and largest adopters of Twitter KACST. In addition, it provides Internet access in the Arab region. Moreover, their high rate of to the private sector and resolves disputes mobile phone ownership (177 percent market among private telecommunication compa- penetration) is driving up Internet usage and nies.6 The ISU continues to provide Internet increasing the demand of mobile broadband access to government departments, as well as services. Finally, a large number of the popu- Saudi research and academic institutions, but lation is increasingly turning to circumvention Saudi Arabia is now connected to the Internet tools, such as Hotspot Shield, to access banned through two country-level data services pro- content and services. viders – the Integrated Telecom Company and Bayanat al-Oula for Network Services. These Saudi Arabia has the largest ICT market in ISPs must follow the same protocols as the the Middle East by both capital volume and state-run service (e.g., filtering content).7 spending, and this market is quickly becoming one of the most coveted by local and Since the Internet became widely available international companies. In fact, while the to the public in 1999 and the demand for In- Saudi IT industry currently contributes only to ternet services started to increase, especially a modest 0.4 percent of the country’s gross from the commercial sector, the number of In- domestic product (GDP) and the Kingdom’s ternet users in Saudi Arabia rapidly expanded ICT market continues to be import-driven – (from 100,000 in 1999 to one million in 2001, with over 80 percent of ICT expenditure by and to more than 16.5 million by the end of foreign companies9 – the IT sector is consid- 2016). In 2016, nearly all colleges and univer- ered one of the fastest growing industries, sities in the country offered free Internet ac- offering massive development opportunities. cess to faculty and students. Hospitals, banks, The cyber security market alone is expected and companies within the country also used to reach more than $3.4 billion by 2019.10 the Internet to provide citizen-facing services. More recently, the Saudi government placed The highly profitable STC, now a publicly increased emphasis on Internet uptake as a traded company, is still the dominant ISP in catalyst for economic growth, more efficient the country and among the largest operators government operations, and increased access in the Middle East, offering the majority of to education and public services. The govern- mobile, landline, Internet, and television ser- ment also viewed this as a means to diversify vices in Saudi Arabia.11 However, the compa- from an oil-dependent economy. ny lost its monopoly on mobile and Internet services when other ISPs, such as Mobily and Today, Saudi Arabia connects 21 million or Zain, entered the market place in the mid to nearly 70 percent of its population to the Inter- late 2000s. In 2008, STC began implementing net. While other Gulf countries like the United 3G technology, allowing for increased digital Arab Emirates, Qatar, and Kuwait have higher communications as well as greater reliability penetration rates, the Saudi population is em- and speed. That same year, Zain entered the

3 Saudi Arabian mobile market with 4G Long of ICT, it must also facilitate the access to and Term Evolution (LTE) services. use of technologies such as cloud computing, and expand the variety of Internet-facing ser- Despite the 70 percent Internet penetration vices provided to citizens. The plan rests on and expanded mobile use, e-commerce is three main pillars: (1) Saudi Arabia’s position still under developed. There are at least three as the heart of the Arab and Islamic worlds; contributing factors to this delay. First, it is dif- (2) its role as an investment powerhouse; and ficult to start a new business in the Kingdom. (3) its strategic location as the hub connecting Second, ICT costs are still high (Saudi Arabia Asia, Europe, and Africa.15 This plan, like many ranks 101st in the world for ICT affordability12), other past efforts to move the Saudi economy and businesses often prefer to avoid the costly away from its reliance on oil production, tries investments required to embed ICTs into their to balance religious conservativism with mod- business operations. Third, the oil economy still ernization. This creates tension regarding how dominates the economy, representing more modern technology and the Internet should be than 90 percent of government revenues, with appropriately used and harnessed to enhance companies largely focusing on the extraction, the economic wellbeing of the Kingdom.16 refinement, and distribution of oil and liquid natural gas (LNG). Vision 2030 is aligned with the priorities already highlighted in the National Transfor- The Saudi government recognizes that to mation Plan (NTP) 2020, and underscores the improve the country’s economic strength, importance of increasing the private sector’s it must diversify its reliance on oil. As such, role by diversifying into service sectors such as Crown Prince Muhammad bin Salman – next healthcare, education, infrastructure construc- in line to the throne after King Salman bin tion, recreation, and tourism. Other goals of Abdulaziz Al-Saud – has laid out his vision to Vision 2030 include: boosting foreign direct revolutionize the Saudi economy by ending investments; reducing the role of the public its dependency on oil and building a “strong, sector and bureaucracy while empowering the thriving, and stable Saudi Arabia that provides private sector to become the main employer; opportunities for all,” and that is never “at the creating better job opportunities and develop- mercy of commodity price volatility or exter- ing relevant skills in the workforce; provisioning nal markets.”13 This vision was set forth in the outstanding healthcare; and enhancing gov- 2016 “Saudi Arabia Vision 2030,” an economic ernment spending on military manufacturing reform agenda that provides the country with a equipment and ammunitions. roadmap of goals and objectives for the future improvement of Saudi Arabia.14 The Saudi Council of Economic and Devel- opment Affairs has been tasked with setting Although this ambitious economic and devel- up the necessary mechanisms and measures opment strategy includes digital development to implement this vision, coordinate efforts as one of its objectives, it is not the primary among all relevant stakeholders, and monitor focus. However, the plan does recognize that progress. The Council established a number in order to fully realize the economic benefits of bodies, including a National Center for Per-

4 formance Measurement, a Delivery Unit, and a stroyed data, and damaged almost three-quar- Project Management Office, to initiate, man- ters (or 75 percent) of the company’s IT infra- age, monitor, and evaluate the various current structure assets.19 It took the company weeks proposals as well as future programs. to fully restore its business operations. This was seen as a direct attack against the King- Although Saudi Arabia’s Vision 2030 promises dom since Saudi Aramco is a state-owned en- to open up many economic opportunities for terprise and represents over 80 percent of the investors and move the country toward radical government’s revenues. It is also the world’s transition, the ambitious economic plan does largest oil producer and represents over 10 not address political or social reforms, and percent of the global oil supply and at least does not account for the requisite additional 25 percent of the supply of LNG. The malware foreign skilled labor. It is also unclear whether was intended to migrate from the business the Vision 2030 accounts for the country’s abil- systems into the oil and gas production and ity to generate the sustained revenues to fund distribution networks. Even a partial disruption the infrastructure development needed for of the oil production facilities could have had the new service-enabled economy.17 The per- an immediate impact on oil supplies and pric- sistent decline in oil prices is already curtailing es and subsequently, on the global economy. revenue generation required to implement the This event raised awareness across the entire proposed changes. Saudi government regarding cyber threats and renewed its concerns about the country’s resil- Moreover, the Kingdom remains afflicted by ience to future cyber attacks.20 complex and dynamic security challenges that have led to increased regional instabili- Following the 2012 Saudi Aramco incident, the ty. 18 These challenges include costly military Saudi government started investing significant operations in Yemen and Syria, increasing vi- resources toward advancing its cyber security olent extremism from the Islamic State of Iraq capabilities and implementing both domestic and Levant (ISIL) and other extremist groups, and international measures to address its cyber mounting tensions with Iran, and an ongoing insecurity. Domestically, Saudi Arabia began diplomatic crisis with Qatar. The government’s developing a “National Information Security intentions to attract foreign direct invest- Strategy (NISS)” – a first attempt at creating ments and increased participation by private a national framework for cyber security, risk sector companies in their economy may also mitigation, and resilience, which focuses on be jeopardized by the increasing number of people, processes, and technology.21 The draft cyber attacks against critical infrastructures document recognizes the “complexity of to- and private corporations. day’s interconnected computer networks [and] the rapidly growing dependence of econom- In August 2012, Saudi Arabia’s state-run oil ic and financial activity on ICTs,” and tries to company Saudi Aramco suffered a serious and provide “an integrated strategy designed to destructive cyber attack. The Shamoon mali- meet the Kingdom’s national information and cious software corrupted tens of thousands of ICT security objectives,” while also supporting hard drives, shut down employee email, de- the Kingdom’s long-term national econom-

