Preparedness of Saudi Arabia to Defend Against Cyber Crimes: An Assessment with Reference to Anti-Cyber Crime Law and GCI Index

With the increasing popularity of ICT, cyber-crimes have increased rapidly. Countries across the globe have made the necessary interventions to ensure cyber-security. Saudi Arabia has been the worst victim of cyber-crimes in the Gulf region. This article investigates the preparedness of Saudi Arabia to defend itself against cyber-crimes. In order to combat against cyber-crimes, Saudi Arabia formed the anti-cybercrimes law in 2007. Global Cyber-security Index of 2017 has placed Saudi Arabia in the maturing stage behind the leading nations. Anti-cybercrimes law covers essential areas to fight against cyber-crimes and states their punishments. However, it is found to be deficient to protect against identity theft, invasion of privacy, cyber-bullying etc. This research finds Saudi Arabia semi-prepared to defend itself against cyber-crimes. In order to be among the leading nations of cyber-security; Saudi Arabia needs to strengthen its anticybercrimes law, cyber-security regulations and national cyber-security authority. It needs to develop cyber-security strategy, standards, metrics and R&D programs. It should promote home-grown cyber-security industry, incentivize cyber-security companies and enter into multi-lateral agreements.

In order to recover from the attack, Aramco has to restrict remote internet access to its online resources for 10 days (Bronk & Tikk-Ringas, 2013). Shamoon 2.0 Variants of Shamoon virus attacked Saudi Arabia on 17 th November 2016, 29 th November 2016 and 23 rd January 2017. It was called Shamoon 2.0. It was estimated that this virus affected 15 Saudi government agencies and organizations (Smith, 2017). StoneDrill While investigating Shamoon 2.0 malware, Kaspersky Lab discovered a previously unknown wiper malware, called StoneDrill. StoneDrill had several style similarities to Shamoon 2.0. However, it had multiple embedded factors and techniques to allow for invasion of detection. Along with Shamoon 2.0, this malware also targeted Saudi organizations (Kaspersky Lab, 2017).

Cyber of emotion
On 15 th August 2015, a Saudi group called "cyber of emotion" hacked more than 24 government websites over a period of 2 hours. Prior to hacking the websites, the hackers warned the administrators about the lack of security in websites and asked them to improve websites security. The websites that were hacked included those of government hospitals, municipalities, education departments, social development offices and health departments (HackRead, 2015). APT On 20 th November 2017, Saudi Arabia's National Cyber Security Centre (NCSC) detected a Advanced Persistent Threat (APT) targeting Saudi Arabia. APT used spear phishing attacks to infiltrate computers in Saudi Arabia. Emails were found to contain infected Microsoft Office files (Walker, 2017). Triton In August 2017, a cyber-attack was launched against a petrochemical plant of Saudi Arabia. The attack caused the abrupt disruption of plant operations. Due to a flaw in the coding of the malware, it could not cause the intended damage (Sutton 2018).

