Cybersecurity Policy and Law

Dr. Moneer Alshaikh
Assistant Professor, CCSE, University of Jeddah

What are we going to study in this course?*
• Class 1: Policies, Types and Implementation – Part I
• Class 2: Policies, Types and Implementation – Part II
• Class 3: Policy & Laws Documents to Support Cybersecurity
• Class 4: International perspective on cybersecurity policy and law
• Class 5: Saudi Arabia’s cybersecurity policies & laws
• Class 6: Cybersecurity Policy “Issues”
• Class 7: Case Studies, Cyber Warfare and SANS cybersecurity policies

* I may update this regularly.


International Law and Cybersecurity Background

• The area of cybersecurity law is much newer than cybersecurity itself*.

• Most countries have some laws in place …

• Collaborative effort of nations ? (next slide)

* Cisco NetAcad
International Law and Cybersecurity Background

• The International Multilateral Partnership Against Cyber Threats (IMPACT*) is the first international public-private partnership that is focused on cyber threats.

• IMPACT is a global partnership of world governments, industries, and academia dedicated to improving global capabilities when dealing with cyber threats.

* http://www.impact-alliance.org/home/index.htm
International Law and Cybersecurity Background

• IMPACT

• Based in Cyberjaya, Malaysia

• IMPACT is the operational home of the International Telecommunication Union (ITU)’s Global Cybersecurity Agenda (GCA).

• As ITU’s cybersecurity executing arm, IMPACT provides ITU’s 193 Member States access to expertise, facilities and resources to effectively address cyber threats.

* http://www.impact-alliance.org/home/index.htm
International Law and Cybersecurity Background

• IMPACT

• IMPACT officially became the cybersecurity executing arm of the United Nations’ (UN) specialised agency, the ITU.

• As the world’s first comprehensive alliance against cyber threats, IMPACT brings together governments, academia and industry experts to enhance the global community’s capabilities in dealing with cyber threats.

* http://www.impact-alliance.org/home/index.htm
International Law and Cybersecurity Background

For details: https://www.itu.int/ITU-D/cyb/publications/2012/IMPACT/IMPACT-en.pdf


International Law and Cybersecurity Background

• A nation’s right to defend itself—when attacked—is in accordance with Article 51 of the UN Charter.

• The right to self-defense is legitimate in the context of preemptive self-defense.

• That right, in accordance with an enhanced understanding of Article 51, is predicated (based) on the availability of intelligence information indicating that an attack is imminent (about to happen). (Limited to a specific individual?)

This and next slides are extracted from the contents of the book:
Cybersecurity: Geopolitics, Law, and Policy by Amos N. Guiora
International Law and Cybersecurity Background

• Thus, an important question to ask is:

• Whether or not the law applies to cybersecurity, and if the law applies, what are the relevant legal structures?
International Law and Cybersecurity Background

• Cyber attacks target the infrastructure—whether of nation-states or of individuals.

• Example:
• Targeting a municipality’s water system has significant consequences, even though the physicality of the attack is not equated to a suicide bombing.
International Law and Cybersecurity Background

• Self-defense is in accordance with Article 51 of the UN Charter, assuming an attack is imminent.

• Discussion points:

• Does it allow “preemptive strikes”, e.g. by using drones?

• Or does it depend on “how imminent the threat is”?


International Law and Cybersecurity Background

• Scenario 1:

• “Imagine that a suicide bomber successfully executes his or her plan and
kills himself or herself, and several others, in a busy marketplace near a
city center. With surveillance, if military intelligence was aware of the
plot, knew the individual executing the plot, and saw him or her walking
to the city center with a bomb, few would argue that the military did not
have the right to eliminate the threat at that point.”
International Law and Cybersecurity Background

• It is clear, at this point, that without a preemptive act of self-defense, there will be casualties.

• Thus, pursuant to Article 51 of the UN Charter, self-defense is not only appropriate but expected.
International Law and Cybersecurity Background

• Scenario 2:

• “Imagine that at the same city center there is a busy sidewalk café. Within
that café, a lone individual is sitting at a table typing on his laptop.
Throughout the café, several others are doing the same, typing on their
laptop intensely. Is it easy to predict who, if any, of those are a threat?”
International Law and Cybersecurity Background

• At this point, is there a way to eliminate any threat?

• Is there a need for a preemptive act of self-defense?

• Difference: a suicide bomber is manifestly intent on killing as many people as possible.
• Conversely, a cyber attacker is not focused on killing people, although deaths may be a by-product of the cyber attack.
International Law and Cybersecurity Background

A nation-state’s right to preemptive measures is based on “imminence analysis”.
International Law and Cybersecurity Background

• For a threat to be viable, it must be feasible, or capable of happening.

• A threat that is set to occur 10 years down the road is likely not considered imminent compared to a threat that is set to occur tomorrow. (Time is relevant.)
International Law and Cybersecurity Background

• Monitoring the chatter among the individuals involved (corroboration).

• Often, surveillance teams can ascertain critical information through phone wires, e-mail chains, or social media accounts.

Corroboration = confirmation, verification


International Law and Cybersecurity Background

• The reliability of the threat, and of the source presenting the threat, emphasizes the necessity to corroborate.