5 Despite the draft NISS strategy, the majority of security institutions and ministries in the The draft National Information country have developed their own rules and Security Strategy and Vision infrastructures, and operate their own security 2030 stress the need for Saudi systems and measures with little to no central Arabia to advance the overall coordination. These separate and isolated ef- security and resilience of the forts are further compounded by the lack of a clear, competent authority responsible for the country and “provide an effective overall cyber security of the nation. and secure foundation for the Kingdom’s evolution to a Yet, in July 2017, King Salman issued a series knowledge-based economy.” of royal decrees that most notably established a Presidency of State Security – a new state security agency responsible for counter-terrorism and domestic intelligence efforts. This agency will include departments that were formerly ic vision and strategic plans.22 Both the NISS part of the Ministry of Interior (MoI), such as and the national economic agenda – Vision special emergency forces, technical affairs, se- 2030 – stress the need for Saudi Arabia to ad- curity aviation, civil and military personnel, and vance the overall security and resilience of the other divisions responsible for fighting terror- country and “provide an effective and secure ism and addressing other security issues. The foundation for the Kingdom’s evolution to a decrees directed also that the National Cyber knowledge-based economy.” Security Center (NCSC) be repositioned from the MoI to the Presidency, perhaps as early as However, the NISS is mainly focused on cre- January 2018. The NCSC will become the focal ating a centrally-managed information se- point for cyber security in the Kingdom. Finally, curity environment along with the necessary the string of decrees ordered changes in po- policies, regulations, and a skilled workforce, sitions for senior personnel of the elite royal and it leaves out other critical aspects of national cyber security and Critical Infrastructure Protection (CIP). The NISS calls for the development of separate strategies for cyber security and CIP as “outside the scope of NISS” In July 2017, King Salman but as “important complements to the NISS issued a series of royal decrees and necessary for comprehensive protection that established a Presidency of the Kingdom’s vital national interests and assets.”23 It also warns that the effective im- of State Security, repositioning plementation of such strategies will require the National Cyber Security the Kingdom’s top leadership consensus, and Center under the Presidency recognizes that one of the main challenges to become the focal point for will be convincing government agencies to cyber security in the Kingdom. unanimously agree on a centralized national information security environment.

6 guard and the MoI, and elevated the head of content will be essential components on the the newly-created Presidency of State Security, path toward achieving the ambitious goals set Abdulaziz bin Mohammed al-Howairini, and forth in its Vision 2030 strategy and reaping his deputy to the rank of ministers. The moves the benefits associated with being part of the are aimed at centralizing authority in security global Internet economy. matters, including cyber security, counter-terrorism, and domestic intelligence, and posi- The Cyber Readiness Index (CRI) 2.0 has been tioning them under the authority of a single employed to evaluate Saudi Arabia’s current body, which will respond directly to the King preparedness levels for cyber risks. This anal- and Crown Prince.24 ysis provides an actionable blueprint for Saudi Arabia to better understand its Internet-infra- As the Kingdom stands up this new organiza- structure dependencies and vulnerabilities and tion and reorganizes its leadership and initia- assess its commitment and maturity to closing tives in the coming months, it must address the gap between its current cyber security pos- the fragmented nature of the country’s cyber ture and the national cyber capabilities needed security responsibilities that have contributed to support its digital future. A full assessment to its lack of strategic cyber security planning of the country’s cyber security-related efforts so far, as well as ensuring that it invests its and capabilities based on the seven essential limited amount of resources to identify imme- elements of the CRI 2.0 (national strategy, diate and long-term cyber threats to improve incident response, e-crime and law enforce- the country’s overall cyber security posture.25 ment, information sharing, investment in R&D, Understanding the risks and opportunities af- diplomacy and trade, and defense and crisis forded by ICT innovations while at the same response) follows: time tempering its approach to filtering online

National Strategy

Defense & Crisis Incident Response Response

Cyber Ready

Saudi Arabia E-Crime & Law Diplomacy & Trade Enforcement

Cyber R&D Information Sharing

Kingdom of Saudi Arabia Cyber Readiness Assessment (2017)

7 1. NATIONAL STRATEGY The Saudi Ministry of In 2011, the Ministry of Communications and Information Technology (MCIT) – one of the Communications and Information government agencies responsible for cyber Technology (MCIT) drafted security and digitization of government ser- the first National Information vices in Saudi Arabia – began developing the Security Strategy in 2011. country’s first “National Information Security Strategy (NISS).” 26 The 90-page draft, developed and produced by a group of international senior consultants and national experts, is currently in its seventh iteration. eration; (4) supporting e-government services and infrastructures that meet the Kingdom’s se- The need to articulate a national cyber security curity objectives and ICT plans and strategies; strategy emerged from the recognition that the and (5) promoting economic growth through Kingdom faces growing, diverse threats to its research and development as well as entrepre- national security, economic wellbeing, and cul- neurial efforts. Further, the NISS is built around tural values. According to the NISS, “national ten general objectives that encompass and and international interconnectivity creates sig- support the five broad goals stated above, nificant new vulnerabilities and presents new including: (1) developing appropriate and con- types of threats to the Kingdom’s economic sistent information security policies, directives, and cultural activities. These new threats could guidance, and practices; (2) enhancing the in some cases shutdown, corrupt or even de- security, reliability, availability, and resilience stroy critical information and communications of the Kingdom’s information systems and ICT technologies (ICT) systems.”27 Such threats infrastructure; (3) improving human resourc- include the possibility that an adversary might es; (4) establishing information security threat “seize control and use an ICT system to directly analysis and mitigation capability; (5) reducing harm or go against the Kingdom’s interests.”28 and preventing ongoing ICT exploitation; (6) implementing information security compliance The strategy articulates a clear vision for Sau- and tracking processes; (7) fostering research, di Arabia, stating that its goals are to provide innovation, and entrepreneurship; (8) ensuring a secure and robust digital environment that adequate information security protection of es- incorporates best practices from around the sential ICT infrastructure and systems; (9) pro- world and that relies on highly qualified Saudi moting national and international cooperation experts and practitioners. The draft strategy and information sharing; and (10) increasing has five main goals, namely: (1) developing a awareness of security risks and individual re- secure, reliable, and resilient information in- sponsibilities.29 However, despite these broad frastructure; (2) training a professional cyber goals and general objectives, the document security workforce; (3) creating an information is still aspirational and does not offer a clear security environment that inspires trust and implementation plan or specific guidelines to confidence through transparency and coop- achieve the desired goals.

8 The draft NISS recognizes that its vision is far security environment.31 However, it is unclear from being realized. For instance, there is cur- what the NISE organization will look like, what rently no uniform set of cyber security policies its positional authority will be, and what other and standards, and individual organizations cyber security responsibilities will be assigned and ministries have generally developed their to existing, combined, or new organizations in own approaches to cyber security and set the country. The draft strategy states that “the up their own security environment with little appropriate authority in the Kingdom shall commonality. Similarly, risk and threat assess- decide which entities and sub-entities to es- ments are lacking in standards, which makes it tablish, [and that] the specific roles for existing difficult for government organizations to com- government agencies concerned with informa- pare perceived threats in a coherent manner tion security [still] need to be determined.”32 consistent with developing effective strategies In July 2017, King Salman issued a series of and policies. There is also a lack of sophisti- royal decrees establishing a Presidency of cated and comprehensive disaster recovery State Security – a new state security agency planning procedures that incorporate cyber responsible for counter-terrorism, domestic insecurity. In addition, the draft strategy does telligence efforts and cyber security. The Presi- not clarify the Saudi cyber security national ar- dency will position these responsibilities into a chitecture and does not identify a competent single body reporting directly to the King and authority responsible and accountable for the Crown Prince.33 It is unclear whether the draft overall cyber security posture of the country. NISS will change and these recommendations Finally, the biggest challenge to closing the reprioritized. Nonetheless, currently Saudi Ara- gap between where the Kingdom’s cyber se- bia does not have a published cyber security curity posture currently is and where the NISS strategy or policy. envisions it to be, is the lack of a sufficiently skilled and qualified cyber security workforce In 2013, a royal decree established the Na- – the country currently has a shortage of over tional Centre for Electronic Security (NCES) 50,000 ICT specialists according to the Minis- under the MoI. The NCES was later renamed ter of Communications and Information Tech- the National Cyber Security Center (NCSC), nology, Abdullah Al-Swaha.30 and the 2017 royal decrees elevated it and repositioned it under the Presidency of State In order to address these shortcomings, the Security, which may also become responsible draft NISS includes numerous recommenda- for the next iteration and formalization of the tions including the creation of a centrally-man- NISS. In addition, the royal decrees estab- aged organizational structure by 2020 – a Na- lished that the NCSC will become the focal tional Information Security Environment (NISE) point for cyber security in the Kingdom, per- – that incorporates all relevant stakeholders haps as early as January 2018. Currently, the in the country and that will be “responsible responsibilities for cyber security in Saudi Ara- for the detailed implementation of the NISS bia are shared among the MCIT, the MoI, and objectives and initiatives,” and the establish- other government ministries and agencies. ment of a national risk assessment framework NCSC acts like a government computer emer- to support an effective and secure information gency response team (CERT) and is charged