CYBER CRIMES AND LEGAL FRAMEWORK
The incidents of cyber-crime have increased around the globe. So, it is necessary to ensure cyber-security. Developing adequate technological arrangements for cyber-security is essential. However, developing a legal framework that enables cyber-security is also essential. Every country should develop basic criminal laws against cyber-crimes in order to promote the trust and confidence of users in cyberspace. Since, there are many types of cyber-crimes, so it is difficult to draft legislations for each of them. However, any cyber-security legislation should cover some essential areas. Sadowsky et al. (2005) contributed a paper to the United Nations ICT Task Force Global Forum on Internet Governance (New York, 25 -26 March 2004). According to Sadowsky et al. (2005), countries cyber-security legal system should broadly address data interception, data interference, system interference and illegal access. So, any anti-cybercrime legislation should address each one of them. These are discussed below: • Data interception -It should be prohibited to intentionally intercept non-public transmission of computer data without authorization. This crime violates the confidentiality of communications and causes individuals to loose trust. It should be illegal to intercept the email and other electronic communications of another person. In some countries, interception of telephonic conversations (without prior legal sanction by a court order) is illegal (e.g., USA). The same laws may be extended to interception of electronic data. • Data interference -No one should intentionally delete, damage, alter, degrade or suppress data in someone else's computer without authorization. So, intentionally sending viruses that delete files, hacking a computer, changing or deleting data without authorization, or hacking a web site and changing its appearance, would be examples of cyber-crimes. Here, the element of intentionality is important. Otherwise producing defective software or unintentionally forwarding a virus would be a cyber-crime. • System interference -No one should input, transmit, damage, delete, deteriorate, alter or suppress data in another person's computer without right. If anyone causes serious hindrance in the working of a computer system without right, it should be a cybercrime. So, denial of service attacks or introducing viruses into a system to disrupt its normal functioning are cyber-crimes. It is important that this offence is invoked when there is a significant harm (e.g., a certain threshold of monetary loss). Otherwise, ordinary online behavior, such as sending one or few unsolicited e-mails would also be a crime. • Illegal access -This crime involves intentionally accessing other person's computer system without having rights. It is the cyberspace equivalent of trespassing. Illegal access compromises the confidentiality of the stored data and therefore is analogous to illegal interception. This crime must be carefully defined, otherwise it may include common and harmless activities. In the most serious cases, the act of illegal access is part of other crimes, such as data interference.
Common concepts of the criminal law such as "attempt" or "aiding and abetting" can also be applied to anti-cybercrime law. For example, launching a virus with intent to disrupt service might be a crime under the concept of "attempt" even if the virus didn't work as intended.
Similarly, if a nation's law has the concept of "aiding and abetting", it might be applied to cybercrime. For example, if a person intentionally produces a virus and provides it to another person knowing that it will be used to destroy data or interfere with a system. Then first person may be guilty of data or network interference caused by the virus even if the virus was introduced into a network by someone else.

SAUDI LAW ON CYBER CRIMES
Saudi Arabia formed the Anti-Cyber Crime Law (ACCL) in March 2007. ACCL defines unauthorized access as the deliberate, unauthorized access by any person to computers, websites, information systems and computer networks. This law identifies certain cyber-crimes and determines their punishments. The salient features of Saudi Anti-Cyber Crime Law (ACCL) along with its legal provisions are shown in Table 2 (ACCL, 2007): Spying on, interception or reception of data transmitted through an information network or a computer without legitimate authorization is a cyber-crime (Article 3(1)). Article 3 states the punishment for this offence as "imprisonment for a period not less than one year and a fine not exceeding five hundred thousand Saudi riyals or either punishment." Prevention of data interference Hacking a website with the intention to change its design, destroy, modify or occupy its URL is a cyber-crime (Article 3(3)). Article 3 requires its punishment as "imprisonment for a period not less than one year and a fine not exceeding five hundred thousand Saudi riyals or either punishment." It is a cyber-crime to halt an information network, or destroy, delete, leak or alter existing or stored programs or data (Article 5(2)). Article 5 specifies the punishment for this offence as "imprisonment for a period not exceeding four years and a fine not exceeding three million Saudi riyals or either punishment." Prevention of system interference Unlawful access to an information system with the intention to obtain data to jeopardize the internal or external security of the state or its national economy is a cyber-crime (Article 7(2)). Article 7 states the punishment for this cyber-crime as "imprisonment for a period not exceeding ten years and a fine not exceeding five million riyals or either punishment." Prevention of illegal access Unlawful access to computers with intention to threaten or blackmail any person to compel him to take or refrain from taking any action is a cyber-crime (Article 3(2)). Article 3 stipulates the punishment for this crime as "imprisonment for a period not less than one year and a fine not exceeding five hundred thousand Saudi riyals or either punishment." Illegally accessing bank or credit data or data pertaining to ownership of securities with the intention of obtaining data, information, funds or services is a cyber-crime (Article 4(2)). Article 4 specifies punishment for this cyber-crime as "imprisonment for a period not exceeding three years and a fine not exceeding two million Saudi riyals or either punishment." Unlawful access to computers with intention to delete, erase, destroy, leak, damage, alter or redistribute private data is a cyber-crime (Article 5(1)). Article 5 states punishment for this cyber-crime as "punishment for a period not exceeding four years and a fine not exceeding three million Saudi riyals or either punishment."

