Last week, the Saudi Data and Artificial Intelligence Authority (SDAIA)ย launched a nationwide awareness campaignย called โ€œAsk Beforeโ€, intended to educate the public about the significance of personal data ahead of the implementation of a new national personal data protection system.

Emphasizing responsible data handling, privacy preservation, and fostering trust and collaboration between commercial entities and private individuals, โ€œAsk Beforeโ€ supports KSAโ€™s new Personal Data Protection Law (PDPL), which became enforceable on September 14th.

The need for such a campaign stems from the fact that the PDPL is the first regulation of its kind rolled out in the kingdom, activated five years after Europeโ€™s General Data Protection Regulation (GDPR). The new law is noteworthy, because it is yet further evidence of the accelerating maturity of Saudi Arabiaโ€™s digital economy, closely tied to the digitally-enabled developments of Vision 2030.

Guarding the Kingdomโ€™s Digital Future

KSAโ€™s ambitious plan to turn its nation into the model of aย progressive 21st-century societyย places a significant emphasis on digital transformation. This is exemplified in the smart design approaches underpinning the super-projectย NEOM, and its various sub-projects like THE LINE, Oxagon, Trojena, and Sindalah. Deeply networked and resting on cutting-edge cyber-physical and AI-enabled technologies, these new environments will create numerous points of vulnerability, necessitating robust cybersecurity to protect critical systems and ensure public safety.

But, even beyond these high-profile, media-grabbing ventures, itโ€™s clear that safeguarding digital assets, critical infrastructure, and sensitive data is going to be paramount to the success of Vision 2030. One such developmental area is the planned overhaul of government services which, though lacking the sexy bells and whistles of NEOM, will deliver significant social impact and represent a major security priority.

Saudi Arabia is investing heavily in e-government services to enhance citizen engagement and streamline administrative processes. More than 6,000 governmental services โ€“ representing 97% of services โ€“ย have already been digitized, and as more government functions move online, the protection of sensitive citizen data becomes paramount to maintaining public trust and ensuring the efficient functioning of state institutions. As reflected in the new PDPL, the kingdom is also actively promoting the localization of data within its borders to ensure data sovereignty and enhance national security.

Multiple digital health projects, such as the deployment of electronic health records and telemedicine services, rely increasingly on secure data sharing and storage. Cybersecurity safeguards are vital to protect patient privacy and maintain the integrity of healthcare systems. And, as the country moves further ahead withย its plans to transform the health sector, flagship developments like the SEHA Virtual Hospital โ€“ the largest of its kind in the world โ€“ are likely to increasingly incorporate bio-digital devices and approaches like remote surgery into medical diagnosis and treatment. Cyber-physical solutions such as these are set to revolutionize healthcare in general but, as we have already seen in other parts of the world, security of these systems is an existential necessity.

Finally, the expansion of the financial sector through initiatives like theย Financial Sector Development Program (FSDP), also demands strong cybersecurity practices. Fundamental to Vision 2030โ€™s goal of achieving greater economic diversification, protecting financial institutions and data is critical to ensure economic stability and investor confidence. This is an especially important point because, while elevated cybersecurity is necessary to protect citizen wellbeing, foreign investment is strategically crucial to delivering the multiplicity of KSAโ€™s developmental objectives, and investors need to feel secure too.

On the one hand, the countryโ€™s digital transformation journey appears to be progressing well. Alibaba Cloud, the worldโ€™s largest cloud computing company, is the latest big name toย open shop in Saudi Arabia, which should give a boost to the Saudi governmentโ€™s ambitions of claiming a greater share of the Middle East cloud market, predicted to reach $9.8 billion by 2027, and growing at a CAGR of 21 percent.ย The National Development Technology Programย (NTDP) is also on track to support IT startups, entrepreneurs, and investors with an estimated budget of SR2.5 billion, mirroringย massive growth in VC investments.

The risk with so much digital development taking place on so many fronts is that gaps begin to appear and entire systems become vulnerable to cyber attack. It seems, though, that the country is cognizant of the potential pitfalls in this expansion and is taking appropriate steps to secure the economy against domestic and international cyber threats.

Taking necessary action

Saudi Arabiaโ€™s social and economic evolution over the past 100 years has been rapid and, especially more recently, been defined by a leap in technological development. As one may expect in such circumstances, growth has not always been accompanied by parallel progress in security.

Cyber risk was not something Saudi companies used to worry about. That changed with the 2012 massive Saudi Aramco hackย that acted as a digital wake-up call, jolting the nation into recognizing the stark reality of cyber risks. Between 2016 and 2018, Saudi Arabia was amongย the most affected countries in the worldย when it came to cyberattacks. In 2019, it shared the less-than-desirable distinction of having theย second-highest average cost per data breachย with the UAE, while these Gulf nations also witnessed the highest average number of breached records. In the past,ย Saudiโ€™s industrial sector has also shown itself to be vulnerable to cyber attacks, with 88% of organizations reporting ransomware attacks and incidents spiking whenever the country or surrounding region experiences geopolitical disruption.

But, these records are changing quickly. This year, the kingdomย ranked second in the global Cybersecurity Indexย in the World Competitiveness Yearbook (WCY), and took 17th placeย  โ€“ up seven places from 2022 โ€“ in the overall competitiveness ranking.