• In order to corroborate, the first step would be to determine the source’s reliability.
International Law and Cybersecurity Background

• Questions/Discussion:

1. Is a cyber attack by a nation-state directed at another nation-state akin to (similar to) a traditional act of war?

2. A follow-up question is whether the counterattack would be limited to a cyber counterattack, or whether international law would tolerate an armed attack in response to a cyber attack.
International Law and Cybersecurity Background

• THREE PARADIGMS: PRACTICAL APPLICATION OF INTERNATIONAL LAW

1. The nation-state has the right to protect itself against both an attacking nation-state and non-state actor
responsible for a cyber attack;

2. Attacking a nation-state’s infrastructure justifies a response; the operative question is whether the
legitimate response is restricted to a cyber counter attack against the attacking state’s Internet
infrastructure or physical engagement targeting the state specifically identified as responsible for the
cyber attack;

3. The conduit, acting on behalf of the nation-state, presents a dilemma distinct from the non-state actor
and more akin with the nation-state model; operational decision making regarding the conduit, in the
context of self-defense, is dependent on a number of factors including whether the Internet
infrastructure is a readily identifiable target, the degree of determinable involvement by specific
individuals, and the damage caused to the nation-state.

Paradigm: pattern, model.
International Law and Cybersecurity Background

• THREE PARADIGMS: PRACTICAL APPLICATION OF INTERNATIONAL LAW

• First paradigm:

• Nuclear weapon vs cyber attack

• First, let us assume, for the sake of assumption only, that Russia launches a nuclear weapon against the United States.
• It seems very few people, if anyone, would argue that the United States does not now have the right to a proportional response in self-defense.
International Law and Cybersecurity Background

• THREE PARADIGMS: PRACTICAL APPLICATION OF INTERNATIONAL LAW

• First paradigm:

• “Now, let us assume, Russia has launched a cyber attack against the United
States;
• specifically, it has shut down all computer systems at air traffic control
towers at every airport in America.
• None of the flight technicians is able to direct the airplanes taking off,
landing, or flying in the sky.
• This is a significant risk.
International Law and Cybersecurity Background

• THREE PARADIGMS: PRACTICAL APPLICATION OF INTERNATIONAL LAW

• First paradigm:

• Without the air traffic control tower, planes do not know whether they
can land successfully, if they are flying on the same flight path as
another plane, or whether they are cleared for take off.
• This could result in a significant number of deaths.
• Thus, just as the nuclear weapon justifies a proportional response in self-
defense, so does the shutting down of air traffic control towers.
International Law and Cybersecurity Background

• THREE PARADIGMS: PRACTICAL APPLICATION OF INTERNATIONAL LAW

• Second paradigm:

• Now, let us assume for the sake of example:

• the air traffic control towers were shut down, not by Russia …

• “but by an independent agency operated in Russia, with Russian employees, but acting independently”.
International Law and Cybersecurity Background

• THREE PARADIGMS: PRACTICAL APPLICATION OF INTERNATIONAL LAW

• Second paradigm:

• Important Questions/discussion:
• Is the United States justified in a counter cyber attack against Russia?
• Is it justified in a counter cyber attack against the independent agency?
• Does it have to be one or the other, or is the United States justified in a cyber
counterattack against either Russia, the independent agency, or both?
• Is a physical act of war a proportional response to a cyber attack?
Difficult questions to answer!
International Law and Cybersecurity Background

• THREE PARADIGMS: PRACTICAL APPLICATION OF INTERNATIONAL LAW

• Third paradigm:
• What if, after the attack on the air traffic control towers, it is determined that the independent agency was acting on behalf of Russia?

• Questions/Discussion
• Can the United States engage in a proportional counterattack against Russia? OR
• does it have to be against the independent agency?
• Further, can the United States engage in a physical attack, either against Russia, or the
independent agency, or must it stick with a proportional counter cyber attack?
International Law and Cybersecurity Background

• THREE PARADIGMS: PRACTICAL APPLICATION OF INTERNATIONAL LAW

• Response Criteria against cyber attack:

1. In accordance with international law, the response to a cyber attack must be proportional;
2. the intelligence information must indicate that an attack is imminent; and
3. the nation-state must demonstrate there were no alternatives to physical engagement.

• If these criteria are met in their entirety, then the nation-state has the ability to physically
engage someone who has the potential to cause physical harm to the nation’s civilian
population including a cyber attack.
International Law and Cybersecurity Background

• Important questions / Discussion points

1. Does international law apply to cybersecurity?
2. Does international law allow nation-states to protect themselves from cyber attacks?
3. Is an attack on a corporation the same as an attack on a nation-state?
4. How is a legitimate target defined in a cyber attack?
5. Should a certain level of cooperation exist among government entities, local law
enforcement, and corporate bodies?
6. Do countries have an obligation to share relevant information regarding cyber security
concerns or attacks with one another?
General international law and cyberspace

Ref: Tallinn Manual 2.0

The Tallinn Manual (originally entitled Tallinn Manual on the International Law Applicable to Cyber Warfare) is:

- an academic, non-binding study on how international law (in particular the jus ad bellum and international humanitarian law) applies to cyber conflicts and cyber warfare.

- Between 2009 and 2012, the Tallinn Manual was written at the invitation of the 
Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence by an
international group of approximately twenty experts. In April 2013, the manual was
published by Cambridge University Press.
Jus ad bellum (Latin for "right to war") is a set of criteria that are to be
consulted before engaging in war in order to determine whether entering into war is
permissible, that is, whether it is a just war.

