The Saudi Arabian government has recently drafted tough new laws targeting electronic crimes; NME spoke to Dr Abdulrahman Al-Shenaifi, senior advisor on IT and security to the Saudi interior ministry.
Network Middle East: Looking at the cybercrime laws, what are you involved in at the moment in Saudi Arabia – what is your main focus with the laws?
The cybercrime unit is part of the security organisation – the public security section of the Ministry of the Interior of Saudi Arabia – within the investigations unit. I’m in charge of building this unit to fit in with the direction of the MoI (Ministry of the Interior), and we will be closing the RFP in a few weeks; it’s the newest addition to the public security system for fighting crimes. It’s going to be very challenging work – we will be establishing our forensic labs, we will be training our staff to manage this technology, and also training investigative officers in cybercrime. In the end, we’d like to create what I call cyber-cops – to fight cyber-crooks. This unit is going to be built on advanced technology, with a vision put forward to really achieve the highest mode of fighting crimes in cyberspace. We will create a data centre specially to host the system, and to support the unit’s efforts in fighting crimes.
NME: Is this the project you’re working on with HP ProCurve?
We are adopting ProCurve networking technologies in our organisation. We found that the ProCurve integrated solution fits our vision very well, in addition to its security and reliability properties. And I found the staff of ProCurve to be very forthcoming – they like to assist in every way they can, and also to enhance our credibility as an organisation. They also like to work as a partner, combining our vision with their technologies, so that we could adopt a progressive mode in adopting a lot of different technologies. They add a touch of humanity to technology.
NME: One of the problems with cybercrime is much of it tends to occur outside of the target country – how will you be liasing with other police organisations?
The world is fighting cross-border crimes through Interpol, the international police organisation. In cybercrime – borders do not exist, but with the help of a lot of friendly countries, Interpol can coordinate their activities to fight a lot of such crimes. Of course, we will look forward to seeking a lot of assistance from advanced countries in the East and the West, to assist in fighting crime that does not happen on Saudi soil. And they will use our abilities to fight crime committed from within Saudi Arabia in another country. We have to coordinate, because this is the new theatre of war – there is information warfare going on. A lot of people can see this.
NME: A lot of enterprises are becoming increasingly worried about security, but many of them still do not have dedicated IT security people. What advice would you give to enterprise network and IT managers on how they should tackle their security infrastructure at the moment?
My advice would be simple – stop buying stuff for coffee and tea, and start buying a lot of software and hardware to protect your organisation. Any organisation which does not allocate enough resources to protect its vital assets – its information – deserves to be hacked, in my opinion. Because they should take care of their information, which is their asset, especially when looking at organisations which deal in research, laboratories, developing new products; they generate a lot of classified information which belongs to the organisation. They should create awareness programmes, they should hire a professional information security officer to draft an effective policy on how to handle information. They also need to involve top management with the issue – once they involve top management, they will get a lot more resources. Technical staff should raise the level of their concerns about securing their assets to the top.
NME: Sometimes CEOs are not technical at all, and don’t see IT as relevant or important – is there any way to demonstrate the threat
Do penetration testing, to show them how weak their systems are – bring the senior management in to see the reality they are facing, see their systems are not completely secure. We are not protecting a physical environment, with high walls and guards – we are protecting a system which is connected to the outside world, through networking and the internet and a lot of media. Show them their system is vulnerable. Awareness programmes are one way, but if they don’t work , break the system! Penetrate it, and tell them that’s the weak spot – that will attract their attention.
NME: At the moment it is very hard to hire security professionals in the region; what is your organisation doing to promote training of security professionals in the Middle East?
We are concentrating on training our staff, in relation to managing our systems and securing our systems. The first step in securing your systems is securing your network, from inside and outside – that is why we are introducing new software from Sphere networks. This is already installed, and it is facilitating the job of the network managers to see the environment around the network. So any penetration that gives them an edge on detecting a threat before it gets into the system. Besides this, having a good staff which really knows what they’re doing in security. You also need vision and leadership – a lot of technical projects cannot be achieved, because they lack vision and leadership. If you have those, I think you will end up by having good and secure systems. You cannot assess security as ever being 100%, but what security means is you have barriers, just like a country having an army, an air force, a missile defence system, an intelligence system, a counter-insurgency system – just like that. But this is a different world, this is a world that you cannot see, going into the network environment. My network, or any network, can be used by my adversaries – I don’t know whether the guy using the network is a friendly neighbour, or a hacker sitting in a dark room.
NME: In terms of getting leadership and technical vision, do you think organisations should consider investing in specialists from abroad and import someone who has had experience in enterprise security?
Of course, absolutely – if you don’t have the skills, bring in someone who has and have them train your staff. I know it’s very costly to bring in security experts, but you have to put the resources in. Then you need to have this knowledge transferred to your staff, and your staff can pick it up from that point. But you have to keep on training them, because the weapons are changing – if you can use a gun, the bad guy might have a missile. You should have a system that defends you. All the time the systems are changing, and you need to keep up-to-date, on the threats and the defence mechanisms. The market is full of weapons – information warfare weapons. But these are virtual weapons – you cannot see them, they are signals. There are surveillance weapons, weapons that can track, sniffing concepts, even physical weapons based on magnetic field concepts – EMP (electro-magnetic pulse) that are extremely dangerous, and could burn out every chip in an organisation. These are not in the hands of everybody, because there are thousands of viruses and programs on the internet – take one, and send it – that’s all you have to do.
NME: A significant number of people in the Middle East don’t think security is something which affects them – that it’s only the US and Europe that are targeted; what would you say to that?
I think they are fooling themselves. They should see reality as it is – once you connect, you are not alone, whether you tap in in England, in America, in the Middle East, anywhere. Once you connect to an outside network, you are not safe – you need to put up barriers, protect your network inside and outside, and watch what’s going on. Create an environment to secure your system, your network, through professionalism and training – raise the level of awareness, in both technology and security. Everything can be open.