Blogs

The Importance of Learning from the Saudi Experience to Develop a Comprehensive Information Security Strategy in Syria

The Importance of Learning from the Saudi Experience to Develop a Comprehensive Information Security Strategy in Syria

The cyber world is an exceptional domain that does not adhere to the traditional rules governing the physical world. It cannot be understood through conventional human concepts. For instance, in the physical world, power is the opposite of weakness—an individual becomes stronger by overcoming their weaknesses. However, in the cyber world, the more advanced a state’s cyber capabilities and digital governance become, the more security vulnerabilities it faces. Despite the rapid advancement of modern technology, establishing a quick cybersecurity framework in a country like Syria today would only lead to temporary, emergency measures that may provide short-term solutions at best.

It is also crucial to recognize that fixing a flawed cyber infrastructure is often more costly than building it from scratch, in terms of financial resources, human capital, and time. Cybersecurity, by its nature, does not adhere to conventional logic; it is largely the result of accumulated expertise and learning from the experiences of others. This is why allied nations often share their cybersecurity expertise.

In this article, I recommend that the Syrian government work towards establishing a comprehensive information security strategy for all government institutions, agencies, and companies operating with the government. It should also draw on the expertise of Arab nations, particularly Saudi Arabia.

My choice of the Saudi information security model is based on two key factors: a geopolitical reason and a practical analytical reason.

The Geopolitical Factor

Saudi Arabia has been subjected to intense cyberattacks aimed at sabotage, data theft, and espionage, primarily from Iran and Israel. These are the same two nations that have a vested interest in cyber sabotage and espionage in Syria. Saudi Arabia appears to have developed significantly advanced cyber capabilities to counter Iran and Israel, both of which possess highly sophisticated cyber arsenals.

In addition to state-sponsored attacks, Saudi Arabia also faces financially motivated cyberattacks, with hackers seeking financial gains from a wealthy nation. This has placed Saudi Arabia at the top of the list of countries targeted by ransomware attacks.

The Practical Factor

Two years ago, I conducted a comparative study of the Saudi and Dutch information security models. My motivation for this comparison was that both countries faced cyberattacks from the same adversary—believed to be Iran—around the same time.

In June 2011, the Dutch company DigiNotar, which issued digital security certificates for major websites worldwide, was hacked. The breach resulted in the issuance of over 500 fraudulent security certificates for untrusted websites, leading to many Dutch government websites being classified as unsafe.

A few months later, Saudi Aramco was targeted in a cyberattack that disabled approximately 35,000 of its computers. At the time, this was described as the largest cyberattack in history. While Iran did not officially claim responsibility for either attack, U.S. intelligence reports, based on government investigations, confirmed that Iran was behind them.

My goal in comparing the Saudi and Dutch approaches was to understand how each government developed its cybersecurity strategies and the measures taken after these breaches. Despite ongoing cyberattacks against both countries, particularly from Iran, we rarely hear of major security breaches like those of the past.

Key Findings

• Saudi Arabia established a unified information security strategy for government institutions in 2014. Before this, cybersecurity policies were left to individual ministries and agencies. The 2014 framework was made mandatory for all government institutions and designed flexibly to serve as an overarching guideline. Each institution could then develop its own security measures under this framework, tailored to its size, scope, workforce, and risk level.

• The Netherlands implemented its mandatory government-wide information security framework in 2019. This model categorizes security measures into three levels—low, medium, and high—allowing each institution to adopt a suitable level based on a comprehensive risk assessment, which is periodically reviewed.

• Saudi Arabia’s approach treats information security as a continuous process rather than a one-time project. It integrates cybersecurity into ongoing operational workflows while applying structured project management principles for implementation.

• The Saudi model prioritizes human factors in cybersecurity. Recognizing that people drive technology, it mandates awareness and training programs tailored to employees’ roles and responsibilities.

• Saudi Arabia’s framework incorporates diverse international expertise. While aligning with global cybersecurity standards, it also integrates best practices from U.S. federal security policies and their German counterparts, alongside Saudi national regulations derived from local experience.

Conclusion

It is beyond the scope of a single article to provide a comprehensive analysis of the strengths and weaknesses of government cybersecurity models. However, I want to highlight a deliberate choice I made in this discussion: I have blurred the lines between information security and cybersecurity. This is because, in advanced nations, cybersecurity strategies are built upon well-defined and comprehensive information security frameworks.

In Syria’s case, it is likely that successive governments under the Assad regime have never seriously pursued such an initiative. This leaves the current government with an urgent responsibility to establish a comprehensive information security strategy without missing the opportunity to learn from countries with similar geopolitical challenges and strategic visions.

Hassan Al-Khatib – Syria TV

12-02-2025