venerdì 10 febbraio 2017
excerpt from the "Cyber Strategy & Policy Brief (Volume 11/12 - November/December 2016)"
Despite hugely moving ahead with modernization and digitalization of its national infrastructures and relative procedures, Saudi Arabia still seems backward in its capacity to ensure high cyber security standards for its main strategic assets, turning out to be the main target of cyber attacks in the Middle East still now.
On the one hand, in fact, the ambitious aim of the recent "National Transformation Program 2030" is to create a long-term, real, cutting-edge digital ecosystem, active in all the 24 governmental agencies involved in Saudi economic development. To this end, the government intends to invest 268 billion Riyal (over 66.5 billion Euro) in the first five years of program implementation. Nevertheless, on the other hand, the Saudi government still seems to be highly backward in cyber security, from the technical, legal, policy and especially strategic standpoints.
The recent wave of cyber attacks undergone last mid-November by several Saudi governmental agencies is in fact a confirmation of what just said, with agencies included such as the Central Bank, the Ministry of Transportations and the General Authority for Civil Aviation, forced to stop their activities for some days further to massive cancellation of the data necessary to operate their information systems.
Although the information available is still very limited, the companies that have examined the malware used (Disttrack Wiper - W32.Disttrack.B) have highlighted its evident similarity with Shamoon: the malware probably used by Iran in 2012 to hit some Saudi companies active in the energy field - such as Saudi Aramco - that, even in that case, canceled the critical data necessary to operate information systems.
Such a similarity in objectives and means, together with the constant diplomatic tensions between Saudi Arabia and Iran, have led most of the analysts to point at the Iranian government once again.
After all, as examined in detail in February 2016 Cyber Strategy & Policy Brief, it is a long time since Saudi Arabia and Iran have been resorting to an equivalent retaliation strategy (also known as "Tit-for-Tat"), employing also cyberspace as a provocation or reaction tool.
The February issue, in fact, anticipated that, following the umpteenth interruption of diplomatic relations between the two countries, it was likely that the Iranian government could resort to its cyberspace as the main battlefield against Saudi Arabia in order to prevent excessive escalation.
Nonetheless, in light of the limited information currently available, such a preliminary examination phase cannot exclude a priori other theories.
Hence, it might as well be likely that third parties - almost certainly State actors or State-supported actors - simulated a cyber attack coming from Iran to try and jeopardize Iran-Saudi Arabia relationships in the lead-up to the deal to reduce daily crude oil production - the agreement was then actually signed by Saudi Arabia and Iran at the 171st meeting of the Organization of the Petroleum Exporting Countries (OPEC).
The following must be specified on this theory, though.
First, such a cyber attack - what´s more conducted against only one of the actors involved - would have unlikely undermined Saudi Arabia-Iran diplomatic relationships at such a point to make a deal on such a relevant matter fall through. As a confirmation of the above, the agreement has been reached in any case, despite what happened.
Secondly, instead, it seems difficult to find a third State that is not only prepared to conduct coordinated cyber attacks on several medium-high level Saudi targets, but is especially able to take advantage from the desired failure for the governments of the two countries to reach an agreement. Yet, an analysis of the scenario shows that United States, Russia and the other main players having both these features shall all take economic advantage from such a deal. This, in fact, makes a possible motive fail and the above-mentioned theory, maintained by most of the international media, sway even more.
Talking about further theories, the possibility that an attack has been carried out by groups supported by the Iranian government or someway linked to other countries opposing the Saudi government might be likely as well. Such individuals, in fact, might want to check abilities and highest capabilities of Saudi Arabia and its main public and private entities, so as to cause limited political and economic damages in the short term, and especially acquire valuable information for possible future warfare in and through the cyberspace.
To conclude, setting aside those who are really behind this last wave of cyber attacks, the overall analysis of the strategic and political activities carried out up to now by the Saudi government clearly shows that the several and huge economic investments Saudi Arabia has made actually lack a strategic and regulatory connection, able to play a fundamental boosting role for the public and private sector, as well as linking them in view of a mutual cooperation.
Although the Saudi government´s 2013 National Information Security Strategy clearly stressed the need to make up for such flaws, presently the advice above still seems to be far from being implemented.
This led the main public and private Saudi actors to develop protection systems and cyber security initiatives on their own and in a non-coordinated manner, only after being the target of a cyber attack.
It is indeed desirable that Riyadh focuses at soonest its efforts on the merely technical aspects of cyber security, as well as on its legal, policy and especially strategic aspects, in order to support its great economic commitment with a clear and pragmatic strategic vision to be of help to the whole sector.