9 with protecting the Saudi government and between Saudi Arabia and comparable de- Critical National Infrastructure (CNI) opera- veloped countries. While Saudi Arabia has tors’ information and communication systems put forward several cyber security-related and networks.34 The NCSC operates out of Ri- initiatives and intends to invest in innovative yadh and is tasked with a number of responsi- cyber security technologies, the country still bilities including: devising national standards, lacks an overall cyber security strategy, a set rules, and regulations to protect the country’s of common cyber security policies and stan- information infrastructure and critical assets; dards, and a consistent national architecture identifying risks and producing threat intelli- for cyber security. In upcoming months, the gence; coordinating efforts to respond and Presidency of State Security will have an recover from cyber incidents at the national opportunity to set Saudi Arabia on a path level; and facilitating the flow of information toward becoming more cyber ready by de- and security warnings between different sec- veloping and formalizing a national cyber tors. For example, the NCSC has developed security framework and strategy. recognized expertise in information assurance and end-to-end cyber defense capability, with 2. INCIDENT RESPONSE both analytics and forensics components, and shares threat intelligence with government In 2016, Saudi Arabia experienced a new agencies and a number of CNIs in the King- wave of cyber attacks that affected govern- dom. Some of these missions, however, are ment agencies and private sector compa- still maturing and at different stages of opera- nies, and placed renewed urgency on the tional effectiveness. need for the country to develop cyber security capacity and resilience. These attacks The financial commitments are unclear for used a malicious software similar to the one each of the proposed initiatives within the in the 2012 Saudi Aramco attack and caused NISS. The national budget, negotiated bilat- widespread disruption of critical infrastruc- erally between the Ministry of Finance and tures by rendering them inoperable.35 During the Saudi government’s various line agencies, the 2nd Annual International Cyber Security is not subjected to legislative review and, Conference held in Riyadh in February 2017, therefore, is not publicly available. Estimated the Director General of the Saudi National spending for different sectors are available, Cyber Security Center (NCSC), Saleh Ibrahim but they do not contain a detailed breakdown Al-Motairi, stated that the Kingdom had sus- of cyber security expenditures. tained almost 1,000 cyber security attacks targeting critical infrastructure, seeking to Despite some notable progress in increased steal data, and causing services interruption, cyber security awareness and capability, in 2016 alone.36 there is still a substantial gap in terms of national-level preparedness for cyber risks

10 Cyber incidents of national interest like these fall under the responsibility of the Saudi Com- puter Emergency Response Team (CERT-SA), In 2006, Saudi Arabia established which was established in 2006 to serve as “the its first Computer Emergency trusted authoritative reference for information Response Team (CERT-SA) to 37 security.” In 2007, CERT-SA started provid- serve as the trusted authoritative ing incident handling consultancy services, in addition to detection, prevention, awareness reference for information security. raising, educational, and training functions. Overall, the CERT-SA offers multiple services, including: (1) helping organizations contain and manage security threats and, if asked, emergencies and crisis. CERT-SA is still largely respond to national-level cyber incidents; (2) perceived as a reactive organization, mostly fo- promoting cyber security awareness through cused on providing press releases, advisories, online resources and ongoing awareness and information on current threats, and offer- campaigns and seminars; (3) offering educa- ing ad hoc incident response support. At this tion and training activities, including work- time, they have not developed the capability ing with universities to develop customized for coordinated responses to full-scale cyber training courses for government agencies and attacks and dissemination of timely and ac- businesses; (4) publishing threat warnings, tionable information. The 2012 Saudi Aramco intrusion alerts, and advisories; (5) assisting attacks led to renewed emphasis on the role of stakeholders in developing and implementing national computer emergency response teams, their own security procedures and processes; such as CERT-SA, in responding to and mitigat- and (6) providing feedback and information ing the effects of cyber incidents of national on how to handle specific cyber security-relat- interest. After that damaging cyber attack, ed issues.38 In addition, CERT‑SA collects in- CERT-SA increased its efforts to disseminate formation about specific events and response relevant information to detect and prevent cy- efforts, and conducts post-event analysis ber attacks, but there is still not a coordinated and reporting. If asked, CERT-SA will analyze effort to develop mechanisms to effectively and then develop prevention and detections and expeditiously share threat intelligence and solutions to cyber incidents. It may also try situational awareness with government agen- to quantify the extent/cost of the damage cies and organizations in order to prevent and caused by a cyber incident.39 mitigate cyber threats.

Although CERT-SA provides incident re- Moreover, there have been planning efforts sponse support and additional services, it is to establish a formal threat intelligence shar- not seen as the central authority responsible ing platform under the NCSC, which would for whole-of-government and whole-of-soci- support the security of CNIs and government ety incident response coordination and has entities, as well as provide additional proactive yet to develop an incident response plan for and reactive services, such as: cyber incident

11 response planning, supervision, and consul- ria to evaluate risks and assess their level of tation; malware analysis; compromise assess- seriousness/urgency. The NISS recognizes that ments; and cyber incident remediation.40 How- the problem is two fold. First, in the current ever, this platform has yet to be fielded. approach, senior management “must evaluate and make high-level risk mitigating decisions In addition, the draft NISS calls for the estab- on issues that cut across traditional ministry lishment of a “national Security Operations or organization boundaries,” but they lack “a Center (SOC), which would collect and dissem- common risk assessment framework to enable inate threat and intelligence information, an- them to make informed decisions involving alyze attacks, recommend mitigation actions, risk in the context of current and future priori- coordinate a national response [and serve] as ties, finite resources, and global complexity.”44 a resource to assist decision makers in under- Second, the various ministries have a tendency standing the impacts of ICT exploitation and to work separately in their respective mission deciding how best to address and reduce [cy- areas and have not yet recognized their digital ber] risks.”41 However, the NISS does not spec- dependency and need for common practices ify whether the SOC would replace, support, in cyber security. To address these problems, or work alongside CERT-SA and the NCSC to the NRAF would establish “selected, risk-ed- share more immediate or urgent threat infor- ucated, and trained senior Saudi executives,” mation. NISS only mentions that the national and would “have the authority to oversee se- SOC would sit under the new National Infor- curity risk assessment of various national inte- mation Security Environment (NISE) organi- grated information infrastructures (N3i) within zation to support Saudi national-level crisis the Kingdom.”45 However, this organization management efforts, and “would work with has not been established and the NISS strate- existing centers and capabilities to facilitate gy recognizes that the biggest challenge to its national information sharing and coordinate effectiveness will be getting N3i senior man- mitigation and incident response actions.”42 agement to collaborate on risk assessments The new Presidency of State Security will need and management functions, since the fear of to clarify the roles and responsibilities of each exposures of organizational weaknesses and of these centers in order to maximize resources lack of trust among key stakeholders still ham- and increase their overall effectiveness. pers effective collaboration.

In an effort to begin assessing national-level In the absence of more formal mechanisms for cyber risks and developing a consistent na- threat monitoring and analysis and in response tional cyber risk assessment and management to an increase demand for cyber security prod- process, the NISS calls for the creation of a ucts, foreign private firms have started provid- dedicated National Risk Assessment Function ing cyber security services, including threat (NRAF) under NISE, which in turn would “help monitoring and data management services, in implement a national Risk Process Manage- both the government and commercial sectors. ment System that provides a common risk This has attracted many multinational IT and framework for the Kingdom.”43 Currently, nei- security companies to the Saudi market, with ther the processes nor organizations exist and some of them forming innovative partnerships the entities in Saudi Arabia use different crite- with local IT and telecommunications firms. For

12 Proposed NISS Risk Assessment and Management Cycle. *

example, a foreign-Saudi partnership between Despite all of these initiatives, the Saudi ap- IBM and Saudi Arabian mobile operator Mobi- proach to incident response remains largely ly established a global SOC in Riyadh, which reactive. Recent attacks have sparked renewed uses IBM security services infrastructure to interest in accelerating planned initiatives to- assist analysts in collecting, analyzing, correlat- ward becoming more proactive and resilient to ing, and prioritizing security logs and events. In cyber incidents. 2014, this global SOC was selected by the Sau- di Ministry of Education to help strengthen its 3. E-CRIME AND LAW cyber security posture by conducting real-time ENFORCEMENT analysis, creating an early warning system for potential threats, and protecting the ministry Saudi Arabia is a signatory of the “Arab Con- data from foreign third-party access.46 vention on Combating Information Technology Offenses” (commonly known as the Arab Con- The MCIT recognizes the need to conduct reg- vention).49 This international legal framework ular national-level cyber security exercises that among the League of Arab States was enacted test response, recovery, and restoration plans, in 2010 with the aim of enhancing coopera- but it is unclear whether those exercises are tion between the Arab countries “to combat consistently taking place, if at all.47 The only information technology offences threatening type of cyber security exercise reported oc- their security, interests, and the safety of their curred during the 2014 Saudi military exercises communities,” and enabling parties to “adopt dubbed “Sword of Abdullah,” which included a common criminal policy aimed at protecting training on electronic warfare.48 the Arab society again information technolo-

* Image adapted from the draft National Information Security Strategy, produced by the Saudi Ministry of Communications and Information Technology, http://www.mcit.gov.sa/Ar/MediaCenter/PubReqDocuments/NISS_Draft_7_EN.pdf.

