On the front lines: Enhancing the Kingdom’s cybersecurity readiness

The growing security threat posed by cyber-attacks as Saudi Arabia becomes ever more reliant on IT has led to the development of a national information security strategy (NISS) and increasing investment in cybersecurity. Demand for cybersecurity products comes from both the government and private sectors. “Cyber-security is big business in Saudi Arabia. All the major companies have dedicated significant budgets to ensuring they have the proper protection,” Jean Yves Tolot, CEO of the electronic security firm Thales, told OBG.

This has drawn a large number of multinational IT and security companies to the market, with some of them forming innovative partnerships with local IT and telecommunications firms. Meanwhile, one challenge for the Saudi cybersecurity industry will be training sufficient numbers of people to meet the growing demand for technical experts in the field.

In 2011 the Ministry of Communications and Information Technology began developing the NISS. Its objectives include increasing the security and integrity of online information; promoting greater use of IT; developing resilience in information systems; increasing awareness of security risks; and creating national guidelines for information security management based on international standards and best practices.

Threat

The need for such a strategy emerged from the recognition that the Kingdom faces growing, diverse threats to its cybersecurity. According to the NISS, “National and international interconnectivity create significant new vulnerabilities and present new types of threats to the Kingdom’s economic and cultural activities. These new threats could in some cases shutdown, corrupt or even destroy critical information and communication technologies (ICT) systems.” Such threats include the possibility that an adversary might “seize control and use an ICT system to directly harm or go against the Kingdom’s interests”.

To support the NISS aims, a royal decree was issued in 2013 establishing the National Centre for Electronic Security (NCES) under the Ministry of Interior. The NCES is responsible for devising national standards, rules and regulations to protect the country’s information infrastructure. Its broader role also includes coordinating the response to any breach of security on a national level, and facilitating the flow of information and security warnings between different sectors.

Computers Attacked

Among the most serious cybersecurity incidents in recent years was the August 15, 2012 cyber-attack on Saudi Aramco, which damaged 30,000 of the firm’s computers. According to Saudi Aramco executives and the Ministry of Interior, the attack was designed to hurt the Saudi economy by shutting down Saudi Aramco’s exports and imports of oil and gas. In May 2014, General Keith Alexander, the former director of the US National Security Agency, highlighted the significance of the Saudi Aramco attack, calling it a “wake-up call for everybody”.

Growing Market

These threats also represent a business opportunity for companies selling cybersecurity products. “The opportunities in cyber are enormous, both in the defence and commercial sectors,” Andy Carr, CEO of BAE Systems Saudi Arabia, told OBG. Indeed, Saudi Arabia’s cybersecurity market is predicted to expand by 30% between 2014 and 2016 to $37.5bn, according to a 2014 study by the George Mason University School of Public Policy.

Besides the Ministry of Defence and Aviation, other ministries investing heavily in cyber programmes include the Saudi Arabian National Guard, which is developing an electronic warfare capability estimated to cost between $300m and $500m, and the Ministry of Interior, which plans to create a new cybercrimes unit that as of early 2015 was at the requirements analysis stage.

In terms of the supply of cybersecurity-related products and services to Saudi Arabia, the US International Trade Administration has highlighted various good opportunities for companies in the fields of surveillance technology, advanced communication systems, electronic detection equipment, cyber-attack alarms, cyber intrusion prevention technology and biometrics.

Civilian Market

As the 2012 Saudi Aramco attack demonstrated, the need for such products extends beyond the military and security services to civilian institutions as well, in both the government and private sectors. Non-military branches of government investing in cybersecurity range from city administrations to the Capital Market Authority. For instance, government cybersecurity spending in 2013 included $20m at the Saudi Arabian Monetary Agency, $8.7m at the Ministry of Petroleum and Mineral Resources, over $10m at Saudi Airlines, and $12m at the King Abdulaziz City for Science and Technology, according to the conveners of the Digital Security Summit.

A 2014 study by the George Mason University School of Public Policy described the Saudi civilian cybersecurity market as centred around protection of energy systems and the e-commerce space, with the provision of data management and cyber-attack detection and prevention services critical to the former. According to the same study, the Kingdom’s e-government campaign to streamline and construct electronic databases also offers foreign firms opportunities to enter the Saudi cybersecurity market. Potential partners in this area include the Saudi Electronic Data Interchange, which manages government transactions; the eGovernment Service Bus Programme, which is centralising online government databases; and Tabadul, the Saudi Arabian Electronic Info Exchange Company, which manages public investment in IT infrastructure.

Foreign Expertise

The foreign companies already active in the Saudi cybersecurity market range from some of the world’s largest defence contractors, such as Lockheed Martin, Raytheon, BAE Systems (through its subsidiary BAE Systems Applied Intelligence) and Finmeccanica (through its subsidiary Selex ES) to IT firms such as Microsoft, Symantec and IBM.

Smaller, more specialist firms are also finding opportunities. For instance, companies like AirPatrol Corporation, DataLocker, FireEye and Glimmerglass Optical Cyber Solutions have targeted the market with niche products ranging from secure cloud storage facilities and programmes designed to acquire intelligence from electronic and optical signals to systems for monitoring and managing the behaviour of smartphones, tablets, laptops and other mobile devices.

IBM-Mobily Partnership

Among the most eye-catching cybersecurity partnerships between a foreign and Saudi firm in recent years is the global security operations centre (SOC) set up in Riyadh jointly by IBM and Saudi Arabian mobile operator Mobily in July 2013. The centre is located inside Mobily’s data centre, which has been granted tier IV design and construction certification by Uptime Institute, the data centre authority. According to IBM, the SOC is completely self-contained and its activity logs never leave Saudi Arabia. The centre uses IBM security services infrastructure to assist analysts with the aggregation, correlation, analysis and prioritisation of security logs and events.

The SOC will draw on IBM’s expertise in analysing over 15bn daily security events from devices located in more than 140 countries. Khalid Al Kaf, CEO of Mobily at the time of the SOC’s opening, said that the SOC had been conceived as a response to the “increasing security threats [arising] globally from the adoption of new and existing technologies”. He said that cybersecurity was increasingly important to the business sector in Saudi Arabia as companies viewed securing their data as critical to protecting their reputation and value.

In May 2014, the alliance between IBM and Mobily was selected by the Ministry of Education to help boost the ministry’s information security. Under the agreement, IBM and Mobily will provide services including real-time analysis and an early warning system for potential threats, development of security correlation and analytics capabilities, and protection against third parties gaining access to the ministry’s data from abroad.

Training Opportunities

The involvement of foreign firms like IBM has enabled Saudi Arabia to catch up rapidly with other countries in the field of cybersecurity. Eugene Kaspersky, CEO and chairman of Kaspersky Lab, commented in August 2014, “I believe Saudi Arabia is on par with many other countries regarding the level of its cyber defences.” However, at the same time Kaspersky noted that Saudi Arabia has “a deficit of highly skilled software engineers in IT security”.

The NISS considers human resources a key pillar of its strategy and has proposed several schemes to promote training in cybersecurity. For example, programmes have been developed to identify women who are capable in IT and who, with additional training, could quickly meet some of the Kingdom’s immediate information security needs. The NISS also suggested that unemployed young people, who have no formal credentials but have strong computer skills, could be vetted and employed. Additionally, the NISS proposed a programme beginning in primary school that encourages children to acquire computer, analytical and information skills from an early age and pairs them with a mentor who supports them through their schooling and into employment. These young people look set to play an important role in maintaining the Kingdom’s future security.