International humanitarian law (IHL) is the law that regulates the conduct of war (
jus in bello). It is that branch of international law which seeks to limit the effects of
armed conflict by protecting persons who are not participating in hostilities, and by
restricting and regulating the means and methods of warfare available to combatants.
General international law and cyberspace
(Rules)
• Sovereignty (general principle)

• Sovereignty is a foundational principle of international law.

• It refers to the supreme authority of the prince or king or, applied to modern
international law, the State.

• In particular, States enjoy sovereignty over any cyber infrastructure located on their territory and activities associated with that cyber infrastructure.

• Sovereignty = authority
General international law and cyberspace
• Sovereignty (general principle)
• The physical, logical, and social layers of cyberspace are encompassed in the
principle of sovereignty.

• The physical layer comprises the physical network components (i.e., hardware and other
infrastructure, such as cables, routers, servers, and computers).

• The logical layer consists of the connections that exist between network devices. It
includes applications, data, and protocols that allow the exchange of data across the
physical layer.

• The social layer encompasses individuals and groups engaged in cyber activities.
General international law and cyberspace
• Violation of sovereignty
• A State must not conduct cyber operations that violate the sovereignty of
another State.

• Due diligence
• A State must exercise due diligence in not allowing its territory or cyber
infrastructure under its governmental control, to be used for cyber operations
that affect the rights of, and produce serious adverse consequences for, other
States.
General international law and cyberspace
• Jurisdiction

• Subject to limitations set forth in international law, a State may exercise territorial and
extraterritorial jurisdiction over cyber activities.

• Jurisdiction refers to the competence of States to regulate persons, objects, and conduct
under their national law, within the limits imposed by international law. It grants States
authority over the full scope of civil, administrative, and criminal matters.

• Jurisdiction: the official power to make legal decisions and judgements.


General international law and cyberspace
• International cooperation in law enforcement

• Although as a general matter States are not obliged to cooperate in the investigation and prosecution of cyber crime …

• Such cooperation may be required by the terms of an applicable treaty or other international law obligation.
Law of international responsibility

Ref: Tallinn Manual 2.0

Law of international responsibility
• Internationally wrongful cyber acts

• A State bears international responsibility for a cyber-related act that is attributable to the State and that constitutes a breach of an international legal obligation.
Law of international responsibility
• Peaceful settlement of disputes

• States must attempt to settle their international disputes involving cyber activities that endanger international peace and security by peaceful means.

• If States attempt to settle international disputes involving cyber activities that do not endanger international peace and security, they must do so by peaceful means.
Law of international responsibility
• Attribution of cyber operations by State organs

• Cyber operations conducted by organs of a State, or by persons or entities empowered by domestic law to exercise elements of governmental authority, are attributable to the State.

• This applies when State organs such as the military or intelligence agencies commit the wrongful acts.

• For instance, all cyber activities of US Cyber Command, the Netherlands Defense Cyber Command, the French Network and Information Security Agency (ANSSI), the Estonian Defense League’s Cyber Unit, the People’s Liberation Army cyber unit, and Israel’s Unit 8200 are fully attributable to the respective States.
Law of international responsibility
• Attribution of cyber operations by non-State actors

• Cyber operations conducted by a non-State actor are attributable to a State when:

• engaged in pursuant to its instructions or under its direction or control; or

• the State acknowledges and adopts the operations as its own.


Law of international responsibility
• Attribution of cyber operations by non-State actors

• As an example of effective control, consider a case in which one State plans and oversees an operation to use software updates to implant new vulnerabilities in software widely used by another State in its governmental computers.
• The former State concludes a confidential contract to embed the exploits with
the company that produces the software and then directs the process of
doing so.
• Such being the case, the company’s behaviour is attributable to the
controlling State.
Law of international responsibility
• Limitations on countermeasures
• Countermeasures, whether cyber in nature or not, may not include actions
that affect fundamental human rights, amount to prohibited

• Cessation, assurances, and guarantees

• A responsible State must cease an internationally wrongful act committed by cyber means and, if appropriate, provide assurances and guarantees of non-repetition.
Law of international responsibility
• Proportionality
• A cyber attack that may be expected to cause:
• incidental loss of civilian life
• injury to civilians
• damage to civilian objects, or
• a combination thereof …
• which would be excessive in relation to the concrete and direct military
advantage anticipated is prohibited.
Law of international responsibility
• Proportionality
• Example:
• Consider the case of a cyber attack on the Global Positioning System.
• The system is dual-use and thus a lawful target.
• However, depriving the civilian users of key information such as navigational data is likely
to cause damage to, for instance, merchant vessels and civil aircraft relying on Global
Positioning System guidance.
• If this expected harm is excessive in relation to the anticipated military advantage of the
operation…
• the operation would be forbidden.
Law of international responsibility
• United Nations Security Council

• Should the United Nations Security Council determine that a cyber operation constitutes a threat to the peace, breach of the peace, or act of aggression, it may authorize non-forceful measures, including cyber operations, in response.