13 Domestically, Shari’a law is the official basis of Saudi Arabia is one of criminal justice in Saudi Arabia. Saudi Arabia the 18 members to sign has enacted two major cyber-related laws – the the Arab Convention on Electronic Transaction Act and the Anti-Cyber Combating Information Crime Law. Together these laws address cyber crime and cyber security issues, while also Technology Offences, but attempting to encourage and regulate the it has yet to ratify it. use of e-commerce and other Internet-facing services.

The 2007 Electronic Transaction Act regulates gy offences.”50 Saudi Arabia is one of the 18 e-commerce and establishes a legal regime for member states to sign the Arab Convention, electronic transactions and digital signatures in but is the only country that has not yet ratified Saudi Arabia.53 This Act consolidates the use it. Moreover, the convention is quite vague in of electronic transactions in the public and pri- its definitions and provisions to combat cyber vate sectors, at local and international levels, crime and, despite its wide acceptance, it has and advocates their use in commerce, medi- not been formally activated. In fact, there is no cine, education, e-government, e-payment reference to its provisions in any of the Arab systems, and other applications. In addition, nations’ cyber crime laws, and coordination be- the law seeks to protect digital records, and tween the 18 state parties remains ineffective.51 limit and prevent potential abuse, fraud, and embezzlement. It recognizes the equal validity In addition, Saudi Arabia is not a party to nor of transactions carried out online and those is in the process of joining any of the global carried out in a physical space, and regards the anti-cyber crime agreements, like the Council legal equivalence of electronic signatures and of Europe’s “Convention on Cybercrime” (com- written signatures. monly known as the Budapest Convention) or the Shanghai Cooperation Organisation’s (SCO) The Communications and Information Tech- “Agreement on Cooperation in the Field on En- nology Commission (CTIC), created under the suring International Information Security.” Act, is responsible for the implementation of the law, including issuing licenses to authenti- Saudi Arabia does participate in some inter- cation services providers (ASPs); verifying com- national dialogues and strategic partnerships pliance by ASPs; and guaranteeing continuity to increase cooperation on cyber crime. It has of services and suspending or canceling licens- developed bilateral relationships and informal es. The MoI and MCIT are jointly responsible channels such as police-to-police and agen- for issuing general policies and developing cy-to-agency cooperation, and is committed plans and programs for electronic transac- to further expanding international collabora- tions and signatures. The MoI established the tion on international standards development, National Information Centre (NIC) to provide global ICT security policy, and cyber crime services for exchanging and storing informa- initiatives and research.52 tion on a matrix of interconnected branches

14 throughout Saudi Arabia, offering operations crime is related to public influence, if minors in the regions and supporting the Hajj (i.e., are involved, or if it is a repeated offense.57 the pilgrimage to Mecca). Moreover, the Act mandated the creation of a National Center In addition, the ACCL provides a legal frame- for Digital Certification (NCDC), which pro- work to prosecute cyber crimes such as theft of vides an integrated system for managing the sensitive data and cyber disruption, but it does Public Key Infrastructure (PKI) that enables In- not address prevention, detection or collab- ternet users to perform secure e-transactions. oration either inside the Kingdom or with in- In association with the Ministry of Finance, the ternational partners, thus making prosecution NCDC operates the Saudi Electronic Data In- of cross-sector and cross-border crimes partic- terchange (Saudi EDI) project to facilitate quick ularly difficult. In the case of the 2012 Saudi and transparent business transactions.54 While Aramco attack, for example, the ACCL would the Act was originally perceived as a way to im- have been extremely hard, if not impossible, to prove the environment for e-commerce – im- apply since the threat actor was believed to be port and export electronic transactions – much a proxy of the Iranian government. Moreover, of its emphasis so far has been on government there is still a lack of sufficiently trained court transactions, and the law has not been updat- judges, prosecutors, lawyers, and law enforce- ed in over ten years. There is now increased ment officials to address different elements of pressure to update the law to keep pace with cyber crime and successfully investigate and the changing economic and technological en- prosecute offenders. vironment and international standards.55 Moreover, the ACCL has triggered widespread In 2007, the Anti-Cyber Crime Law (ACCL) was criticism by legal experts and human right ac- passed. It had four primary objectives: (1) main- tivists for what is being perceived as an overly taining data security; (2) increasing IT employ- zealous use of the “moral” violations to fine, ment; (3) providing protection for intellectual arrest, or prosecute activists, bloggers, and property across networks; and (4) protecting Saudi citizens for political or religious purpos- the public interest and morals.56 While this law es, rather than using the law to prosecute actu- is designed to protect users from cyber crimes, al cyber crimes and protect digital assets. For it also contains clauses that limit freedom of example, in 2015, a 32-year old Saudi woman expression. For example, the ACCL criminaliz- was sentenced to jail for two months and fined es “producing something that harms public or- more than $5,000 for using WhatsApp to, in der, religious values, public morals, the sanctity the opinion of the court, defame another Saudi of private life, or authoring, sending, or storing citizen. In 2016 – as punishment for defaming it via an information network.” It also imposes the Ministry of Health on Twitter – one physi- penalties, including up to ten years in prison cian was sentenced to 6 months in prison and and fines up to five million riyals (~$1.3 million) a pharmacist received 4 months in prison.58 In depending on the severity of violation or crime 2016, changes were made to the ACCL giving committed. Additional penalties can be added officials greater latitude not to prosecute cyber if the crime is part of an organized crime syn- crimes that cause damage to networks, but to dicate, if the violator is a public official and the publicly name offenders after final rulings have

15 been issued in cases involving religious values sulting the reputation of the state,” “harming and public morals. These changes are divert- public order,” or “shaking the security of the ing attention and resources away from cyber state.”63 The Anti-Terrorism Law effectively crimes and may negatively affect the country’s criminalizes all content questioning Islamic ability to attract foreign direct investment and religious doctrine or expressing support for consequently, its ability to diversify from an oil- any type of “banned groups” or political based economy.59 reforms.64

Internet use is persistently monitored by the Aside from the aforementioned laws and a CITC, which employs strict filtering on online general right to privacy contained in the Ba- content and social media posts considered sic Law of Governance, there are few privacy “harmful,” “illegal,” “anti-Islamic,” or “offen- protection regulations associated with per- sive,” and consistently blocks websites related sonal privacy and personal data. For example, to pornography, gambling, drugs, extremist a national data protection regulator does not ideology, as well as pages belonging to human exist. Furthermore, there is no formal customer rights or political organizations.60 Saudi Arabia notification or registration requirement before publicly acknowledges censoring morally in- the government or a company can collect or appropriate and religiously sensitive material, process data. The lack of data governance pro- consistent with Shari’a law. Yet, in recent years cesses or regulations leaves data transfer and law enforcement agencies expanded inspec- data residency requirements ambiguous. There tion and interception by breaking or bypassing is no clear definition of “personal data,” and no encryption to inspect political, social, and reli- requirement to notify data security breaches to gious content on websites, blogs, chat rooms, any individual or entity in Saudi Arabia.65 social media sites, emails, and phone text messages in the name of protecting national Finally, the draft NISS strategy does not include security and maintaining social order.61 any mention of human or financial resources allocated to support additional legal and pol- Moreover, the Ministry of Culture and Informa- icy initiatives to protect society against cyber tion requires that blogs, forums, chat rooms, crime, to reduce criminal activity emanating and other popular sites obtain a license from from the country, or to promote coordination the ministry to operate, while CITC requires mechanisms to address international and na- mobile network operators to register sub- tional cyber crime. The draft NISS strategy scribers’ real names, identity numbers, and does not clarify how it plans to expand law en- now even their fingerprints in order to “limit forcement capacity. As Internet use becomes the negative effects and violations in the use more widespread and as more connected of communication services.”62 Users have devices become avenues for infection and ex- become particularly careful about what they ploitation, Saudi Arabia will need to increase post, share, or “like” especially after the pas- the capacity of its law enforcement agencies sage of the 2014 Anti-Terrorism Law, which and commit resources to effectively respond defines terrorism in such vague terms as “in- to increased cyber crime and reduce infrastructure weaknesses.

