How Saudi Arabia is building cyber resilience while accelerating digital transformation

RIYADH: The internet is home to some extremely malevolent behavior. A range of bad actors is intent on stealing people’s money, information and identities, and on crippling essential services.

Of the countless entities and individuals targeted, some of the more prominent are Saudi Aramco, Bangladesh Bank, Colonial Pipeline, the Democratic Party of the US, and the UK’s House of Commons. In 2015, the self-proclaimed Yemen Cyber Army attacked the Saudi Arabia’s Ministry of Foreign Affairs.

In common with other GCC states, Saudi Arabia is a prime target of cybercrime, for several reasons. It is a wealthy country with a digitally active population, is positioned at the center of the global energy sector, and located in a region with no shortage of geopolitical tensions. It is also home to Saudi Aramco, among the world’s most valuable companies.

The Kingdom’s vulnerable position was highlighted in 2012 when the Shamoon virus crippled a significant portion of Saudi Aramco’s IT network. Shamoon was one of the most destructive cyberattacks on any business up to that time, and forced Aramco to shut down and literally replace a large proportion of its computers. The same malware has resurfaced over the years, causing further mayhem in every case.

Identifying perpetrators is fraught because they take great effort to conceal identities, and typically adopt the techniques, procedures and languages of other suspect actors. And when a virus is brought under control, a new one, or a more destructive mutation of the original, may be unleashed on unsuspecting populations and underprepared corporations.

Shamoon was highly publicized, but many GCC companies and organizations continue to face similar attacks from the likes of Morris Worm, Nimda, Iloveyou, Slammer and Stuxnet.

As the internet claims an ever-greater share of people’s daily lives, the opportunity for cybercrime increases exponentially. The Internet of Things (IoT) may enable a fridge to order fresh milk from the supermarket automatically, and an expat’s currency to arrive in the form of blockchain, but this only broadens the range of potential cyber targets.

Khalid Al-Harbi, Saudi Aramco’s chief information security officer, was quoted by Reuters as saying: “The pattern of cyberattacks is cyclical. We are seeing that the magnitude is increasing, and I would suspect that this will continue to be a trend.”

Meanwhile, the COVID-19 pandemic has led to a surge in cybercrime. As the contagion forced many companies to introduce working from home, malicious actors were able to take advantage of the typically reduced IT security of remote workers. The global police body Interpol reported a spike in both malware and spam in the months after the pandemic took hold — affecting the GCC as much as the rest of the world.

Remote staff are the weakest link of any network. No matter how many millions an organization may spend on developing a robust IT firewall at the office, that advanced security can be undone by the easy or predictable password of a negligent individual working from home, the click on a dubious link, or the unwise sharing of personal data on social media.

In a white paper released by the International Data Corporation, Uzair Mujtaba, its program manager for Saudi Arabia, observed that “as endpoints become increasingly disparate, the attack surface will expand significantly, and this is compelling technology and security leaders to adopt innovative approaches to cybersecurity.”

According to a new report by VMware, an American cloud computing and virtualization technology company, nearly 93 percent of the 252 organizations it surveyed in Saudi Arabia experienced a cyberattack in the past year.

The findings, a part of VMware’s Global Security Insights Report, came from an online survey conducted in December 2020 of 3,542 chief information security officers (CISOs), chief information officers (CIOs), and chief technology officers (CTOs).

The average number of breaches suffered by each organization was 2.47 over the past year, while 11 percent of respondents said their organizations had been breached between 5 to 10 times.

Some 80 percent of respondents agreed that they need to view security differently than they did in the past due to an expanded attack surface prompted by the pandemic.

Responding to this growing threat, the Kingdom has positioned itself at the global forefront of cyber defense. The Shamoon incident of 2012 was a wake-up call, leading the Saudi government to focus and mobilize resources for the creation of an entire cybersecurity ecosystem to confront both local and foreign adversaries.

This is a key element of Vision 2030. The National Cybersecurity Authority (NCA) was established by a royal decree in October 2017 and is mandated with implementing the National Information Security Strategy — formalizing a Kingdom-wide framework for cybersecurity, risk mitigation, and resilience via governance policies, standards, cyber-defense operations, and development of human capital and local industry capabilities.

The NCA’s stated mission is to “work closely with public and private entities to improve the cybersecurity posture of the country in order to safeguard its vital interests, national security, critical infrastructures, high-priority sectors, and government services and activities in alignment with Vision 2030.”

That sounds like a tall order, but the Kingdom is already a leader in terms of cyber vigilance, with a formidable knowledge base. Indeed, in 2020, the World Competitiveness Center ranked Saudi Arabia as second globally in “the field of continuous improvement of corporate cybersecurity.”

Speaking to Arab News, Haider Pasha, chief technology officer at Symantec Middle East, said: “You need to really understand where your sensitive data is, where the assets are, and have a robust strategy or framework that you can abide by. I see that happening more and more in Saudi Arabia.”

An example of this combination of transformation and high-tech is the Kingdom’s push toward “smart cities” — in which citizens have online access to most, if not all, private and public services, and can easily interact with various government agencies.

Riyadh is one such place, while NEOM, the $500 billion development in the northwest of the Kingdom, is emerging as the first large-scale urban project to be designed and built from the ground up in the era of artificial intelligence.

NEOM, slated as a Belgium-sized cluster of smart urban spaces, can leapfrog older cities by using cutting-edge and integrated technologies, specifically in the realm of cyberspace.

“New smart megacities, such as NEOM, have the advantage of no legacy systems,” Mike Loginov, NEOM’s chief information security officer, told Arab News. “When you start from scratch, you can build in security functionality from the very beginning in every element that you need.”

Cyber resilience is critical to the ambitions of NEOM and other developments, whose expected dependence on AI, e-commerce, IoT and blockchain technology means that the Internet will remain a battleground in which national authorities must constantly enhance the defense of their populations from an evermore sophisticated criminal underworld.

Fortunately, the decision-makers of Saudi Arabia are doing just that.