• If the Security Council considers such measures to be inadequate, it may decide upon forceful measures, including cyber measures.
Law of international responsibility
• Verification of targets

• Those who plan or decide upon a cyber attack shall do everything feasible to
verify that the objectives to be attacked are …

• … neither civilians nor civilian objects and are not subject to special
protection.
Law of international responsibility
• Choice of means or methods
• Those who plan or decide upon a cyber attack shall take all feasible
precautions …

• … in the choice of means or methods of warfare employed in such an attack …

• … with a view to avoiding, and in any event to minimizing:

• … incidental injury to civilians, loss of civilian life, and damage to or destruction of civilian objects.
Law of international responsibility
• Cancellation or suspension of attack
• Those who plan, approve, or execute a cyber attack shall cancel or suspend
the attack if it becomes apparent that:

• the objective is not a military one or is subject to special protection; or

• the attack may be expected to cause, directly or indirectly, incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof that would be excessive in relation to the concrete and direct military advantage anticipated.
Reduce your cyber risk with ISO/IEC 27001
How to implement best-practice cybersecurity with ISO 27001

© IT Governance USA Inc. 2018, Reduce_Cyber_Risk_With_ISO_27001_Sept2017v1.1

ISO/IEC: International Organization for Standardization / International Electrotechnical Commission
IT Governance Green Paper: (ITU-T M 3000)
ISO/IEC 27001
• Cyber crime is a sophisticated and developed threat.

• The fastest way to develop a response is to collaborate with and learn from others.

• There is an international standard and a supporting body of good practice that focus on helping organizations tackle and contain cyber risk.

• This standard is ISO/IEC 27001.


ISO/IEC 27001

• The Standard is like a blueprint for cybersecurity.

• It is now globally recognized for cyber resilience*.

• Governments and many larger organizations now require evidence from their suppliers of ISO 27001 implementation.

* Cyber resilience refers to an entity's ability to continuously deliver the intended outcome despite adverse cyber events. Cyber resilience is an evolving perspective that
ISO/IEC 27001
• How does ISO 27001 work?

• ISO 27001 is technology-neutral.

• It sets out the specifications for implementing a best-practice Information Security Management System (ISMS).

• An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.

https://whatis.techtarget.com/definition/information-security-management-system-ISMS
ISO/IEC 27001
• What is ISO/IEC 27001?
• ISO/IEC 27001 (ISO 27001) is an international standard.

• It describes best practice for an ISMS (information security management system).

• Achieving accredited certification to ISO 27001 demonstrates that your company is following information security best practice and …

• … provides an independent, expert verification that information security is managed in line with international best practice and business objectives.
https://www.itgovernance.eu/en-ie/iso-27001-ie
ISO/IEC 27001
• How does ISO 27001 work?

• ISO 27001 says that, in preserving the CIA (confidentiality, integrity, and availability) of the organization’s information and information assets …

• … the ISMS must address issues in relation to people, processes, and technology,

• (because) cybersecurity threats are not solely technological in nature, but take advantage of a wide range of weaknesses and can affect the whole organization.
ISO/IEC 27001
• How does ISO 27001 work?

• We think we’re already secure; what else do we need to do for ISO 27001?

• Of course, you already have a number of cybersecurity measures – policies, practices, procedures, control technologies – in place. What you don’t know is whether or not those measures are appropriate for your risk environment.

• That’s the big issue that ISO 27001 helps you address.
ISO/IEC 27001

• ISO 27001 helps organizations:

• improve their security,
• comply with cyber security regulations, and
• protect and enhance their reputation.

• But implementing the Standard takes a lot of time and effort.

* https://www.itgovernance.eu/blog/en/9-steps-to-implementing-iso-2
9 steps to implementing ISO 27001*

* https://www.itgovernance.eu/blog/en/9-steps-to-implementing-iso-2
9 steps to implementing ISO 27001
1. Project mandate

• The project should begin by appointing a project leader, who will work with other members of staff.

• This is essentially a set of answers to these questions:

• What are we hoping to achieve?
• How long will it take?
• What will it cost?
• Does it have management support?
9 steps to implementing ISO 27001
2. Project initiation
• Organizations should use their project mandate to build a more defined structure, e.g.
• specific details about information security objectives and
• the project’s team,
• plan and
• risk register.
9 steps to implementing ISO 27001
3. ISMS initiation
• The next step is to adopt a methodology for implementing the ISMS.

• ISO 27001 recognizes that a “process approach” to continual improvement is the most effective model for managing information security.

• However, it doesn’t specify a particular methodology, and instead allows organizations to use whatever method they choose.
9 steps to implementing ISO 27001
3. ISMS initiation

• Process approach
• An activity used to manage and transform input to output is called a “process”.
• The output from one process can directly form the input to another process.
• The application of a system of processes within an organization, together with the identification and interaction of these processes, and their management, can be referred to as a “process approach”.

• https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_
9 steps to implementing ISO 27001
4. Management framework

• At this stage, the ISMS will need a broader sense of the actual framework.

• This also involves identifying the scope of the system, which will depend on the context.

• Project management (PM) framework examples: PRINCE2, Critical Chain Project Management (CCPM), Lean, Extreme Project Management/Megaproject (XPM), Scrum, etc.
9 steps to implementing ISO 27001
5. Baseline security criteria

• Organizations should identify their core security needs.

• These are the requirements and corresponding measures or controls that are
necessary to conduct business.
9 steps to implementing ISO 27001
6. Risk management

• ISO 27001 allows organizations to broadly define their own risk management
processes.
• There are five important aspects of an ISO 27001 risk assessment:
1. Establishing a risk assessment framework (e.g. NIST RMF)
2. Identifying risks
3. Analyzing risks
4. Evaluating risks
5. Selecting risk management options (e.g. avoid, mitigate, transfer, …)
9 steps to implementing ISO 27001
7. Risk treatment plan

• This is the process of building the security controls that will protect your
organization’s information assets.