16 4. INFORMATION SHARING

While Saudi Arabia does not have a nation- While Saudi Arabia does not al information sharing policy, the draft NISS have a national information strategy highlights the importance of nation- sharing policy, the draft al and international information sharing and “National Information Security cooperation, and is committed to expanding information exchanges on emerging threats Strategy” does highlight the and vulnerabilities, and appropriate mitiga- importance of information tion technologies. sharing and cooperation as a key strategic area. The NCSC shares threat intelligence with government agencies, a number of CNIs, and other interested stakeholders in the Kingdom, but this capability is still maturing. There have been planning efforts to establish stronger Nonetheless, Saudi Arabia does not have a information sharing mechanisms, including a strong tradition of sharing information inter- threat intelligence sharing platform under the nally, let alone with international agencies. NCSC that would further support the security Rivalries and jealousy among ministries guard- of the CNIs as well as government entities. ing their own bureaucratic institutions and Early warning of threats and malicious activ- missions, compounded by the rapid rise of ities occurring in CNIs or other parts of the technology, have made it difficult for a single world are important and necessary compo- strategy to take hold effectively with regard to nents of a strong national cyber security pos- sharing cyber security information. The King- ture. For example, the May and June 2017, dom has also been reluctant to share informa- cyber incidents that exploited vulnerabilities tion on an international level; while it shares in Microsoft’s software sparked global infor- economic interests with other countries in the mation sharing and threat response activities. region, military tensions and competing po- As one nation or industry became victim of litical interests have hindered the free flow of those cyber incidents, others were able to information across borders. The establishment quickly learn from the events, shut off vulnera- of the Gulf Cooperation Council (GCC), which ble components of their networked infrastruc- includes Saudi Arabia, the United Arab Emir- tures, and communicate the software patch- ates, Bahrain, Kuwait, Qatar, and Oman, may es needed to protect their infrastructures be a venue by which greater trust and increased and enterprises.66 Indeed, the NISS strategy information sharing could be explored.68 emphasizes that “the equation is simple. As cooperation, collaboration, and information Saudi Arabia is also a member of the Or- sharing (both within the country and across ganisation of Islamic Conference-Computer borders) increases, the risk of information loss Emergency Response Team (OIC-CERT), a and ICT systems exploitation decreases.”67 group of 18 countries, including Egypt, Iran,

17 Turkey, and Nigeria, as well as Saudi Arabia. future information security needs by stimulat- This group includes national CERTs from the ing and directing the Kingdom’s information various countries and is intended to facilitate security research and innovation programs that information sharing among Islamic countries. have high potential for commercialization and The OIC-CERT organizes training, workshops, information security breakthroughs, including and exercises designed to provide real-time cryptographic interoperability, supply chain experience in addressing cyber threats and integrity, computer security, and rapid and ef- crises, including timely and actionable infor- fective access control.”71 mation sharing.69 The document identifies some initial projects The NISS recognizes that the Kingdom re- that are designed to expand existing capabil- quires much progress in this area. The NCSC ity, including providing support to researchers and the new Presidency of State Security now have an opportunity to enhance and expand the exchange of actionable information both inside and outside the government. Each ministry, CNI, business, and international partner Saudi Arabia recognizes that is in need of information that can improve their it must develop additional security posture. Currently, the only mecha- capability in the ICT and cyber nisms used for sharing information within the security sectors, and has made government and across critical industries are offered by CERT-SA and the NCSC. In the this a key pillar of its National coming months, however, as the government Information Security Strategy. considers standing up a national SOC and formalizes the NCSC’s new role, timely and actionable information sharing can become a reality for the country. and innovators to translate successful ideas 5. INVESTMENT IN and research into patents and commercialized RESEARCH AND products, but does not clearly state how the DEVELOPMENT government would support, advance, and sus- tain these efforts. Instead, the strategy proposes the development of a “technology roadmap The draft NISS states a clear intent to create for research” to guide the country as a whole “a flourishing and continuing information se- with input from cyber security communities, curity economic sector of research, innovation other governments and industry from around and entrepreneurial activities,” and recognizes the world. In addition, it calls for the creation of the need to “expand research and innovation “a centralized funding advisory capability” to through international cooperation” in order to ensure that research and development efforts help the country develop additional capability are aligned with strategic goals and objectives. in the ICT and cyber security sectors.70 In par- To this end, the NISS proposes the creation of ticular, the strategy stresses the need to “meet a Research and Innovation Function that will

18 oversee grants and funding for specific secu- courses and degree programs on ICT and rity programs. This is to be part of the KACST, information security, such as the Masters of and will be coordinated with the MCIT.72 Science program in Security and Information Assurance at King Fahd University of Petro- The draft NISS considers human resources a leum & Minerals in Dhahran. In addition, the “key pillar” of its strategy and has proposed KACST’s Communication and Information several schemes to “expand the capability of Technology Research Institute (CITRI) in Saudi information security practitioners, re- Riyadh is involved in several research and searchers, innovators and entrepreneurs,” and development projects, spanning from the promote cyber security training and aware- design of digital and analog integrated cir- ness.73 For example, programs have been de- cuit chips and integrated electronic systems, veloped to identify women who are competent to the development of communications and in IT and cyber security, and who, with additional wireless security, robotics and intelligent sys- training, could quickly meet some of the King- tems, radar and defense systems, advanced dom’s immediate information security needs. technology for electronic warfare, applied The NISS also suggested that “unemployed scientific research on lasers and optical fi- young people, who have no formal credentials bers, and other prototypes according to but have strong computer skills, could be vet- the latest international specifications and ted and employed.”74 To respond to this need, standards. CITRI plays also a leading role in the MCIT has launched other talent develop- making KACST the national hub for cyber ment programs and partnerships with global IT crime prevention and digital crime forensic companies to train over 56,000 Saudi youths research. The Institute provides expertise, on key ICT skills between 2017 and 2020, and consultation, and studies on a variety of has set up a National Information Technology topics for government agencies, universi- Academy in collaboration with Saudi Aramco ties, and companies in order to support their to train and develop Saudi talent.75 Addition- research and technology needs, toward the ally, the NISS proposed a program beginning realization of the national plan objectives for in primary school that encourages children to science, technology and innovation.77 Finally, acquire computer, analytical, and cyber securi- CERT-SA provides additional technical train- ty skills from an early age, and pairs them with ing, organizes cyber security awareness cam- a mentor who supports them through their paigns, and works with universities, govern- schooling and into employment.76 The hope is ment agencies, and businesses to develop that these young people will be able to play custom training courses and seminars as part an important role in maintaining the Kingdom’s of its security quality management function. future security. Saudi Arabia has the largest ICT market in While the Saudi government has not devel- the Middle East by both capital volume and oped a formal program or set of incentives, spending, and, in 2016, it was estimated that to encourage basic and applied cyber secu- the country invested as much as $14 billion in rity research at universities and academic in- the ICT sector, including cyber security. In ad- stitutions, it does support and fund all public dition, there is an increased interest by local universities. Many of these universities offer and international companies in the Internet