Inconsistent cybersecurity measures might be seen as the growing pains of a fast-growing digital economy โ€“ what matters is how policymakers and industry players respond. Given the number of cybersecurity measures being rolled out in KSA, and the speed with which they are being deployed, it appears the Saudi government has recognized this area as a strategic priority, while businesses are responding with their own investments in advanced security measures.

In addition to the newly enforceable Personal Data Protection Law, some of the key developments in Saudiโ€™s cybersecurity journey include:

The National Cybersecurity Authority (NCA)

Established in 2017, the NCA oversees the National Cybersecurity Strategy, a framework focused on effective cybersecurity governance, while managing cyber risks, and strengthening national defense capabilities. The NCA also plays a pivotal role in setting minimum cybersecurity standards for national and government agencies, and provides comprehensive policies and frameworks to assist organizations in safeguarding their data and networks.

The NCAโ€™s 2023 National Plan for Cyber Assessments maps out a rigorous approach to regulating cybersecurity standards across national entities. Extensive assessments, compliance audits and cyber reviews of critical systems will help enforce the authorityโ€™s standards and manage cyber risk nationally.

Local legislation sets tough guardrails for cyber activity within KSA. With broader scope than the PDPL, the Anti-Cyber Crime Law combats cyber crimes, protects information security, and promotes legitimate computer and information network usage, while defining cyber crime and its punishments. The Electronic Transactions Law is a legal framework for electronic transactions that controls and regulates the safe conduct of digital transactions.

2023 National Plan for Cyber โ€‹โ€‹Assessments

As part of its move to standardize cybersecurity quality across national authorities, the NCA has this year been following a programme of technical and compliance assessments to ensure entities are up to the standards required to ensure cyber safe institutions. The project also includes the establishment of an inventory of sensitive national assets and review systems to ensure adherence to the NCA cybersecurity provisions.

The Haseen Initiative

Officially known as the National Portal for Cyber Security Services, Haseen was developed by the NCAโ€™s technical division, the Saudi Information Technology Company (SITE), as a holistic cyber management platform. It has a broad-spectrum role in supporting national entities as they increase resilience against cyber attacks, helping authorities assess and raise their cybersecurity capabilities. Key domains within Haseen relate to compliance management, information sharing, email authentication and verification of files and links, all intended to lift the overall level of national cyber safety.

The Global Cybersecurity Forum Institute

As part of Saudi Arabiaโ€™s growing cybersecurity leadership in the Middle East and beyond, the GCF Institute was founded in Riyadh earlier this year, bringing together international experts from government, the private sector, academia and interest groups to develop strategies for tackling global cybersecurity challenges. The institute enables KSA to access best practices from around the world, and share lessons learned in, for example, repelling theย 110 million cyber threats detected in Saudia Arabia during 2022.

Council of Ministers for Cybersecurity

Based on a Saudi proposal at the recent 160th session of the Council of Arab Foreign Ministers of the Arab League,ย a regional body was formedย to drive collaboration and coordination between Arab countries in all cybersecurity-related matters. Operating out of Riyadh and driven by KSA, the Council of Ministers for Cybersecurity has objectives of strengthening cybersecurity across the Arab world, recognizing that sustainable social development in this area will be impossible without cybersecure environments.

Forum of Incident Response and Security Teams

Just a few days ago, Saudiโ€™sย Human Resources Development Fund (also known as HADAF) was accepted into the Forum of Incident Response and Security Teams (FIRST), a US-based cybersecurity association widely recognized for its industry-leading incident response. For the KSA public sector, inclusion in this group of 656 businesses and government organizations across 101 countries promises a step change in cybersecurity capability. HADAF is the Kingdomโ€™s 11th FIRST member and, with its governmental mandate, the fund will be able to significantly improve the efficiency of national organizations in safeguarding their systems and data.

This is a small selection of initiatives currently shaping the Saudi cybersecurity landscape. Aside from HADAF and NCA, bodies such as the Saudi Federation for Cybersecurity, Programming and Drones, and the Ministry of Communications and Information Technology are also having a significant influence on the accelerated evolution of regulations, systems maturity and skills availability in the country.

Further projects supporting this transformation include the National Cybersecurity Center to raise awareness of cybersecurity efforts; the founding of the National Academy of Cybersecurity to develop cybersecurity skills and capabilities in the Kingdomโ€™s workforce; and the rolloutย  of a National Cybersecurity Awareness Program to educate citizens and residents.

Conclusion

As Saudi Arabia steers towards its Vision 2030 goals of diversification and knowledge-based economic growth, the emphasis on cybersecurity is not just relevant; itโ€™s fundamental. Digital enablement of the economy, governmental services, health sector and private business means, as it does in most countries across the world today, that cybersecurity translates into national security.

But in KSA, where bold development plans includeย smart cities, smart ports, AI-integrated infrastructure and digital technologies at the core of all services, the stakes are raised. With such a radical expansion of the digital landscape, the attack surface increases dramatically too, but this does not appear to be slowing the Kingdom down. As with the challenges that inspired Vision 2030 in the first place, cybersecurity appears to be just one more puzzle that Saudi Arabia seems hungry to solve.

Avatar of Marin Ivezic
Marin Ivezic
Website |  Other articles

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.