• To ensure these controls are effective, you will need to check that staff are
able to operate or interact with the controls, and that they are aware of their
information security obligations.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
9 steps to implementing ISO 27001
7. Risk treatment plan

https://en.m.wikipedia.org/wiki/ISO/IEC_27001
9 steps to implementing ISO 27001
8. Measure, monitor and review

• Organizations need to measure, monitor and review the system’s performance.

• This will involve identifying metrics or other methods of gauging the effectiveness and implementation of the controls (KPIs and KRIs).
9 steps to implementing ISO 27001
9. Certification
• Once the ISMS is in place, organizations should seek certification from an
accredited certification body.
• The certification process will involve a review of the organization’s
management system documentation to check that the appropriate controls
have been implemented.
• The certification body will also conduct a site audit to test the procedures in
practice. (Stage 1 audit & Stage 2 audit)

Choosing a certification body: https://www.iso.org/certification.html
Microsoft Cybersecurity Policy Framework
A practical guide to the development of national cybersecurity policy
Microsoft Cybersecurity Policy Framework

• How to use the Cybersecurity Policy Framework?

• The Cybersecurity Policy Framework is designed for policy-makers.

Policies are rules that are made by organizations, to achieve their aims and goals. A regulation has the effect of a law and is considered as a restriction that is imposed by authorities, to make people follow the desired code of conduct. ... Policy cannot supersede regulation.
https://www.rallypoint.com/answers/what-is-the-difference-between-a-policy-and-a-regulation-in-regards-to-the-navy
Microsoft Cybersecurity Policy Framework
1
• National Cybersecurity Strategy

• What?
• A national cybersecurity strategy outlines a country’s cybersecurity vision and sets out
the priorities, principles, and approaches to understanding and managing cybersecurity
risks at a national level.

• Why?
• Essential for managing national-level cybersecurity risks and for developing appropriate
regulation to support those efforts.
Microsoft Cybersecurity Policy Framework
1
• National Cybersecurity Strategy

• Three characteristics:

• First, they are embedded in “living” documents that have been developed and implemented in partnership with key public and private stakeholders.

• They are sufficiently flexible to adapt to the changing cybersecurity landscape.
Microsoft Cybersecurity Policy Framework
1
• National Cybersecurity Strategy

• Three characteristics:

• Second, they are based on clearly articulated principles that reflect societal values, traditions, and legal principles.
Microsoft Cybersecurity Policy Framework
1
• National Cybersecurity Strategy

• Three characteristics:

• Third, the strategies are based on a risk-management approach where governments and private sector partners agree on the risks that must be managed or mitigated, and even those that must be accepted.
Microsoft Cybersecurity Policy Framework
1
• National Cybersecurity Strategy
• Key Policy Principles:
• The national cybersecurity strategy should set out the key principles that will guide the
preparation and enforcement of cybersecurity policies. Microsoft recommends the
following six foundational principles as the basis for cybersecurity policy:
1. Risk-based and proportionate
2. Outcome-focused
3. Prioritized
4. Practicable and realistic
5. Respectful of privacy, civil liberties, and rule of law
6. Globally relevant
Microsoft Cybersecurity Policy Framework
2
• Establishing and empowering a national cybersecurity agency

• These agencies have unique authorities

• that allow them to address cybersecurity directly, but
• also perform an essential function in coordinating across different organizations.
Microsoft Cybersecurity Policy Framework
2
• Establishing and empowering a national cybersecurity agency

• Recommendations for structuring an effective national cybersecurity agency

• Appoint a single national cybersecurity agency
• Provide the national cybersecurity agency with a clear mandate and powers
• Five-part agency structure
• Policy & planning unit
• Outreach and partnership unit
• Communications unit
• Regulatory unit
Microsoft Cybersecurity Policy Framework
3
• Developing and updating cybercrime laws

• Dependent on the country’s existing laws, legal structures and traditions.

• Could be stand-alone cybercrime laws.

• Could be incorporated into existing legal frameworks.

Microsoft Cybersecurity Policy Framework
3

(Figure: six objectives for developing cybercrime laws)
Microsoft Cybersecurity Policy Framework
3
• Developing and updating cybercrime laws

• Budapest Convention

• The Convention on Cybercrime of the Council of Europe (CETS No. 185)

• It serves as a guideline for any country developing comprehensive national legislation against cybercrime.

• Further details: https://www.coe.int/en/web/cybercrime/the-budapest-convention

Microsoft Cybersecurity Policy Framework
4
• Developing and updating critical infrastructure protection laws

• A wide-ranging set of functions, services, systems, and assets, commonly referred to as infrastructures.