19 of Things (IoT) enabled by high-speed broadband connectivity, as well as in stronger cyber Saudi Arabia has the largest security measures that facilitate resilience in the wake of potentially damaging cyber ICT market in the Middle threats. Building trust among stakeholders East by both capital volume and strengthening confidence in the security and spending, and, in 2016, efforts undertaken by participants in the online it was estimated that the marketplace have been key topics of several country invested as much as workshops and conferences held around the Kingdom, including the most recent IDC CIO $14 billion in the ICT sector, Summit of 2016. This conference brought to- including cyber security. gether government officials, Saudi commercial officials, and experts from around the world to explore ICT trends, including cyber security threat solutions for Internet connected and of innovation hubs across Saudi Arabia aimed dependent infrastructures.78 at developing and showcasing technological innovation addressing regional or local eco- A significant portion of the $14 billion invested nomic challenges and promoting economic in ICT in Saudi Arabia in 2016 was dedicated growth in different sectors. For example, the to expanding the telecommunication infra- Saudi Basic Industries Corporation (SABIC) is structure – especially high-speed broadband. the principle investor in the Riyadh’s Techno Today, revenues are largely driven by commu- Valley innovation hub. This regional inno- nications, with an estimated 20 percent coming vation hub – the Home of Innovation – is from increased connectivity. These revenues dedicated to technology innovations in the are expected to rise steadily in this area in petrochemical and gas industry, and its goals coming years. This will require additional infra- are aligned with the objectives of the Vision structure investments, which may include some 2030 economic strategy of promoting local security provisions, however, cyber security or downstream industry growth, realizing effi- resilience is not currently considered a key ciencies for the companies involved, and cre- focus. Both the dominant ISP in the country ating a diverse and sustainable economy for and one of the largest operators in the Middle the country. However, cyber security has not East, STC, and competitors Mobily and Zain typically been addressed in these initiatives as are investing in connectivity. However, each of a distinct area of focus.80 these ISPs mainly focus on providing greater access, while data security procedures and Following the 2012 Saudi Aramco attack, the processes often take a backseat. Moreover, Saudi government started to increase its spend- there is currently little cooperation between ing for cyber security technology solutions and these companies.79 services, especially in surveillance technology; advanced communication systems; electronic Private industry and private-public partner- detection equipment; cyber attack detection ships are starting to collaborate on the launch systems; cyber attack prevention technology;

20 and biometrics. These areas combine physical groups as part of the May 2015 Camp David security with infrastructure and internal network accord, in which the GCC agreed to meet at security strategies. Collaboration with and least twice annually to advance partnership on funding from international partners, including counter-terrorism and streamline the transfer the United States, have received increased in- of critical defense capabilities, missile defense, terest from the government in recent years.81 military preparedness, and cyber security.85 Recently, the Saudi Arabia Military Industries – a state-owned defense enterprise – partnered In addition, Saudi Arabia has been involved with United States’ defense contractor Raythe- in a number of high-level bilateral dialogues on to cooperate on defense-related projects with countries like the United States and In- and technology development, including in the dia aimed at fostering information exchanges area of cyber security. As part of this agree- related to terrorism financing, money launder- ment, the Saudi government will be able to ing, and the use of cyberspace by terrorist and acquire additional cyber security solutions for criminal groups. defense systems and platforms, and Raytheon will establish a new organization (Raytheon Through the NCSC, Saudi Arabia is also pro- Arabia) located in Riyadh and responsible for moting regional cyber security cooperation implementing programs to create indigenous and awareness. As part of these efforts, the defense, aerospace, security capabilities in the Kingdom regularly hosts cyber security-relat- Kingdom.82 The partnership will therefore con- ed events such as the annual Cyber Security tribute to the goals highlighted in the Vision Forum, which brings together government 2030 strategy of developing a Saudi’s localized officials and industry experts from around the defense ecosystem with expert capabilities Arab world and beyond to explore ways to and new job opportunities, which will provide improve cyber security, enhance threat intelli- a long-term foundation for the country’s eco- gence capability, and support its Vision 2030 nomic development in this sector.83 goals.86 In addition, the Kingdom hosts a government-endorsed annual International Cyber 6. DIPLOMACY AND TRADE Security Conference, which is attended by the

Saudi Arabia does not consider cyber security a top tier foreign policy issue and has not prioritized this area within its Ministry of Foreign Affairs. However, Saudi Arabia is assuming a Saudi Arabia is assuming a much more assertive role within the Gulf Co- much more assertive role within operation Council (GCC), especially given the the Gulf Cooperation Council increased tensions with Iran and the cyber at- on cyber issues, but has not tacks emanating from Iran’s territory. In partic- prioritized cyber security as a top ular, Saudi Arabia is leading conversations with the GCC to expand cooperation on cyber secu- tier foreign policy issue within rity and endorse peacetime cyber norms.84 It is its Ministry of Foreign Affairs. also working with the GCC to establish working

21 highest levels of the MoI, as well as cyber secu- that incorporate cyber defense of the nation, rity experts from around the world.87 including the Ministry of Defense and Aviation and the Ministry of the Interior. These and Vision 2030 emphasizes Saudi Arabia’s stra- other government agencies are beginning to tegic location as the hub connecting Asia, invest in cyber technologies and in advancing Europe, and Africa. The Presidency of State their cyber capabilities. In particular, in 2017, Security should use its newly established pow- ers and responsibilities to set a vision for the free flow of goods, services, data, and capital across those borders. It should leverage Saudi Cyber defense has taken on Arabia’s G-20 position and influence to facili- heightened urgency in Saudi tate trusted transactions in the digital econo- Arabia due to the increased my. Cyber diplomacy is not just about rules of number of destructive cyber engagement and constraining behaviors. It is also about promoting trade through the free attacks the country has flow of information. Balancing the twin goals endured in recent years. of economic prosperity and national security requires a sophisticated diplomatic corps and a commitment to leading the region to realize the Vision 2030 goals. Saudi Arabia increased its cooperation with the United States through a Security Cooperation 7. DEFENSE AND CRISIS Agreement aimed at improving training for RESPONSE special operations and counter-terrorism forces, integrating air and missile defense systems, Saudi Arabia plays a crucial role in maintaining strengthening cyber defenses, and bolstering security and stability in the region due to its maritime security.89 economic, political, and cultural importance, as well as its strategic location. Given the com- In addition, Saudi Arabia seeks to equip other plex and dynamic security challenges facing defense forces, including the National Guard, the region – especially the increasing tensions with dedicated cyber capabilities. For instance, with Iran – the new Crown Prince stated that the Saudi National Guard is investing nearly the Kingdom “will not wait until the battle is in half a billion dollars to develop an electronic Saudi Arabia but will work so the battle is there warfare capability. in Iran.”88 Moreover, as a result of the cyber attacks Saudi Arabia endured in recent years There is no evidence that the Kingdom has for- originating from Iran’s territory, cyber security malized the military or the intelligence services’ and cyber defense have taken on heightened cyber security mission in a policy or decree. urgency in Saudi Arabia. Moreover, because the Kingdom’s budgets are not publicly available, it is difficult to determine There are several ministries within the Saudi the level of funding dedicated to developing government with cyber security mandates cyber capabilities within these institutions. It is

22 also unclear whether the Ministry of Defense scape. As Saudi Arabia continues to develop and Aviation is conducting government-wide and update is economic (digital agenda) and or military-specific exercises that demonstrate national cyber security strategies, policies, and national cyber defense readiness. Nonethe- initiatives to reflect a more balanced approach less, Saudi Arabia is at least an active mem- that aligns its national economic visions with ber of the OIC-CERT, which is committed to its national security priorities, updates to this organizing joint cyber exercises, although it is country profile will reflect those changes and not clear that any such exercises have actually monitor, track, and evaluate substantive and taken place so far.90 notable improvements.

CRI 2.0 BOTTOM LINE The CRI 2.0 offers a comprehensive, compar- ative, experience-based methodology to help According to the CRI 2.0 assessment, Saudi national leaders chart a path toward a safer, Arabia is still insufficiently prepared in all of more resilient digital future in a deeply cy- the CRI essential elements, although it has bered, competitive, and conflict prone world. made considerable progress in becoming For more information regarding the CRI 2.0, more cyber ready. please see: http://www.potomacinstitute.org/ academic-centers/cyber-readiness-index. The findings in this analysis represent a snap- shot in time of a dynamic and changing land-

Legend Fully Operational

Partially Operational

Insufficient Evidence

IDI Rank NRI Rank GDP Rank National StrategyIncident ResponseE-Crime & Law EnforcementInformation SharingInvestment in R&DDiplomacy & TradeDefense & Crisis Response

