Last week, the Saudi Data and Artificial Intelligence Authority (SDAIA) launched a nationwide awareness campaign called “Ask Before”, intended to educate the public about the significance of personal data ahead of the implementation of a new national personal data protection system.
Emphasizing responsible data handling, privacy preservation, and fostering trust and collaboration between commercial entities and private individuals, “Ask Before” supports KSA’s new Personal Data Protection Law (PDPL), which became enforceable on September 14th.
The need for such a campaign stems from the fact that the PDPL is the first regulation of its kind rolled out in the kingdom, activated five years after Europe’s General Data Protection Regulation (GDPR). The new law is noteworthy, because it is yet further evidence of the accelerating maturity of Saudi Arabia’s digital economy, closely tied to the digitally-enabled developments of Vision 2030.
KSA’s ambitious plan to turn its nation into the model of a progressive 21st-century society places a significant emphasis on digital transformation. This is exemplified in the smart design approaches underpinning the super-project NEOM, and its various sub-projects like THE LINE, Oxagon, Trojena, and Sindalah. Deeply networked and resting on cutting-edge cyber-physical and AI-enabled technologies, these new environments will create numerous points of vulnerability, necessitating robust cybersecurity to protect critical systems and ensure public safety.
But, even beyond these high-profile, media-grabbing ventures, it’s clear that safeguarding digital assets, critical infrastructure, and sensitive data is going to be paramount to the success of Vision 2030. One such developmental area is the planned overhaul of government services which, though lacking the sexy bells and whistles of NEOM, will deliver significant social impact and represent a major security priority.
Saudi Arabia is investing heavily in e-government services to enhance citizen engagement and streamline administrative processes. More than 6,000 governmental services – representing 97% of services – have already been digitized, and as more government functions move online, the protection of sensitive citizen data becomes paramount to maintaining public trust and ensuring the efficient functioning of state institutions. As reflected in the new PDPL, the kingdom is also actively promoting the localization of data within its borders to ensure data sovereignty and enhance national security.
Multiple digital health projects, such as the deployment of electronic health records and telemedicine services, rely increasingly on secure data sharing and storage. Cybersecurity safeguards are vital to protect patient privacy and maintain the integrity of healthcare systems. And, as the country moves further ahead with its plans to transform the health sector, flagship developments like the SEHA Virtual Hospital – the largest of its kind in the world – are likely to increasingly incorporate bio-digital devices and approaches like remote surgery into medical diagnosis and treatment. Cyber-physical solutions such as these are set to revolutionize healthcare in general but, as we have already seen in other parts of the world, security of these systems is an existential necessity.
Finally, the expansion of the financial sector through initiatives like the Financial Sector Development Program (FSDP), also demands strong cybersecurity practices. Fundamental to Vision 2030’s goal of achieving greater economic diversification, protecting financial institutions and data is critical to ensure economic stability and investor confidence. This is an especially important point because, while elevated cybersecurity is necessary to protect citizen wellbeing, foreign investment is strategically crucial to delivering the multiplicity of KSA’s developmental objectives, and investors need to feel secure too.
On the one hand, the country’s digital transformation journey appears to be progressing well. Alibaba Cloud, one of the world’s largest cloud computing companies, is the latest big name to open shop in Saudi Arabia, which should give a boost to the Saudi government’s ambitions of claiming a greater share of the Middle East cloud market, predicted to reach $9.8 billion by 2027, and growing at a CAGR of 21 percent. The National Development Technology Program (NTDP) is also on track to support IT startups, entrepreneurs, and investors with an estimated budget of SR2.5 billion, mirroring massive growth in VC investments.
The risk with so much digital development taking place on so many fronts is that gaps begin to appear and entire systems become vulnerable to cyber attack. It seems, though, that the country is cognizant of the potential pitfalls in this expansion and is taking appropriate steps to secure the economy against domestic and international cyber threats.
Saudi Arabia’s social and economic evolution over the past 100 years has been rapid and, especially more recently, been defined by a leap in technological development. As one may expect in such circumstances, growth has not always been accompanied by parallel progress in security.
Cyber risk was not something Saudi companies used to worry about. That changed with the massive 2012 Saudi Aramco hack, which acted as a digital wake-up call, jolting the nation into recognizing the stark reality of cyber risks. Between 2016 and 2018, Saudi Arabia was among the most affected countries in the world when it came to cyberattacks. In 2019, it shared the less-than-desirable distinction of having the second-highest average cost per data breach with the UAE, while these Gulf nations also witnessed the highest average number of breached records. In the past, Saudi’s industrial sector has also shown itself to be vulnerable to cyber attacks, with 88% of organizations reporting ransomware attacks and incidents spiking whenever the country or surrounding region experiences geopolitical disruption.
But these records are changing quickly. This year, the kingdom ranked second in the global Cybersecurity Index in the World Competitiveness Yearbook (WCY), and took 17th place – up seven places from 2022 – in the overall competitiveness ranking.
Inconsistent cybersecurity measures might be seen as the growing pains of a fast-growing digital economy – what matters is how policymakers and industry players respond. Given the number of cybersecurity measures being rolled out in KSA, and the speed with which they are being deployed, it appears the Saudi government has recognized this area as a strategic priority, while businesses are responding with their own investments in advanced security measures.