• Communications, banking, energy, transportation, and healthcare are considered critical infrastructure
• since their disruption, destruction, or loss of integrity can impact a nation’s stability.
Microsoft Cybersecurity Policy Framework (4)
• Developing and updating critical infrastructure protection laws
• Best Practices
• Identify critical infrastructures
• Understand the scope and status of existing policies and capabilities
• Empower a central authority to implement critical infrastructure protection policies
• Clarify the respective responsibilities of owners and operators of critical infrastructure
• Introduce minimum security baselines for critical infrastructure
• Encourage information sharing
• Create public-private partnerships
Microsoft Cybersecurity Policy Framework (5)
• An international strategy for cybersecurity
• A country’s national policies must enable the country to collaborate effectively with international partners and to design and comply with international obligations.
• Policy-makers must therefore keep the goal of international norms in mind when developing their national-level cybersecurity strategy and associated policies.
Saudi Arabia’s cybersecurity: authorities, frameworks, strategies, policies and laws
KSA Perspective on Cybersecurity Policy and Law
• NCA
• National Cybersecurity Authority (newly established: 2017-2018)
• A new commission to boost cybersecurity
• NCSC
• National Cyber Security Center
• Under MOI (Ministry of Interior)
• Anti-Cyber Crime Law (Royal Decree No. M/17 dated 8 Rabi I 1428)
www.ncsc.gov.sa
https://twitter.com/ncsc_sa?lang=en
KSA Perspective on Cybersecurity Policy and Law
• NCSC BCSC (old)
• BCSC: Basic Cyber Security Controls
• https://www.ncsc.gov.sa/wps/wcm/connect/ncsc/380ec471-5680-4e85-b5a5-1a852b148577/NCSC+Basic+Cyber+Security+Controls+%28BCSC%29+-+V1.0.pdf?MOD=AJPERES&CVID=m2.QEkl
• NCSC ECC (new: 2018)
• ECC: Essential Cybersecurity Controls
• https://www.ncsc.gov.sa/wps/wcm/connect/ncsc/e35e8644-b781-460e-a149-11633e83f2c7/ECC+-+English.pdf?MOD=AJPERES&CVID=mDyXCZ1
KSA Perspective on Cybersecurity Policy and Law
• NCSC ECC (new: 2018)
• The Essential Cybersecurity Controls consist of the following:
• 5 Cybersecurity Main Domains
• 29 Cybersecurity Subdomains
• 114 Cybersecurity Controls
• These cybersecurity controls are linked to related national and international law and regulatory requirements.
KSA Perspective on Cybersecurity Policy and Law
• NCSC ECC
Figure: Main Domains of ECC
Figure: One of the sub-domains and relevant controls
Figure: One of the sub-domains and relevant controls
KSA Perspective on Cybersecurity Policy and Law
• NCSC Services
• Variety of tests and assessment reports for:
• Information Assurance
• Incident Response
• Situational Awareness
• For further information: visit the “services” menu on the main webpage of www.ncsc.gov.sa
KSA Perspective on Cybersecurity Policy and Law
• CITC
• Communications and Information Technology Commission
• http://www.citc.gov.sa/en/Pages/default.aspx
KSA Perspective on Cybersecurity Policy and Law
• Information Security Policies and Procedures Development Framework*
• This document describes how government agencies can use this cybersecurity framework to develop their own cyber policies.
• Developed by “Computer Emergency Response Team – Saudi Arabia (CERT-SA)”
* CITC manual (July 2016): http://www.citc.gov.sa/en/new/publicConsultation/Documents/143703_en.pdf#search=cyber%20security
KSA Perspective on Cybersecurity Policy and Law
• Information Security Policies and Procedures Development Framework*
• It should be noted that there is no single method for developing information security policies and procedures.
• Many factors must be taken into account, including audience type and Government Agency business and size, all of which are considered in this Framework.
* CITC manual (July 2016): http://www.citc.gov.sa/en/new/publicConsultation/Documents/143703_en.pdf#search=cyber%20security
KSA Perspective on Cybersecurity Policy and Law
• This framework has considered input from:
• ISO/IEC 27001
• ISACA COBIT
• Saudi Laws
• Input from government agencies
• US Federal Information Processing Standards (FIPS)
• US National Institute of Standards and Technology (NIST)
• NIST SP 800-53: Recommended Security Controls for Federal Information Systems
• Germany: Federal Office for Information Security (BSI) Baseline Protection Manual
KSA Perspective on Cybersecurity Policy and Law
• CITC Framework:
• This framework classifies the development of information security policies into:
1. Common Information Security Policies
• Based on the Control Group (e.g. Access Control, Business Continuity, Acceptable Use Policy, etc.).
• These policies address the typical information security risks applicable to most organizations.
2. System-specific Information Security Policies
• Based on specific types of systems identified in this document (i.e. Application, IT System, Networking and Physical Infrastructure).
• Where applicable, the system-specific information security policies support up to three levels (High, Medium and Normal) of information security requirements.
KSA Perspective on Cybersecurity Policy and Law
• CITC Framework Components:
1. Development Process for Information Security Policies and Procedures
• a. Repository of Common Policies.
• b. Repository of System Specific Policies.
• c. Repository of Common Procedures.
• d. Information Security Department Placement Options.
2. Implementation of Information Security Policies and Procedures.
• a. Sample Awareness Plan.
• b. Information Security Audit Process.
KSA Perspective on Cybersecurity Policy and Law
• Common Information Security Policies Example:
• Policy Title: Corporate Information Security Policy
• Purpose: To communicate the management commitment and key goals for establishing risk-based information security controls in the <Organization Agency Name>.