Prevention of invasion of privacy
Invasion of privacy through the misuse of camera-equipped mobile phone and other equipments is a cyber-crime (Article 3(4)). For this cyber-crime, article 3 stipulates the punishment for this cyber-crime as "imprisonment for a period not less than one year and a fine not exceeding five hundred thousand Saudi riyals or either punishment." Maintenance of public order and morals Production, preparation, transmission, or storage of electronic material which has a negative effect on public order and public morality is a cyber-crime (Article 6(1)). The construction of any website that promotes or facilitates human trafficking is a cyber-crime (Article 6(2)). The preparation, publication and promotion of material for pornographic or gambling sites that violates public morals is a cyber-crime (Article 6(3)). The construction of any website that demonstrates methods of use or facilitates dealing in narcotic or psychotropic drugs in a cyber-crime (Article 6(4)). Article 6 determines the punishment of these crimes as "imprisonment for a period not exceeding five years and a fine not exceeding three million riyals or either punishment." Prevention of cyberterrorism The construction of a website to facilitate communication among members of terrorist organizations, financing them, promoting their ideologies etc. is a cybercrime (Article 7(1)). Article 7 stipulates the punishment for this cyber-crime as

Feature(s)
Legal Provision(s) in Saudi Anti-Cyber Crime Law of 2007 "imprisonment for a period not exceeding ten years and a fine not exceeding five million riyals or either punishment." Prevention of attempt to commit cyber-crime Any person who attempts to do any cyber-crime mentioned in Saudi ACCL shall be subject to a punishment not exceeding half of the maximum punishment designated for that crime (Article 10). So, Saudi ACCL prevents the attempt to commit cyber-crimes even if they were unsuccessful. Investigation and prosecution bodies According to Article 14 of the Saudi ACCL, the Communications and Information Technology Commission will provide the assistance and support to competent security agencies during the investigation and trial of cyber-crimes. The Bureau of Investigation and Public Prosecution will carry out the investigation and prosecution of cyber-crimes (Article 15).
From Table 2, it is clear that Saudi ACCL has the necessary features to ensure cyber-security. However, there are still areas of improvement for the Saudi ACCL to become more effective. They are discussed in Table 3 (ACCL, 2007):  (Almerdas, 2014). ACCL of 2007 does not criminalize transferring and possessing of data and programs for the purpose of identity theft. So, ACCL cannot deal with those who transfer or sell credit card details of individuals (Almerdas, 2014).

Privacy of data
The term "personal data" is not defined by the ACCL. There are no formal registration requirements before the processing of data. Also, it does not define data controller. So, the provisions to protect the privacy of data are inadequate. Cyber bullying Saudi Arabia faces the problem of cyber bullying. However, it is not defined in ACCL of 2007. Aiding and abetting Saudi ACCL does not contain provisions related to "aiding and abetting" to commit cyber-crimes.

COMPARISON OF SAUDI CYBER SECURITY PREPAREDNESS WITH LEADING COUNTRIES
All countries face the threat of cyber-crimes. However, all countries are not equally prepared to counter cyber-crimes. There are differences among countries in terms of awareness, understanding, knowledge, strategies, capabilities and programs for cyber security. So, International Telecommunication Union (ITU) with help of international partners in public and private sectors has prepared the Global Cyber-security Index (GCI) in 2017. Each country's level of preparedness for cyber-security is assessed by commitment to 5 pillars given in GCIlegal, technical, organizational, capacity building and cooperation (GCI, 2017).
GCI has classified countries into 3 categories based on their cyber-security preparedness. It is shown below (Financial Express, 2017): • Saudi Arabia is in the maturing stage and ranked 46 in the GCI (2017). It needs to further strengthen its cyber-security mechanisms to be among the leading nations.

ASSESSMENT OF SAUDI ARABIA'S PERFORMANCE ON 5 PILLARS OF GLOBAL CYBER SECURITY INDEX
The performance of Saudi Arabia is assessed on the 5 pillars of cyber-security of GCI index. The best practices adopted by the countries that are leading in the particular indicator of the respective cyber-security pillar are investigated. Subsequently, the performance of Saudi Arabia in each indicator of the respective cyber-security pillar is compared with leading nations.