23 10. For more, see: “Saudi Arabia – Tele- ENDNOTES coms, Mobile and Broadband Sta- tistics and Analyses,” Paul Budde 1. Khalid M. Al-Tawil, “The Internet in Saudi Communication Pty Ltd, https://www. Arabia,” Telecommunications Policy, vol. budde.com.au/Research/Saudi-Ara- 25, issue 8-9, September 2001, 625-632. bia-Telecoms-Mobile-and-Broad- 2. The Mosaic Group, “The Global Dif- band-Statistics-and-Analyses. fusion of the Internet Project – The 11. Saudi Telecom Company, “Consolidated Internet in the Kingdom of Saudi Ara- Financial Statements for the Year ended bia,” (February 1999): 2, http://mosaic. December 31, 2016,” 2017, http://www. unomaha.edu/SaudiArabia_1999.pdf. stc.com.sa/wps/wcm/connect/english/ 3. Ibid. stc/resources/0/7/07a92210-58ff-4466- 9a23-f4fc4f14e559/STC+2016+Annu- 4. Hamed A. Alshahrani, “A Brief History al+Consolidated+FS+-English.pdf. of the Internet in Saudi Arabia,” Tech Trends 60, no. 1, 2016, https://link.spring- 12. World Economic Forum, “Saudi Arabia,” er.com/article/10.1007/s11528-015-0012-5. Networked Readiness Index, 2016, http://reports.weforum.org/global-in- 5. Mahdi Abu-Fatim, “Official on Introduc- formation-technology-report-2016/ tion of Internet Into Kingdom,” Al-Ri- economies/#economy=SAU. yadh, December 6, 1997: 27, as reported in FBIS-NES-97-348, Daily Report: 13. “Saudi Arabia Vision 2030,” Near East & South Asia, December 16, http://vision2030.gov.sa/en. 1997, via World News Connection. 14. Ibid. 6. Communication and Information Technol- 15. “Full Text of Saudi Arabia’s Vision 2030,” ogy Commission, http://www.citc.gov.sa/. Saudi Gazette, April 26, 2016, http:// 7. Freedom House, “Freedom on the Net saudigazette.com.sa/saudi-arabia/ 2016 – Saudi Arabia Country Profile,” full-text-saudi-arabias-vision-2030/. (2016), http://freedomhouse.org/report/ 16. Khalid M. Al-Tawil, “The Inter- freedom-net/2016/saudi-arabia. net in Saudi Arabia,” 625. 8. World Bank, “Internet Users (per 100 17. Hilal Khashan, “Saudi Arabia’s people),” 2015, http://data.worldbank. Flawed “Vision 2030”,” The Middle org/indicator/IT.NET.USER.P2. East Quarterly, vol. 24, no.1 (Winter 9. Eng. Abdullah Al-Swaha, “ICT Infrastruc- 2017), http://www.meforum.org/6397/ ture Targeted in 1,000 Cyberattacks in saudi-arabia-flawed-vision-2030. 2016,” The Business Year, https://www. 18. U.S. Department of State, “Fact Sheet: thebusinessyear.com/saudi-arabia-2017/ U.S. Security Cooperation With Saudi eng-abdullah-al-swaha-minister-com- Arabia,” January 20, 2017, https://www. munications-information-technology/ state.gov/t/pm/rls/fs/2017/266861.htm. vip-interview.

24 19. Melissa Hathaway et al., “Cyber Read- 28. Ibid, 1. iness Index 2.0 – A Plan for Cyber Readiness: A Baseline and An Index,” 29. Ibid, 2-3. Potomac Institute for Policy Studies, November 2015, http://www.potomac- 30. Ibid, 10, and Eng. Abdullah Al-Swaha, institute.org/images/CRIndex2.0.pdf. “ICT Infrastructure Targeted in 1,000 Cy- berattacks in 2016,” The Business Year. 20. Leon Panetta, speech given to Busi- ness Executives for National Security, 31. Ibid, 2. New York, October 12, 2012, http:// archive.defense.gov/transcripts/ 32. Ibid, 20. transcript.aspx?transcriptid=5136. 33. “Saudi Arabia forms new appara- tus of state security,” Arab News, 21. Ministry of Communications and In- July 21, 2017, http://www.arabnews. formation Technology, “Developing com/node/1132466/saudi-arabia. National Information Security Strategy for the Kingdom of Saudi Arabia – NISS, 34. National Cyber Security Cen- Draft 7,” 2013, https://www.enisa. ter, “About Us,” https://www. europa.eu/topics/national-cyber-secu- moi.gov.sa/wps/portal/ncsc/. rity-strategies/ncss-map/national-cyber-security-strategy-of-saudi-arabia/ 35. Raphael Satter, “Cyberattacks against at_download/file. Saudi Arabia continue,” Associated Press, April 26, 2017, and Agence 22. Ibid, 2. France Press, “Saudi computer systems vulnerable to ‘Shamoon 2’ 23. Ibid, 2. virus: telco chief,” Arab News, Jan- 24. “Saudi Arabia forms new appara- uary 26, 2017, http://www.arabnews. tus of state security,” Arab News, com/node/1044566/saudi-arabia. July 21, 2017, http://www.arabnews. 36. Aisha Fareed, “Saudi facilities sustained com/node/1132466/saudi-arabia. nearly 1,000 cyber attacks in 2016,” Arab 25. Azhar Unwala, “Cyber security in Sau- News, March 1, 2017, http://www.arab- di Arabia Calls for Clear Strategies,” news.com/node/1061151/saudi-arabia. July 27, 2016, http://globalriskinsights. com/2016/07/cybersecurity-sau- 37. Suliman Al Samhan, “Saudi Arabia Com- puter Emergency Response Team,” Com- di-arabia-calls-clear-strategies/. munications and Information Technology 26. Ministry of Communications and Commission, https://www.itu.int/ITU-D/ Information Technology, “Develop- cyb/events/2008/doha/docs/alsamhan-na- ing National Information Security tional-strategy-CERT-SA-doha-feb-08.pdf. Strategy for the Kingdom of Saudi 38. Computer Emergency Response Arabia – NISS, Draft 7,” 2013. Team – Saudi Arabia, “CERT-SA 27. Ibid, 1.

25 Services,” http://www.cert.gov.sa/ 49. “Arab Convention on Combating index.php?option=com_content&t Information Technology Offenses,” ask=view&id=186&Itemid=131. 2010, http://itlaw.wikia.com/wiki/ Arab_Convention_on_Combating_In- 39. Ibid. formation_Technology_Offences.

40. National Cyber Security Cen- 50. Ibid. ter, “Services,” https://www.moi. gov.sa/wps/portal/ncsc/. 51. Joyce Hakmeh, “Cybercrime and the Digital Economy in the GCC Coun- 41. Ministry of Communications and tries,” Chatham House, June 2017. Information Technology, “Develop- ing National Information Security 52. Ministry of Communications and Strategy for the Kingdom of Saudi Information Technology, “Develop- Arabia – NISS, Draft 7,” 13, 43. ing National Information Security Strategy for the Kingdom of Sau- 42. Ibid, 13. di Arabia – NISS, Draft 7,” 5.

43. Ibid, 13. 53. Kingdom of Saudi Arabia, “Elec- tronic Transactions Law,” March 26, 44. Ibid, 33-34. 2007, http://www.citc.gov.sa/en/Rule- sandSystems/CITCSystem/Documents/ 45. Ibid, 35. LA_003_%20E_E-Transactions%20Act.pdf. 46. “Enhancing Saudi Arabia’s cybersecurity 54. Ira Piltz, “Internet Law – Saudi Arabia’s readiness,” Oxford Business Group, Electronic Transaction Act,” Internet 2015, http://www.oxfordbusinessgroup. Business Law Services, http://www. com/analysis/front-lines-enhancing-king- ibls.com/internet_law_news_por- dom’s-cybersecurity-readiness. tal_view.aspx?s=articles&id=BDFDC- 5CD-61A1-40AF-99E7-45CD5E03C62B . 47. Ministry of Communications and Information Technology, “Develop- 55. Ministry of Communications and ing National Information Security Information Technology, “Develop- Strategy for the Kingdom of Saudi ing National Information Security Arabia – NISS, Draft 7,” 44. Strategy for the Kingdom of Saudi Arabia --NISS, Draft 7,” 26-29. 48. “What Message is Saudi Arabia sending with war games?” Al-Mon- 56. Ministry of Communications and itor, 2014, http://www.al-monitor. Information Technology, “Anti-Cy- com/pulse/originals/2014/04/sau- ber Crime Law,” 2016, http://www. di-military-maneuvers-sign.html#. mcit.gov.sa/En/AboutMcit/Regula- tions/Pages/CriminalLaws.aspx.