• Policy Applicability: Applies to all temporary or permanent <Organization Agency Name> employees, vendors, business partners, and contractor personnel and functional units regardless of geographic location.
• Executive Owner: IS Officer
• Custodian: Head of IT
• Enforcement: Any employee or third party (vendors, business partners, contractor personnel, etc.) found to have violated this policy may be subject to disciplinary action as per the organization’s policies and Saudi Arabia’s laws and regulations, including but not limited to Labour Laws, Anti e-Crimes Law and e-Transaction Law...
• Information Security Policy Statements
• Corporate Security Key Objectives
• “Government Agency” information systems shall be used only for authorized business purposes and limited personal usage as per the organization’s information system acceptable usage policy.
KSA Perspective on Cybersecurity Policy and Law
• System Specific Information Security Policies Example:
• Policy Area: Information Security Awareness
• Standard Area: Information Security Awareness Sessions
• Detailed standard statements:
1. Awareness programs must focus on end user security responsibilities.
2. The programs must be conducted periodically, at least once every 6 months.
3. Their effectiveness must be measured and suitably corrected and improved over time.
4. All new hires must undergo Security Awareness training as part of the induction process.
5. Awareness programs must use methods such as Email, Posters, Video or Classroom training.
• Applicability: Agencies with Risk Rating of High, Medium, Normal
KSA Perspective on Cybersecurity Policy and Law
Additional Reading:
• For further details about the Development Process for Information Security Policies, Procedures and Standards:
• http://www.citc.gov.sa/en/new/publicConsultation/Documents/143703_en.pdf#search=cyber%20security
• NISS by MCIT (Ministry of Communication and Information Technology)
• Developing National Information Security Strategy (NISS) for the Kingdom of Saudi Arabia
• https://www.itu.int/en/ITU-D/Cybersecurity/Documents/National_Strategies_Repository/SaudiArabia_NISS_Draft_7_EN.pdf
KSA Perspective on Cybersecurity Policy and Law
• Cyber crimes are broadly categorized into three categories:
• Cybercrime against individuals
• Cybercrime against property
• Cybercrime against Government
• Cyber crime against government is called cyber terrorism
• Criminals hack government portals, military websites or circulate propaganda.
• The perpetrators can be terrorists, or unfriendly governments of other nations.
https://www.stalawfirm.com/en/blogs/view/atthack-anti-cyber-crime-law-in-saudi-arabia.html
KSA Perspective on Cybersecurity Policy and Law
• The Legal System in Saudi Arabia
• Revealing sensitive information may be punishable by a fine that a judge, at his discretion, deems appropriate and equitable.
• Such an offence may attract a fine, imprisonment, or deprivation of specific rights such as suspension of a practising licence.
• The Saudi Anti-Cybercrimes Law was issued by Royal Decree Number M/17, dated 26 March 2007.
https://www.stalawfirm.com/en/blogs/view/atthack-anti-cyber-crime-law-in-saudi-arabia.html
KSA Perspective on Cybersecurity Policy and Law
• The Legal System in Saudi Arabia
• Additionally, Arab Cybercrime Agreement Number 126 of 2012* was approved in the year 2012.
• The Agreement primarily addresses the rise in electronic crime, which embraces such crimes as credit card fraud, internet crimes, cyber terrorism, creation and distribution of viruses, hacking, system interference, illegal access and interception, and so on.
• The Agreement also aims at strengthening cooperation between Arab countries in combating cyber crimes.
* http://www.sabaip.com/en/News/Saudi-Arabia-Arab-Cybercrime-Agreemen
https://www.stalawfirm.com/en/blogs/view/atthack-anti-cyber-crime-law-in-saudi-arabia.html
KSA Perspective on Cybersecurity Policy and Law
• The Legal System in Saudi Arabia
• The Agreement further signifies the importance of enforcing the Copyright Law.
• A proposed amendment to Article 6 of the Law could allow offenders to be publicly named and shamed.
• Cyber crime attracts severe punishment by the Saudi Ministry of Interior and the CITC, and penalties are exacted for identity theft, defamation, electronic piracy, email theft and other unlawful activities.
https://www.stalawfirm.com/en/blogs/view/atthack-anti-cyber-crime-law-in-saudi-arabia.html
KSA Perspective on Cybersecurity Policy and Law
• The Legal System in Saudi Arabia
• Known Cases of Cyber Crimes and Cyber Attacks in Saudi Arabia
• A group calling itself "Cutting Sword of Justice" claimed responsibility for the unethical and illegal cyber attack on Saudi Aramco in August 2012. In a matter of hours, 30,000 computers were partially wiped or wholly destroyed by a virus, resulting in the deletion of data on the company’s hard drives. Saudi Aramco's ability to supply 10% of the world's oil was suddenly at risk.
• In January 2012, the official website of King Saud University (KSU) was hacked by an unknown hacker, and a database of 812 users was exposed, including phone numbers, addresses, and passwords.
https://www.stalawfirm.com/en/blogs/view/atthack-anti-cyber-crime-law-in-saudi-arabia.html
KSA Perspective on Cybersecurity Policy and Law
• The Legal System in Saudi Arabia
• Known Cases of Cyber Crimes and Cyber Attacks in Saudi Arabia
• A Saudi hacker, 0XOMAR, published over 400,000 credit cards online and threatened Israel with the release of 1 million credit cards in the future. In response to that incident, an Israeli hacker published over 200 Saudi credit cards online.
• In December 2016, cyber criminals attacked various departments of the Saudi Government, including the General Authority of Civil Aviation. Thousands of computers were destroyed in the Saudi air office in the so-called “digital bomb” detonation, which wiped out the systems of several agencies at once.
https://www.stalawfirm.com/en/blogs/view/atthack-anti-cyber-crime-law-in-saudi-arabia.html
Saudi Arabia Anti-Cyber Crime Laws