Legal Pillar
The legal pillar considers practices in national cyber-crime legislation regarding unauthorized access, data and system interference, and mis-use of computer systems. The performance of Saudi Arabia as per the indicators of legal pillar is assessed in Table 4 (GCI, 2017): . New Zealand has a developed a 3-tiered training programs for specialist cyber staff, investigators and frontline staff (New Zealand's Cyber Security Strategy, 2016). Saudi Arabia also has a good setup to provide training on regulations and laws. So, its performance is assessed as high in this indicator. 4 Overall High Overall, Saudi Arabia has performed satisfactorily in the legal pillar of cyber-security. However, it needs to strengthen its anticybercrimes legislation and cyber-security regulations.

Technical Pillar
The technical pillar illustrates practices in areas like existence of technical institutions, industry standards, certification, child online protection etc. In order to assess the performance of Saudi Arabia in technical pillar, we state a few terms used in Table 5. CERT stands for Computer Emergency Response Team. CIRT stands for Computer Incidence Response Team. CSIRT stands for Computer Security Incidence Response Team (Shierka et al., 2015). The performance of Saudi Arabia as per the indicators of technical pillar is shown in Table 5 (GCI, 2017):  , 2017). Saudi Arabia has adopted an executive resolution on child protection in 2015 (NATLEX, 2015). So, it has scored high in this indicator. 7 Overall High Overall, Saudi Arabia has performed satisfactorily in the technical pillar of cyber-security. However, it needs to establish sectoral specific CERTs as well as develop standards and certifications for professionals.

Organizational Pillar
The organizational pillar depicts practices in areas like existence of a cyber-security strategy, responsible agency and cyber-security metrics. The performance of Saudi Arabia as per the indicators of organizational pillar is shown in Table 6 (GCI, 2017):  (UK Government, 2016). Russia adopted its doctrine of information security in 2000 and updated it in 2016. Each government entity in Russia performs an annual audit of its networks and systems in line with this doctrine (MoFA, 2016). Canada also possesses a cyber-security strategy and updated it in 2016 using public consultation (Solomon, 2016). However, Saudi Arabia is still developing its national cyber-security strategy. So, it scores low in this indicator. 2 Responsible agency Average Singapore has established cyber-security council in 2015 to oversee the implementation of cyber-security strategy, operations, education, outreach and eco-system development (https://www.csa.gov.sg/#). Saudi Arabia has set up a national authority for cyber security to protect its networks, systems and data. The authority aims to defend national security and sensitive infrastructure. This authority is headed by the Minister of Interior (Reuters, 2017). However, Saudi Arabia needs to further strengthen this authority. So, Saudi Arabia scores average in this indicator. 3 Cyber-security metrics Low Netherland uses cyber-security metrics to annually review cyber-security threats and development of cyber-security counter measures. This review is published in the annual publication called Cyber Security Assessment Netherlands (2018). Saudi Arabia has yet to implement any such measure. So, it scores low in this indicator. 4 Overall Low Overall, Saudi Arabia has scored low in organizational pillar. It needs to develop its cyber-security strategy, strengthen its cyber-security authority and develop pertinent cyber-security metrics.

Capacity Building Pillar
The capacity building pillar involves technical elements and human resources to combat cybercrimes. It includes standardization bodies, best practices of cyber-security, research and development programs, raising public awareness, cyber-security education and training, cyber-security incentives for organizations etc. The performance of Saudi Arabia as per the indicators of capacity building pillar is shown in Table 7 (GCI, 2017):  (Esidross, 2018). According to "Kingdom of Saudi Arabia -Cyber Readiness at a Glance" report from the Potomac Institute of Policy Studies, Saudi Arabia has increased its cyber-security awareness and capability (Hathaway et al., 2017). So, it ranks high in this indicator. 5 Professional training courses High Bulgaria has established International Cyber Investigation Training Academy (ICITA) in 2009 to improve the qualifications of cyber-security specialists. ICITA has conducted a number of professional training courses to achieve its aims (https://e-crimeacademy.com/). Saudi Arabia has also made good progress in conducting professional training courses in cyber-security. So, it ranks high in this indicator. 6 National education programs and academic curricula High Germany has several education programs and academic curricula related to information security (IS Details has yet to establish such incentive programs for its companies. So, it ranks low in this indicator. 8 Home grown cyber-security industry Low Ireland has a favorable business environment, low taxes, talented pool of highly-skilled cyber-security individuals and good base for access to European markets. So, it has made a good progress in developing a home-grown cyber-security industry (Hunt, 2016). Saudi Arabia has yet to made progress in developing a home-grown cyber-security industry. So, it scores low in this indicator. 9 Overall High Overall, Saudi Arabia has scored high in capacity building pillar of GCI (2017). However, it needs to develop cybersecurity R&D programs. It needs to provide incentives to its companies to adopt cyber-security framework. Also, it needs to develop home-grown cyber-security industry.