26 57. Bureau of Experts at the Council 66. Melissa Hathaway, “Cybersecurity: The of Ministers, “Anti-Cyber Crime Intersection of Law, Policy and Technol- Law,” MCIT, 2009, http://www.mcit. ogy,” remarks given at the American gov.sa/Ar/MediaCenter/Download/ Bar Association meeting, June 1, 2017. Anti_Cyber_Crime_Law_En.pdf. 67. Ministry of Communications and 58. Freedom House, “Freedom Information Technology, “Develop- on the Net 2016 – Saudi Ara- ing National Information Security bia Country Profile,” (2016). Strategy for the Kingdom of Saudi Arabia – NISS, Draft 7,” 14. 59. Dino Wilkinson, “Saudi Arabia Updates Cybercrime Law to Include ‘Naming 68. Fariborz Ghadar and Heather Spin- and Shaming’ Penalty,” Data Protec- dler, “IT: Ubiquitous Force,” Indus- tion Report, June 8, 2015, http://www. trial Management, 2005, 14-20, dataprotectionreport.com/2015/06/sau- http://www.ghadar.byethost13.com/ di-arabia-updates-cybercrime-law-to-in- Images/IT-Ubiq_force.pdf?i=1. clude-naming-and-shaming-penalty/. 69. Rahayu Azlina Ahmad and Mohd Shamir 60. Freedom House, “Freedom Hashim, “The Organisation of Islamic on the Net 2016 – Saudi Ara- Conference - Computer Emergency bia Country Profile,” (2016). Response Team (OIC-CERT),” Cyber security Summit (WCS), 2011 Second 61. Ibid. Worldwide, 1-5, http://ieeexplore.ieee. org/stamp/stamp.jsp?arnumber=5978783. 62. “Communication Commission mandates companies to register fingerprints 70. Ministry of Communications and before issuing cards,” [in Arabic] Al-Ri- Information Technology, “Develop- yadh Newspaper, January 22, 2015, ing National Information Security http://www.alriyadh.com/1121516. Strategy for the Kingdom of Saudi Arabia – NISS, Draft 7,” 2 and 61. 63. Human Rights Watch, “Saudi Arabia: New Terrorism Regulations Assault 71. Ibid, 3. Rights,” March 20, 2014, https:// www.hrw.org/news/2014/03/20/ 72. Ibid, 61. saudi-arabia-new-terrorism-regulations-assault-rights. 73. Ibid, 3.

64. Ibid. 74. Ibid, 13.

65. Eyad Reda and Turki Alsheikh, 75. Eng. Abdullah Al-Swaha, “ICT Infra- “Data protection in Saudi Arabia,” structure Targeted in 1,000 Cyberat- Thomson Reuters, October 1, 2012, tacks in 2016,” The Business Year. https://uk.practicallaw.thomson- reuters.com/4-520-9455?transition- 76. Ibid, 13. Type=Default&contextData=(sc. Default)&firstPage=true&bhcp=1.

27 77. KACST, “Communication and Informa- 84. White House, “United States-Gulf Coop- tion Technology Research Institute,” eration Council Second Summit Leaders https://www.kacst.edu.sa/eng/RD/ Communique,” Riyadh, Saudi Arabia, CITRI/Pages/AboutCITRI.aspx. April21, 2016, https://obamawhitehouse. archives.gov/the-press-office/2016/04/21/ 78. Rabih Dabboussi, “DarkMatter to united-states-gulf-cooperation-coun- Underpin Importance of Digital Infra- cil-second-summit-leaders-communique. structure Resilience at IDC CIO Summit 2016, KSA,” DarkMatter, 2016, https:// 85. U.S. State Department, “Fact Sheet: darkmatter.ae/en/press_releases/48. US Security Cooperation with Saudi Arabia,” January 20, 2017, https://www. 79. Oxford Business Group, “Saudi Tele- state.gov/t/pm/rls/fs/2017/266861.htm. coms Companies Innovate in a Chal- lenging Market,” 2015, http://www. 86. Bill Leigher, “Saudi Arabia Springs oxfordbusinessgroup.com/overview/ into Cyber Action,” May 2015, finding-their-calling-companies-are-in- http://www.raytheoncyber.com/ novating-challenging-market. news/feature/saudi_cyber.html.

80. Mohammed Rasooldeen, “SABIC 87. Mark Sutton, “ICSC to Discuss launches innovation hub,” Arab News. Saudi Cybersecurity,” November May 28, 2016, http://www.arabnews. 6, 2016, http://www.itp.net/610073- com/node/930916/saudi-arabia. icsc-to-discuss-saudi-cyber%20 security. 81. Virginia Economic Development Partnership, Cyber Security Export 88. Karen Elliott House, “Saudi Arabia Market: Saudi Arabia, George Mason in Transition,” Belfer Center for University School of Public Policy, 2014, Science and International Affairs at http://exportvirginia.org/wp-content/ the Harvard Kennedy School, July uploads/2014/02/Saudi-Arabia.pdf. 21017, https://www.belfercenter.org/ publication/saudi-arabia-transition. 82. Raytheon Company, “Raytheon in Saudi Arabia,” http://www.raytheon. 89. Ministry of Foreign Affairs, “Saudi com/ourcompany/global/middle_east/ Arabia and the Visit of President raytheon_in_saudi_arabia/. Trump,” June 2017, https://www. saudiembassy.net/sites/default/files/ 83. Raytheon Company, “Raytheon and WhitePaper_TrumpVisit_June2017.pdf. Saudi Arabia Military Industries announce strategic partnership,” PR Newswire, May 90. Tan Sri Dato’ Seri Panglima Mohd 20, 2017, http://www.prnewswire.com/ Azumi, “OIC-CERT: Past, present news-releases/raytheon-and-saudi-ara- and future,” OIC-CERT, December bia-military-industries-announce-stra- 14, 2016, https://www.oic-cert.org/ tegic-partnership-300461082.html. event2016/files/Attachment%204%20 -%20Keynote%20Address.pdf.

28 ABOUT THE AUTHORS

Melissa Hathaway is a leading expert in cyberspace policy and cyber security. She served in two US presidential administrations, spearheading the Cyberspace Policy Review for President Barack Obama and leading the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush. Today, she is a Senior Fellow and a member of the Board of Re- gents at Potomac Institute for Policy Studies. She is also a Senior Advisor at Harvard Kennedy School’s Belfer Center for Science and International Affairs, a Distinguished Fellow at the Centre for International Governance Innovation in Canada, a non-resident Research Fellow at the Kos- ciuszko Institute in Poland, and she is President of Hathaway Global Strategies LLC, her own consultancy. Melissa developed a unique methodology for evaluating and measuring national levels of preparedness for certain cyber security risks, known as the Cyber Readiness Index (CRI). The CRI methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is being applied to 125 countries. The CRI country profiles of France, Germany, India, Italy, Japan, the Netherlands, Saudi Arabia, the United Kingdom, and the United States can be found at the following link: http://www.potomacinstitute.org/academic-centers/cyber-readiness-index. Having served on the board of directors for two public companies and three non-profit organizations, and as a strategic advisor to a number of public and private companies, Melissa brings a unique combination of policy and technical expertise, as well as board room experience to help others better understand the intersection of government policy, developing technological and industry trends, and economic drivers that impact acquisition and business development strategy in this field. She publishes regularly on cyber security matters affecting companies and countries. Most of her articles can be found at the following website: http://belfercenter.ksg.harvard.edu/experts/2132/melissa_hathaway.html.

Francesca Spidalieri Francesca Spidalieri is the co-principal investigator on the Cyber Readiness Index Project at the Potomac Institute for Policy Studies. She also serves as the Senior Fellow for Cyber Leadership at the Pell Center, at Salve Regina University, as a Distinguished Fellow at the Ponemon Institute, and as 2017 Transatlantic Digital Debates Fellow at New America and at the Global Public Policy Institute. Her academic research and publications focus on cyber leadership development, cyber risk management, cyber education, and cyber security workforce development. In 2015, she published a report, entitled State of the States on Cybersecurity, that applies the Cyber Readiness Index 1.0 at the US state level. All her additional studies and academic articles can be found at the following link: http://pellcenter.org/cyber-leadership/.

Dr. Fahad Alsowailm is a senior researcher from Saudi Arabia focusing on foreign direct investments and national and international security-related issues. Fluent in both Arabic and English, he has traveled extensively and considers learning a lifelong activity. He received both his Bach- elor’s degree in Business Administration and his Master of Science degree from the American University in Washington, DC. He continued his studies at the University of Hull in the United Kingdom where he received his Doctorate in International Management. Dr. Alsowailm is also an alum of the John F. Kennedy School of Government and the London Business School’s Executive Education programs.

29 For more information or to provide data to the CRI 2.0 methodology, please contact: [email protected]

The CRI 2.0 methodology is available in Arabic, Chinese, English, French, Russian, and Spanish, and is currently being applied to 125 countries.

The CRI country profiles of France, Germany, India, Italy, Japan, the Netherlands, Saudi Arabia, the United Kingdom, and the United States can be found at the following link: http://www.potomacinstitute.org/academic-centers/cyber-readiness-index. POTOMAC INSTITUTE FOR POLICY STUDIES 901 N . Stuart St . Suite 1200, Arlington, VA 22203 www.potomacinstitute.org