SAUDI ARABIA’S VISION 2030
Through Vision 2030, the Kingdom of Saudi Arabia (KSA) intends to reduce dependence on oil, diversify its economy, and develop public service sectors, such as health, education, infrastructure, recreation, and tourism. Underpinning this initiative is a focus on technology, digital transformation, and the development of digital infrastructure. However, according to Cybersecurity Challenges of the Kingdom of Saudi Arabia, Past, Present & Future, “The Kingdom of Saudi Arabia averagely faces 160,000 cyberattacks daily.” The KSA recognizes that its digital transformation will require reinforcing and supporting cybersecurity to protect the Kingdom’s vital interests, national security, critical infrastructures, high-priority sectors, and government services and practices.
NATIONAL CYBERSECURITY AUTHORITY
A Royal Decree, dated 31 October 2017, established the National Cybersecurity Authority (NCA). The Kingdom considers cybersecurity a shared responsibility, and Royal Decree No. 57231 states that “all government organizations must improve their cybersecurity level to protect their networks, systems, and data, and comply with NCA’s policies, framework, standards, controls, and guidelines.” NCA developed the Essential Cybersecurity Controls (ECC-1: 2018) to help organizations meet their obligations and to set a framework of minimum cybersecurity requirements.
Essential Cybersecurity Controls
Intended to ensure the confidentiality, integrity, and availability of an organization’s information, the Essential Cybersecurity Controls are organized into five domains:
- Governance
- Defense
- Resilience
- Third-Party and Cloud Computing
- Industrial Control Systems and Devices (ICS) Cybersecurity
The ECC document is a live document in that “NCA will periodically review and update the ECC as per the cybersecurity requirements and related industry updates.” This is critical. Analysts at Thales have noted, when reviewing the cybersecurity regulations of other countries, that they are rarely specifically prescriptive beyond the need to:
- Control access to sensitive data;
- “Pseudonymize” sensitive data, so the data is worthless if retrieved by a cybercriminal; and,
- Maintain complete control of cryptographic keys.
Our understanding is that regulations remain vague, because cybercriminals are constantly finding new ways to obtain sensitive data. So, what constitutes a reasonable defense today may not tomorrow. Consequently, for cybersecurity guidelines to be effective over time, they need to be responsive to changes in the cybersecurity environment. Consider, for example, the shift to cloud computing and the recent rise in working remotely driven by the COVID-19 pandemic. Both have changed the parameters of data security in terms of where and how data is stored and used. Data security policies need to keep pace.
Indeed, according to Cybersecurity Challenges of the Kingdom of Saudi Arabia, Past, Present & Future, “Cyber-attacks in the past have coerced the [KSA] decision makers to reassess the existing ICT infrastructure, underlying cyber capabilities both offensive and defensive, to cope with the elevating frequency and sophistication.”
This is also why it is important to use best-practice data security solutions rather than those that are simply good enough. Good enough might meet today’s standards, but it is less likely to meet tomorrow’s.
The Importance of Strong Cybersecurity Solutions
Cybersecurity governance is about effectively deploying, monitoring, and managing data security. In addition to offering professional services to help cybersecurity professionals working in and with the Kingdom, Thales can also help enterprises working with Saudi Arabia on the ECC’s five domains. Specific technology areas include:
- Protection for data at rest and in motion on premises, in the cloud, and in hybrid and multi-cloud environments, including bring your own key (BYOK) service
- Encryption key protection and management
- Public key infrastructure (PKI) services and hardware security modules (HSMs)
- Identity and access management
For more information on ECC and how your organization can comply with it, see Saudi Arabia Essential Cybersecurity Controls.