Electronic frontier: Cybersecurity is becoming recognised as a key aspect of national defence

There is a growing awareness in Saudi Arabia that cybersecurity is a major global priority, and that the Kingdom needs to be adequately prepared to deal with advanced cyberattacks. In August 2015 Saudi government websites, including state education, health, sports and municipal sites, were targeted and breached over the course of two hours. While the breaches, which were orchestrated by a Saudi national, did not result in any data being stolen, and access was restored shortly afterwards, it reaffirmed the need for the Kingdom to be more vigilant in the face of computer-based attacks, as well as the need to have more sophisticated defensive systems and technology in place.

“Understandings of new and complex technologies are also important; cybersecurity, for example, is not like Norton Anti-Virus, where you can click a button and be protected – it is an aggressive game of cat and mouse,” Tarik Solomon, director of international business development at Shamis Technologies, told OBG. “Saudi Arabia is putting a lot of money towards it, and at the same time it really needs to raise awareness.”

Growing Cyberthreats

Every year cyberattackers are getting more sophisticated, and the threat that they pose is rising as people increasingly rely on interconnected technologies for every aspect of life. For governments the threat is even larger, with ministries, state-owned companies and the military apparatus all potentially vulnerable to well-placed attacks.

The largest cyberattack to date in Saudi Arabia took place in August 2012, when an estimated 30,000 hard drives belonging to state energy giant Saudi Aramco were infected. The attack disabled many of the company’s workstations and compromised strategic information, leading to costly updates in its IT infrastructure. In May 2014 General Keith Alexander, the former director of the US National Security Agency, called the Saudi Aramco attack a “wake-up call for everybody”.

Regulatory Response

A year earlier the Saudi Ministry of Communications and Information Technology had begun to develop the National Information Security Strategy, aimed at improving IT security and the integrity of online information, as well as creating a set of national guidelines for information security management, based on the best international standards and practices.

In addition, under a royal decree issued in 2013 the National Centre for Electronic Security (NCES) was established under the Ministry of Interior, charged with devising rules and regulations to better protect the Kingdom’s IT infrastructure. The NCES has also become active in promoting conversation and improving awareness. In January 2016 it held an International Cyber Security Conference in Riyadh, under the sponsorship of Crown Prince Mohammed bin Naif Al Saud, who is minister of the interior, with the aim of sharing cybersecurity experiences as well as reviewing the Kingdom’s successes and failures in electronic security to date. The two-day conference also saw presentations related to important initiatives for improving security systems.


Saudi Arabia has long been a major investor in its military capacity, devoting large sums to hardware acquisitions for its air force, navy and land forces. With the need for stronger, more robust cybersecurity defences thrown into sharper focus in recent years, this trend looks set to continue.

According to the organisers of the second Cyber Security Summit, which was held in Riyadh in April 2016, the Saudi cybersecurity market is expected to grow more than $3.5bn by 2019, an annual growth rate of 14.5%. That scale of spending and the opportunities on offer to cybersecurity firms have drawn in an increasing number of international IT and security companies.

Multinational IT and security companies such as Lockheed Martin, the UK’s BAE Systems – through its subsidiary BAE Systems Applied Intelligence – Raytheon and Leonardo-Finmeccanica, through its subsidiary Selex ES, are present and active in the Saudi cybersecurity market, along with IT firms like Microsoft, IBM and Symantec.

In 2013 the US Department of Commerce led a delegation of 13 US companies on a cybersecurity and critical infrastructure protection trade mission to Saudi Arabia and Kuwait. The specialised cyber companies on the trip included Air Patrol Corporation, Datalocker, Emagine IT, Fire Eye and GlimmerGlass Optical Cyber Solutions, as well as larger defence contractors like Lockheed Martin.

Global Operations Centre

One major partnership that is already up and running in Saudi Arabia is the global security operations centre established by IBM and Saudi mobile operator Mobily in Riyadh. Set up in 2013, the centre, which is located inside Mobily’s data centre and conceived as a response to the growing number of global security threats, works with IBM to analyse over 15bn daily security events from more than 140 countries around the world.

The partnership brings cloud-based solutions built locally and designed to address specifically the needs of Saudi clients, and aids analysts in the aggregating, correlating and prioritising of cybersecurity issues and events. In May 2014 the partnership was chosen by the Saudi Ministry of Education to improve the ministry’s own information security, with IBM and Mobily providing an early warning system and real-time analysis, as well as protection against cyberattackers gaining access to the ministry’s data from overseas.

Other opportunities are believed to exist for cybersecurity-related firms in areas such as advanced communication systems, cyberattack alarms, electronic detection equipment and cyberintrusion prevention technology, as well as in fields like biometrics. “There is a big gap in cybersecurity, and this leads to a lot of opportunities to develop,” Solomon told OBG.

Energy Infrastructure

According to Cisco’s annual security report for 2015, the energy sector was among the top-five most at-risk industries for malware in 2014, with a 300% higher malware encounter rate than the industry median. With the energy sector playing such a large part in the Saudi economy, it is critical for the Kingdom to build up its cyberdefences to be able to protect its key energy infrastructure and assets.

There is no one solution to this issue, or one system that is able to protect all assets, so to defend itself from cyberattacks the Kingdom will be required to constantly invest in order to stay at the forefront of technology. This will lead to a wealth of opportunities for those able to provide the technology or training expertise, whether they are Saudi or international companies.

Private Sector

The need to better secure IT infrastructure and improve overall protection and awareness of electronic risks also extends to the private sector. Previous attacks across the world have shown that the vast majority of companies that fall victim to a successful attack had poor or ineffective management practices, or a lack of awareness and proper cybersecurity systems in place. A growing awareness around cyber security began in earnest in Saudi Arabia around the time of the Saudi Aramco attacks.

Some sectors of the economy are thought be better prepared for cyberattacks than others. The financial sector, for example, is generally thought to be well protected at present, but even so, the Kingdom’s banks and financial institutions will need to be constantly evaluating their technologies and existing systems in order to stay ahead of the ever changing threat.

Human Resources Requirements

A key part of cybersecurity is having the right personnel to deal with any future attacks or threats to the IT systems in place. At present, the general consensus is that Saudi Arabia is lacking the necessary number of skilled cybersecurity experts and IT professionals, and as the demand for cybersecurity grows, both in the governmental sector and the private sector, the shortage of skilled local cybersecurity experts could become more pronounced and affect the Kingdom’s ability to protect itself from malware and other attacks.

Using foreign companies and systems is a passable solution in the short term. Nonetheless, eventually the Kingdom will want and need to have indigenous cyberdefences in operation. This shortage of skilled personnel, however, is also likely to lead to several opportunities for training.