In addition to the newly enforceable Personal Data Protection Law, some of the key developments in Saudi’s cybersecurity journey include:
The National Cybersecurity Authority (NCA)
Established in 2017, the NCA oversees the National Cybersecurity Strategy, a framework focused on effective cybersecurity governance, managing cyber risks, and strengthening national defense capabilities. The NCA also plays a pivotal role in setting minimum cybersecurity standards for national and government agencies, and provides comprehensive policies and frameworks to assist organizations in safeguarding their data and networks.
The NCA’s 2023 National Plan for Cyber Assessments maps out a rigorous approach to regulating cybersecurity standards across national entities. Extensive assessments, compliance audits and cyber reviews of critical systems will help enforce the authority’s standards and manage cyber risk nationally.
Local legislation sets tough guardrails for cyber activity within KSA. With broader scope than the PDPL, the Anti-Cyber Crime Law combats cyber crimes, protects information security, and promotes legitimate computer and information network usage, while defining cyber crime and its punishments. The Electronic Transactions Law is a legal framework for electronic transactions that controls and regulates the safe conduct of digital transactions.
2023 National Plan for Cyber Assessments
As part of its move to standardize cybersecurity quality across national authorities, the NCA has this year been following a programme of technical and compliance assessments to confirm that entities meet the standards required for cyber-safe institutions. The project also includes the establishment of an inventory of sensitive national assets and review systems to ensure adherence to the NCA cybersecurity provisions.
The Haseen Initiative
Officially known as the National Portal for Cyber Security Services, Haseen was developed by the NCA’s technical division, the Saudi Information Technology Company (SITE), as a holistic cyber management platform. It has a broad-spectrum role in supporting national entities as they increase resilience against cyber attacks, helping authorities assess and raise their cybersecurity capabilities. Key domains within Haseen relate to compliance management, information sharing, email authentication and verification of files and links, all intended to lift the overall level of national cyber safety.
The Global Cybersecurity Forum Institute
As part of Saudi Arabia’s growing cybersecurity leadership in the Middle East and beyond, the GCF Institute was founded in Riyadh earlier this year, bringing together international experts from government, the private sector, academia and interest groups to develop strategies for tackling global cybersecurity challenges. The institute enables KSA to access best practices from around the world, and share lessons learned in, for example, repelling the 110 million cyber threats detected in Saudi Arabia during 2022.
Council of Ministers for Cybersecurity
Based on a Saudi proposal at the recent 160th session of the Council of Arab Foreign Ministers of the Arab League, a regional body was formed to drive collaboration and coordination between Arab countries in all cybersecurity-related matters. Operating out of Riyadh and driven by KSA, the Council of Ministers for Cybersecurity has objectives of strengthening cybersecurity across the Arab world, recognizing that sustainable social development in this area will be impossible without cybersecure environments.
Forum of Incident Response and Security Teams
Just a few days ago, Saudi’s Human Resources Development Fund (also known as HADAF) was accepted into the Forum of Incident Response and Security Teams (FIRST), a US-based cybersecurity association widely recognized for its industry-leading incident response. For the KSA public sector, inclusion in this group of 656 businesses and government organizations across 101 countries promises a step change in cybersecurity capability. HADAF is the Kingdom’s 11th FIRST member and, with its governmental mandate, the fund will be able to significantly improve the efficiency of national organizations in safeguarding their systems and data.
This is a small selection of initiatives currently shaping the Saudi cybersecurity landscape. Aside from HADAF and NCA, bodies such as the Saudi Federation for Cybersecurity, Programming and Drones, and the Ministry of Communications and Information Technology are also having a significant influence on the accelerated evolution of regulations, systems maturity and skills availability in the country.
Further projects supporting this transformation include the National Cybersecurity Center to raise awareness of cybersecurity efforts; the founding of the National Academy of Cybersecurity to develop cybersecurity skills and capabilities in the Kingdom’s workforce; and the rollout of a National Cybersecurity Awareness Program to educate citizens and residents.
As Saudi Arabia steers towards its Vision 2030 goals of diversification and knowledge-based economic growth, the emphasis on cybersecurity is not just relevant; it’s fundamental. Digital enablement of the economy, governmental services, health sector and private business means, as it does in most countries across the world today, that cybersecurity translates into national security.
But in KSA, where bold development plans include smart cities, smart ports, AI-integrated infrastructure and digital technologies at the core of all services, the stakes are raised. With such a radical expansion of the digital landscape, the attack surface increases dramatically too, but this does not appear to be slowing the Kingdom down. As with the challenges that inspired Vision 2030 in the first place, cybersecurity appears to be just one more puzzle that Saudi Arabia seems hungry to solve.
For 30+ years, I've been committed to protecting people, businesses, and the environment from the physical harm caused by cyber-kinetic threats, blending cybersecurity strategies and resilience and safety measures. Lately, my worries have grown due to the rapid, complex advancements in Artificial Intelligence (AI). Having observed AI's progression for two decades and penned a book on its future, I see it as a unique and escalating threat, especially when applied to military systems, disinformation, or integrated into critical infrastructure like 5G networks or smart grids.