http://www.citc.gov.sa/en/RulesandSystems/CITCSystem/Pages/CybercrimesAct.aspx
Saudi Arabia Anti-Cyber Crime Laws
• Royal Decree No. M/17
• 8 Rabi I 1428 (26 March 2007)
• There are 16 Articles in this document
Saudi Arabia Anti-Cyber Crime Laws
• Article 1: describes definitions of certain words e.g.
• Person
• Information System
• Information Network
• Data
• Computer Programs
• Unauthorized Access
• Cyber Crime etc.
Saudi Arabia Anti-Cyber Crime Laws
• Article 2: describes the purpose of the law e.g.
• Enhancement of information security.
• Protection of rights relevant to computers and networks.
• Protection of public interest, morals, and common values.
• Protection of national economy.
Saudi Arabia Anti-Cyber Crime Laws
• Article 3: describes cyber crimes and punishment (1)
• Cyber crimes
• Spying on, interception or reception of data …
• Unlawful access to computers with the intention to threaten or blackmail …
• Unlawful access to a web site, or hacking a web site …
• Invasion of privacy through the misuse of camera-equipped mobile phones …
• Defamation and infliction of damage upon others using various IT devices
• Punishment:
• Fine: <=500,000 SR
• Imprisonment: <=1 year
Saudi Arabia Anti-Cyber Crime Laws
• Article 4: describes cyber crimes and punishment (2)
• Cyber crimes
• Acquisition of movable property or bonds for oneself or others OR
• Signing such bonds through fraud or use of false name or identity
• Illegally accessing bank or credit data …
• Punishment:
• Fine: <=2 Million SR
• Imprisonment: <=3 years
Saudi Arabia Anti-Cyber Crime Laws
• Article 5: describes cyber crimes and punishment (3)
• Cyber crimes
• Unlawful access to computers with the intention to delete, erase, destroy, leak, damage, alter or redistribute private data.
• Causing the information network to halt or break down, or destroying, deleting, leaking or altering existing or stored programs or data.
• Obstruction of access to, distortion of, and causing breakdown of services by any means.
• Punishment:
• Fine: <=3 Million SR
• Imprisonment: <=4 years
Saudi Arabia Anti-Cyber Crime Laws
• Article 6: describes cyber crimes and punishment (4)
• Cyber crimes
• Production, preparation, transmission, or storage of material impinging on public order, religious values, public morals, and privacy, through the information network or computers.
• The construction or publicizing of a web site on the information network or a computer to promote or facilitate human trafficking.
• The preparation, publication, and promotion of material for pornographic or gambling sites which violates public morals.
• The construction or publicizing of a web site on the information network or a computer to trade in, distribute, demonstrate methods of use of, or facilitate dealing in narcotic and psychotropic drugs.
• Punishment:
• Fine: <=3 Million SR
• Imprisonment: <=5 years
Saudi Arabia Anti-Cyber Crime Laws
• Article 7: describes cyber crimes and punishment (5)
• Cyber crimes
• The construction or publicizing of a web site on the information network or on a computer for terrorist organizations to facilitate communication with leaders or members of such organizations, finance them, promote their ideologies, publicize methods of making incendiary devices or explosives, or any other means used in terrorist activities.
• Unlawful access to a web site or an information system directly, or through the information network or any computer, with the intention of obtaining data jeopardizing the internal or external security of the State or its national economy.
• Punishment:
• Fine: <=5 Million SR
• Imprisonment: <=10 years
Saudi Arabia Anti-Cyber Crime Laws
• Article 8: describes cyber crimes and punishment (6)
• The imprisonment and the fine may not be less than half the maximum if the crime is coupled with one of the following:
• The crime is perpetrated through organized crime.
• The offender holds a public office and the crime perpetrated relates to this office, or he perpetrates the crime using his power or influence.
• The luring and exploiting of minors and the like.
• The offender has been previously convicted of similar crimes within or outside the Kingdom.
Saudi Arabia Anti-Cyber Crime Laws
• Article 10: describes cyber crimes and punishment (8)
• Any person who attempts to commit any of the crimes stipulated in this Law shall be subject to a punishment not exceeding half the maximum punishment designated for said crimes.
Saudi Arabia Anti-Cyber Crime Laws
• Article 11: describes cyber crimes and punishment (9)
• The competent court may exempt an offender from such punishments if he informs the competent authority of the crime prior to its discovery and prior to the infliction of damage.
• If the culprit informs the competent authority after the occurrence of the crime, the exemption from punishment shall be granted if the information he provides eventually leads to the arrest of the other culprits and the seizure of the means used in the perpetration of the crime.
Saudi Arabia Anti-Cyber Crime Laws
• Article 12:
• Application of this Law shall not prejudice (conflict with) the provisions of relevant laws, especially those pertaining to intellectual property rights, nor relevant international agreements to which the Kingdom is party.
Saudi Arabia Anti-Cyber Crime Laws
• Article 13:
• … the web site or the venue where the service is provided may be shut down permanently or temporarily if it is the source for perpetrating the crime and the crime is committed with the owner's knowledge.
Saudi Arabia Anti-Cyber Crime Laws
• Article 14:
• The Communications and Information Technology Commission (CITC), pursuant to its powers, shall provide assistance and technical support to the competent security agencies during the investigation stages of such crimes and during trial.
Saudi Arabia Anti-Cyber Crime Laws
• Article 15:
• The Bureau of Investigation and Public Prosecution shall carry out the investigation and prosecution of crimes stipulated in this Law.