Cooperation Pillar
Cooperation pillar considers collaborative efforts in cyber-security among nations in national and international domains. It also considers collaborations between public and private sector, as well as inter-agency partnerships. The performance of Saudi Arabia as per the indicators of cooperation pillar is shown in Table 8 (GCI, 2017):

CONCLUSION
With the expansion of ICT networks, devices and services; cyber-crimes are also increasing. Cyber-crimes threaten any nation's financial position and security. Billions of dollars are lost each year globally in cyber-crimes. Millions of people world-wide have been the victims of various kinds of cyber-crimes. So, it is essential for countries to develop the necessary defense mechanisms against cyber-crimes. The countries need to ensure that they have the necessary technological and legal framework to protect themselves against cyber-crimes.
Over the years, Saudi Arabia has witnessed multi-fold increase in the number of internet users. It is also victim of rising cyber-attacks. Saudi Arabia has faced the highest number of cyberattacks among the Arab countries. Most Saudi institutions have experienced some form of cyber-crime.
In order to defend against cyber-crimes, Saudi Arabia formed the anti-cybercrimes law in 2007. This law identifies various cyber-crimes and determines their punishments. This law covers essential areas to combat cyber-crimes like prevention of data interception, data interference, system interference and illegal access. It also contains provisions to protect against invasion of privacy, maintenance of public order and morals, and prevention of cyberterrorism. At the same time, it penalizes attempt to commit cyber-crimes even if they were unsuccessful. It also states the investigation and prosecution bodies against cyber-crimes. However, this law does not protect adequately against identity theft in non-financial matters and transferring and possessing of data. It does not protect privacy of data sufficiently. Cyber bullying is not defined in this law. Also, it does not contain provisions regarding "aiding and abetting" to commit cyber-crimes.
In order to determine the preparedness of countries to defend against cyber-crimes, ITU has developed the Global Cyber-security Index (GCI). Singapore is ranked 1 st , US is ranked 2 nd and Saudi Arabia is ranked 46 th in GCI. Saudi Arabia is grouped in maturing stage of GCI. The performance of Saudi Arabia is assessed against the 5 pillars of cyber-security given by GCIviz. legal, technical, organizational, capacity building and cooperation. Saudi Arabia has performed satisfactorily in the legal, technical, capacity building and cooperation pillars. But its performance is assessed as low in the organizational pillar.
Saudi Arabia has set up good training programs on its cyber-security law and regulations. It has established a national CERT, developed cyber-security standards for organizations and adopted an executive resolution on child protection in 2015. It has developed a cyber-security framework, created cyber-security best practices, launched cyber-security public awareness campaigns, conducted cyber-security professional training courses, and created cyber-security national education programs and academic curricula. It has signed bilateral agreements on cyber-security with leading nations and participates actively in international forums. It is also developing public-private as well as inter-agency partnerships regarding cyber-security.
However, Saudi Arabia needs to improve in certain areas to be among the leading nations of cyber-security. It needs strengthen its anti-cybercrimes law and cyber-security regulations. It needs to establish sectoral CERTs, and develop standards and certifications for professionals. Further, it needs to create a national cyber-security strategy, strengthen its national authority for cyber-security and develop cyber-security metrics. It needs to develop R&D programs, provide incentives to its companies to enhance cyber-security, and promote home-grown cyber-security industry. Also, it should enter into multi-lateral agreements in cybersecurity.Based on the above, it can be stated that currently Saudi Arabia is semi-prepared to defend itself against cyber-crimes. By improving in the necessary areas, it can be among the leading nations of cyber-security.