This SpringerBrief contains eight chapters and presents an overview of the evolution of the Moroccan Cybersecurity Strat
English Pages 112 [105] Year 2022
Table of contents :
Preface
Acknowledgment
Contents
About the Authors
Chapter 1: Introduction
1.1 Introduction
1.2 Economic Context
1.3 Digitalization in Morocco
1.4 Cybersecurity Laws in Morocco
1.5 Creation of DGSSI
1.6 Creation of the DNSSI
1.7 Structure
References
Chapter 2: Understanding Cybersecurity Standards
2.1 Introduction
2.2 Framework vs. Standard: What Is the Difference?
2.3 Cybersecurity Standards
2.4 NIST Framework
2.4.1 Implementation Levels of the Framework
2.4.2 Framework Profile
2.4.3 Baseline Review of Cybersecurity Practices
2.5 International Organization for Standardization ISO
2.5.1 Overview of ISO 27K Standards
Panorama of ISO 2700x Standards
Structure of ISO/IEC 27001
ISO/IEC 27002:2005 (Revised by ISO/IEC 27002:2021)
ISO/IEC 27032
Purpose of ISO/IEC 27032
Structure and Content
2.6 Conclusion
References
Chapter 3: The African View on Cybersecurity
3.1 Introduction
3.2 Africa’s Cybersecurity Gap
3.2.1 The African Union Convention on Cybersecurity and Protection of Personal Data 2014
3.2.2 Reminder of the Recommendations of the First Ordinary Session of the STCCICT-1 2015
3.2.3 Lomé Declaration on Cybersecurity 2022
3.3 Cybersecurity Policy Priorities in Africa
3.3.1 Strategic Approach
3.3.2 National Cybersecurity Framework
3.3.3 Personal Data Protection (PDP)
3.3.4 Capacity Building and Awareness
3.3.5 Strengthening Regional and International Cooperation
3.3.6 The Role of the Private Sector in Cybersecurity
3.4 Conclusion
References
Chapter 4: The Moroccan View on Cybersecurity
4.1 Introduction
4.2 Morocco: A Target for Cyber Hackers
4.3 The Global and Moroccan Cybersecurity Market
4.4 Political and Regulatory Concepts
4.4.1 Main Steps of Cybersecurity in Morocco
4.5 Advantages and Disadvantages of the Moroccan Approach: A Preliminary Balance
4.6 Conclusion
References
Chapter 5: Morocco National Cybersecurity Strategy
5.1 Strategic Foundations
5.2 The Strategic Committee for the Security of Information Systems
5.3 The National Cybersecurity Strategy
5.4 Moroccan Cybersecurity Strategy: Opportunities and Challenges
5.4.1 Insufficient Investment
5.4.2 The Need for More International Cooperation
5.4.3 COVID-19 and the Challenges of Cybersecurity
5.4.4 Towards a Moroccan Defense Agency
5.5 Conclusion
References
Chapter 6: National Cyber Resilience Strategy in a Post-COVID-19 World
6.1 Introduction
6.2 Cybersecurity and Cyber Resilience Challenges
6.2.1 Resilience: Maintain Activity During the Crisis by Managing Risks
6.2.2 Security Operation Center (SOC)
6.2.3 Reestablish an Appropriate Cybersecurity System When the Crisis Is Over
6.2.4 Adapt to the Post-Crisis Environment and Guarantee That the Company’s Strategy Is Aligned with the New Reality
6.3 Cybersecurity Strategy and Cyber Resilience in Morocco
6.4 Conclusion
References
Chapter 7: Cyber Sovereignty in Morocco
7.1 The Concept of Digital Sovereignty
7.2 The Realities of Digital Sovereignty
7.3 Digital Sovereignty in the Time of COVID-19
7.4 Cyber Threats and Digital Sovereignty
7.5 The Possibilities of Digital Sovereignty in Morocco
7.6 Cyber Sovereignty Challenges in Morocco
7.7 Conclusion
References
Chapter 8: Conclusion
References
Glossary
Index
SpringerBriefs in Cybersecurity Yassine Maleh · Youness Maleh
Cybersecurity in Morocco
SpringerBriefs in Cybersecurity
Editor-in-Chief
Sandro Gaycken, Digital Society Institute, European School of Management and Technology (ESMT), Stuttgart, Baden-Württemberg, Germany
Series Editors
Sylvia Kierkegaard, International Association of IT Lawyers, Highfield, Southampton, UK
John Mallery, Computer Science and Artificial Intelligence, Massachusetts Institute of Technology, Cambridge, MA, USA
Steven J. Murdoch, University College London, London, UK
Kenneth Geers, Taras Shevchenko University, Kyiv, Kievs’ka, Ukraine
Michael Kasper, Department of Cyber-Physical Systems Security, Fraunhofer Institute SIT, Darmstadt, Hessen, Germany
Cybersecurity is a difficult and complex field. The technical, political and legal questions surrounding it are complicated, often stretching a spectrum of diverse technologies, varying legal bodies, different political ideas and responsibilities. Cybersecurity is intrinsically interdisciplinary, and most activities in one field immediately affect the others. Technologies and techniques, strategies and tactics, motives and ideologies, rules and laws, institutions and industries, power and money – all of these topics have a role to play in cybersecurity, and all of these are tightly interwoven. The SpringerBriefs in Cybersecurity series is comprised of two types of briefs: topic- and country-specific briefs. Topic-specific briefs strive to provide a comprehensive coverage of the whole range of topics surrounding cybersecurity, combining whenever possible legal, ethical, social, political and technical issues. Authors with diverse backgrounds explain their motivation, their mindset, and their approach to the topic, to illuminate its theoretical foundations, the practical nuts and bolts and its past, present and future. Country-specific briefs cover national perceptions and strategies, with officials and national authorities explaining the background, the leading thoughts and interests behind the official statements, to foster a more informed international dialogue.
Yassine Maleh University Sultan Moulay Slimane Beni Mellal, Morocco
Youness Maleh University Moulay Ismail Meknes, Morocco
ISSN 2193-973X ISSN 2193-9748 (electronic) SpringerBriefs in Cybersecurity ISBN 978-3-031-18477-2 ISBN 978-3-031-18475-8 (eBook) https://doi.org/10.1007/978-3-031-18475-8 © The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
The outlook for risks and conflicts in cyberspace of national interest in the years 2020 and 2021 is, as in almost all areas, marked by the COVID-19 pandemic. This does not mean that many aspects that characterize cybersecurity during this period do not originate from other factors. Based on this starting point, we intend to offer a global analysis of the results of this report, considering not only the current context but also factors that are exogenous to it. A joint and delimited perspective of the main themes allows for a vision that is deemed more coherent on the subject, namely highlighting the most relevant threats, the risk perception that has developed, and the trends that are required, as in the case of the COVID-19 pandemic. It should be noted that the term “cybersecurity” emerged and found its application in the world’s major developed countries in the late 1990s and early 2000s. Subsequently, it found its recognition and application in the international communication environment during the development and signing of some international standards, declarations, appeals, and other documents in the field of international security. Major foreign countries have seen it as a substantial new essence in the national and international security field, have given it importance, and have developed and shaped its disclosure and conceptual apparatus to ensure clear understanding and communication. In this light, recognizing the paramount importance of national security, most major foreign countries have developed and promulgated several fundamental doctrinal documents on national security, such as Cybersecurity Concept, Strategy, and Policy, and others more specific. In this context, Morocco has become more attractive to foreign investment in Africa and the MENA region. All of these factors make Morocco an attractive location for cyber-attacks. 
Securing and controlling the information conveyed by information systems is becoming an increasingly pressing issue, given the growing number of cyber-attacks worldwide. How can we explain this increase in cybercrime? What are the challenges of cybersecurity in Morocco? What are Morocco’s vision and strategy for cybersecurity and cyber defense? And finally, what is Morocco’s vision for cyber resilience and cyber sovereignty? This SpringerBrief is intended as a discussion piece and aims to draw attention to the need for effective implementation and development of cybersecurity in Morocco to ensure national security in the context of the current and developing information confrontation in the international community. However, it cannot promise to provide an in-depth examination. The issue of cybersecurity is simply too wide-ranging for our purposes. This acknowledgment is meant to encourage more detailed research into the broader topics covered in this brief to better inform current approaches to national cybersecurity performance evaluation. This SpringerBrief contains eight chapters, which are intended to be a relevant reference for diplomats, executives, CISOs, cybersecurity professionals, engineers, and researchers interested in exploring and understanding Morocco and its efforts in implementing its national cybersecurity strategy.
Yassine Maleh, Beni Mellal, Morocco
Youness Maleh, Meknes, Morocco
Acknowledgment
The authors would like to acknowledge the support of the African Center for Information Technology and Cybersecurity (ARCIC).
Yassine Maleh, University Sultan Moulay Slimane, Beni Mellal, Morocco
Youness Maleh, University Moulay Ismail, Meknes, Morocco
About the Authors
Yassine Maleh is an associate professor of cybersecurity and IT governance at Sultan Moulay Slimane University, Morocco. He has held a PhD in Computer Sciences from Hassan 1st University, Morocco, since 2017. He is the founding chair of IEEE Consultant Network Morocco and founding president of the African Research Center of Information Technology and Cybersecurity. He is a senior member of IEEE and a member of the International Association of Engineers IAENG and the Machine Intelligence Research Labs. He has made contributions in the fields of information security and privacy, Internet-of-things security, and wireless and constrained networks security. His research interests include information security and privacy, Internet of Things, network security, information system, and IT governance. He has published more than 140 papers (book chapters, international journals, and conferences/workshops), 17 edited books, and 3 authored books. He is the editor-in-chief of the International Journal of Information Security and Privacy and the International Journal of Smart Security Technologies (IJSST). He serves as an associate editor for IEEE Access (2019 Impact Factor 4.098), the International Journal of Digital Crime and Forensics (IJDCF), and the International Journal of Information Security and Privacy (IJISP). He is a series editor of Advances in Cybersecurity Management by CRC Taylor & Francis. He was also a guest editor for many prestigious journals, such as IEEE Transactions on Industrial Informatics, IEEE Engineering Management Review, Big Data Journal, and Sensors. He has served and continues to serve on executive and technical program committees and as a reviewer of numerous international conferences and journals such as Elsevier Ad Hoc Networks, IEEE Network Magazine, IEEE Sensor Journal, ICT Express, and Springer Cluster Computing. He was the Publicity Chair of BCCA 2019 and the General Chair of the MLBDACP 19 symposium and ICI2C’21 Conference. He received the Publons Top 1% Reviewer Award for the years 2018 and 2019.
Youness Maleh has held a doctorate in public law and political science from Mohammed V University in Rabat since 2020. He is an assistant professor of political sciences at the University Moulay Ismail of Meknes, Polydisciplinary Faculty of Errachidia. He was a member of the Executive Board of the Al-Manara Study and Research Center in Morocco; Secretary General of the African Center for Information Technology and Cyber Security in Morocco; founding member and editor-in-chief of the Moroccan Journal of Financial and Fiscal Sciences; member of the editorial board of the Masalek Journal of Thought, Politics and Economics; and member of the editorial board of International Law and Business Journal. He has published numerous books and scientific articles. He is also an opinion writer for a group of Moroccan, Arab and international newspapers.
Chapter 1
Introduction
1.1 Introduction
In 1956, Morocco recovered its independence from France, and within a few years, it had reclaimed control of most of the regions formerly occupied by Spain. In reaction to the wave of pro-democracy uprisings spreading across the Middle East and North Africa in 2011, King Mohammed VI promised several constitutional revisions. By adopting the new constitution, the kingdom became a constitutional monarchy, with the prime minister now serving as the country’s head of government and being chosen by his party rather than the King. Despite this, the King retains his position as the supreme military commander and presides over important security policy-making institutions, the Council of Ministers and the Supreme Security Council. With its embrace of international norms and status as Africa’s de facto retreat, Morocco has solidified itself as a key regional strategic partner and leader.
An American-sponsored initiative named the “Leland Initiative,” a 5-year, $15 million endeavor to bring complete Internet access to more than 20 African nations, first brought the Internet to Morocco in 1992–1993 (USAID, 2006). MTDS, a technology and development consultancy firm based in Morocco, was responsible for the effort in Morocco. They helped launch eight Internet Gateways in Sub-Saharan Africa between 1997 and 2002. MTDS was the first Internet Service Provider (ISP) in Morocco (MTDS, 2018). Simultaneously, during the year 1993, IANA granted authority to the Ecole Mohammadia d’Ingénieurs to serve as the administrative and technical point of contact for the .ma domain and to run it in the nation. The state-owned National Posts and Telecommunications Board (ONPT) took over the technical management of the .ma domain in 1995. ONPT split into two separate entities in 2008: Maroc Telecom (Ittisalat Al-Maghrib or IAM), Morocco’s primary telecommunications provider, and Poste Maroc (Barid Al-Maghrib in Arabic), which is Morocco’s primary postal service provider.
MENA nations such as Morocco were early pioneers in creating a legislative framework for the information and communications technology sector to ensure that private businesses could compete on an equal footing. In 1996, the government passed Law no. 24-96, allowing the telecommunications industry to begin its first stage of liberalization and opening up the Internet to the general public, effectively breaking ONPT’s monopoly on the service. When IANA redesignated the administrative and technical contact for the .ma Internet domain in May 2006, the Moroccan National Telecommunications Regulatory Agency (Agence Nationale de Régulation des Télécommunications [ANRT]) was the only official domain registrar in the nation. The ANRT was given control of the .ma domain in 2015 and has since introduced .ma domain auto-provisioning (World Bank, 2022).
Toward the end of the 1990s, Morocco published various digital plans to present the country as one of the most active rising nations in the ICT industry. With the “e-Maroc 2010” plan, “Digital Morocco 2013,” followed by “Digital Morocco 2020,” and finally “Horizon 2025,” the Kingdom of Morocco committed itself very early on to its digitalization objective and now aims to become one of the major digital players on the African continent. Although the pandemic has, of course, affected this ambition, it has also increased the use of digital tools and services for professional or social purposes, notably thanks to telecommuting, which has developed in many sectors, and to e-commerce, among others. These plans were implemented as follows:
• The “Morocco 1999–2003” plan, which provided an overview of the country’s ICT strategy and potential.
• The “e-Morocco 2010” program, which ran from 2005 to 2010 and had digital inclusion and ICT industry competitiveness as its main goals (Ministry of Economic and General Affairs, 2007).
• The “2009–2015 National Pact for Industrial Emergence” (Pacte Nationale pour l’Emergence Industrielle [PNEI]), through which incentives, specific training, and other forms of support were sought to help export-oriented companies, such as offshore and ICT services.
• The “Digital Morocco 2013” strategy, the goal of which was to make the country into a regional technology center while also encouraging the growth of technical skills in the years 2009–2013 (Maroc Numérique, 2013).
• The “Digital Morocco 2020” strategy, from 2017 to 2020 (UNESCO, 2020), intended to hasten the country’s digital transformation, stimulate ICT entrepreneurship, raise the country’s worldwide standing in low-cost IT services, and cement its position as a regional leader and gateway to Africa (Maroc Numérique, 2013).
• The latest “Note of General Orientations for Digital in Morocco to 2025,” which is structured around three strategic axes and four cross-cutting pillars. The first axis, “Digital Administration,” brings together the various initiatives to ensure the Moroccan administration’s digital transformation. The second axis, “Digital Ecosystem and Innovation,” aims to ensure the accelerated development of the digital economy in Morocco. Finally, the third axis, “Social inclusion and human development,” aims to improve citizens’ quality of life through digitalization (ADD Morocco, 2020).
1.2 Economic Context
Morocco is located in the northwest of the African continent, barely 15 kilometers from Europe. It is classified as a developing country. Morocco’s GDP grew at a 2.5% rate in 2019. Morocco’s population is 36 million people. The GDP per capita changes depending on the agriculture sector’s performance and nonagricultural industries’ value-added. It has increased from $2000 in 2001 to more than $3400 in 2019. Morocco has free trade agreements (FTAs) with various nations, notably the European Union, with which it signed an association agreement in 1996. Morocco also has FTAs with the United States, the European Free Trade Association members, Turkey, and the United Arab Emirates. It also belongs to the Agadir Group, an Arab free trade zone that includes Egypt, Jordan, and Tunisia. Morocco and Canada have a long-standing trading connection. In 2019, bilateral trade was CAD 916 million. Various Moroccan companies have effectively positioned themselves across Africa during the last decade as part of Morocco’s south-south cooperation (Department of Financial Studies and Forecasting Morocco, 2022). In terms of investments in Africa, the telecommunications industry trails only the banking and insurance sectors, having a presence in around ten Sub-Saharan nations. Morocco’s foreign direct investment (FDI) stock reached USD 66 billion in 2019, an increase of more than USD 20 billion from 2010. Manufacturing receives the most FDI, followed by real estate, telecommunications, tourism, and energy. Morocco was named Africa’s most appealing country for foreign investment by the Quantum Global Research Lab in 2018. According to the World Bank’s Doing Business 2020 report, Morocco ranks 53rd out of 190 countries in the business climate, a seven-place gain over the previous year (ITU, 2022). Most of the output and jobs lost during the COVID-19 crisis have been recovered thanks to a robust economic resurgence in 2021. Real GDP, on the other hand, is still 6.4% below the pre-pandemic trend; potential growth has been declining since the early 2010s; volatile precipitations are increasingly affecting the economy; and the combined effect of the drought, rising international food and energy prices due to the war in Ukraine, and the lasting impact of the COVID pandemic may leave socioeconomic scars if properly treated (World Bank, 2022).
1.3 Digitalization in Morocco
Digitalization in Morocco has undergone a great evolution, especially in recent years. But although it has become an essential means of economic development and social transformation, digitization has its dark side (Bennis Nechba et al., 2022). Indeed, the economic opening and the transformation toward an information and communication society go hand in hand with cybercrime. Aware of the harmful capacities of this threat, which defies geographical limits, Morocco has set up a national strategy for cybersecurity and security of information systems, promoting the transformation toward the digital economy and the information and communication society. To promote this strategic choice, several projects have been carried out at the organizational and regulatory level in the digital world. These have led to the establishment of new structures, namely, the Directorate General of Information Systems Security (DGSSI) and also the Moroccan Center for Alert and Management of Computer Incidents (MA-CERT) under the direction of the National Defense and regional laboratories for analysis of digital traces and anti-cybercrime, to name a few (Maleh, 2021).
The efforts seem to be bearing fruit, at least according to the International Telecommunication Union, which has just released the 2020 edition of its Global Cybersecurity Index (GCI). Aiming to serve as a roadmap to guide national strategies, the 172-page document places Morocco in 50th place out of 194 countries, scoring 83.65 points out of 100. In detail, the kingdom obtained a score of 18.40 for legal measures, 17.94 for technical measures, 12.37 for organizational measures, 15.24 for capacity building, and 18.46 for cooperation measures. Morocco has ranked in the top 5 of the most secure countries regarding cybersecurity. The top 5 are Mauritius, Tanzania, Ghana, and Tunisia. The kingdom is well ranked in the MENA region and occupies eighth place behind Saudi Arabia, the United Arab Emirates, the Sultanate of Oman, Egypt, Qatar, Israel, and Tunisia. Morocco is also second in the Maghreb, ahead of Algeria, Libya, and Mauritania. Unsurprisingly, the United States is ranked first on a global scale with a total score of 100 points. Next are Great Britain and Saudi Arabia with 99.54 points each, followed by Estonia with 99.48 points.
The Global Cybersecurity Index 2020 notes a “growing commitment around the world to combat and reduce cybersecurity threats,” underscoring that “countries are striving to improve their cybersecurity and the rapid transition of everyday activities and socio-economic services to the digital sphere.” Globally, “half of the countries reported forming a national cyber incident response team, with an 11% increase since 2018.” Sixty-four percent of countries have adopted a national cybersecurity strategy, while more than 70% conducted cybersecurity awareness campaigns in 2020, up from 58% and 66% in 2018. In the same vein, the report points out that many challenges are eroding online trust and preventing the digital society from operating at its full potential, hence the need to establish strategies and mechanisms to build capacity and help governments and businesses better prepare for and mitigate rapidly growing cyber risks.

The Ministry of Industry, Trade, Commerce, Investment, and Digital Economy and other relevant agencies released the revised “Digital Morocco 2020” policy in 2015 (UNESCO, 2020). This plan builds on the previous digital strategies’ lessons learned and accomplishments, articulating a vision to speed up Morocco’s digital transformation, encourage the spread of ICT use among Moroccan families, increase regional competitiveness, and promote its digital economy. The new digital strategy aims to consolidate Morocco’s position as a regional digital center in French-speaking Africa while continuing to market Morocco as an attractive location for outsourced services, offshore, electronic payment, and software development (McKinsey Global Institute, 2013). Moroccan ICT infrastructure and a friendly
business climate are among the best in the area, thanks to these initiatives. With 750 million MAD, Digital Morocco 2020 aims to cut the digital gap by half through the digitalization of administrative services, free public Wi-Fi, digital literacy initiatives, and annual training of over 30,000 ICT workers by 2020, in tandem with other programs to boost Moroccan creativity and innovation. The programs supported cross-border cooperation to improve digital confidence in e-commerce, enforce privacy laws, and boost entrepreneurship in e-commerce.

To improve Morocco’s competitiveness, the government lifted a restriction on VoIP services imposed by the ANRT, which had only been in place for 10 months (and ended just a few days before the 2016 United Nations Climate Change Conference held in Marrakech, Morocco). ANRT had previously restricted and taxed VoIP service providers. The ICT sector’s operational expenses were cut by at least $320 million in the first half of 2016. The ICT sector grew steadily thanks to these new reforms. IT security, mobile services, social networks, big data, and cloud computing have increased domestic and international investment. Morocco’s well-established IT industry was bolstered by these new investments in electronic payments, software development, and IT outsourcing.

Cybersecurity goods and services are also a developing opportunity in Africa, which Morocco has also noticed. The market is expected to grow at a CAGR of 12.7% per year, from $1.33 billion in 2017 to $2.32 billion in 2020. When it comes to a favorable business climate for technology businesses looking to extend their operations into French-speaking African nations, Morocco’s ICT infrastructure and recent structural and sectorial changes have made it one of the region’s top performers. It was estimated that Moroccan ICT exports amounted to MAD 9.6 billion ($1 billion) in 2013 and that Morocco was the best African country for BPO.
Success in this area has been aided by the construction of specific technology parks (such as Casanearshore and Rabat Technopolis), which function as offshore entities while attracting enterprises with a wide range of financial benefits (e.g., low tax rates). Private sector enterprises have increased their ICT and cybersecurity needs, although the industry remains heavily dependent on government procurement (MEDZ, 2016). A large portion of Morocco’s ICT investment comes from government procurements, including e-government efforts, smart city projects, renewable energy projects, and transportation infrastructure enhancements. Moroccans are becoming more aware of the dangers and difficulties that come with engaging in online fraud, identity theft, and other forms of cyberterrorism as their use of ICT grows. Only a few incidents have indeed been reported, but with an increasingly interconnected country comes an increasing number of incidents involving “cyberterrorism,” “sextortion,” “bank card fraud,” “irregular money transfers,” “phishing scams,” and other forms of malware that target critical infrastructure. For the first time in Morocco, the 2009 National Strategy for the Information Society and Digital Economy (Digital Morocco, 2013) called for developing a national cybersecurity strategy (policy). It provided the first national governance roadmap for cybersecurity, focusing on increasing security capabilities (Hathaway & Spidalieri, 2018). To
achieve these objectives, a number of institutions and organizations were founded, including the following:
• The Strategic Committee for the Security of Information Systems (Comité Stratégique de la Sécurité des Systèmes d’Informations [CSSSI]).
• The General Directorate of Information Systems Security (Direction Générale de la Sécurité des Systèmes d’Information [DGSSI]) was created in 2011 within the Administration of National Defense (ADN) to act as a competent authority for establishing and executing the country’s national cybersecurity strategy and policies.
• The National Control Commission for the Protection of Personal Data (Commission Nationale de Contrôle de la Protection des Données, CNDP) in charge of ensuring personal data privacy.
• The Moroccan Computer Emergency Response Team (ma-CERT), under the command of the ADN, is tasked with addressing and mitigating national-level cybersecurity occurrences.
• The regional forensics laboratories for digital and anti-cybercrime trace analysis (laboratoires régionaux d’analyse de traces numériques et anti-cybercriminalité), a division under the Moroccan General Directorate for National Security (Direction Générale de la Sûreté Nationale, DGSN) that deals with cybercrimes.
1.4 Cybersecurity Laws in Morocco

Faced with the emergence of the risk of cybercrime and its growing threats, Morocco has also adopted the law 50-20 on cybersecurity (DGSSI, 2020). This law provides that administrations, local authorities, public establishments, and companies, as well as any other legal entity under public law and, in the same way, telecommunication network operators, Internet service providers, cybersecurity service providers, and digital service providers, will be required to comply with a series of security standards when they provide digital services or handle digital data. It also aims to develop digital confidence and the digitalization of the economy and, more generally, to ensure the continuity of economic and societal activities in our country. All of this is intended to promote the development of a national cybersecurity ecosystem.

In detail, the law will allow the creation of two institutions. The first is the Strategic Commission for Cybersecurity, whose mission will be, among other things, to set the broad direction of the state in cybersecurity. The second is the National Authority for Cybersecurity, whose mission will be, among other things, to execute the guidelines set by the commission.
1.5 Creation of DGSSI

In Morocco, the General Directorate of Information Systems Security (DGSSI) is responsible for providing the necessary support to government agencies, public organizations, and critical infrastructures to upgrade the security of their information systems. The DGSSI was created by decree no. 2-11-509 on September 21, 2011. It is attached to the National Defense Administration of the Kingdom of Morocco (DGSSI, 2013a). It is responsible, among other things, for monitoring technological developments and proposing the necessary innovations in information systems (IS) security.

The DGSSI works to develop secure systems for the benefit of public administrations and organizations. In the same sense, the assistance and consulting activity carried out by this department includes the support of the project owner in various projects, such as risk analysis, asset classification, or the development of IS security policies. This department also has a division in charge of conducting studies and research in cybersecurity-related areas and collaborates with national and international universities. The aim is to propose innovative solutions based on the feedback from scientific research and to contribute to open research in the field of information systems security. Moreover, the DGSSI conducts academic research in cryptography, intrusion detection, and electronic exchange security.

It should also be noted that this department is supported by the Strategic Committee for the Security of Information Systems (CSSSI), which is the authority responsible for defining strategic orientations in the area of information systems security, thus ensuring the protection of sovereign information and the continuity of operation of information systems of vital infrastructures. This committee approves the DGSSI action plan and assesses and evaluates its results.
DGSSI is responsible for the following:
• Coordinate interdepartmental work relating to the development and implementation of the state’s information systems security strategy
• Ensure the application of the directives and orientations of the Strategic Committee for Security of Information Systems
• Certify devices for the creation and verification of electronic signatures and approve service providers for electronic certification
• Carry out security audits of the information systems of public administrations and organizations, the scope and methods of which will be determined by the Strategic Committee for the Security of Information Systems
• Initiate, with the ministerial departments, a system of monitoring, detection, and alert of events affecting or likely to affect the security of the state’s information systems and coordinate the measures to be taken to this effect
The General Directorate of Information Systems Security comprises four (04) directorates:
1. Management of the Monitoring, Detection and Response Center For Computer Attacks (maCERT): This department is in charge of implementing, in conjunction with the other administrations, systems for monitoring, detecting, and alerting events likely to affect the security of the state’s information systems and for coordinating the reaction to these events.
2. The Strategy and Regulation Department: This department is responsible for proposing draft laws and regulations relating to the security of information systems, examining files relating to declarations and authorizations of regulated products, and certifying devices for the creation and verification of electronic signatures.
3. The Assistance, Training, Control and Expertise Department: This department is in charge of proposing recommendations, technical guidelines, and methods to be used to improve the level of security and to ensure the audits of the information systems of public administrations and organizations.
4. The Information Systems Department: This department is responsible for developing devices necessary to implement secure systems for public administrations and organizations.
1.6 Creation of the DNSSI

The National Directive on the Security of Information Systems (DNSSI) is a document developed by the DGSSI and published on its portal (DGSSI, 2013b). In the preamble to the DNSSI, the author explains, “The DNSSI describes the organizational and technical security measures that must be applied by public administrations and public bodies as well as vitally important infrastructures” (DGSSI, 2013b). The DNSSI consists of two parts and a glossary, an extract of which is included in the appendix. The first part of the DNSSI includes a set of provisions, the extracts of which are given below:

(a) Fundamental Principles
The DNSSI is based on the following guiding principles, which stem from the National Strategy for Cybersecurity, validated by the CSSSI on December 05, 2012:
P1. Organizational Structure: Establish an organizational structure dedicated to ISS at the level of each entity to include the preventive and reactive components necessary for cybersecurity.
P2. Information Systems Mapping: Maintain and update an accurate mapping of entity information systems.
P3. Information Systems Security Budget: Quantify and plan the budget dedicated to information systems security for each entity, both in terms of investments and human resources, and its relationship to the overall information systems budget.
P4. Administrator Control: Control and trace the management and administration operations of the entities’ information systems.
P5. Information Protection: Protect information by following a set of security rules specified in this document.
P6. Training and Awareness: Train staff, including system and network administrators and users of information systems, and make them aware of their rights and duties.
P7. National Hosting of Sensitive Data: Host on national territory the entities’ information, which is sensitive in terms of its confidentiality, integrity, or availability.

(b) Field of Application
The DNSSI applies to all the information systems of administrations, public organizations, and infrastructures of vital importance. The DNSSI applies to all personnel of these entities and third parties (employees, contractors, service providers, etc.).

(c) Implementation of the DNSSI
The DNSSI came into force as soon as it was published on December 31, 2013. As of this date:
• Each entity had 1 year to establish its compliance action plan.
• Entities’ IS must be in full compliance within 3 years.

In addition, each entity must:
• Designate an Information Systems Security Officer (ISSO)
• Establish an inventory of its information systems and assess their sensitivity
• Conduct a risk analysis for its information systems and ensure the definition of applicable security measures
• Conduct awareness and training activities on information systems security and participate in the actions undertaken in this sense by the DGSSI
• Conduct regular monitoring of the level of security of information systems and their perimeters and implement the necessary corrective actions
• Measure the resilience of their information systems through internal audits and, if necessary, simulation exercises, proof of concept, etc.
To monitor the application of the DNSSI:
• The DGSSI provides each entity with a dashboard for monitoring the application of the DNSSI as well as the technical guides for implementing the various security rules.
• Each entity draws up its annual report on the application of the DNSSI based on the aforementioned and submits it annually to the DGSSI.
• The annual report summarizes the state of progress of the organization and the application of the rules issued by the DNSSI. This report also includes a summary of the actions to ensure compliance with the DNSSI, the incidents handled, any audits carried out, and exercises carried out.

(d) Exemptions to the DNSSI
It may be necessary, in certain specific cases, to derogate from the rules set out by DNSSI. It is then up to the authority of the entity concerned to formally replace them with specific rules. For each of these rules, the derogation, motivated and justified, must be expressly granted by the CISO of the entity concerned. The decision to grant a waiver, together with the justification, is kept at the disposal of the DGSSI.
1.7 Structure

This Brief analyses public perspectives on cybersecurity, government strategies, national organizational aspects, and an outlook on gaps and priorities in Morocco’s cybersecurity policy. The remaining chapters are structured as follows:
• Chapter 2 investigates international cybersecurity standards and frameworks for organizations. The objective is to assess the state of cybersecurity in organizations and focus on best practices that can improve cybersecurity strategy.
• Chapter 3 provides an overview of the various conventions and initiatives launched by African states to address cybersecurity issues, as well as the intra-African cooperation envisaged to provide a sovereign response to cyber issues and cybersecurity policy priorities in Africa.
• Chapter 4 discusses the public perspective on the challenges, strategies, and instruments of cybersecurity in Morocco. It presents the global and Moroccan cybersecurity market and discusses the advantages and disadvantages of the Moroccan cybersecurity approach.
• Chapter 5 analyzes the growth of Moroccan cybersecurity strategy over the last two decades. It describes and evaluates a variety of cybersecurity strategies and policy laws. As a result, the chapter demonstrates the increasingly broad reach of Moroccan cybersecurity strategy, which has shifted in recent years from focusing on civilian defense to including international diplomatic and strategic military dimensions.
• Chapter 6 discusses cyber resilience in the post-COVID-19 era and how a country like Morocco considers the cyber resilience component in its national cybersecurity strategy.
• Chapter 7 assesses the current gaps in the Moroccan cybersecurity strategy that the government will need to address in the coming years, most notably Morocco’s vision for the issue of cyber sovereignty.
• Chapter 8 provides concluding remarks to this Brief.
References

ADD Morocco. (2020). Note d’Orientations Générales pour du Digital au Maroc à horizon 2025. https://add.gov.ma/storage/pdf/Avril_NOG_ADD_fr_SITE_VF.pdf
Bennis Nechba, Z., Boujibar, A., & Alj, A. (2022). Good governance and digitalization in Morocco: State of the art. International Journal of Business and Technology Studies and Research. www.ijbtsr.org
Department of Financial Studies and Forecasting Morocco. (2022). Summary of the economic and financial report accompanying the 2022 finance bill (REF 2022). https://www.finances.gov.ma/Publication/depf/2022/En_DEPF_SyntheseREF2022.pdf
DGSSI. (2013a). Directive Nationale de la Securite des Systemes d’Information. https://www.dgssi.gov.ma/sites/default/files/attached_files/directive_nationale_de_la_securite_des_systemes_d_information.pdf
DGSSI. (2013b). Directive Nationale de la Sécurité des Systèmes d’Information. https://www.dgssi.gov.ma/fr/directive-nationale-de-la-securite-des-systemes-d-information.html
DGSSI. (2020). Presentation note of law N° 05-20 on cybersecurity. https://www.dgssi.gov.ma/sites/default/files/attached_files/presentation_note_of_the_law_n_deg_05-20_on_cybersecurity_-_english_version.pdf
Digital Morocco. (2013). Stratégie nationale pour la société de l’information et l’économie numérique 2009–2013.
Hathaway, M., & Spidalieri, F. (2018). Kingdom of Morocco cyber readiness at a glance. www.potomacinstitute.org
ITU. (2022). National cybersecurity strategies repository. ITU.
Maleh, Y. (2021). Digital transformation and cybersecurity in the context of COVID-19 proliferation. IEEE Technology Policy and Ethics, 6(5), 1–4.
Maroc Numérique. (2013). Stratégie nationale pour la société de l’information et l’économie numérique 2009–2013.
McKinsey Global Institute. (2013). Lions go digital: The Internet’s transformative potential in Africa. www.mckinsey.com/client_service/high_tech
MEDZ. (2016). Activity report. https://www.medz.ma/sites/default/files/2020-03/RA%202016_0.pdf
Ministry of Economic and General Affairs. (2007). e-Maroc 2010 strategy. http://www.albacharia.ma/xmlui/bitstream/handle/123456789/31117/0870Strat%c3%a9gie%20e-Maroc%202010.pdf?sequence=1
MTDS. (2018). About MTDS. https://www.mtds.com/about-us/
UNESCO. (2020). Ministry of Industry, Trade, Investment and of the Digital Economy. Stratégie Maroc Digital 2020. https://en.unesco.org/creativity/periodic-reports/measures/strategie-maroc-digital-2020
USAID. (2006). USAID leland initiative. IT Governance Institute. https://doi.org/www.itgi.org
World Bank. (2022). World Bank, poverty & equity and macroeconomics, trade & investment global practices. https://thedocs.worldbank.org/en/doc/ed64b613ad013d98071dfcb7bfd124210280012022/original/mpo-sm22-morocco-mar-kcm5.pdf
Chapter 2
Understanding Cybersecurity Standards
2.1 Introduction

Cybersecurity is a set of processes, technologies, and practices to protect digital people, infrastructure, and data accessible through cyberspace, against attacks, damage, and unauthorized access. Thus, cybersecurity is strategically important to move forward, with confidence, in the digital age. The general security objectives are the following:
• Availability, which guarantees the accessibility of information systems by users
• Integrity, which designates the authenticity of data
• Proof, which guarantees the non-repudiation of a transaction with the possibility of auditing the results provided
• Confidentiality, which prevents accidental or illicit access to confidential information

Technology is always fragile because our societies increasingly rely on digital infrastructure. A wide range of cyber risks, including cyber fraud, theft of intellectual property and personally identifiable information, service interruptions, damage or destruction of property, and malware espionage, are constantly changing and putting the ICT infrastructure at risk. Security concerns about ICT use erode public and national faith in their revolutionary potential as a driver of economic and social progress (Elkhannoubi & Belaissaoui, 2016).

Cybersecurity is the process of protecting systems, networks, and programs from digital attacks. These cyberattacks usually aim to access, modify, or destroy sensitive information, to extort money from users, or to disrupt normal business operations (Maleh, 2018). Whether a company is small or large, it must have a strategy for implementing and maintaining cybersecurity.

A number of organizations and groups have defined the standards and procedures to be followed while building an IT infrastructure or enhancing its security to the bare minimum. Frameworks and standards are the names given to these rule books. These materials are compiled by a wide range of organizations worldwide. Take a look at how these different papers may assist everyone working in IT worldwide and why these standards and frameworks were essential in the first place. This chapter aims to investigate cybersecurity in organizations through international standards and frameworks.

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 Y. Maleh, Y. Maleh, Cybersecurity in Morocco, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-031-18475-8_2
2.2 Framework vs. Standard: What Is the Difference?

By definition, a framework refers to the structure underneath or beyond a system. A framework does not specify how a system will be implemented; it just describes it. As a result, a corporation can claim to follow whatever framework it chooses, as long as all of the standards of that framework are satisfied. A framework can be improved by adding to it, but the basic structure remains the same.

According to the term itself, a standard describes the stages and procedures involved in a piece of work, which is why it is so important. The adoption of an international standard ensures that the same approach is followed to complete a given task all over the globe. An organization can develop its own rules relevant to the organization or adhere to internationally recognized norms, rules, and standards.

Numerous organizations have been working in recent years to standardize the fundamental security infrastructure of businesses that handle personally identifiable information (PII) or financial information to make it more difficult for unauthorized individuals to access. Thus, enterprises can rest assured that their data is safe from hackers and will only suffer a minor loss of information if a successful breach occurs.

An important part of IT governance is establishing and enforcing cybersecurity guidelines. The company’s cybersecurity policies must be tightly integrated with and drive the standards to manage and mitigate risk effectively. A typical IT governance structure is shown in the diagram below. Cybersecurity standards are a vital link between the principles that guide policy and the realities of day-to-day operations. Standards are essential for future implementation activities, such as creating functional and technical requirements, developing architecture and design, and operational guidelines and procedures (CGI, 2019). Figure 2.1 shows cybersecurity standards in the IT governance hierarchy.
Direct traceability is essential at every level of the IT governance process to assure compliance and to ensure effective management and auditing of IT resources. The company’s policies and external regulatory duties should be reflected in the company’s cybersecurity standards (e.g., external standards and controls, such as financial or privacy regulations).
Fig. 2.1 Cybersecurity standards in the IT governance hierarchy
2.3 Cybersecurity Standards

Compliance with external cybersecurity and privacy regulations can result in hefty penalties for businesses and governments that do not adhere to them. Here are a few examples:
• NIST SP 800-53 Risk Management Framework (special publication) or ITSG-33. The federal governments of the United States and Canada have issued these management frameworks. Although they are primarily used in government, several enterprises have embraced these frameworks in the field. Using a catalog of 900 controls and control upgrades, it is possible to build practically any profile from the provided technique and catalog.
• NIST Cybersecurity Management Framework. This “lighter” version of the NIST SP 800-53 management framework is intended for industry-wide adoption.
• ISO/IEC 27001. The International Organization for Standardization (ISO) produced a collection of security standards implemented globally. As a result, firms must complement their internal control aims with external compliance duties.
• GDPR. Companies that handle or process the personal data of residents of the European Union must adhere to strict privacy regulations. It is possible to face significant penalties for noncompliance or violation.
• Cyber Essentials. An alternative to the NIST cybersecurity management framework or ISO 27001 is being embraced by enterprises that do business with the United Kingdom government.
• PCI DSS. An alternative to the NIST cybersecurity management framework or ISO 27001 is being embraced more widely by enterprises doing business with the United Kingdom government.
• SWIFT Customer Security Control Framework (CSCF). Financial institutions using the SWIFT network must have this architecture to conduct transactions.
2.4 NIST Framework

Regarding cybersecurity risk management, any firm may apply this paradigm, regardless of sector or location. As a result, companies of any size and degree of expertise in cybersecurity risk management may benefit from the framework’s risk management principles and best practices. The framework assembles standards, principles, and practices that are currently successful and provides an organizational structure for diverse approaches to cybersecurity. In addition, the framework can serve as a model for international collaboration in boosting cybersecurity in critical infrastructure and other sectors and communities since it references globally accepted cybersecurity standards.

Using this paradigm, one may consider the impact of cybersecurity on all three spheres of life: the physical, digital, and human. IT, industrial control systems (ICS), cyber-physical systems (CPS), or networked devices such as the Internet of Things are all examples of technology-enabled enterprises that can benefit from this guideline (Stouffer et al., 2011). Customers’, workers’, and other parties’ privacy may be safeguarded using the framework. As an added benefit, the framework’s outputs serve as benchmarks for efforts aimed at improving and evolving the workforce.

Cybersecurity risk management for critical infrastructure cannot be based on a single framework. Organizations will continue to face various threats, vulnerabilities, and risk tolerances unique to them. Additionally, they will differ in the way they implement the framework’s practices. Organizations should prioritize expenditures to optimize the effect of each dollar spent by identifying activities crucial to delivering key services. Ultimately, the framework’s goal is to lessen and better manage cyber risk (Yassine et al., 2017).
These controls are intended to provide the minimum requirements for cybersecurity based on best practices and standards to reduce cyber risks to the parties’ information and technical assets from internal and external threats. Protecting the entity’s information and technical assets requires a focus on the fundamental objectives of protection, which are as follows:
• Confidentiality of information
• Integrity of information
• Availability of information
These controls take into account the four fundamental axes on which cybersecurity is based, which are the following:
• Strategy
• People
• Process
• Technology
These controls are applied to government departments, including ministries, agencies, institutions, their entities and affiliates, and private sector entities with Critical National Infrastructures (CNIs) that they operate or host. It also strongly encourages taking advantage of these controls to implement best practices for improving and developing cybersecurity within the relevant institutions (Sedgewick, 2014). The following details these fundamental cybersecurity controls:
• Cybersecurity governance: It aims to ensure that cybersecurity action plans, objectives, initiatives, and projects within the entity contribute to the achievement of relevant legislative and regulatory requirements (Bowen et al., 2007).
• Cybersecurity defense: It aims to ensure that the entity has an accurate and up-to-date asset inventory that includes relevant details of all information and technical assets available to the entity to support the entity’s business operations and cybersecurity requirements, to ensure the confidentiality, integrity, accuracy, and availability of the entity’s information and technical assets.
• Cybersecurity resilience: It aims to ensure the availability of cybersecurity robustness requirements in managing the entity’s business continuity and to ensure the handling and minimization of the effects of disruptions to the entity’s critical electronic services and information processing systems and devices as a result of disasters resulting from cyber risks.
• Third-party and cloud computing cybersecurity: It aims to ensure the protection of the entity’s assets from third-party cybersecurity risks, including outsourcing and managed services in accordance with the entity’s policies, organizational procedures, and relevant legislative and regulatory requirements.
• Industrial control systems cybersecurity: It aims to ensure that cybersecurity is properly and effectively managed to protect the availability, integrity, and confidentiality of the entity’s ICS/OT device assets from cyberattacks (such as unauthorized access, sabotage, espionage, and tampering), in correlation with the entity’s cybersecurity strategy, cybersecurity risk management, and relevant legislative and regulatory requirements, as well as international regulatory requirements established on the entity for cybersecurity (Stouffer et al., 2011).
Figure 2.2 below shows the main components of the controls.
Fig. 2.2 Essential cybersecurity components [figure labels: Essential Cybersecurity Controls (ECC1:2018); Cybersecurity Governance and Compliance; Cybersecurity Defense; Cybersecurity Resilience; Third-Party and Cloud Computing Cybersecurity; ICS Cybersecurity]
Subcomponents
Table 2.1 shows the subcomponents of the controls.
Cybersecurity framework (CSF) is the common name of the document “Framework for Improving Critical Infrastructure Cybersecurity,” published by the National Institute of Standards and Technology (NIST) on February 12, 2014 (NIST, 2014). The cybersecurity framework was created after the 2013 US presidential decree to improve cybersecurity, initially aimed at US companies with critical infrastructures. However, it is also applicable to any company that faces security risks. Before this, President Obama issued an executive order aimed at critical infrastructure businesses in the United States called “Improving Cybersecurity for Critical Infrastructure” (such as communications, information technology, defense industry base, etc.). Despite their voluntary nature, they are suited for any firm confronting cybersecurity threats. The framework is divided into three parts, as illustrated in Fig. 2.3 below. The NIST-CSF framework is better structured when used for planning and implementation. As can be seen in Fig. 2.4, the framework is divided into five functions (identify, protect, detect, respond, and recover), 22 categories (asset management, risk management, etc., which is similar to Annex A of ISO/IEC 27001), and 98 subcategories (almost like ISO/IEC 27001 controls). Each subcategory references other frameworks and standards such as ISO/IEC 27001, COBIT, NIST SP 800-53, and ISA 62443. This way of presenting things makes looking for requirements to implement and where to find them much more straightforward. The framework also indicates the levels of implementation (partial, risk informed, repeatable, adaptive) that represent the maturity level of implementation of the latter’s controls. With this, the company can easily decide how far they want to go with the application of cybersecurity (NIST, 2018).
Table 2.1 Control subcomponents
Cybersecurity governance
1.1 Cybersecurity strategy
1.2 Cybersecurity management
1.3 Cybersecurity policies and procedures
1.4 Cybersecurity roles and responsibilities
1.5 Cybersecurity risk management
1.6 Cybersecurity in information technology projects
1.7 Cybersecurity regulatory compliance
1.8 Cybersecurity periodical assessment and audit
1.9 Cybersecurity in human resources
1.10 Cybersecurity awareness and training program
Cybersecurity defense
2.1 Asset management
2.2 Identity and access management
2.3 Information system and processing facilities protection
2.4 Email protection
2.5 Network security management
2.6 Mobile device security
2.7 Data and information protection
2.8 Cryptography
2.9 Backup and recovery management
2.10 Vulnerability management
2.11 Penetration testing
2.12 Cybersecurity event logs and monitoring management
2.13 Cybersecurity incident and threat management
2.14 Physical security
Cybersecurity resilience
3.1 Cybersecurity resilience aspects of business continuity management (BCM)
Third-party and cloud computing cybersecurity
4.1 Third-party cybersecurity
4.2 Cloud computing and hosting cybersecurity
Cybersecurity resilience
5.1 Industrial control systems (ICS) protection
The framework’s five primary functions are listed below. There is no intent to use these functions sequentially or to achieve a predetermined end state. As a result, an operational culture that handles dynamic cybersecurity risk must be fostered through the simultaneous and continuous execution of all functions involved. The following is a full list of the functions.
• Identify: To protect systems, people, assets, data, and capabilities against cyberattacks, a company must have a comprehensive awareness of cybersecurity threats. Identification functions are essential for the framework’s success. With this knowledge, a company may prioritize its efforts in a way that is consistent with its risk management strategy as well as the business goals of the organization. Asset management, the business environment, governance, risk assessment, and the risk management strategy are result categories within this function.
• Protect: Assemble and execute the necessary measures to guarantee the timely provision of essential services. The protect function supports the capacity to minimize or contain the effect of a possible cybersecurity event. Identity management and access control, awareness and training, data security, information protection procedures and processes, maintenance, and protection technology are some result categories within this role.
• Detect: Develop and execute adequate measures to detect the onset of a cyberattack. Cybersecurity occurrences can be discovered more quickly thanks to the detect function. A few examples of this function’s output categories are an anomaly or event, ongoing security monitoring, and detection process.
• Respond: To respond to a cybersecurity issue, devise and implement an action plan. The response function aids in limiting the damage caused by a cyberattack. Communication, analysis, mitigation, and improvements are some outcomes that fall under this category.
• Restore: Maintain resilience strategies and restore compromised capabilities or services by developing and implementing relevant initiatives. The recovery function helps to minimize the effect of a cybersecurity event by facilitating a speedy return to normal operations. Recovery planning, enhancements, and communications are just a few of the many outcomes that may be expected from this position.
Fig. 2.3 Three parts of the NIST-CSF
Core: Includes a variety of cybersecurity-related actions and results, as well as references, all arranged into five main roles (Identify/Protect/Detect/Respond/Recover).
Implementation Tiers: Using these four categories as a reference might help organizations better understand their and their partners' perceptions of cybersecurity risk and the complexity of their management strategy.
Profile: To aid in prioritizing and tracking progress toward achieving the desired risk level, a list of outcomes from which a company depending on its business requirements and individual risk assessments (Current Profile).
Fig. 2.4 NIST cybersecurity framework
2.4.1 Implementation Levels of the Framework
It is important to understand how an organization sees cybersecurity risk and the mechanisms to manage it while implementing the framework’s implementation levels (Levels). The expertise and rigor of a company’s cybersecurity risk management processes are described at each level. According to these findings, cybersecurity risk management is influenced by business demands and incorporated into an organization’s risk management strategies. This includes how much attention is given to privacy and civil rights when managing cybersecurity risks and the possible responses to such risks. The selection process considers an organization’s current risk management practices, threat environment, legal and regulatory needs, information sharing procedures, business/mission objectives, supply chain cybersecurity requirements, and organizational restrictions. When determining the level of protection sought, organizations should ensure that the level picked satisfies organizational objectives, can be implemented, and decreases the risk to vital assets and resources to a level acceptable to the business. An organization’s maturity level should be assessed using input from various sources, including federal agencies, information sharing and analysis centers, information sharing and analysis organizations, and other sources. There are no maturity levels in the Level 1 (partial) classification. However, businesses are urged to go up to the next level or above. Using the levels, a business may decide which aspects of cybersecurity risk management are most important and should receive greater resources and how to manage those risks best. When a cost-benefit analysis suggests that a viable and cost-effective decrease in cybersecurity risk can be achieved, advancement to higher levels is encouraged.
Implementing the framework is all about meeting the goals outlined in an organization’s target profiles, rather than assessing the framework’s level of implementation. As a result, the selection and naming of levels organically alter the
framework profiles. According to the executives, a company’s level recommendation for cybersecurity risk management by business-/process-level managers should affect priority setting within a target profile and progress evaluations in correcting gaps (Johnson, 2014).
2.4.2 Framework Profile
In the framework profile, functions, categories, and subcategories are aligned with the company’s business needs, risk tolerances, and resources. Using a profile, firms may develop a strategy for lowering cybersecurity risks that align with their overall goals and those of the industry in which they operate, as well as considering relevant legal and regulatory requirements and industry best practices. Due to their complexity, many businesses may have many profiles, each aligned to a certain component and considering its unique requirements. Specific cybersecurity operations can be described in their existing or intended target state using framework profiles. In the present profile, we can see what progress has been made in terms of cybersecurity. The target profile must be met to achieve the intended outcomes in terms of cybersecurity risk management. Business/mission needs are supported by these profiles, which aid in communicating risk inside and between companies. As a result, this framework allows for a wide range of implementation options. To fulfill cybersecurity risk management goals, it may be necessary to compare profiles (e.g., the present profile and the desired profile). The road map mentioned above can benefit from an action plan to close these holes and complete a certain category or subcategory. The organization’s needs and risk management processes influence the focus on gap minimization. With this risk-based strategy, the resources needed to fulfill cybersecurity goals are assessed cost-effectively and prioritized (e.g., recruiting and funding). A risk-based approach to the framework also means that the application and accomplishment of a specific subcategory depend on the profile’s breadth (Gillies, 2011).
2.4.3 Baseline Review of Cybersecurity Practices
Organizational needs, risk tolerance, and available resources are considered while developing a framework profile. For enterprises, the development of a cybersecurity risk reduction road map that is in line with organizational and industry goals, as well as legal and regulatory requirements and best practice standards, is possible through the use of profiles. The complexity of many companies may necessitate the creation of different user accounts, each tailored to meet the specific requirements of certain parts. Specific cybersecurity operations may be described using framework profiles to represent their existing or desired objective state. The present profile depicts the state of cybersecurity as it stands right now. The target profile must be present to
obtain the intended outcomes regarding cybersecurity risk management. Some profiles support business or mission needs as well as risk communication. As a result, this framework allows for a wide range of implementations. There may be gaps in cybersecurity risk management that may be discovered by comparing profiles (such as your present and your desired ones). An action plan to close these holes is necessary for the above-described road map to be useful. The organization’s business needs and risk management processes are the driving forces behind the focus on reducing the gap. With this risk-based approach, the resources needed to fulfill cybersecurity goals are assessed cost-effectively and prioritized (e.g., recruitment or funding). Additionally, the framework uses a risk-based approach where the applicability and attainment of a particular subcategory depend on the profile’s scope.
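The profile comparison described in Sects. 2.4.2 and 2.4.3 can be worked through in code. The Python example below is an addition to this text, not part of the NIST framework or of the book: it compares a current profile with a target profile, ranks the gaps by risk-weighted gap closed per unit of cost, and selects what fits a budget. The 0-4 implementation scale, the risk weights, the costs and both sample profiles are assumptions constructed for the illustration; only the subcategory identifiers come from the CSF.

```python
"""Current-vs-target CSF profile gap analysis (added illustration)."""
from dataclasses import dataclass

LEVELS = range(0, 5)  # assumed scale: 0 = not implemented ... 4 = fully implemented


@dataclass(frozen=True)
class Target:
    level: int        # desired implementation level for the subcategory
    risk_weight: int  # assumed 1 (low) .. 5 (high) impact if the gap stays open
    cost: float       # assumed cost to close the whole gap, arbitrary units


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str     # ID, PR, DE, RS or RC, taken from the identifier prefix
    current: int
    target: int
    size: int
    cost: float
    priority: float   # risk-weighted gap closed per unit of cost


# Constructed sample profiles. Only the subcategory identifiers come from the CSF.
CURRENT_PROFILE = {
    "ID.AM-1": 3,  # physical devices inventoried
    "ID.AM-2": 1,  # software platforms inventoried
    "PR.AC-1": 2,  # identities and credentials managed
    "PR.DS-1": 0,  # data at rest protected
    "DE.CM-1": 1,  # network monitored
    "RC.RP-1": 2,  # recovery plan executed
    "PR.AT-1": 4,  # users trained: assessed, but outside the target profile's scope
}
TARGET_PROFILE = {
    "ID.AM-1": Target(3, 3, 10),
    "ID.AM-2": Target(3, 3, 20),
    "PR.AC-1": Target(4, 5, 40),
    "PR.DS-1": Target(3, 4, 30),
    "DE.CM-1": Target(3, 4, 60),
    "RS.RP-1": Target(2, 5, 15),  # response plan: never assessed in the current profile
    "RC.RP-1": Target(2, 2, 5),
}


def find_gaps(current, target):
    """Return open gaps for subcategories in the target profile, highest priority first."""
    gaps = []
    for sub_id, tgt in target.items():
        cur = current.get(sub_id, 0)  # not assessed yet: treat as not implemented
        if cur not in LEVELS or tgt.level not in LEVELS:
            raise ValueError(f"{sub_id}: implementation level outside 0-4")
        if tgt.cost <= 0:
            raise ValueError(f"{sub_id}: cost must be positive")
        size = max(0, tgt.level - cur)  # exceeding the target is not a gap
        if size:
            gaps.append(Gap(sub_id, sub_id.split(".")[0], cur, tgt.level, size,
                            tgt.cost, tgt.risk_weight * size / tgt.cost))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def attainment_by_function(current, target):
    """Share of the target level already reached, rolled up per CSF function."""
    achieved, wanted = {}, {}
    for sub_id, tgt in target.items():
        fn = sub_id.split(".")[0]
        achieved[fn] = achieved.get(fn, 0) + min(current.get(sub_id, 0), tgt.level)
        wanted[fn] = wanted.get(fn, 0) + tgt.level
    return {fn: round(achieved[fn] / wanted[fn], 2) for fn in wanted if wanted[fn]}


def plan_within_budget(gaps, budget):
    """Greedy action plan: take gaps in priority order while they still fit the budget."""
    selected, spent = [], 0.0
    for gap in gaps:
        if spent + gap.cost <= budget:
            selected.append(gap.subcategory)
            spent += gap.cost
    return selected, spent


if __name__ == "__main__":
    ranked = find_gaps(CURRENT_PROFILE, TARGET_PROFILE)
    for g in ranked:
        print(f"{g.subcategory}: {g.current} -> {g.target}, priority {g.priority:.2f}")
    print(attainment_by_function(CURRENT_PROFILE, TARGET_PROFILE))
    print(plan_within_budget(ranked, budget=70))
```

Subcategories that appear only in the current profile are ignored, which mirrors the point that applicability depends on the profile's scope.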
2.5 International Organization for Standardization ISO
As a nongovernmental organization, the ISO collaborates with the International Electrotechnical Commission (IEC), the International Telecommunication Union (ITU), and other organizations to develop international standards. The Information Security Management System (ISO/IEC 27000) is a set of ISO standards for information security that includes several substandards.
2.5.1 Overview of ISO 27K Standards
It is a set of international standards for information security, designed to protect information. They are the result of a search for a common consensus in the field. Nevertheless, compliance with a standard does not formally guarantee a level of security (Disterer, 2013). The standards do not consider the recent state of the art and the regulatory requirements. Some of the main standards included in the 27000 series are as follows:
• ISO/IEC 27001: Describes an Information Security Management System (ISMS), a collection of actions pertaining to the management of information hazards (referred to in the standard as “information security risks”)
• ISO/IEC 27002: Rules of Practice for Information Security Management Systems (ISMS)
• ISO/IEC 27003: Information Security Management Implementation Manual
• ISO/IEC 27004: Measures the effectiveness of Information Security Management Systems
• ISO/IEC 27005: Information Security Risk Management
• ISO/IEC 27006: A guide to the process of maintaining an information security management system
• ISO/IEC 27032: Information technology - security techniques - guidelines for cybersecurity
Panorama of ISO 2700x Standards
Within the framework of the implementation of security within an organization:
• The ISO 27001 standard allows an organization to implement and improve the security management system:
  –– An ISO 27001 certification issued by an accredited certification body guarantees that an organization has properly applied the standard’s requirements in terms of security following an audit. This certification is valid for 3 years; every year a control audit is performed.
  –– An organization may be required to have this certification in order to access specific contracts: for example, an organization paying European agricultural aid.
• The ISO 27002 standard defines a set of “good practices” in terms of security, divided into several chapters. The organization has the following:
  –– An implementation framework
  –– A “checklist” in case of an audit
• The ISO 27005 standard defines guidelines for managing security risks in an organization. An organization can rely on this risk management process to integrate security.
Structure of ISO/IEC 27001
Table 2.2 illustrates the sections of ISO/IEC 27001:2013 (ISO/IEC, 2013). Annex A has a set of 35 control objectives and 114 general security controls, grouped in 14 sections, that guide how to deal with risks identified as unacceptable through risk assessment. It goes further than the ISO/IEC 27002 control section address list. Even though it is “standard,” authorized organizations are permitted to diverge from or enhance it to meet their unique information dangers.
ISO/IEC 27002:2005 (Revised by ISO/IEC 27002:2021)
The typical lifespan of an ISO standard is 5 years. After this period, it is decided whether the norm can stay valid, needs revision, or is retracted. In 2018, it was decided that ISO 27002:2013 should be revised. The draft is currently under review and is expected to be published by the end of 2021.
Table 2.2 ISO/IEC 27001:2013 sections
Sections: Description
0 Introduction: The standard describes a systematic process for managing information risks.
1 Scope: It specifies generic ISMS requirements suitable for organizations of any type, size, or nature.
2 Normative references: Only ISO/IEC 27000 is considered essential to users of ISO 27001: the remaining ISO27k standards are optional.
3 Terms and definitions: ISO/IEC 27000.
4 Context of the organization: Understanding the organizational context and the needs and expectations of “interested parties” and defining the scope of the ISMS.
5 Leadership: The top management must demonstrate leadership and support to the ISMS, which should set policies and assign roles and duties for information security.
6 Planning: Defining the goals of information security and outlining the process for identifying, analyzing, and planning to handle information threats.
7 Support: Adequate and capable resources must be assigned, awareness increased, paperwork generated and controlled, etc.
8 Operation: Details regarding risk assessment and treatment, change management, and recording things are provided in this section (partly so that the certification auditors can audit them).
9 Performance evaluation: Keep an eye on the security measures, procedures, and management system, and make appropriate improvements as you go along.
10 Improvement: Make adjustments to the ISMS based on the findings of audits and reviews (such as nonconformities and remedial measures).
As Annex A of ISO 27001 is based on ISO 27002, this standard is expected to follow soon, after which it will be possible to certify against the new standard. ISO 27002:2013 contains 114 controls, divided over 14 chapters. This is going to be restructured. ISO 27002:2021 will contain 93 controls, divided over 4 chapters:
• Chapter 5 Organizational (37 controls)
• Chapter 6 People (8 controls)
• Chapter 7 Physical (14 controls)
• Chapter 8 Technological (34 controls)
ISO/IEC 27032
Officially, ISO/IEC 27032 addresses “cybersecurity” or “cyberspace security,” known as “maintaining the confidentiality, integrity and availability of information in cyberspace.” In contrast, “cyberspace” (complete with a specific essay and capital) is defined as “the complex environment resulting from the interaction of people, programs and services on the Internet through technology devices and related networks, which do not exist in any physical form.”
Purpose of ISO/IEC 27032
Despite the title, the standard is actually about Internet security. The first two lines give the game away:
• “This document focuses on addressing Internet security issues and provides technical guidance to address common Internet security risks ….”
• “The standard does not directly address cybersecurity (eg cyber bullying), cybercrime, Internet safety, Internet-related crime, information infrastructure protection, or cyber warfare.”
Structure and Content
The main sections are as follows:
5. Overview
6. Assets in the cyberspace
7. Threats against the security of the cyberspace
8. Roles of stakeholders in cybersecurity
9. Guidelines for stakeholders
10. Cybersecurity controls
11. A framework of information sharing and coordination
Annex A. Cybersecurity readiness
Annex B. Additional resources
Annex C. Examples of related documents
2.6 Conclusion
Consistent and quantifiable implementation of security strategies and policies is vital for organizations, which is why they must adhere to cybersecurity standards. Adopting or creating standards may be a straightforward process. However, to have the intended impact and remain viable, they must all involve a wide range of stakeholders. The efficacy of standards will diminish over time if they are not constantly monitored for implementation and compliance purposes. Adopting standards necessitates a financial outlay, but it pales in comparison to the ramifications of a significant cyberattack. This investment is expected to boost the trust and confidence of all parties involved, including top management, boards of directors, and regulators.
References
Bowen, P., Chew, E., & Hash, J. (2007). Information security guide for government executives (pp. 3–9). National Institute of Standards and Technology NIST. http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf
CGI. (2019). Comprendre les normes de cybersécurité. CGI.
Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 04(02), 92–100. https://doi.org/10.4236/jis.2013.42011
Elkhannoubi, H., & Belaissaoui, M. (2016). Assess developing countries’ cybersecurity capabilities through a social influence strategy. In 2016 7th international conference on sciences of electronics, technologies of information and telecommunications (SETIT) (pp. 19–23). https://doi.org/10.1109/SETIT.2016.7939834
Gillies, A. (2011). Improving the quality of information security management systems with ISO27000. The TQM Journal, 23(4), 367–376. https://doi.org/10.1108/17542731111139455
ISO/IEC. (2013). ISO/IEC 27002:2013. Retrieved 24 March 2014 from http://www.iso.org/iso/home/storecatalogue_ics/catalogue_detail_ics.htm?csnumber=54533
Johnson, B. G. (2014). Measuring ISO 27001 ISMS processes. 1–20.
Maleh, Y. (2018). Security and privacy management, techniques, and protocols. IGI Global. https://doi.org/10.4018/978-1-5225-5583-4
NIST. (2014). Framework for improving critical infrastructure cybersecurity, version 1.0.
NIST. (2018). Framework for improving critical infrastructure cybersecurity, version 1.1. https://doi.org/10.6028/NIST.CSWP.04162018
Sedgewick, A. (2014). Framework for improving critical infrastructure cybersecurity, version 1.0. No. NIST-Cybersecurity Framework.
Stouffer, K., Falco, J., & Scarfone, K. (2011). Guide to industrial control systems (ICS) security. NIST Special Publication, 800(82), 16.
Yassine, M., Abdelkebir, S., Abdellah, E. (2017). A capability maturity framework for IT security governance in organizations. In 13th International Symposium on Information Assurance and Security (IAS 17).
Chapter 3
The African View on Cybersecurity
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 Y. Maleh, Y. Maleh, Cybersecurity in Morocco, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-031-18475-8_3
3.1 Introduction
An impressive amount of high-speed Internet access and vital ICT infrastructure has been built across Africa in the recent decade. Internet users increased from 5% in 2007 to 28% in 2015. The continent should be able to compete with developed countries in terms of Internet availability within the next decade if its current development pace is maintained. Security measures to avoid and control significant technological risks and the risk of information leakage are among the many Internet-related concerns facing Africa today. The only way to deal with these dangers is to have a strong cybersecurity culture, significant reaction capabilities, and appropriate and effective national rules. This led to a decrease in focus on cybersecurity issues. Mobile devices and services like mobile money have helped the IT business grow rapidly in the last few years. IT companies have enjoyed substantial growth in recent years. More and more African innovation centers have sprung up to deal with issues ordinary Africans confront, such as cybersecurity.
Generally speaking, the continent is significantly behind in terms of cybersecurity. In the past, the use of external service providers and “black box” offers (applications for which the source code is unavailable and sold off-the-shelf) has often been favored, mainly due to the lack of local skills to administer more elaborate solutions (Sutherland, 2018). The continent is a privileged target, which is natural insofar as cyberattackers have analyzed this structural weakness of Africa in terms of IT security, which they see as a “low hanging fruit,” i.e., an easy target. Furthermore, audits generally show a higher level of heterogeneity within the continent than in Europe or elsewhere and a greater difficulty establishing appropriate governance. Countries like South Africa, Morocco, and Egypt would be among the most attacked countries. This is due to the country’s lack of investment in the subject, despite its relatively high level of development compared to other countries on the continent. There is also a clear difference between companies dependent on multinationals and those grown organically locally. The former generally have global standards, which they apply indiscriminately worldwide. The latter has a less structured culture and pays less attention to cybersecurity issues (Kshetri, 2019). However, we can observe that the practices of the former are contaminating the latter, particularly since the COVID-19 crisis, when the number of cyberattacks has increased considerably, while substantive work on cybersecurity topics was not prioritized.
To defend and prevent criminal conduct in cyberspace, all parties concerned must work together domestically and internationally, inside and across nations. There is an urgent need to develop a comprehensive approach and a coherent cybersecurity strategy at the continental level to promote peace and security in the information society given the importance of the ICT sector and its direct and positive impact on the social and economic development of African countries.
3.2 Africa’s Cybersecurity Gap
The recurrence of various events involving multimillion dollar attacks has raised the awareness of African entrepreneurs. Recently, in the United States, a ransomware attack paralyzed an oil pipeline managed by the Colonial Pipeline company, creating general panic (45% of the oil on the coast is transited through the pipeline). A few days after the attack, the company’s management revealed to the Wall Street Journal that it had to pay the hackers a hefty sum of 4.4 million dollars. The case had gone around the world. The WannaCry malware, which had spread to 150 countries, had not spared the continent in 2019, from Morocco to Uganda, via Egypt, Ivory Coast, and Kenya. Today’s widespread use of the cloud and the arrival of connected objects are new threats to companies (Adeboye Adegoke et al., 2022).
The “Cybersecurity Maturity Study 2021 in Francophone Africa,” conducted by Deloitte among 210 companies in 11 countries, reveals that 40% of African companies have recorded “an increase in the number of incidents” since the arrival of the COVID-19 pandemic. Malware and phishing attacks have become the nightmares of African entrepreneurs because, while COVID-19 has accelerated the computerization of the continent, it has been accompanied by an increase in cyberattacks. Globally, McAfee recorded a 605% increase in the number of cyberattacks in the second quarter of 2020. Between January and August 2020, Africa was the target of 28 million cyberattacks, according to Kaspersky. Their latest studies predict a loss of earnings of 4.12 billion dollars related to cybercrime on the continent, or nearly 10% of GDP, for the year 2021. The recent Cyber Africa Forum, which took place on May 9 and 10 in Abidjan (Côte d’Ivoire), provided an opportunity to take stock of the growth of new technologies on a continent that entered the digital revolution long ago.
Indeed, although all African countries are not yet at the top of the world rankings in information technology, the digital transformation process has been carried out quickly and has many effects on businesses. In this case, one thing is clear: not all companies are
equipped to deal with cyberattacks, which have increased tenfold since the health crisis of 2020. As early as 2021, a study by Deloitte showed that budgets dedicated to cybersecurity are insufficient (66% of companies invest less than 200 K€ per year), against a backdrop of increasing incidents (+40%): ransomware, payment fraud, false transfer orders, phishing, etc. (CAF, 2022). The risks remain numerous, even though telecommuting is on the rise and the lack of awareness among employees is being felt. It must be said that, as they increasingly work from home, Africans use personal tools that largely escape the vigilance of their companies’ cybersecurity teams (unsecured home Wi-Fi networks, computer sharing between different family members, etc.). However, beyond these shortcomings, there is indeed digital development in Africa, characterized by many studies as a source of economic growth. Many projects based on digital technology are indeed moving in this direction, facilitating an exit from poverty and local economic development. To support this movement, some countries, such as Senegal and Kenya, have set up authorities to manage and promote ICT development at the national level. But in Africa, as elsewhere, the development of digital technology is synonymous with the development of threats. In this respect, Côte d’Ivoire and Nigeria are regularly cited as the main hotbeds of cybercrime on the continent, still mainly driven by scams of all kinds. A Trend Micro report also notes the development of defacement (cyber hacktivism) and more lucrative forms of cybercrime (botnets, malware, RATs). Until now, the level of sophistication of cybercrime in Africa has remained limited. Overall, the inadequacy of states in the fight against cybercrime has led to fears of an increase in cybercriminal acts, to the detriment of the development of the digital economy. 
In the face of these cyber threats, it is clear that African states are still generally timid in their efforts to improve cybersecurity. Only 40% of African countries have a legislative framework to punish cybercrime-related acts. Some of these countries also have a dedicated cybersecurity authority or even a CERT whose role is to respond to incidents. But many African countries struggle to fight cybercrime, mainly due to a significant lack of resources. This shortage affects public and private sector cybersecurity personnel, as well as dedicated training and adequate material and technological resources. In addition, the lack of cooperation mechanisms between African countries and the rest of the world makes identifying, apprehending, and prosecuting cybercriminals by law enforcement agencies difficult. Finally, although not unique to African countries, there is a risk in some states that cybersecurity will be misused to limit freedom of expression, as has been the case in Angola. Unfortunately, progress in developing and implementing a cybersecurity strategy at the national level in Africa has been limited. According to the most recent data compiled by the UN’s International Telecommunication Union (ITU), about one-third (17) of the 54 countries in Africa have developed a national cybersecurity strategy, which is less than half the global average. Governments are the most important actors in managing cyber threats. Without national strategies, governments often cannot define the scope and scale of the threats they face, set
32
3 The African View on Cybersecurity
Fig. 3.1 National cybersecurity strategy adoption in Africa
priorities, mobilize resources, or effectively coordinate responses within the government, the private sector, and community (ITU, 2022). Figure 3.1 shows the national cybersecurity strategy adoption map in Africa. Less than half of the countries with a national cybersecurity strategy have a threat assessment (which helps justify the existence of the strategy and tailor the response to the threat) or a resource allocation (which is necessary to ensure the implementation of a strategy) (Lebogang et al., 2022). Table 3.1 shows the national cybersecurity strategies in Africa. However, a few African states, such as Morocco, are notable for their efforts to become credible cybersecurity actors on the continent. Morocco, for example, has been multiplying initiatives in recent years: an action plan to fight cybercrime, the presentation of its cybersecurity strategy at the fourth World Conference on Cyberspace, cooperation with Spain, etc. Senegal is not to be outdone either, with the recent creation of a national cybersecurity center, a laboratory dedicated to the fight against cybercrime, strengthened cooperation with the Netherlands and France, and the hosting of a regional meeting on cybersecurity. We could also have mentioned Kenya or South Africa.
3.2.1 The African Union Convention on Cybersecurity and Protection of Personal Data 2014
Africa’s 23rd AU summit in Malabo, held on June 26–27, 2014, adopted a “Convention on Cybersecurity and Personal Data Protection” to respond to the legislative challenges posed by criminal activities committed on ICT networks in a regionally and continentally compatible manner, as well as the need to harmonize legislation in this area in the African Union Member States (African Union, 2014).
Table 3.1 National cybersecurity strategies in Africa
Columns: Country; Threat assessment; Action plan; Assignment of responsibilities; Calendar; Assignment of updates; Last update. [Per-country check marks not recoverable.]
Country (last update): Benin (2020); Burkina Faso (2019); Egypt (2018); Eswatini (2020); Gambia (2016); Ghana (2020); Kenya (2014); Malawi (2017); Mauritius (2014); Mauritania (2021); Morocco (2013); Nigeria (2021); Rwanda (2015); Senegal (2017); Sierra Leone (2017); South Africa (2012); Tanzania (2016); Tunisia (2021); Uganda (2014).
Total (in column order): 8; 19; 13; 15; 7.
Cybersecurity and personal data protection are addressed as part of the Malabo Convention. Cybercrime and associated concerns are addressed in general terms in this document. Additionally, it represents the current regional, continental, and international commitments of African Union member states to build an information society that respects African cultural values and beliefs, ensures a high level of legal and technological security, and ensures respect for privacy and online freedoms while enhancing the promotion and development of ICTs. The convention of June 23, 2014, aims to “strengthen and harmonize the current legislation of Member States and Regional Economic Communities (RECs) in the field of ICTs” in respect of fundamental freedoms and human and people’s rights. It also aims to create “an appropriate normative framework corresponding to the African legal, cultural, economic, and social environment” and stresses that protecting personal data and privacy is a “major challenge of the information society.” Any processing of personal data must respect a balance between fundamental freedoms, the promotion and use of ICTs, and the interests of public and private actors. The adoption of the convention is in line with the commitments of member states to harmonize African cyber legislation. These include the Decision on Information
and Communication Technologies in Africa: Challenges and Prospects (2010); the Oliver Tambo Declaration of Johannesburg of November 9, 2009; the Abidjan Declaration of February 22, 2012; and the Addis Ababa Declaration of June 22, 2012. The convention is divided into four chapters:
• Chapter 1: Electronic transactions
• Chapter 2: Protection of personal data
• Chapter 3: Promotion of cybersecurity and fight against cybercrime
• Chapter 4: Final provisions
The AU Heads of State and Government wished to emphasize cybersecurity and the protection of personal data in the title of the convention.
3.2.2 Reminder of the Recommendations of the First Ordinary Session of the STCCICT-1 2015
From August 31 to September 4, 2015, the First Specialized Technical Committee on Communication and Information and Communication Technology (STC-CICT-1) met in Addis Ababa, Ethiopia. At this meeting, the African Union Commission was asked to follow up on member states’ ratification of the draft African Union Convention on Cybersecurity and Personal Data Protection. Member states were also asked to sign and ratify the AU Convention on Cybersecurity and Personal Data Protection as quickly as possible.
3.2.3 Lomé Declaration on Cybersecurity 2022
The first summit on cybersecurity in Africa was held in Lomé, Togo, on the 23rd and 24th of March 2022. Formalized in the form of a declaration adopted by participants from 30 African countries, including several ministers of the digital economy, the commitments relate to four key points, which identify avenues of cooperation and coordination between stakeholders while marking a renewed commitment to the fight against cyber threats. First, participants at the Lomé summit on cybersecurity committed to working towards the signing and ratification by all member countries of the African Union Convention on cybersecurity and the protection of personal data (known as the “Malabo Convention”). This convention was adopted on June 27, 2014, at the 23rd ordinary session of the conference of heads of state of the African Union (United Nations Economic Commission for Africa, 2022). This commitment aims to “foster the development of a safe African cyberspace.” This first summit of Lomé on cybersecurity has also committed to promoting the establishment of a legal and regulatory framework specific to cybersecurity and the fight against cybercrime. At this level, it calls for the establishment in all countries
of the continent of “regulatory bodies, allowing, in particular, to create investor confidence, promote the adoption of digital activities and services by users and, more generally, to accelerate the digital transformation”. The third commitment made by the Lomé summit on cybersecurity concerns the development of cybersecurity strategies and policies. This is done through awareness actions, new training, and adequate partnerships in the framework of public policy development. Its objective is to strengthen African cooperation in cybersecurity and the fight against cybercrime. The summit finally committed to promoting the creation of a “Regional Cooperation and Mutual Assistance Body on Cybersecurity and the Fight against Cybercrime in the African sub-region.”
3.3 Cybersecurity Policy Priorities in Africa
3.3.1 Strategic Approach
The complexity of cyberattacks and the financial harm they inflict on countries worldwide have grown exponentially in recent years. Cybersecurity legislation and regulations may be lacking due to a lack of innovation in the ICT sector. Legislators face a tremendous challenge in detecting emerging forms of cybercrime and enacting or amending appropriate legislation. National legislation cannot be written in isolation because of cybercrime’s cross-border and international character. Governments must endeavor to harmonize national legislation on cybersecurity problems to help create effective regional and international frameworks for combating cybercrime. It is, therefore, impossible to handle the subject of cybersecurity and cybercrime like any other regulatory issue. There has been a marked increase in interest in developing ways to deal with the new threats posed by the illegal and political uses of information technology (ICT). The safety of companies and other critical infrastructure, as well as national sovereignty and security, are all at stake when it comes to cybersecurity in African countries. The duties and responsibilities of government organizations and institutions, as well as other possible partners, must be clearly defined to combat cybercrime and destructive activities in cyberspace effectively. African countries’ values and beliefs must be reflected in the strategy and in a defined set of guidelines for identifying, managing, and mitigating cybersecurity threats. Furthermore, the complexity and international dimension of cybersecurity policies, as well as the ongoing discussions and debates on international and regional policies related to cybersecurity and cybercrime issues for the creation of a global framework, should be taken into account when drafting national and regional legislation, together with international instruments and best practices.
3.3.2 National Cybersecurity Framework
The Internet has become vital in everyday life in the twenty-first century. However, its advantages are accompanied by dangers. Given the rising number of cyber events, governments must devise effective countermeasures. At various stages, African states are developing policy tools and legislative frameworks. According to the majority of respondents, African nations are vulnerable to cyberterrorism and cyber espionage due to a lack of cybersecurity knowledge, a lack of legislative frameworks to combat cybercrime, and a lack of financial resources. Security systems are still underutilized even though legislation has been suggested in numerous nations. The ratification and translation of the AU Convention’s provisions into national cyber legislation must be expedited by AU member states to foster a cybersecurity culture and implement effective measures to improve trust and security in telecommunication and ICT networks. To prevent and combat the criminal use of the Internet and ICT on a continental scale, a high degree of integration of policies, laws, and regulatory procedures is required. Member states may take the following steps at the national level:
1. The AU Convention on Cybersecurity and Personal Data Protection should be considered while developing a national cybersecurity strategy.
2. Define the duties and responsibilities of all stakeholders participating in the formation of national cybersecurity governance.
3. Make particular provisions for cyberlaws in legal and regulatory systems.
4. The ability to monitor and protect national networks should be improved.
5. The National Computer Emergency Response Team (CERT) and/or the National Computer Security and Incident Response Team (CSIRT) should be developed.
6. Facilitate the effective exchange of digital information on a bilateral or international level.
7. Provide a long-term capacity development and technical support program to enhance the ability of national authorities to combat cybercrime and handle cybersecurity challenges.
8. Member states that do not have mutual assistance agreements on cybercrime shall sign mutual legal assistance agreements.
9. Designate a focal point to facilitate regional and international cooperation.
3.3.3 Personal Data Protection (PDP)
Personal data has become the fuel for many online activities in today’s digital environment. Data is gathered, stored, and transferred throughout the world daily. Personal data protection and privacy are becoming increasingly important as more commercial and social activities are conducted online. Transnational data flows, particularly personal data, are rising rapidly, making it necessary for governments to tighten data protection legislation. Data protection and privacy in the digital
environment are also addressed in the AU Convention, which emphasizes how important it is to protect personal data and privacy online and to ensure data processing in African Union member states respects individuals’ fundamental human rights and liberties. This is in addition to regional model laws and regional economic communities (RECs). Regarding data processing and cross-border transfers of personal information, the Malabo agreement aims to harmonize the continent-wide system and establish a standard set of norms to control the transfer of personal data. Personal data must be collected, recorded, processed, stored, and regularly sent fairly and truthfully. All personal data processing must adhere to transparency and confidentiality in all instances. A national data protection authority in the form of an independent administrative authority should be established by each member state in order to ensure that all processing of personal data complies with the provisions of the Malabo Convention, as confirmed in the Lomé Declaration. There should be suitable security measures in place to prevent the alteration or deletion of, or unauthorized access to, any interconnection of personal data files. By regulating data processing files, particularly those containing sensitive data, establishing cooperation mechanisms with third-party PDP authorities, and participating in international negotiations on personal data protection, national data protection authorities can ensure that ICTs do not threaten the civil liberties and privacy of citizens. Most African countries require PDP legislation to protect online privacy and data security while allowing Africans to benefit from ICT and the Internet for socioeconomic development (health, education, governance, and so on). The AU agreement must be implemented and legal and institutional frameworks must be put in place at the national level to safeguard cyberspace and handle data protection.
3.3.4 Capacity Building and Awareness
Security of networks and information systems is critical to fostering an environment of trust among African residents and facilitating the exchange of knowledge, information, or skills among all stakeholders, including governments, corporations, and nongovernmental organizations (NGOs). As cyber threats continue to rise, the nation’s cybersecurity capabilities must be strengthened to defend vital infrastructure. Cybersecurity concerns may be reduced by ensuring that the nation’s personnel are well-trained and competent. Every government and business employee should have cybersecurity duties to guarantee systems and networks are sufficiently protected. Member states must provide leadership for developing a cybersecurity culture among end users and assist in increasing awareness and communicating information to the public while developing strong cybersecurity capabilities among experts.
Public understanding of the potential dangers linked with computer use should be part of national policy. As part of this empowerment, training and instruction on using cyberspace safely should be provided to individual users (Bada et al., 2018).
3.3.5 Strengthening Regional and International Cooperation
One of the most important aspects of the modern world is the widespread use of ICT technologies in infrastructure and services. Cyberspace security has become a top problem for modern nations due to the increasing reliance on ICT and the interconnectivity of important assets. Technology has become the common denominator in many fields, from personal and corporate applications to health and education, energy, and even security; everyone utilizes the Internet nowadays. As a result, securing, protecting, and defending our essential political, economic, social, and individual activities have become more complex. International collaboration on cybersecurity concerns means worldwide attempts to prevent the use of ICT in a way that harms international peace and security. There is a worldwide discussion over the need for a cyberspace regulation and code of conduct and the connection between these and global security. The United Nations Group of Governmental Experts (UNGGE) agreed in June 2013 on a consensus report stating that international law, particularly the United Nations Charter, is applicable in cyberspace. It was acknowledged that high-level, real-time communication and information exchange might help develop trust and confidence between countries. The group also emphasized increasing international collaboration in preserving cyberspace, as well as the need for a secure and open global cyberspace to stimulate economic and social growth (Dalton et al., 2017). International talks show that addressing the complex issues of cybersecurity involves more than just a local reaction; rather, it necessitates a global approach involving the development of appropriate cybersecurity culture and enhancing complementary and cohesive measures.
To limit the dangers of illegal use of ICTs, including cyber espionage and cyberterrorism, it is vital to improve information sharing and contact between nations at the continental level, particularly at the foreign policy level (not merely technical). Regional, continental, and international collaboration must be strengthened through a coordinated continental approach to major cybersecurity challenges for cross-border cybercrime investigations and prosecutions. As a result of the coordinated approach, African countries should benefit from a clear understanding of the risks and vulnerabilities associated with smart technologies and the Internet of Things (IoT), as well as assistance in developing the key elements of a national cybersecurity framework necessary to prevent and combat all malicious activities on Internet networks (Kshetri, 2019).
3.3.6 The Role of the Private Sector in Cybersecurity
To be successful, government initiatives to increase cybersecurity must be supported by a strong and thriving ecosystem. Public and private entities share responsibilities for cybersecurity in many market-based economies. As a result, most companies have a strong desire and a legal responsibility to develop adequate security methods and practices. They must protect and secure the company’s assets, as well as its information technology, for the benefit of the company’s creditors and shareholders. A Chief Information Security Officer (CISO) is becoming commonplace in many businesses. Various national and international standards groups have been created to assist businesses in safeguarding their information and technology assets. There are a number of frameworks that outline the steps businesses should take to identify and protect their valuable information and technology assets, as well as to estimate the risk of such assets being lost (based on probability and impact). The confidentiality, availability, and integrity of information and technology assets are safeguarded by a variety of security controls, including managerial, operational, and technological safeguards. Risk management is an ever-changing process in all contexts. To assist in the assessment, management, and prevention of cyber threats and the coordination of incident response efforts, more and more firms are forming their own internal Cyber Incident Response Teams (CSIRTs). The responsibility of these internal teams is to carry out hands-on incident management actions inside an organization’s IT resources.
3.4 Conclusion
It was inevitable that new hazards linked to cyberattacks would arise due to an increase in the use of information and communication technology and an increase in access to the Internet for the supply and delivery of services such as e-government, banking, health, or education. Africa accounts for 10% of all global cyber incidents. No legislation or agreement can stop cybercrime on its own. A consensus has been reached that all Internet stakeholders must work together to protect Internet users’ security and privacy. A continent-wide commitment to maintaining a safe and secure online environment is required. To reap the advantages of Africa’s digital revolution and to sustain its beneficial influence on human and economic development, it is essential to have a strong digital infrastructure in place.
References
Adegoke, A., Boakye, B., & Garson, M. (2022). Cybersecurity in Africa: What should African leaders do to strengthen the digital economy? Institute for Global Change.
African Union. (2014). African Union convention on cybersecurity and personal data protection. African Union.
Bada, M., von Solms, B., & Agrafiotis, I. (2018). Reviewing national cybersecurity awareness in Africa: An empirical study.
CAF. (2022). Cyber Africa Forum (CAF).
Dalton, W., van Vuuren, J. J., & Westcott, J. (2017). Building cybersecurity resilience in Africa. The 12th international conference on cyber warfare and security.
ITU. (2022). National cybersecurity strategies repository. ITU.
Kshetri, N. (2019). Cybercrime and cybersecurity in Africa. Journal of Global Information Technology Management, 22(2), 77–81. https://doi.org/10.1080/1097198X.2019.1603527
Lebogang, V., Tabona, O., & Maupong, T. (2022). Evaluating cybersecurity strategies in Africa (pp. 1–19). https://doi.org/10.4018/978-1-7998-8693-8.ch001
Sutherland, E. (2018). Digital privacy in Africa: Cybersecurity, data protection & surveillance. https://ssrn.com/abstract=3201310
United Nations Economic Commission for Africa. (2022). The Lomé declaration on cybersecurity and fight against cybercrime. United Nations Economic Commission for Africa. https://www.uneca.org/sites/default/files/SROs/West-Africa/20220223-D%C3%A9claration%20de%20Lom%C3%A9%20sur%20la%20cybers%C3%A9curit%C3%A9%20et%20la%20lutte%20contre%20la%20cybercriminalit%C3%A9-EN%20%282%29.pdf
Chapter 4
The Moroccan View on Cybersecurity
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022
Y. Maleh, Y. Maleh, Cybersecurity in Morocco, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-031-18475-8_4
4.1 Introduction
Cybercrime is any crime committed through the use of information and communication technologies. It presents today a significant danger to the stability of all the states of the world, since it feeds on the exponential evolution of information technologies. The Kingdom of Morocco, ranked among the countries most exposed to the electronic threat, has become aware of this phenomenon. It has implemented a national cybersecurity and information systems security strategy. Several measures have been achieved on the organizational and regulatory levels to fight against cybercrime (El Azzouzi, 2010). On the organizational level, Morocco has set up the General Directorate of Information Systems Security (DGSSI); the Moroccan Center for Alert and Management of Computer Incidents (MA-CERT) under the Directorate of National Defense; Regional Laboratories for Digital Trace Analysis and Anti-Cybercrime, under the General Directorate of National Security (DGSN); and also the National Commission for the Control of Personal Data Protection (CNDP), which was recently reorganized (DGSSI 2013a, b). Since 1999, Morocco has published five digital strategies and in 2017 created a Digital Development Agency (DDA), a sign of its national ambition and vis-à-vis regional and international markets. These efforts have borne fruit as the number of Moroccans connected to the Internet has risen from 14% in 2008 to 58% in 2017. Morocco has become one of the main destinations for outsourcing IT services for French-speaking companies. This sector now represents more than 3% of the country’s GDP (Rahhal et al., 2019). On the regulatory front, Morocco has implemented laws relating to digital regulation, such as Law No. 07-03 on attacks on automated data processing systems (the first text in Moroccan law that deals with computer offenses), Law 53-05 on the
electronic exchange of legal data, and Law 09-08 on the automated processing of personal data. In addition, among the measures adopted by the Kingdom of Morocco, we cite the ratification by the Moroccan Parliament of the Budapest Convention, adopted in November 2001, on cyberattacks. This convention serves as guidelines for any country developing comprehensive legislation on cybercrime and as a framework for international cooperation against cybercrime (European Treaty Series – No. 185, 2001). Morocco’s accession to the Budapest Convention on Cybercrime has placed the Kingdom among the leading countries in the field of cybersecurity while providing it with an effective mechanism to deal with crimes committed via computer systems. To this end, the continued growth of the threat of cybercrime, especially cyberterrorism, the increased importance of information systems, and the rapid evolution of technologies require Morocco to increase the level of security and means of defense of information systems. In this perspective, the fight against cybercrime will have to be a priority in the national strategy of the fight against terrorism that our country has already elaborated on and started to execute. It requires a qualification of human skills able to analyze and understand the advanced techniques in terms of coding, programming, and computer development.
4.2 Morocco: A Target for Cyber Hackers
In early October 2021, the Central People’s Bank (BCP) denounced, in a press release, an online fraud attempt. “A fraudulent platform is currently broadcasting a pseudo-contest on behalf of the Banque Populaire. We would like to remind you that our contests are exclusively published on our platforms and we invite you to be extra vigilant in the face of Internet scams,” the statement reads. This is an example of fraud where cybercriminals pretend to be well-known organizations or companies (Interpol, 2021). But there are many other types of malfeasance, some of which can have dramatic consequences. In December 2020, the national press reported on a large-scale scam that affected several Moroccan companies. The latter were victims of hackers who hacked into the electronic mailboxes of their suppliers to embezzle funds. The daily press revealed that “these hackers took advantage of the period of confinement to steal the emails of large international companies”. They used them to send messages to Moroccan companies informing them of the opening of new bank accounts to which they had to transfer the amount of their debts. Neither the foreign suppliers nor the domestic customers were aware of this scam, which cost them considerable amounts of money. One of the victims was a Moroccan textile company with customers in Western Europe and North America. The most publicized case of cyberattacks remains the one that took place in May 2017 with the malicious virus WannaCry that affected no less than 150 countries and 300,000 users worldwide (Kaspersky, 2020).
For Morocco, which was only a collateral victim, the consequence was a production shutdown at the Renault plant in Tangier for 24 hours. The complexity of cyberattacks lies in the fact that they are cross-border attacks. From any corner of the world, even with computer equipment that is not necessarily sophisticated, cybercriminals can cause significant damage. Morocco is no exception to the rule. It is a potential target. We can recall in this regard the case of the famous Zotob virus, created in 2005 by a young Moroccan who, with a modest computer and from a working-class neighborhood, was able to neutralize the information system of the San Francisco International Airport. Morocco, a target of cyberattacks? Even if companies talk about it little or not at all, the figures reported by cybersecurity specialists confirm it. Kaspersky’s annual report on the state of cyberattacks in the world in 2020 ranks Morocco in fourth place in terms of threats on mobile devices (Kaspersky, 2020). The report states, “22.67% of Moroccan users have been affected by these cyberattacks on their phones.” A cost equivalent to 1% of global GDP? But can we have an idea about the real impact of cybercrime on the Moroccan economy? “It is difficult to assess the impact of cybercrime on the Moroccan economy, given the lack of statistics and quantitative studies on the phenomenon”. However, a correlation can be made through the figures related to the cost of cybercrime internationally, estimated at 1% of global GDP. Because of the openness of Morocco’s economy to the world, cyberattacks suffered by multinational companies directly impact their subsidiaries based in Morocco. This was notably the case for car manufacturers who were the target in 2020 of a global cyberattack of the ransomware type causing significant damage. Such subsidiaries can also be attack vectors. In addition, there is the case of victimized companies that prefer not to report cyber incidents (ITU, 2022).
In June 2021, the International Telecommunication Union (ITU) unveiled a growing global commitment to combat and reduce cybersecurity threats in the Global Cybersecurity Index (GCI). According to the report, countries are striving to improve their cybersecurity despite the challenges of COVID-19 and the rapid shift of everyday activities and socioeconomic services to the digital sphere. About half of countries worldwide report forming a national cyber incident response team (CIRT), an 11% increase since 2018. Sixty-four percent of countries have adopted a national cybersecurity strategy (NCS) through the end of the year, while more than 70% conducted cybersecurity awareness campaigns in 2020, up from 58% and 66% in 2018. Morocco ranks 50th in the world out of 194 countries, according to the GCI 2021, with a score of 83.65 points out of 100. ITU experts screen approaches related to cybersecurity through five criteria: legal aspects, technological level, governance, capacity building, and international cooperation. Morocco scored 18.40 for legal measures, 17.94 for technical measures, 12.37 for organizational measures, 15.24 for capacity building, and 18.46 for cooperation measures, placing it among the developing countries. In the MENA region, the country is ranked 8th behind Saudi Arabia (2nd in the world), the United Arab Emirates (5th), the Sultanate of Oman (21st), Egypt (23rd), Qatar (27th), Israel (36th), and Tunisia (45th). It is also second
in the Maghreb, ahead of Algeria (104th), Libya (113th), and Mauritania (133rd) (ITU, 2022). In Africa, it is in the top 5, behind Mauritius (17th), Tanzania (37th), Ghana (43rd), and Tunisia. However, despite significant improvements, the report indicates that there are still gaps in cyber capacity, particularly in sectoral CERTs and online child protection. In addition, according to a Kaspersky report, between April and June 2020, 13.4 million cyberattacks were detected in Morocco. Three significant trends stand out in this report: social engineering (techniques used by cybercriminals to entice unsuspecting users to send them their confidential data, thus infecting their computers with malware), for which Morocco is ranked 32nd in the world, local threats (48th in the world), and the role of servers hosted on the territory (61st in the world). As indicated by Quantum Global’s research laboratory, Morocco has gained attractive foreign investment in Africa and even in the MENA region (African Development Bank Group, 2018). All these factors make Morocco a likely target for cyberattacks, whether by ransomware, hacking, or breaches.
4.3 The Global and Moroccan Cybersecurity Market
Data breaches in 2020 are expected to cost an average of $3.86 million worldwide and $8.64 million in the United States. Additionally, a company’s reputation might be tarnished for years if a security breach is not detected and remedied promptly (Philippe & DBIR, 2020). PII (personally identifiable information) is the information that may be used to identify a specific individual, such as a person’s name, address, national identity number (such as a Social Security number in the United States or a bank account number in Italy), and credit card number. Data breaches, including the theft or alteration of a customer’s personally identifiable information, can result in reputational harm, financial penalties, and possibly legal action. According to Kaspersky’s July 2020 report, 13.4 million cyberattacks were detected between April and June 2020 in Morocco (the period of the first containment due to pandemic COVID-19) (Kaspersky, 2020). In its 2020 report, the CI3 (American Center for Internet Crime Complaints) estimates that $4.2 billion was lost due to cybercrimes, including $1.8 billion in email fraud and $29 million in ransomware (FBI National Press Office, 2020). This represents a 69% increase over 2019 with a cumulative $13.3 billion over the past 5 years. The study published by IDC showed that the cybersecurity industry is expected to register nearly $82 billion across all global markets in the current year. The study indicates that if the information security industry were to record this level of revenue in the current year, it would have grown by up to 8%, compared to its level last year, which was nearly $76 billion at the time. IT security spending in Europe will increase by 8.3% in 2021 (Child et al., 2020).
Cybersecurity investment in 2019 was roughly $40.8 billion, with forecasts predicting that the market will exceed US$54 billion by 2021 as a best-case scenario, taking into consideration the impact of the coronavirus (COVID-19) on the industry. Spending on cybersecurity is essential to guarantee that sensitive data, such as credit card information, is not compromised due to the widespread use of cloud services by many worldwide enterprises (World Economic Forum, 2022). A study conducted by the American Foundation “Market & Market” confirmed that Morocco had become one of the most popular African markets for investment in digital security, along with South Africa and Nigeria (marketsandmarkets, 2020). The same study confirmed that this growth in cybersecurity investments in Morocco is due to a number of factors, the main ones being the legislation and procedures put in place by the government to protect itself digitally and the high number of smartphone users connected to the Internet. The study places South Africa in first place in terms of the volume of investment devoted to digital security, given the importance of economic activities in this African country, followed by Morocco, which confirms the Kingdom’s determination in the coming period to secure communication networks and protect content and data, especially the data of public institutions. A study conducted in 2018, on the Moroccan cybersecurity market, by the Association of Users of Information Systems of Morocco (AUSIM), indicates that the vast majority of companies are aware of the importance of cybersecurity, but that the means devoted are insufficient (DATAPROTECT/AUSIM, 2018). Thus, according to this study, which focused on large companies in the service sector:
• Sixty-two percent invest less than one million dirhams (CAD 140,000) per year in cybersecurity.
• Only 45% plan to increase this amount in the short term.
Cybersecurity is rarely a priority for top management. A gap exists between top management and cybersecurity managers. For example, the COVID-19 pandemic amplified cybersecurity risks and threats. Still, despite the increased risk of cyberattacks during the COVID-19 pandemic, fewer and fewer companies are planning to invest in cybersecurity.
4.4 Political and Regulatory Concepts
Morocco is aware of its ranking among the countries most exposed to the electronic threat. Recently, it has committed itself to strengthening its national information systems security capabilities. Since 2003, Morocco has been developing a body of legislation dedicated to protection against cyber threats, starting with Law 07-03, which incorporates offenses related to automated data processing systems as defined in the Budapest Convention (Official Bulletin, 2003). In 2007, the country adopted a legal framework on cryptography, electronic signature and electronic certification with Law 53-05 (Official Bulletin, 2007). The
strengthening of the legal framework continued in 2009 with Law 09-08 on the protection of individuals with regard to the processing of personal data and the creation of the first authority in the Arab world, and also in Africa, dedicated to the protection of personal data (CNDP, 2009). Indeed, the CNDP (National Commission for Personal Data Protection) aims to ensure the proper use of personal data of Moroccan citizens. This Moroccan institution is part of the European Group of Personal Data Protection Authorities (G29). On the regulatory front, in 2011 Morocco established the Strategic Committee for Information Systems Security (CSSSI) and the General Directorate of Information Systems Security (DGSSI) under the Moroccan National Defense Administration, which is responsible for managing the center for monitoring, detection, and response to computer attacks (maCERT), strategy and regulation, assistance, training, control, and expertise and secure IS. In 2012, Morocco launched a national cybersecurity strategy to protect the IS of government agencies, public bodies, and critical infrastructure. This strategy is articulated around four axes: assessing the risks weighing on IS within administrations, public organizations and vital infrastructures; protecting and defending the IS of administrations, public organizations, and vital infrastructures; strengthening the foundations of security through a legal framework, awareness, training, and research and development; and promoting and developing national and international cooperation. In 2013, as part of this strategy, the DGSSI implemented the National Directive on Information Systems Security (DNSSI), whose objective is to raise and homogenize the level of protection and the level of maturity of the security of all IS of public administrations, organizations, and infrastructures of vital importance (DGSSI 2013a, b).
In July 2020, the House of Representatives passed Law No. 05-20 on cybersecurity to strengthen the legal arsenal in the fight against cyberattacks and cybercrimes, given the growing threats faced by the state, public institutions, and companies. Thus, as published in the Official Bulletin, August 9, 2021, decree no. 2.21.406 implements Law 05-20 on cybersecurity, developed by the administration of National Defense (DGSSI, 2020). This decree aims to define the protection measures of the IS of the state administrations, public establishments, and companies and any other legal entity of public law, as well as those of the infrastructures of vital importance and private operators. It also determines the qualification criteria for audit and cybersecurity service providers. This body is also responsible for establishing the organizational and technical rules to be applied by public administrations, local authorities, public institutions, companies, and any legal person subject to public law. The decree also defines the general framework for classifying these entities’ data and information systems. This classification is established based on analyzing the impact of incidents likely to affect security needs. Referring to the decree, the General Directorate of Information Systems Security draws up the security rules to be applied, considering the different classification levels of information systems and data. “Each entity or infrastructure of vital importance appoints an information system security manager, whose main responsibilities are to define and analyze the cybersecurity challenges and dangers
faced by that entity or infrastructure, as well as to define cybersecurity objectives, implement and monitor the security policy for its information system and submit regular reports on related threats,” the decree states. As regards the provisions specific to operators, the legal text insists on compliance with the guidelines of the national authority. Particularly noteworthy are those relating to the retention of technical data necessary for defining and analyzing any cybersecurity incident. In addition, they must take the necessary protective measures to preserve and neutralize the effects of threats or offenses against their customers’ information systems. To this end, the national authority is qualified to implement technical tools on public communications networks and Internet service providers exclusively to detect events likely to affect the security of the information systems of the customers of operators, entities, and infrastructures of vital importance. Strengthening the national sector also involves introducing a system of qualification of service providers in the areas of detection of cybersecurity incidents, analysis, investigation, and reaction to these incidents. Obtaining this qualification depends on a number of criteria, namely, the availability of the required expertise and qualification at the applicant’s premises, as well as the tools enabling it to ensure the operation and management of cybersecurity incident detection and analysis services. The Second Additional Protocol to the Budapest Convention on Cybercrime was signed at the Council of Europe on May 12, 2022, in Strasbourg as part of the International Conference on Enhanced Cooperation and Disclosure of Electronic Evidence (Council of Europe, 2020). A framework of human rights and the rule of law, including data privacy measures, governs the use of the protocol’s tools for collaboration and disclosure of electronic evidence.
4.4.1 Main Steps of Cybersecurity in Morocco
• 2003: Law 07-03 supplementing the penal code for offenses against automated data processing systems (Official Bulletin, 2003).
• 2007: First study on “National Strategy for Cybersecurity”—DEPTTI—Deloitte.
• 2008: Morocco chairs the commission 3 “Organizational Structures” of the High-Level Expert Group—Global Cybersecurity Agenda (ITU).
• 2009: Digital Confidence Program (Cybersecurity and Data Protection)—DEPTTI—AT Kearney. Law 09-08: protection of individuals concerning the processing of personal data.
• 2010: The Moroccan contribution “National Cybersecurity Management System” was approved by the ITU Plenipotentiary Conference 2010 in Mexico.
• 2010: Start of “maCERT” activities—South Korea Cooperation “Cybersecurity and Skills Development.”
• 2011: Transfer of responsibilities related to cybersecurity from the Ministry of Industry, Trade and New Technologies to the Ministry of Defense—Creation of the DGSSI.
• 2012: New National Strategy for Cybersecurity—DGSSI.
• 2013: National Directive on the security of information systems (DGSSI 2013a, b).
• 2016: Decree No. 2-15-712 establishing the protection mechanism for sensitive information systems of critical infrastructures—DGSSI.
• 2018: Ratification of the Budapest Convention on Cybercrime, Chap. 3 of which deals with international cooperation.
• 2020: Adoption by the parliament of the Law 05-20 on cybersecurity (DGSSI, 2020).
4.5 Advantages and Disadvantages of the Moroccan Approach: A Preliminary Balance
Despite this legal arsenal available in Morocco, there is still work to be done. The private sector, especially SMEs, remains relatively behind in terms of strategy, training, and cybersecurity awareness. This situation can be explained by multiple factors that are not only related to the budgets allocated to IS security or personal and professional data protection, but also the lack of a real cybersecurity culture. Cyberattacks are a daily burden for all Moroccan companies, including very small ones, but some companies only consider their security after they have suffered a cyberattack. With the adoption of laws and directives, companies and administrations have started implementing strategies to secure IS. Morocco has been accelerating its structuring in this area for several years, but, as in all countries, the level of maturity is very disparate depending on the sector of activity or the size of the company. Generally speaking, small companies with few resources are less mature than large groups. The banking sector is often the most mature because of its DNA, which is based on trust and IS. Awareness is therefore there, but we still need to work on prioritizing these aspects, which are still seen by some as a constraint rather than a vector for improvement or business. Faced with many types of threats, from simple espionage to the misappropriation or destruction of commercially valuable information, the consequences of a cyberattack can be disastrous for the image and reputation of a company. The consequences can be even more disastrous for its finances or customers. Morocco, a country with an open and liberal economy and a high connection rate, remains one of the favorite targets of cyber hackers.
As a result, protecting servers, applications (primarily web applications), and networks (computer and industrial) is becoming a key security issue, which also involves a real hunt for vulnerabilities. The challenge for these companies is fostering trust by demonstrating transparency in data collection, protocol communication, and consumer protection. It is a question of trust,
nothing more and nothing less. Without trust, there is no business and no digital transformation. Investing in security must first and foremost protect the user and the customer’s privacy and safeguard the company’s business in the long term. In 2018, AUSIM with Dataprotect conducted a study on the Moroccan cybersecurity market that indicates that the vast majority of companies are aware of the importance of cybersecurity, but that the resources devoted are insufficient (DATAPROTECT/AUSIM, 2018). When it comes to cybersecurity, 84% of businesses have a program; 86% of businesses offer training or awareness programs to employees; 86% have adopted one or more security standards (ISO 27001, DNSSI); 63% of businesses have two or fewer employees assigned to cybersecurity; 62% of businesses invest less than one million dirhams per year in cybersecurity, and only 12% of businesses spend more than one million dirhams on cybersecurity. While most companies have done a cybersecurity audit, the report shows that many just did it once rather than performing it regularly to ensure its effectiveness. The COVID-19 epidemic has accelerated company digitalization and dematerialization activities because of the increased risk of cyberattacks. Because of the pandemic’s implications and the 05-20 law’s restrictions on cybersecurity, businesses are forced to obtain the tools they need to safeguard their IS. Indeed, given the very high risk that cybersecurity represents in mapping large public or private organizations, it is a subject that is becoming a recurring item on the COMEX agenda. In most large companies, CISOs (Information Systems Security Managers) have been appointed for several years, and some have already implemented certifications such as ISO 27001. However, the situation is different for SMEs, which are lagging, while the country is experiencing an acceleration of digitalization.
Beyond cybersecurity, digital sovereignty is now at stake, something that several countries have begun to realize before developing a strategy of anticipation and cyber defense. Today, while large groups have the means to upgrade, it will be necessary to provide support programs for SMEs or at least build a cybersecurity ecosystem. In this ecosystem, SMEs can access a minimum of training, certification, services, and cybersecurity solutions. Their competitiveness and sustainability are at stake. This is a national emergency exacerbated by the growing scarcity of cybersecurity skills (Rahhal et al., 2019).
4.6 Conclusion
The challenge of securing Moroccan cyberspace has been identified for several years by the authorities. The country has a solid regulatory framework and a credible state organization. However, the lack of specialized cybersecurity profiles on the job market is a significant obstacle to the many efforts and initiatives undertaken to structure a robust cybersecurity industry and, more broadly, to increase the level of knowledge, skills, and awareness on the subject within Moroccan society. By focusing on training—both academic and in-house—and having an attractive policy
towards qualified profiles, Moroccan and foreign companies have realistic room to maneuver to make the most of the legal and state ecosystem in place, as well as the economic opportunities opened up by the kingdom on a national, regional, and international scale.
References
African Development Bank Group. (2018). African Economic Outlook 2018.
Child, M., Fouchereau, R., Helkenberg, R., Rychkov, K., Stahnke, C., Analyst, S., & Trott, D. (2020). IDC FutureScape: Worldwide security and trust 2020 predictions-European implications.
CNDP. (2009). Law 09-08_personal data protection. http://www.egov.ma/sites/default/files/Loi%20n%C2%B009-08_Protection%20Donn%C3%A9es%20Personnelles.pdf
Council of Europe. (2020). The Budapest convention on cybercrime: Benefits and impact in practice. https://rm.coe.int/t-cy-2020-16-bc-benefits-rep-provisional/16809ef6ac
DATAPROTECT/AUSIM. (2018). Les enjeux de la cybersécurité au Maroc V18. Livre Blanc.
DGSSI. (2013a). Directive Nationale de la Sécurité des Systèmes d’Information. https://www.dgssi.gov.ma/fr/directive-nationale-de-la-securite-des-systemes-d-information.html
DGSSI. (2013b). Stratégie Nationale en matière de cybersecurié. https://www.dgssi.gov.ma/sites/default/files/attached_files/strategie_nationale.pdf
DGSSI. (2020). Presentation note of law N° 05-20 on cybersecurity. https://www.dgssi.gov.ma/sites/default/files/attached_files/presentation_note_of_the_law_n_deg_05-20_on_cybersecurity_-_english_version.pdf
el Azzouzi, A. (2010). La cybercriminalité au Maroc. Ali El Azzouzi.
European Treaty Series – No. 185. (2001). Convention on cybercrime. https://rm.coe.int/1680081561
FBI National Press Office. (2020). 2020 Internet crime report. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
Interpol. (2021). Moroccan police arrest suspected cybercriminal after INTERPOL probe. https://www.interpol.int/en/News-and-Events/News/2021/Moroccan-police-arrest-suspected-cybercriminal-after-INTERPOL-probe
ITU. (2022). National cybersecurity strategies repository. ITU.
Kaspersky. (2020). Kaspersky Security Bulletin 2020. Statistics 2 Contents. https://go.kaspersky.com/rs/802-IJN-240/images/KSB_statistics_2020_en.pdf
Official Bulletin. (2003). Law 07-03. https://dgssi.gov.ma/sites/default/files/attached_files/loi_n_07-03_code_penal.pdf
marketsandmarkets. (2020). Africa cyber security market size, trends and forecast. https://www.marketsandmarkets.com/Market-Reports/africa-cyber-security-market-201727948.html
Official Bulletin. (2007). Law No. 53-05 on the electronic exchange of legal data. https://www.dgssi.gov.ma/fr/content/loi-53-05-relative-l-echange-electronique-de-donnees-juridiques.html
Philippe, L., & DBIR, A. (2020). 2020 data breach investigations report. https://www.cisecurity.org/wp-content/uploads/2020/07/The-2020-Verizon-Data-Breach-Investigations-Report-DBIR.pdf
Rahhal, I., Makdoun, I., Mezzour, G., Khaouja, I., Carley, K., & Kassou, I. (2019). Analyzing cybersecurity job market needs in Morocco by mining job ads. In 2019 IEEE global engineering education conference (EDUCON) (pp. 535–543). https://doi.org/10.1109/EDUCON.2019.8725033
World Economic Forum. (2022). Global Cybersecurity Outlook 2022. https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2022.pdf
Chapter 5
Morocco National Cybersecurity Strategy
5.1 Strategic Foundations
To implement a cybersecurity approach per the guidelines of the International Telecommunication Union, it is important to correctly identify the values and assets to be protected in order to circumscribe the security perimeter to be put in place. This implies a global, multidisciplinary, and systemic approach to security. Cybersecurity must be understood globally because information must be protected not only during its transfer but also when it is processed and stored. Technological security solutions alone cannot compensate for the lack of coherent and rigorous management of security needs, measures, procedures, and tools. The definition of a security strategy for information systems requires:
• The definition of an Information Systems Security Policy (ISSP) that translates the understanding of the risks incurred and their impacts into security measures to be implemented (Maleh et al., 2022)
• The deployment of solutions capable of securing IT systems and telecommunication infrastructures
• The implementation of a threat detection and response approach
• The implementation of an appropriate legal framework
• The encouragement of research and development in the field of IS security as well as the obligation to respect a minimum of standards
• The sensitization of all actors to promote a culture of cybersecurity
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 Y. Maleh, Y. Maleh, Cybersecurity in Morocco, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-031-18475-8_5
5.2 The Strategic Committee for the Security of Information Systems
The first National Cyber Security Strategy of Morocco was approved and adopted in December 2012 by the Strategic Committee for the Security of Information Systems (CSSSI). This committee comprises 13 different ministries and is chaired by the National Defense Administration (AND). It is responsible for establishing information security directives and guidelines for all key government entities and approving funding (DGSSI, 2013). The document was constructed on the foundation of the Digital Morocco 2013 strategy. It outlined programs and projects with the goal of “ensuring the protection of the information systems of government agencies, public organizations, and vital infrastructures, [...] as well as creating the conditions for a trusted and secure environment conducive to the development of an information society.” It emphasized the following four primary strategic priorities:
1. Analyzing potential threats to the information systems of government agencies, public organizations, and critical infrastructures
2. Securing and defending the information systems of government agencies, public organizations, and critical infrastructures
3. Enhancing the fundamental aspects of information systems security, including the legislative framework, awareness campaigns, training, and research and development (R&D)
4. Promoting national and international collaboration
Only an overview of programs and projects was included in the strategy, which meant specific operational action plans were still required for each of those programs, including concrete measures implemented according to a predefined timeline and determining which actors should contribute to the attainment of specific and quantifiable goals. According to the strategy, it was necessary to include key organizations involved in the development of the national cybersecurity strategy (CSSSI, DGSSI, etc.) in the process of defining the specific action plans that would be implemented in accordance with the needs, priorities, and constraints of the country. Figure 5.1 below shows the Morocco cybersecurity organizational chart. Although the national cybersecurity policy ends with a vow to be amended and updated regularly to reflect changing circumstances and requirements, no new version has been released as of yet. DGSSI was acknowledged as the competent entity responsible for the nation’s cybersecurity and the operationalization of the plan by the strategy, which identified the major government agencies participating in the country’s cybersecurity architecture. CSSSI oversees this combined interministerial coordinating organization, which has four directorates:
1. The Strategic and Regulation Directorate
2. The Assistance and Training Center
3. The Secured Information Systems Center
4. The Center for Detection and Response
Fig. 5.1 Morocco cybersecurity organizational chart
In Rabat, Morocco’s capital, DGSSI has a wide range of tasks, including the following:
• Ensuring that CSSSI’s directives and standards are implemented.
• Ensuring the national cybersecurity plan is being put into action.
• Establishing national information systems and critical infrastructure security standards and policies.
• Creating a yearlong strategy for all ministries to guarantee that critical national infrastructures have reliable Internet connections and are more resilient.
• Provisioning information security consulting services to both governmental and commercial sector organizations.
• Establishing a system for detecting and warning of threats to the security of national information.
• Expertise building for IT security researchers and practitioners.
• CSSSI-approved information systems security audits must be carried out in compliance with their scope and requirements.
• Establishing worldwide computer security cooperation in the form of capacity-building training courses and awareness campaigns.
• Maintaining Morocco’s compliance with international treaties and ensuring its policy objectives are met.
• Accrediting devices and service providers for digital certification and issuing certificates for the production and verification of digital signatures are some of the functions of this agency.
However, several of these tasks are still evolving and operating at varied levels of efficacy. CSSSI prepared a 2013 action plan for DGSSI to implement the principles and directives included in the national cybersecurity policy. “Raising and homogenizing the level of protection and maturity of the security of information systems of administrations, public entities, and infrastructures of vital importance” was one of the
main objectives of the National Directive on Information Systems Security (Directive Nationale de la Sécurité des Systèmes d’Information, DNSSI). For critical services, this is based on the European Union’s Network and Information Security (NIS) directive, which mandates firms to set basic standards of care for their vital services. Morocco’s directive requires the covered entities to establish basic organizational and technical security measures and submit any extra processes and action plans they need to create safeguards for their information systems. These organizations must also provide yearly reports outlining their maturity and progress in adopting the directive’s criteria. DGSSI can then recommend further action and audits based on the findings of CSSSI. It is also possible for the DGSSI to order government agencies, critical infrastructures, and private sector organizations to undergo security audits. A new national order issued in October 2018 allows the DGSSI to certify private auditors to do these audits.
5.3 The National Cybersecurity Strategy
The National Cybersecurity Strategy, which the CSSSI adopted on December 05, 2012, is organized around four strategic areas:
• Axis 1: Assessing the risks to information systems in government agencies, public bodies, and critical infrastructures
Before implementing preventive security measures, a risk analysis must be carried out to estimate the potential losses linked to a failure in the availability, integrity, or confidentiality of data, without losing sight of the fact that the significant impact is often the loss of reputation and trust in the entity concerned. The consistent and efficient implementation of secure systems within the state requires adopting risk analysis methods, policies, and security standards that are consistent and adapted to the context. The organizational and technical security measures described in these policies and standards must be applied by the various administrations, public bodies, and critical infrastructures. The risk assessment is a prerequisite for developing guidelines and defining the areas of effort that will help managers at all levels protect their information systems. This axis is subdivided into two (2) programs and eight (8) actions, as shown in Fig. 5.2. This axis will be implemented through two programs:
• Develop risk and threat assessment plans:
–– Define an evaluation grid for the degree of criticality of the IS of administrations, public organizations, and infrastructures of vital importance.
–– List, identify, and classify the IS of administrations, public bodies, and infrastructures of vital importance.
–– Periodically assess the level of risk to the IS of government agencies, public bodies, and critical infrastructures.
–– Evaluate the risk management plans adopted by government agencies, public bodies, and critical infrastructures.
–– Identify the IS of administrations and public organizations that should be supervised by maCERT.
• Implement decision support tools:
–– Conduct surveys to collect legal, technical, and procedural data related to IS security.
–– Produce statistical data and monitoring indicators.
–– Ensure technological, legal, and regulatory watch.
Fig. 5.2 Axis 1: Assessing information system risks
Fig. 5.3 Axis 2: Protect and defend the information systems
• Axis 2: Protect and defend the information systems of government agencies, public bodies, and critical infrastructures.
Information systems require physical and intangible protection against all types of threats. However, it must be recognized that no information system, whatever its level of protection, is perfectly secure. Therefore, it is necessary to have sufficient capacity to detect intrusions and react in case of an incident, treat it efficiently, and restore the operability of the affected systems quickly. This axis is subdivided into three (3) programs and eleven (11) actions, as shown in Fig. 5.3. This axis will be implemented through three programs:
• Develop national frameworks and standards:
–– Identify standards and best practices for information technology security.
–– Define the National Information Systems Security Policy (ISSP) for the benefit of administrations, public bodies, and infrastructures of vital importance.
–– Elaborate guides and frameworks to implement specific information systems security policies.
• Strengthen the security of the information systems of government agencies, public bodies, and critical infrastructures:
–– Ensure the implementation of the PSSI.
–– Study the feasibility and initiate the progressive implementation of a secure interdepartmental transmission network.
–– Involve operators and Internet service providers in IS security.
–– Encourage administrations, public organizations, and critical infrastructures to be audited to obtain ISO27001 or equivalent certification.
• Strengthen the structures for monitoring, detecting, and responding to computer incidents:
–– Strengthen the capacities of maCERT to offer the main services and integrate the maximum number of stakeholders, in accordance with international standards.
–– Encourage administrations, public bodies, and critical infrastructures, depending on the scale of their information systems, to have focal points or to set up Operational Security Centers (SOC) for information systems.
–– Formalize and implement the information exchange mechanisms relating to the treatment of alerts and incidents between maCERT and the stakeholders.
• Axis 3: Strengthening the foundations of security—legal framework, awareness, training, and research and development
The rapid evolution of technologies, infrastructures, communication, and information processing systems generates new threats. It is therefore essential to regularly check whether the legal bases in force are still appropriate. The need for a legal watch also arises from the cross-border nature of criminal acts, which to a certain extent calls into question the principle of the territorial application of legal rules. Developing education and training programs specific to IS security is also important. Managers should be able to acquire the necessary skills to participate actively in understanding and resolving cyber threats. Research and development must ensure sufficient autonomy and contribute to in-depth IS security. Operating systems and cryptography are the most important technologies to master in this context. This axis will be implemented according to four programs and ten actions, as shown in Fig. 5.4.
• Strengthening the legal framework to build digital trust:
–– Upgrade the legal and regulatory framework to take into account the specific requirements of IS security, particularly those related to electronic certification services and cryptography.
–– Examine the recommendations of regional and international institutions for possible application in national regulations.
Fig. 5.4 Axis 3: Strengthening the foundations of security
• Identify and organize training programs on technical and legal issues related to cybersecurity:
  –– Define appropriate cybersecurity competency profiles.
  –– Establish cybersecurity training programs and ensure their implementation.
  –– Promote the development and distribution of educational materials.
• Raise awareness on cyber ethics and IS security threats and risks:
  –– Implement information systems security and awareness programs.
  –– Educate the population on cyber ethics and IS security threats and risks, especially children and individual users.
• Support research and development of national IS security products to ensure scientific and technical autonomy:
  –– Encourage the development of national solutions in the field of IT security.
  –– Identify academic research in the field of IS security and monitor its progress.
  –– Identify national and international experts who could assist in solving cybersecurity problems.
• Axis 4: Promotion and development of national and international cooperation
The need for cooperation, whether at the national or international level, stems from the inherently global nature of communication networks. At the national level, practical cooperation and interaction between all relevant actors are necessary for a coherent strategy. At the international level, the dialogue on cybersecurity should promote the exchange of experience and the identification and application of compatible rules and standards. This axis will be implemented through two programs and six actions, as shown in Fig. 5.5 below.
Fig. 5.5 Promotion and development of national and international cooperation
• Identify cooperation themes and mechanisms:
  –– Identify programs and themes for cooperation.
  –– Explore opportunities for cooperation with academia, regulatory bodies, private sectors, etc.
  –– Identify and establish the mechanisms and modalities of cooperation.
• Conclude and implement partnerships:
  –– Establish partnerships with identified actors in the field of IS security.
  –– Implement and evaluate cooperation programs.
5.4 Moroccan Cybersecurity Strategy: Opportunities and Challenges
No evidence exists that Morocco’s military or intelligence services have formally defined their cybersecurity role in a policy or decree, even though Morocco has developed various cyber-related capabilities. The Royal Moroccan Armed Forces (FAR) are in charge of guaranteeing the resilience and availability of military operational networks and of managing the development of cybersecurity and cyber defense capabilities (i.e., air defense, air surveillance, ground surveillance, and special communications). Network security and data interchange between all three military branches (i.e., army, navy, and air force) are within their purview. Even though the FAR’s primary focus is border security, it is not apparent whether it has a broader cyber mandate for the country or would be activated to restore services in a national cyber disaster. It is clear that the FAR is distinct from the DGSSI because it reports directly to the King, its Supreme Commander and the Chief of the General Staff. The FAR has just established a Cyber Center of Excellence. It is part of the FAR’s Communications and Information Systems Protection Entity and is responsible for several projects. As well as putting on yearly cyber defense exercises, it assists in the event of incidents. It is also in charge of R&D and is actively working on new applications to assist with SOC implementation (CNDP, 2009; Hathaway & Spidalieri, 2018a). Moroccan military officers are being educated in cybersecurity and defense at the Royal Military Education College of Morocco (CREMS). CREMS also attempts to integrate cyber exercises into the Joint Theatre Level Simulation (JTLS). In the current state of affairs, their cyber education is restricted to tactical planning. It has yet to expand to larger cyber defense/security challenges at the strategic and operational levels. The Moroccan cybersecurity strategy is too often limited to the economic aspect.
Indeed, it is the European principals who, in the context of their offshoring activities, have pushed the public authorities to set up cybersecurity structures comparable to those at home. It is, therefore, not surprising that the champion of all these reforms has long been the Ministry of Industry, Investment, Commerce, and the
Digital Economy (Bennis Nechba et al., 2022). In contrast, in many European countries, the initiative to fight cybercrime was born around the issue of defending human rights and privacy. In the United States, it is part of the core mission of the Department of Homeland Security. Everywhere, security and safety are inseparable. Without this overall vision, Morocco’s cybersecurity strategy remains incomplete.
A modern but incomplete legal framework
Giant steps have nevertheless been taken since the adoption of the DNSSI, which is aimed at organizations of vital importance. Considerable efforts have been made in terms of awareness and obligation, with the result that these organizations now consider cybersecurity a priority. However, this effort is limited to critical organizations and leaves out most of the private sector. Since the adoption of the DNSSI in 2013, the Moroccan legal arsenal has not changed much, except for the promulgation of a few application decrees at the level of Law 09-08 (CNDP, 2009). The real issues lie in the enforcement of laws. In other words, Morocco has a legal arsenal comparable to the best in the world, but there are still many problems with applicability. Judges continue to refer to common law to prosecute cybercrime because it is more convenient than referring to new laws. For example, when a disk is confiscated from a suspect’s computer, what is to be done with this evidence, what type of intervention is to be carried out, how long is it to be kept, and how is it to be determined whether the owner is responsible for its content? There are still many grey areas, yet at the same time the number of criminal acts is increasing.
5.4.1 Insufficient Investment
The results of the study conducted by DATAPROTECT/AUSIM in 2018 show that few companies invest five million dirhams or more in cybersecurity. Most companies invest less than one million dirhams, which is low. Respondents often say they have trouble convincing senior management to invest in cybersecurity. As a result, they only invest when there is an incident. This is an issue that every cybersecurity practitioner encounters every day in the course of their duties. There is also a human resource issue (DATAPROTECT/AUSIM, 2018).
5.4.2 The Need for More International Cooperation
Morocco has recently begun to take cybersecurity seriously as a foreign policy concern. However, Morocco has recognized the importance of ICT and cybersecurity to its national security and economic development and in international trade and commerce discussions. It is more decisive in fostering regional cooperation and cybersecurity awareness. The DGSSI has signed agreements with NATO, ANSSI-France, Cybersecurity Malaysia, Spain, and India to meet the need for exchange and cooperation in
cybersecurity. It has also signed the Bucharest Convention and the Arab Convention for the fight against crimes related to information and communication technologies. Moreover, the “ma-CERT” (Moroccan Computer Emergency Response Team) has joined FIRST (the organization gathering CERTs worldwide), as well as OIC-CERT, which gathers those of the Islamic countries (NATO, 2021). Along with NATO’s “Mediterranean Dialogue” efforts to investigate cybersecurity cooperation, including the sharing of experience and training, Morocco also participates in many exercises with foreign partners, including the Mediterranean naval exercise “Phoenix Express” (Center for Nonproliferation Studies, 2021). That exercise is intended to boost regional collaboration and develop maritime domain awareness, information-sharing procedures, and operational capabilities to improve Mediterranean safety and security efforts. The yearly joint military exercise “African Lion” has also been held in Morocco since 2005 (Army Master Sgt Jim, 2021). Fifteen nations, including Burkina Faso, Canada, Chad, Egypt, Germany, Italy, France, Mali, Mauritania, Spain, Tunisia, the UK, and the United States, participated in this year’s exercise. The DGSSI organizes yearly thematic seminars on cybersecurity, which gather Moroccan and foreign experts, as well as awareness sessions on the subject (Patryk et al., 2021). It has also published several guides related to the audit of the security of information systems, the security of outsourcing information systems, the risk management of information systems security, the security of industrial information systems, the development of a continuity and recovery plan, and the modalities governing the classification of information systems.
In a few years, Morocco has developed a legislative and regulatory arsenal designed to regulate IT activities and ensure the security of citizens and critical infrastructures (Law 09-08 and DNSSI), and in July 2020, Law 05-20 dedicated to cybersecurity was passed by the Parliament (DGSSI, 2020). In July 2015, Morocco and Israel, a world leader in the field of cybersecurity, signed a cooperation agreement in cybersecurity; this agreement covers operational cooperation, research and development, and the sharing of information and skills. Recently, Mohammed VI Polytechnic University and Deloitte Morocco Cyber Center (Deloitte MCC), a Moroccan center of expertise specializing in cybersecurity and a member of the Deloitte global network, signed on Monday, May 9, 2022, a partnership agreement in the field of research and scientific and technological development. The partnership focuses on developing a certifying academic program that meets international standards. It involves setting up ambitious research and development programs to strengthen innovation and anticipate the next significant transformations (post-quantum cryptography, using artificial intelligence, etc.) and designing a professional integration path within Deloitte MCC and, more generally, within the Deloitte network. Several high-level discussions on security, counterterrorism, and the use of cyberspace by terrorists and other criminal groups have taken place between Morocco and European nations, the US, and GCC members. As an important security partner in the Maghreb region and a gateway to the larger Arab world, it has a strategic worth that extends beyond its geographic location. In addition to sharing
information and best practices on security concerns, including cybersecurity, the Moroccan and European security agencies often collaborate, and the European agencies consider Morocco their most trusted friend in the area. There is a geopolitics of cybercrime. Brazil specializes in spam, sub-Saharan Africa in Internet scams, Eastern Europe in credit card fraud, Russia in distributed denial of service, the Middle East and Morocco in website defacement, etc. There is a regional specialization of cybercrime. Unfortunately, in Morocco, there is a lack of statistics on cybercrime. We do not know how many crimes there have been, their nature, impact, etc. For a CERT to be valuable, incident reporting should be mandatory, especially for data breaches. Things should change due to the adoption of the GDPR by the European Union, which should affect Morocco in turn. Indeed, cybersecurity is a transnational phenomenon by definition. For this reason, Morocco ratified the Budapest Convention on Cybercrime in February 2014, which is the first international treaty to address computer and Internet crimes by harmonizing certain national laws, improving investigative techniques, and increasing cooperation between nations and adequate protection of human rights and freedoms (Hathaway & Spidalieri, 2018b). But few African states have ratified the Budapest Convention. Let us also point out the participation of Morocco in the CyberSouth initiative, a European project of cooperation in the fight against cybercrime in the southern neighborhood that was officially announced in March 2018 in Tunis. The project’s specific objective is to strengthen legislation and institutional capacities in cybercrime and electronic evidence, in line with human rights and the rule of law requirements. International cooperation is an absolute necessity because no country can go it alone when it comes to cybercrime.
When attacks come from foreign intruders, a multilateral approach is indispensable.
5.4.3 COVID-19 and the Challenges of Cybersecurity
The world has been grappling with the unprecedented outbreak of the coronavirus, COVID-19, for over a year. In addition to its obvious effects on the health of individuals and the economies of entire countries, the spread of the disease has caused sudden and drastic changes in the daily lives of millions. Work and study have moved to the home and videoconferencing has replaced social and professional meetings. Cybersecurity challenges have worsened due to the big move to the Internet. There are new hurdles to overcome for the country and enterprises, as they adjust to a new business model where “working from home or remotely” has become the new standard. Security is increasingly a big worry for the government and industry as they accelerate their digital transformation. There can be serious consequences if cybersecurity concerns are not properly addressed. Videoconferencing users’ personal information (such as names, passwords, and email addresses) was stolen and sold
on the dark web between February and May 2020, affecting around 500,000 people worldwide. “OpenBullet” is a hacking tool used by some. As a result, cyberattackers see the epidemic as an opportunity to step up their criminal activities by taking advantage of employees’ weaknesses in safe use of the Internet and digital content when they work from home, as well as of people’s keen interest in coronavirus-related news (such as fake and malicious websites related to the coronavirus). The key difficulty for cybersecurity departments in this emergency is to guarantee that the organization is adequately protected against cyberattacks and failures that might jeopardize its operations (Song et al., 2020). Three basic categories may be used to characterize cybersecurity challenges during and after COVID-19:
• Resilience: The challenge is to protect the organization and its users from cyberattackers who are taking advantage of the crisis climate (phishing, ransomware, etc.). If a new crisis arises, the organization and the protocols and procedures for managing continuity and emergencies need to be modified (Lengnick-Hall et al., 2011).
• Recovery: Restoring regular working methods while maintaining acceptable cybersecurity standards and repairing security infractions will be a problem. Normal working methods include face-to-face communication and local network connectivity. To be effective going forward, the cybersecurity function must also regain adequate operational skills suited to the uncertain environment, including the lessons learned from the previous months.
• New realities: In digital transformation initiatives, cybersecurity needs to be adapted to suit the demands of the company and the customers’ expectations while also considering the economic impact on the resources devoted to cybersecurity.
The post-coronavirus period can finally be a unique opportunity to build a digital industry.
This health crisis has revealed the importance of digital technology in our lives and our economies, and the extent of our dependency on it. It is up to the companies to implement the means to protect themselves. In this sense, cybersecurity responds to this challenge of protection and confidence to ensure an appropriate investment level covering cyber risks. It is seen as part of a comprehensive, integrated management approach. It is up to the company to use the solutions available against cybercrime, which are often very accessible, to protect itself effectively and guarantee absolute security in the face of possible cyber threats. The post-pandemic recovery and preparedness period is an opportunity for organizations to rebuild towards a new normal, with business resilience as an ever-present goal.
5.4.4 Towards a Moroccan Defense Agency
The conceptual field covered by war is no longer strictly military, since the political and strategic staffs have extended it to a growing number of spheres; we thus speak of economic warfare, information warfare, the war against terrorism, biological warfare, or even cyber warfare. The nature of warfare has not been altered and remains faithful to the Clausewitzian vision (van Creveld, 1991): “to force the adversary to carry out our will.” It is rather the way to do it that is constantly evolving according to technological advances and the characteristics of the threat. COVID-19 dramatically reveals that knowledge management, knowledge mobilization, and innovation are major concerns in public policy making. Morocco’s sovereignty issue must be mastered in the medium and long term, since there is no stability without health and food security, just as there is no autonomy without national production. Military and civilian (public-private) R&D in Morocco suffer from a threefold crisis: financial, cooperative, and governance. Investment in research is insufficient, while cooperation between the two is insignificant, mainly because of bureaucratic compartmentalization. The debate on the new development model offers the ideal framework to discuss and deepen the issue of technological independence for greater economic efficiency and strategic autonomy (Rachid Houdaigui, 2017). Civil-military coordination in the fields of R&D remains the most appropriate path for the national context and the pragmatic response to the low budgetary appropriations. It will enable us to make the most of the global budget (civil and military) dedicated to research and development.
The approach will have to be based on the institutional identification of priorities, the coordination of research activities (civil and military public authorities, companies, research centers), openness to international partnership, and, finally, the systematic evaluation of the effectiveness of research based on indicators to measure efficiency. The time has come to foster the conditions for a bottom-up dynamic that can make up for Morocco’s lag in these areas. However, since a defense industry backs R&D, the latter can only take shape within a specific legal framework and a national sectoral strategy. It is, therefore, necessary to create a real political framework that will underpin the pooling of research efforts in three areas: the relaunch of the new industrial policy, the establishment of a military industry, and, finally, the creation of a national agency for research in the military field, called the Moroccan Defense Agency (AMD). This policy framework should also be accompanied by a certain number of rules, principles, and good practices guaranteeing the safeguarding of the “defense secret” and reciprocity regarding the effectiveness of results. The reflection on defense policy highlights the objective of strategic autonomy, which, inspired in its construction by political will, indicates the development perspectives that should structure national strategic orientations. Adaptation is an exercise not without difficulty for Morocco, but the stakes are high. More than ever, Morocco must turn constraints into opportunities to ensure its independence is not relative!
5.5 Conclusion
In conclusion, this strategy defines the broad outlines of the programs and projects to be launched. It will be broken down into operational action plans. For each program, these plans must describe the concrete measures to be implemented according to a specific timetable while specifying the actors called upon to contribute to their accomplishment according to quantified objectives. To make Morocco a secure nation, it is fundamental to change mentalities and to make the adoption of “security by design” “natural.” Security must be systematically integrated into the technological evolution as soon as solutions are designed, whether IT or other. To translate this evolution into reality, cybersecurity must be considered from two angles: digital sovereignty and digital trust.
References
Army Master Sgt Jim, B. (2021). African Lion: National Guard supports continent’s largest military exercise. https://www.armywarcollege.edu/news/Archives/14058.pdf
Bennis Nechba, Z., Boujibar, A., & Alj, A. (2022). Good governance and digitalization in Morocco: State of the art. International Journal of Business and Technology Studies and Research. www.ijbtsr.org
Center for Nonproliferation Studies. (2021). PSI inventory of international nonproliferation organizations and regimes. https://www.nti.org/wp-content/uploads/2021/09/psi.pdf
CNDP. (2009). Law 09-08_personal data protection. http://www.egov.ma/sites/default/files/Loi%20n%C2%B009-08_Protection%20Donn%C3%A9es%20Personnelles.pdf
DATAPROTECT/AUSIM. (2018). Les enjeux de la cybersécurité au Maroc V18. Livre Blanc.
DGSSI. (2013). Directive Nationale de la Sécurité des Systèmes d’Information. https://www.dgssi.gov.ma/fr/directive-nationale-de-la-securite-des-systemes-d-information.html
DGSSI. (2020). Presentation note of law N° 05-20 on cybersecurity. https://www.dgssi.gov.ma/sites/default/files/attached_files/presentation_note_of_the_law_n_deg_05-20_on_cybersecurity_-_english_version.pdf
Hathaway, M., & Spidalieri, F. (2018a). Cyber readiness at a glance. www.potomacinstitute.org
Hathaway, M., & Spidalieri, F. (2018b). Kingdom of Morocco cyber readiness at a glance. www.potomacinstitute.org
Lengnick-Hall, C. A., Beck, T. E., & Lengnick-Hall, M. L. (2011). Developing a capacity for organizational resilience through strategic human resource management. Human Resource Management Review, 21(3), 243–255. https://doi.org/10.1016/j.hrmr.2010.07.001
Maleh, Y., Sahid, A., & Belaissaoui, M. (2022). A practical maturity for information security policy in organizations. EDPACS, 65(1), 1–11. https://doi.org/10.1080/07366981.2021.1885590
NATO. (2021). CountryFlyer 2021. https://www.nato.int/science/country-fliers/Morocco-ENG.pdf
Patryk, P., Abdel-Sadek, A., Dominioni, S., Marion, A., & Laban, Y. (2021). Great expectations: Defining a trans-mediterranean cybersecurity agenda.
Rachid Houdaigui. (2017). Defense, time for necessary adjustments. https://www.defense.gov/News/News-Releases/News-Release-View/
Song, Z., Skuric, A., & Ji, K. (2020). A recursive watermark method for hard real-time industrial control system cyber-resilience enhancement. IEEE Transactions on Automation Science and Engineering, 17(2), 1030–1043.
van Creveld, M. (1991). The clausewitzian universe and the law of war. Journal of Contemporary History, 26(3), 403–429. https://doi.org/10.1177/002200949102600304
Chapter 6
National Cyber Resilience Strategy in a Post-COVID-19 World
6.1 Introduction
Cyber threat actors are building malware or launching attacks themed around the ongoing global spread of the COVID-19 pandemic and its different variations. By exploiting the vulnerabilities of employees working from home and relying on public interest in coronavirus-related news, cyberattackers see the epidemic as an opportunity to increase their illegal operations (e.g., by creating fake malicious websites dealing with the coronavirus). The average data breach cost arising from remote work can be as high as $137,000, according to the IBM Cost of a Data Breach 2021 study (IBM Security, 2021). When the crisis ends, companies will face a security and compliance debt due to the impacts of the crisis: urgent changes to infrastructure, deviations and breaches of security policy, and lax controls. Besides, the impending economic crisis will put significant pressure on cyber budgets in several companies (Maleh, 2021). Because of technology’s crucial and ubiquitous role in facilitating COVID-19 response and recovery, cyber resilience has become a worldwide concern for governments, corporations, development organizations, and society. Building resiliency is essential in this new environment because future public health crises, climatic disasters, and geopolitical events will grow in frequency and size (Weil & Murugesan, 2020). Cyber resilience is increasingly being promoted by specific guidelines for protecting critical infrastructures, such as the NIST (National Institute of Standards and Technology) framework developed by the United States. Indeed, critical sectors are now prime targets for attackers, given the stakes involved. The financial sector is one of the most illustrative examples, as evidenced by the annual losses of financial institutions attributable to cyberattacks, which would amount to nearly 100 billion dollars according to a model conducted in 2018 by the International Monetary Fund (IMF).
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 Y. Maleh, Y. Maleh, Cybersecurity in Morocco, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-031-18475-8_6
Moreover, this institution recommends moving towards a better mastery of
the means to strengthen the resilience of financial institutions and infrastructures, reduce the probability of success of cyberattacks, and facilitate quick and smooth recovery of activities (NIST, 2018). People and organizations are in much greater need of new technology than before the COVID-19 outbreak. These new technologies are critical in limiting the spread of COVID-19 and speeding up the search for therapies and vaccinations. This pandemic has exposed unaddressed disparities in digital technology and severe technological hurdles. Access to digital technology is disproportionately denied to people of color, the elderly, people with disabilities, ethnic minorities, indigenous populations, worldwide migrants, and other internally displaced people (IDPs). Today, it is also appropriate for national actors to integrate cyber resilience into their operational strategies to be better prepared to face cyber threats. In this sense, several actions undertaken by the General Directorate of Information Systems Security (DGSSI) have strengthened the resilience of national information systems. These include the following steps:
• Strengthen the resilience of the national Internet, the primary means of interconnecting all players’ systems, both public and private. To this end, studies and technical projects have been carried out in partnership with the European Commission.
• In this respect, technical studies and projects have been carried out in partnership with the ANRT to secure the BGP and DNS protocols and to set up autonomous systems.
• Protection of sensitive information systems of critical infrastructures through the implementation of guidelines and regulatory mechanisms for the control and monitoring of security incidents.
• Improving the management of major cyber crises and events through implementing and coordinating an interministerial cyber crisis management system.
Also, and in the continuity of the initiative led by the DGSSI for the deployment of Operational Security Centers (SOC) within public entities and vital infrastructures to provide them with their supervision capabilities, it is now a question of encouraging them to reinforce the resilience of their internal systems further.
6.2 Cybersecurity and Cyber Resilience Challenges
In this emergency, cybersecurity departments’ main challenge is ensuring optimal protection against cyber threats and failures that endanger the continuity of their activities. Cybersecurity challenges during and after COVID-19 can be classified into three main categories:
• Resilience: Defending against cyberattacks that take advantage of the current crisis is a difficult task (phishing, ransomware, etc.). The organization’s continuity and crisis management strategies must be adjusted to maintain operations if a new crisis arises (Hausken, 2020).
• Recovery: Cybersecurity criteria must be met before normal working practices (such as meeting in person or connecting to a local network) may be resumed, and security breaches must be repaired. Even more important than ensuring the security department has enough operational skills in the face of uncertainty is the need to learn from the prior months’ experiences (Peter, 2017).
• New realities: As part of digital transformation initiatives, cybersecurity needs to modify its road map and operational model to fulfill the demands of businesses and customers, while accounting for the economic effect on resources committed to cybersecurity (Linkov & Kott, 2019).
6.2.1 Resilience: Maintain Activity During the Crisis by Managing Risks
Ensure the resilience and security of infrastructures and critical applications accessible on the Internet (VPN, mail servers, videoconferencing, file sharing, security tools, business applications, etc.):
• Inquire about the infrastructure’s scalability and load-bearing capabilities (hardware, licenses). As a last resort, enhance or reallocate capacity, research other alternatives, and renegotiate service and supply contract terms.
• Check the level of security of environments that may be accessed over the Internet (penetration tests, vulnerability scans, configuration reviews, architecture reviews, etc.).
• Strengthen the security of newly opened Internet environments (strong authentication, access control and monitoring, etc.).
• Adopt cybersecurity management and supervision methods (patches, backups, antivirus, monitoring) specific to the crisis context (remote work, reduced staff).
• Maintain compliance with the IS security policy by monitoring variations and breaches of the policy.
• Keep an eye on the company’s online presence, particularly the infrastructure that has been implemented (cloud and shadow IT).
Manage new risks and avoid over-incidents:
• Reassess IT and cyber risks in light of the COVID-19 crisis (cyberattacks, failure of critical IT systems, absence of key personnel).
• Analyze response capabilities to new crises: backups and restorations, availability of people and tools, adequacy of procedures, SLA of suppliers.
• Update the IT and business continuity plans, checking in particular the capacity for remote deployment.
6.2.2 Security Operation Center (SOC)
SOCs are tasked with coordinating a multilayered defense to identify, defend against, and respond to threats that may impact an organization’s cybersecurity. As part of an organization’s overall resilience plan, an SOC may be implemented by adopting a four-level operational model: data, technology, operations, and governance. When deploying SOCs, these are the most important points to remember. In terms of technology, combining SIEM and Big Data technologies is critical for detecting even unknown threats, which presently account for over 42% of all attacks. The automation of SOC operations tasks is the new buzzword: it lowers the mistake rate and management costs and frees the SOC to focus on aspects other than operations. It is all about making the most of time and resources. Using key performance indicators (KPIs) to monitor the efficacy of SOCs in real time represents the future vision for SOCs and the newest developments in this field. It is about enterprises managing security with an approach that involves people, processes, and technology to strengthen the five pillars of cyber resilience:
• Preparation, which requires establishing the most vital data, its location, its degree of susceptibility, and the level of risk that can be tolerated.
• Protection by putting in place measures to restrict the damage that an attack may do to essential infrastructure and services.
• Detection through appropriate tools for continually monitoring and correlating internal security events with external threats.
• Remediation of incidents by preestablished intervention teams with well-defined roles and tasks.
• Recovery of data and services that may have been affected by the disaster, as the final step.
Raise awareness and help employees:
• Educate staff on crisis-related dangers and best practices (best practices sheets, e-learning, phishing campaign).
• If applicable, assist workers in securing their teleworking practices, including using less-than-professional equipment and services.
6.2.3 Reestablish an Appropriate Cybersecurity System When the Crisis Is Over
Organize and oversee the restoration to the normal condition of the information system and the security posture:
• Consider how much of a financial burden the healthcare crisis has been on the nation’s security and privacy infrastructure.
• Prepare to resume nominal activities while doing a system cybersecurity “health check” (employee workstations and smartphones, business applications, external infrastructures, security tools).
• The company’s internal network should be scanned and checked before any new equipment is connected.
• Begin reactivating any momentarily halted cyber processes (backups, patches, authorizations, etc.) in a context that is still degraded compared to the previous state.
• Ensure that the backups are in order (in particular by performing restoration tests).
• Examine IT and cyber service providers for weaknesses and incapabilities.
• Bring back data that has been kept outside of the company’s systems (personal computers, cloud storage, private USB keys).
• Check the IS for any signs of an unnoticed infiltration (threat hunting).
Draw lessons from the health crisis:
• Analyze the past months of the Covid-19 crisis and identify the business, security, compliance, and privacy needs to which the degraded working methods could not sufficiently respond during the crisis (remote work, communication and collaboration solutions, dematerialized exchanges with customers and partners, online payments, sales and invoicing, access to business applications, etc.).
• Adapt the organization, policies, operational procedures, and continuity plans, taking into account the experiences acquired during the crisis (key systems and people, continuity of teams and cybersecurity systems, maintenance of a minimum-security base, management of a remote crisis).
• Evaluate the applications and solutions, especially collaborative ones, acquired and deployed in an emergency to confirm, replace, or secure them.
6.2.4 Adapt to the Post-Crisis Environment and Guarantee That the Company’s Strategy Is Aligned with the New Reality
Adapt the company’s cybersecurity chain to the realities of today and tomorrow:
• Review the risk mapping in light of the new context and identify the most important areas of risk.
• Reevaluate the company’s cyber project portfolio in light of its risk management contribution and alignment with the new strategy.
• Maintaining a consistent approach to cybersecurity in the face of a rapidly changing environment is critical to achieving the goal of rationalization.
• Aim to streamline the catalog of security measures, focusing on efficacy and efficiency.
• In particular, AI skills should be developed to automate security processes such as patch management, detection, and analysis of attacks.
• The cloud and managed services are two options for outsourcing security operations.
• Select the most critical cyber CAPEX/OPEX investments in a cost-conscious environment.
• Streamline reporting to show the value of cyber investments and their connection with the company’s overall strategy.
Support the company’s resilience programs in the face of health or other crises:
• Adopt an operational resilience strategy that includes cybersecurity as a key component.
• Prepare for and practice multi-crisis cyber catastrophes.
• Evaluate the coverage provided by cyber insurance.
• Boost supplier and subcontractor security, resiliency, and delivery capability controls.
6.3 Cybersecurity Strategy and Cyber Resilience in Morocco
In the national cybersecurity strategy adopted by Morocco in 2012, actions related to the census, identification and classification of information systems, and risk assessment directly impact the “identification” pillar. The establishment of a secure transmission network of the state, the involvement of operators and Internet service providers, the securing of websites and online public services, and, finally, the actions related to strengthening the foundations of security such as training and awareness have a direct impact on the pillar of “protection.”
Regarding the contribution of regulation, a correspondence was made between developing resilience and implementing three regulatory mechanisms. First, the National Directive on Information Systems Security (DNSSI) includes 104 security rules divided into 11 chapters inspired by the ISO 27002:2005 standard and represents the common and minimum base that all public departments are called upon to implement. It should be noted that entire chapters of this directive are devoted to incident management and business continuity, which represents a direct link to resilience.
Secondly, the system for protecting sensitive information systems of vital infrastructures was put in place through a decree in March 2016 (6ème Edition du Séminaire de Sensibilisation sur la Sécurité des Systèmes d’Information, 2018). On the one hand, this system has allowed the DGSSI to extend its field of competence to private entities belonging to sectors of vital importance (Hathaway & Spidalieri, 2018). On the other hand, it has allowed the DGSSI to implement mandatory measures such as the identification of sensitive information systems, the implementation of supervision and detection means, the declaration and treatment of security incidents, and the implementation of continuity and activity recovery plans, as well as the realization of security audits periodically conducted by the DGSSI or by service providers approved by the DGSSI. In this sense, the DGSSI has deployed some accompanying measures. These include the directive that sets out the security rules and the procedures for declaring sensitive systems, technical security guides and guidelines, and the system for approving audit providers. The latter will enable the creation of an ecosystem of expertise in evaluation and auditing at the national level and the designation of service providers who can carry out this activity according to the standards and good practices in force.
The third mechanism that has been put in place by the DGSSI is cyber crisis management. This interministerial mechanism aims to ensure better reactivity, coordinate action, and avoid improvisation. This system has been set up via a two-level organization: a decision-making level that approves the activation of the system, invites the departments concerned to be represented according to the situation, can call on external expertise, and also ensures communication with the public, and an operational level that is in charge of the operational and technical management of the crisis, from identifying the triggers to the closure.
It is important to put measures in place to build cyber resilience to global threats and attacks, including:
• Act on all IT projects by integrating security into the project life cycle.
• Strengthen automated and proactive security audits of infrastructure, networks, source code, and applications.
• Continue and accelerate the rollout of security action plans aimed at ensuring compliance of sensitive platforms with the DNSSI.
• Reinforce vigilance in the choice of cloud-based solutions in terms of risk analysis, classification, and risk mapping.
• Train and raise awareness among teams and users.
• Strengthen security governance through the implementation of an ISMS and ISO 27001 certification.
• Strengthen the bank and its subsidiaries’ SIEM and SOC monitoring systems.
• Continue and accelerate the rollout of security action plans aimed at the compliance of sensitive platforms with the DNSSI.
• Strengthen security governance through the implementation of Security Management Systems by defining roles and responsibilities in this area.
• Integrate security into the life cycle of all IT projects and reinforce vigilance regarding the choice of solutions in terms of risk analysis and mapping, asset classification, training, and awareness of teams and users.
• Set up SOCs (Security Operations Centers), continuity and disaster recovery plans, and mechanisms for managing incidents and reporting them to the DGSSI.
• Analyze past incidents and experiences and take concrete actions to build and strengthen defenses and to be able to protect against them in the future.
• Systematize periodic audits and strengthen automated and proactive security assessment systems for infrastructures, networks, source codes, and applications.
6.4 Conclusion
The post-coronavirus period may be a unique opportunity to finally build a real digital industry. This health crisis has revealed the importance of digital in our lives and our economies, and the extent of our dependence. It is up to companies to implement the means to protect themselves. In this sense, cybersecurity responds to this challenge of protection and confidence to ensure the appropriate investment level covering cyber risks. It is considered part of a comprehensive approach to integrated management. In conclusion, it is up to the company to use the solutions available against cybercrime, which are often very accessible, protect itself effectively, and guarantee real security against possible cyber threats. The post-pandemic recovery and preparedness period is an opportunity for organizations to rebuild to a new normal, with business resiliency as a pervasive goal.
References
6ème Edition du Séminaire de Sensibilisation sur la Sécurité des Systèmes d’Information. (2018). Cyber résilience: Nouvelle approche pour relever le défi du cyber risque. dgssi.gov.ma/sites/default/files/evenements/rapport_6eme_edition_version_01_03_19.pdf
Hathaway, M., & Spidalieri, F. (2018). Kingdom of Morocco cyber readiness at a glance. www.potomacinstitute.org
Hausken, K. (2020). Cyber resilience in firms, organizations and societies. Internet of Things, 11, 100204. https://doi.org/10.1016/J.IOT.2020.100204
IBM Security. (2021). Cost of a data breach report 2021. https://www.ibm.com/downloads/cas/OJDVQGRY
Linkov, I., & Kott, A. (2019). Fundamental concepts of cyber resilience: Introduction and overview. In A. Kott & I. Linkov (Eds.), Cyber resilience of systems and networks (pp. 1–25). Springer International Publishing. https://doi.org/10.1007/978-3-319-77492-3_1
Maleh, Y. (2021). Digital transformation and cybersecurity in the context of COVID-19 proliferation. IEEE Technology Policy and Ethics, 6(5), 1.
NIST. (2018). Framework for improving critical infrastructure cybersecurity, version 1.1. https://doi.org/10.6028/NIST.CSWP.04162018
Peter, A. S. (2017). Cyber resilience preparedness of Africa’s top-12 emerging economies. International Journal of Critical Infrastructure Protection, 17, 49–59. https://doi.org/10.1016/j.ijcip.2017.03.002
Weil, T., & Murugesan, S. (2020). IT risk and resilience: Cybersecurity response to COVID-19. IT Professional, 22(3), 4–10. https://doi.org/10.1109/MITP.2020.2988330
Chapter 7
Cyber Sovereignty in Morocco
7.1 The Concept of Digital Sovereignty
To unpack the concept of data sovereignty or digital sovereignty, one must first recall the historical importance and powerful hold on the political discourse of the concept of sovereignty itself. It emerged progressively, especially in Europe, through centuries of struggles between power regimes and intense philosophical and political debates, as evidenced by the writings of Jean Bodin, Grotius, Thomas Hobbes, John Locke, Montesquieu, and Rousseau (Bodin & Jean, 1992; Putterman, 2010). Sovereignty is a term that can be applied to any situation where a person or organization can act autonomously and without interference from outside forces.
The traditional concept of sovereignty was heavily inspired by Jean Bodin (Bodin & Jean, 1992), who believed that the ultimate decision-making power and exclusive right to use force in a state should be held by the ruler or sovereign. Rousseau (Putterman, 2010), a French philosopher of the Enlightenment, introduced a dramatic shift in the notion of sovereignty, from the rule of the ruler to that of the people, in his writings. Modern democracies gave rise to the concept that the people, in his view, had the ultimate authority in the state, but that they may delegate its execution to a sovereign or elected government (Linkov & Kott, 2019).
Similarly, the current concept of sovereignty, which refers to a legal entity’s ability to make its own decisions, relies heavily on the term’s legal interpretation. As a result, it is distinct from the external definition of self-sufficiency and/or full isolation, defined by autonomy and independence. Sovereignty in constitutional and international law refers to a state’s independence from other states (external sovereignty) and its internal self-organization (internal sovereignty). States are sovereign if they can operate mainly autonomously at all three levels of government, economics, and society, with other states.
This idea of sovereignty is closely tied to that of territorially defined nation-states (Weil & Murugesan, 2020).
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022. Y. Maleh, Y. Maleh, Cybersecurity in Morocco, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-031-18475-8_7
Sovereignty and the rule of law go hand in hand in modern democracies. A democratic state’s sovereignty is based on guaranteeing that its citizens can exercise their fundamental rights. It aspires to empower all people to respect their rights and exercise their authority in accordance with those rights. The state must see that this happens, especially in light of the numerous difficulties that the digital transition brings to society. So the term digital sovereignty is becoming increasingly frequent in the media as a result. State control over their digital infrastructure and the personal data of its population is one of the many possible interpretations of the term. However, the phrase is increasingly being used in a more general sense.
Global leadership is being fought over the digital technologies of today. As a result, tensions between China and the United States are rising (also known as the technical cold war). It comes down to who has the best next-generation communications, semiconductor, and AI leadership. In this context, the United States and China frequently draw on one another’s sovereignty maps. According to Trump, prominent Chinese applications like TikTok and WeChat were banned because they threatened “national security, foreign policy and the economy” of the United States (Hong & Goodnight, 2020).
Before 2011, the term “data sovereignty” was virtually nonexistent in academic and popular debate. Most of the talk about “digital sovereignty” concerns national governments’ abilities, notably in China, Russia, and France, to impose control over infrastructure and data generated on their own. However, when discussing sovereignty, several interpretations are highlighted (Budnitsky & Jia, 2021).
There are five types of discourses or views on the concept of “sovereignty” as it applies to the digital aspect:
• As a result of John Perry Barlow’s 1996 proclamation of “cyberspace independence,” which said that “cyberspace” was a new area that governments should not regulate, the term “cyberspace sovereignty” has historical importance. Milton Mueller’s “People Sovereignty in Cyberspace” presents a more contemporary (and scholarly) take on the same issue. According to Mueller, multi-stakeholder engagement in Internet governance institutions like IGFs and ICANN should be the foundation for cyberspace sovereignty.
• In today’s world, “state digital sovereignty” refers to a country’s or nation’s capabilities and attempts to manage its data and information infrastructure. Another cliché (what they term the “brand of the nation”) is the discussion of digital sovereignty to develop a distinct national vision of the Internet in the United States.
• The sovereignty of the digital natives: People and nations have more power over their data, infrastructure, and fate than previously thought, similar to the preceding perspective. Indigenous sovereignty, self-determination, and revival are all emphasized in the context of the notion of “network sovereignty.” Indigenous sovereignty can only be strengthened via the use of technology.
• This term alludes to social movements and activist organizations’ power over their data and information through software, servers, and cryptography-based technology.
• Although this viewpoint is not widely accepted, it is important to address since it relates to our power over digital devices. As a result, social activists must use free and open-source software or encrypted communication tools to maintain their technological superiority.
7.2 The Realities of Digital Sovereignty
The international community has not agreed on whether cyberspace is part of the public domain, belongs to the territory of “physical” states, or is based on national origins, highlighting the digital sovereignty issue. According to the quarterly analysis of the current and projected growth of the global information technology sector by the International Data Corporation, global spending in the field in question will increase by 6% in 2020, reaching $5200 billion.
At the current IT development stage, the digital economy’s economic geography does not present the traditional North-South divide. It is led by two countries: the United States and China. For example, they account for 75% of all blockchain-related patents, 50% of global spending on the Internet of Things, and more than 75% of the global public cloud computing market. And, perhaps most strikingly, they account for 90% of the market capitalization of the world’s 70 largest digital platforms. Europe’s share is 4%, while Africa and Latin America account for just 1%. Seven “super platforms” (Microsoft, followed by Apple, Amazon, Google, Facebook, Tencent, and Alibaba) account for two-thirds of the total market value. Thus, in many digital technologies, the rest of the world, especially Africa and Latin America, lags far behind the United States and China.
The United States, the most technologically advanced country, which in 2018 was home to 45% of the companies on the top lists of technology leaders, is the world’s largest technology market in 2020, accounting for 32% of the total, or about $1.7 trillion in 2020. Among the regions, Western Europe continues to be a significant contributor to the IT sector, accounting for about one in five dollars spent on IT worldwide (Marta Taggart & Orlando Scott-Cowle, 2021).
The coronavirus infection (COVID-19) pandemic, which is sweeping and affecting the world in 2020, has demonstrated the critical role of the high-tech sector in ensuring the continuity of social life, business, and governance and has accelerated thinking about the need for digital sovereignty in the European Union (EU). Economic considerations reinforce this concern due to the unchecked behavior of large and growing Internet companies, notably the GAFAs. The astronomical growth of GAFA has forced the EU to reflect on its digital ecosystem to avoid a monopoly of US companies and to support innovation and Internet capabilities across Europe. The technological choices made by Apple and Google have encouraged some Member States to develop their contact tracing solutions (such as Stop Covid in France) and fueled aspirations for digital sovereignty. In this context, there is growing support for a new policy approach to strengthen Europe’s strategic digital autonomy. There are growing calls in the EU for creating a European cloud and information infrastructure to strengthen European digital sovereignty and address
the fact that today the cloud and information storage market is almost exclusively dominated by non-European providers—with potentially detrimental consequences for the security and rights of European citizens. Germany and France jointly announced the Gaia-X project of the European Cloud Initiative and provided for the creation of a federated data infrastructure at the European level starting in 2020. In this context, the conclusion of a multi-annual financial framework for 2021–2027, which is currently under discussion, is crucial, as it provides for a budget of €100 billion for the Horizon Europe research program.
In the long term, creating a truly sovereign e-environment will also require addressing the lack of regulatory coordination in this area. This, in turn, raises the question of rethinking the governance arrangements currently in place within the EU, both horizontally (between sectoral regulators with parallel and sometimes overlapping competencies) and vertically (between member state and EU levels of competence) (Dalton et al., 2017).
Notably, the concept of a sovereign Internet was first introduced by Fang Binxing, known as the “father of the Chinese firewall” and one of the developers of China’s Internet censorship system, in a 2011 speech at the International Symposium on Information Security in Changsha. Four principles underlie the ideas of cyber sovereignty: each country should have complete control over its segment of the Internet, the state should be able to protect its segment of the Internet from outside attack, all countries should have equal rights to use resources on the Internet, and other countries should not control the root DNS servers through which the national segment of the Internet is accessed.
China has established itself as a significant player in the global technology market.
During the US-China trade war, the two sides have engaged in increasing competition for dominance in various areas of next-generation technologies, such as 5G networks and artificial intelligence. According to China’s policy documents, one of the country’s main economic goals is to achieve global leadership in various technology fields. China is preparing to release China Standards 2035, outlining plans to set global standards for future technologies. In 2017, China announced its ambition to become the world leader in artificial intelligence by 2030. The competition between the United States and China is mainly about who will control the global computing infrastructure and standards in this area.
A sovereign Internet would be based on technical means to counter threats, centralized management of telecommunication networks in the event of a threat, and a mechanism to control communication lines crossing national borders, as well as the introduction of a national domain name system (DNS), within the United Nations International Telecommunication Union (ITU).
Through this chapter, we will try to answer some questions: What does the term digital sovereignty mean? What are its most important manifestations and pillars? To what extent can we talk about digital sovereignty in Morocco?
7.3 Digital Sovereignty in the Time of COVID-19
When the COVID-19 pandemic emerged in 2020, much of the world’s population moved to the Internet, accelerating the digital transformation underway for decades. As children accessing the Internet from home began to take courses remotely, many employees began to work from home. Many companies adopted digital business models to maintain operations and strengthen their reputations. Many companies have also adopted digital business models to maintain their operations and sustain certain revenue streams. At the same time, mobile apps have been developed to help “track and trace” the outbreak. Researchers have used artificial intelligence (AI) to learn more about the virus and speed the search for a vaccine. In some countries, Internet traffic increased by up to 60% shortly after the pandemic, confirming the digital acceleration caused by the pandemic (Maleh, 2021).
While these activities demonstrate the enormous potential of digital transformation, the pandemic has also highlighted the gaps that remain. While some digital divides have increased in recent years, others have not kept pace, leaving some people behind in the digital acceleration brought on by COVID. In addition, the growing use of digital solutions has increased concerns about privacy, digital security, and how to achieve digital sovereignty.
COVID-19 revealed the critical importance of technology to economic and health resilience. As a result, governments have used real-time data and disease tracking tools that determine the size, spread, and distribution of the new coronavirus (SARS-CoV-2 [COVID-19]) that emerged in 2019 to inform and influence decision- and policy-making. Coronavirus has disproportionately affected people through infections, deaths, economic losses, or changes in social interactions. While people need appropriate, timely, relevant, and quality data to guide their response to a pandemic, collecting and using such data is not without risk.
Recently, concerns have been raised about data damage, group privacy, consent, racial surveillance, algorithmic targeting, and more (Weil & Murugesan, 2020).
7.4 Cyber Threats and Digital Sovereignty
Findings by Edward Snowden on the NSA’s widespread Internet monitoring program in 2013 indicated that technology is vulnerable to dominance by other nations in information and communications technology. It is not only about technological flaws when exposing information about another country’s citizens and national security secrets. American electronic operations and technology have suffered because of Edward Snowden’s revelations. As a result of the Snowden leaks, countries have rethought their approach to securing their cyber sovereignty. As it is, the phrase “cyber sovereignty” is inaccurate. State sovereignty has been compromised. However, it is vital to distinguish between concerns of strategic autonomy relating
to cyber security and cyber sovereignty as defined by international law (Pohle & Thiel, 2020).
Eighty-four of the world’s 193 countries have publicly available national cybersecurity strategies, according to open-source research using the ITU Global Cybersecurity Index (2017) and the ITU National Strategy Repository (2018), and 69 countries have translated their national cybersecurity strategies into English as of December 2017. There were mentions of countries with national cybersecurity plans in several of the documents. Still, open-source searches could not locate the essential papers (e.g., Oman and Algeria) (ITU, 2022). Only a few nations in Africa, the Middle East, and South America have a national cybersecurity strategy.
Only 15 of the 69 nations with publicly available English-language national cybersecurity strategies used sovereignty-related phrases. In the Western countries, Canada, Finland, France, Hungary, Portugal, Spain, Australia, and the United Kingdom, the phrase “sovereignty” was used in over half of the strategy formulations. The remaining half comprised people from Chile, Colombia, Ghana, Japan, Nigeria, Russia, and Saudi Arabia. The phrase “e-sovereignty” was first used by Canada.
National cybersecurity policies seldom include the idea of “sovereignty,” as seen by these findings. To infer that cybersecurity dominance is predominantly a Western notion, it is necessary to look at the nations that utilize the word. Since several nations in this category have implemented a national cybersecurity strategy, the Western nations are overrepresented in this group. Sovereignty and cyber sovereignty are included in these cybersecurity measures, although they are rarely implemented. The term “rule” appears in the paper on average thrice. In Finland, Nigeria, and Portugal, the phrase “sovereignty” appeared at least three times in their plans.
But France stood out by invoking the phrase “sovereignty” nine times in 2011 and five times in 2015 in its policies. Sovereignty is a word that is rarely used in national cybersecurity policies, and even when it is used, it is infrequent and without a defined definition. Furthermore, countries do not seem to agree on what the phrase means. In cybersecurity, however, the Westphalian idea of sovereignty appears to dominate among governments. The term “sovereignty” in the plans does not appear to evolve or be impacted by Edward Snowden’s revelations. There were 55 records published prior to Edward Snowden’s revelation in 2013 and 38 that were published following Snowden’s disclosure, according to the study. “Sovereignty” and “E” sovereignty appear in 13 publications published before 2013 and 5 released subsequently. Although there is no evident distinction between texts written before 2013 and those written subsequently, the notion of sovereignty is used differently. Only after 2013 has cyberspace security become a more prominent theme in national security agendas. To achieve digital sovereignty, we must ensure that our critical sectors, processes, and data are cyber-resilient. Growing cyber threats threaten our national security by jeopardizing key infrastructure, infiltrating social media to affect the democratic process, extorting our personal information, and stealing our intellectual property. Internal legitimacy of the state is undermined when key sections of our
government and the military cannot maintain control over essential procedures and data. Digital sovereignty and the CIA (confidentiality, integrity, and availability) principles of information security are inseparably intertwined regarding cyber dangers. There must be safeguards for autonomy not just at the level of a specific system in a certain sector (such as the sanction chain’s ICT system), but also in the larger economic, social, and democratic contexts. As an example of how the specialized government regime of ICT may erode sovereignty, consider the espionage that takes place when information from government officials is stolen (secrecy) and the cyberattacks on the automation and industrial control systems of our essential infrastructure (availability). These schemes are targeted explicitly by foreign state actors to achieve their geopolitical objectives.
Digital sovereignty can be directly translated into ICT system needs in certain circumstances. Digital sovereignty must also be seen in terms of the state’s interest in economic growth, social cohesion, and democracy and the prohibition of foreign forces from accessing sensitive information. Consider, for example, the degree of control over the underlying economic ecosystems, the quality of democratic decision-making, the faith in the rule of law, and information and data.
7.5 The Possibilities of Digital Sovereignty in Morocco
Cyber resilience is a new concept that has been added to the panorama of information systems security concepts, but it does not change security fundamentals. It just emphasizes specific aspects inherent to business continuity. Regarding strategy and regulation, these two components have contributed in one way or another to strengthening one or more of the previously mentioned pillars of resilience (i.e., preparation, identification, protection, detection, resolution, and recovery), as shown in Fig. 7.1. As an illustration, in the national cybersecurity strategy adopted by Morocco in 2012, actions related to the census, identification and classification of information systems, and risk assessment directly impact the “identification” pillar. The implementation of a secure transmission network of the state, the involvement of operators and Internet service providers, the securing of websites and online public services, and, finally, the actions related to the strengthening of the foundations of security such as training and awareness have a direct impact on the pillar of “protection”. The speaker thus made the correspondence between the programs and actions of the national strategy and the rest of the pillars of resilience. Regarding the contribution of regulation, correspondence was made between developing resilience and implementing three regulatory mechanisms. First, the National Directive on Information Systems Security (DNSSI) includes 104 security rules divided into 11 chapters inspired by the ISO 27002:2005 standard and represents the common and minimum base that all public departments are called upon to implement. He stressed
Fig. 7.1 Key pillars of cyber resilience: preparation, identification, protection, detection, resolution, and recovery
that entire chapters of this directive are devoted to incident management and business continuity, which represents a direct link to resilience. Secondly, the mechanism for protecting sensitive information systems of critical infrastructures was put in place through a decree in March 2016. On the one hand, this system has allowed the DGSSI to extend its scope of competence to private entities in sectors of vital importance (Chambre Française de Commerce et d’Industrie du Maroc, 2021; DGSSI, 2013). On the other hand, it has allowed the DGSSI to implement mandatory measures such as the identification of sensitive information systems, the implementation of supervision and detection means, the declaration and treatment of security incidents, and the implementation of continuity and activity recovery plans, as well as the performance of security audits periodically conducted by the DGSSI or by service providers approved by the DGSSI. In this sense, the DGSSI has deployed some accompanying measures. These include the directive that sets out the security rules and the procedures for declaring sensitive systems, technical security guides and guidelines, and the system for approving audit providers. The latter will enable the creation of an ecosystem of expertise in evaluation and auditing at the national level and the designation of service providers who can carry out this activity according to the standards and good practices in force. The third mechanism that has been put in place by the DGSSI is cyber crisis management. This is an interministerial mechanism whose objective is to ensure better reactivity, coordinate action, and avoid improvisation. This system has been set up via a two-level organization: a decision-making level that approves the activation of the system, that invites the departments concerned to be
represented according to the situation, that can call on external expertise, and that also ensures communication with the public and an operational level that is in charge of the operational and technical management of the crisis from identifying the triggers to the closure. In this sense, the special commission’s report on the development model recommends understanding digital as a means of continuous evolution. In line with global transformations, digital infrastructure and digital technology adoption capabilities are important determinants of a country’s competitiveness, given the increasing importance of new technologies in all sectors of the economy, which requires reliable and quality digital services. Strengthening the competitiveness of the Moroccan economy requires a proactive approach to generalizing access to high-speed Internet in all regions of the kingdom and to very high-speed Internet in areas of intense economic activity. The rehabilitation of the digital infrastructure should be accompanied by a rapid process of improving the capacity to use new technologies, as a special capacity, to intensify the internal offers of digital configuration and the standard job offer. Under digital sovereignty, the special committee’s report on the development model recommends completing the legal framework to ensure users’ digital confidence and the kingdom’s digital sovereignty. In this regard, the pace of production of legal texts and implementation decrees related to cybercrime, intellectual property, and personal data management must be accelerated, along with an institutional framework that ensures full legal recognition of digital interactions and the legal value of digital. Here, we must turn to the Agency for Digital Development in Morocco, known by its acronym ADD, a strategic institution that enjoys legal personality and financial independence and was created under Law No. 16-61, published in the Official Gazette No. 6604 of September 14, 2017. This agency, under the supervision of the government authority in charge of the digital economy, ensures the implementation of the state strategy in the field of digital development and encourages the dissemination of digital means and the development of their uses among citizens. It also aims to encourage digital management by bringing it closer to users (citizens and businesses) by developing digital product and service repositories. This is in addition to reducing the digital divide, supporting the industrial revolution 4.0, and managing change for society through training and awareness. The agency also fosters research and development, stimulates social and entrepreneurial innovation, and ensures responsible and sustainable digital inclusion (El Achouri, 2019). In addition, the Agency for Digital Development has developed a project to create an Interactive Digital Center in Morocco (IDC Morocco), an innovative academy for training and disseminating digital economy professions, including virtual and augmented reality technology (VAR). This project is part of a public-private partnership between the Agency for Digital Development; the University Mohammed VI Polytechnic; the US Agency for International Development (USAID); the Ministry of Industry, Trade, and Green and Digital Economy; the Ministry of National Education, Vocational Training, Higher Education, and Scientific Research;
and the University Mohammed the Fifth in Rabat, and the international company EON Reality. The Interactive Digital Center (IDC Morocco), which was inaugurated on February 11, 2020, allows the development of knowledge transfer solutions in the field of augmented reality (AR) and virtual reality (VR) technology for various academic and vocational training programs in order to contribute to the development of skills needed for the next-generation 4.0 industries and the expansion of the digital economy at the national and regional levels. In addition, this center provides training to young Moroccans in programming techniques for applications related to virtual and augmented reality (VAR) in education and vocational training to become future experts in this field. The center will also address the skills shortage in Morocco and North Africa by providing innovative and low-cost educational development solutions for students and professionals. Thus, this program will fight youth unemployment, promote digital sector entrepreneurship, and increase industrial productivity. This project will run for 5 years, during which it will be incubated by the Mohammed VI Polytechnic University of Benguerir, with the proactive participation of all project partners. In the expansion phase, it is envisaged to create subsidiary centers to meet the needs of beneficiaries in certain regions. Active citizenship, increased efficiency in service delivery, and inclusive economic growth and transformation are just some of the challenges faced by the public sector today. According to the Moroccan government’s aim, a digital platform would connect the public administration to the active citizen, stimulate economic growth and development, and assist regional and local integration. The government’s digital transformation will rely heavily on cloud services. Data may be processed and analyzed quickly on the cloud, resulting in actionable insights, smarter choices, and a more efficient use of resources. 
It is easier for the public to participate in decision-making when data is readily available and communicated through many channels. This makes it easier to foster cross-departmental cooperation and social inclusion. Cloud computing can be defined as “the provision, use, and billing of information technology services that dynamically adapt to demand and are delivered over a network.” These services include, but are not limited to, infrastructure (such as processing capacity and storage space), platforms, and software. With the convergence of cloud computing with the Internet of Things and 5G, a paradigm shift will occur as increasing amounts of data (due to real-time needs or intellectual property and/or data protection) will be generated and processed on a decentralized basis. Cloud services are superior to manual paper-based operations in cost reduction, data security, and open government capabilities. If you are moving to the cloud in the public sector, you need to ensure that the move complies with all standards and delivers demonstrable advantages without undue risk. For some years, Morocco has placed the digital economy at the heart of its development challenges. This naturally requires not depending on other, more advanced countries in this area. For the government, Moroccan digital sovereignty must be considered a priority, given the developments in this field and the increasing use of digital technologies in everyday life.
As part of promoting this sovereignty, the kingdom has acceded to several international conventions in this area. Still, it is also in the process of finalizing a legal framework for “digital trust.” She added that several laws have already been adopted and others will follow soon. This digital policy includes the protection of digital infrastructures in “vital” areas. On this point, the recently announced decision aims to protect information and infrastructure of vital importance and prevent attacks against them. This prevents sensitive data from being relocated or stored outside the national territory. The law also defines the conditions and technical and regulatory requirements for the security of information systems of organizations and administrations in the face of digital risks. The Mohammed VI Polytechnic University (UM6P) of Benguerir has proceeded, in early 2021, to the inauguration of its new Data Center housing the most powerful “Supercomputer” in Africa (African Supercomputing Center). With this Data Center, a world-class facility, ensuring high security, maximum availability, high flexibility, and optimal connectivity, UM6P, true to its position of excellence at the national and continental levels, is at the service of the national digital ecosystem to contribute to ensuring the kingdom’s digital sovereignty and to developing new 100% Moroccan digital services. In the same context, the Moroccan Observatory of Digital Sovereignty (OMSN) was born in June 2021 and aims to bring together companies and digital actors to emerge a sovereign Moroccan digital ecosystem. This initiative stems from an awareness of the importance of encouraging the kingdom’s technological and digital independence. 
The observatory will therefore aim to bring together technological, economic, and academic actors around studies, scientific articles to build a case for Moroccan digital sovereignty, and a reference manual on the subject, but also the organization of training cycles and workshops to popularize the principles and issues of this new challenge nationally and internationally.
7.6 Cyber Sovereignty Challenges in Morocco
In the future, the trend of increasingly promoting digital sovereignty norms may lead to the next evolution of international legal regulation of cyberspace being left to states. Suppose the idea of digital sovereignty allows key actors in international law to agree on the formulation of international cyber law. In that case, the law itself may be primarily represented and driven by state interests. If this is the case, future international cyberspace law will be based on digital sovereignty at the expense of non-state actors. These two scenarios show that international cyberspace law is difficult to implement by state actors alone and requires broader approaches to develop further rule-based regulation, freedoms, and norms of inclusive global Internet governance. At the same time, the benefits of a global Internet must be actively promoted, and key stakeholders, civil society actors, and
the business community must be engaged in a broad discussion of how to preserve and improve its future governance. The development of a long-term global strategy to preserve the Internet in its current, “non-segmented,” and truly global form should occur within institutions such as the UN Internet Governance Forum. And norms for international legal regulation in cyberspace should be developed by a broad coalition of countries, businesses, technology companies, and civil society. Where international norms in cyberspace are not yet firmly established, decisions should be dictated by practice and customary international law. As a result, now the most plausible scenario is that of a split Internet, where nations control and regulate specific Internet parts based on their national or regional interests. All of us are born with a diversity of ideas and experiences that cannot be contained by any notion or country’s control over a particular sector. Digital sovereignty and international Internet governance go hand in hand when there is diversity and technical options. The right of nations to build their Internet and cyberspace governance models is a fundamental tenet of modern democratic technology. The foundation of state sovereignty is technological democracy, which may be applied to any form of government. There are several ways in which Morocco may be a driving force in the development of regional and national Internet governance frameworks.
7.7 Conclusion
Cyber resilience must be a priority to be incorporated into the operational strategies of national agencies so that they are better prepared to deal with cyber threats and able to resume normal operations within an acceptable timeframe in the event of a major incident. Resilience is not only about technology but also about the organization and good governance as well as emphasizing the importance and necessity of coordination, exchange, and sharing between institutions.
References
Bodin, J., & Jean, B. (1992). Bodin: On sovereignty. Cambridge University Press.
Budnitsky, S., & Jia, L. (2021). Branding Internet sovereignty: Digital media and the Chinese–Russian cyberalliance. European Journal of Cultural Studies, 21(5), 594–613.
Chambre Française de Commerce et d’Industrie du Maroc. (2021). Transformation digitale: l’heure de vérité. https://www.cfcim.org/wp-content/uploads/2021/03/1034-mars-2021-Transformation-numerique.pdf
Dalton, W., van Vuuren, J. J., & Westcott, J. (2017). Building cybersecurity resilience in Africa. In The 12th International Conference on Cyber Warfare and Security.
DGSSI. (2013). Stratégie Nationale en matière de cybersécurité. https://www.dgssi.gov.ma/sites/default/files/attached_files/strategie_nationale.pdf
El Achouri, M. F. (2019). Sovereignty in Morocco: Between royal legitimacy and democratic legitimacy. Contemporary Arab Affairs, 12(3), 83–98. https://doi.org/10.1525/caa.2019.123005
Hong, Y., & Goodnight, G. T. (2020). How to think about cyber sovereignty: The case of China. Chinese Journal of Communication, 13(1), 8–26. https://doi.org/10.1080/17544750.2019.1687536
ITU. (2022). National cybersecurity strategies repository. ITU.
Linkov, I., & Kott, A. (2019). Fundamental concepts of cyber resilience: Introduction and overview. In A. Kott & I. Linkov (Eds.), Cyber resilience of systems and networks (pp. 1–25). Springer International Publishing. https://doi.org/10.1007/978-3-319-77492-3_1
Maleh, Y. (2021). Digital transformation and cybersecurity in the context of COVID-19 proliferation. IEEE Technology Policy and Ethics, 6(5), 1.
Taggart, M., & Scott-Cowle, O. (2021). New IDC whitepaper released – Trusted cloud: Overcoming the tension between data sovereignty and accelerated digital transformation. AWS Security Blog.
Pohle, J., & Thiel, T. (2020). Digital sovereignty. Internet Policy Review, 9(4).
Putterman, E. (2010). Rousseau, law and the sovereignty of the people. Cambridge University Press.
Weil, T., & Murugesan, S. (2020). IT risk and resilience—Cybersecurity response to COVID-19. IT Professional, 22(3), 4–10. https://doi.org/10.1109/MITP.2020.2988330
Chapter 8
Conclusion
Morocco’s cybersecurity strategy is paying off. The country is achieving spectacular performance, to say the least. The current data from international organizations is edifying. While Morocco ranked 93rd in 2018 according to the ranking of the International Telecommunication Union, a United Nations agency, the kingdom is currently in the top 50 worldwide. The country has risen by no less than 43 places in just two years. This result was possible thanks to the Moroccan strategy that places cyber threats at the heart of its concerns (ITU, 2022). In this sense, the Moroccan authorities will, in the coming months, move forward in this sector by strengthening cooperation with partners and enhancing national systems. Morocco has also made reasonably rapid progress in setting up and legally enforcing the fight against cybercrime (El Hamzaoui & Bensalah, 2019). The country has strongly influenced African strategy and regulation in these two areas. Beyond cybersecurity, digital sovereignty is now at stake, and several countries have begun to realize this by developing a strategy of anticipation and cyber defense. In Morocco today, a cybersecurity industry is developing, combining consulting and training with the provision of SOC (security operation center) services or the detection and processing of cybersecurity incidents (Chamkar et al., 2022). If the large groups have the means to upgrade, it will still be necessary to provide support programs for SMEs and, at the very least, to build a cybersecurity ecosystem where these SMEs can access a minimum level of services in terms of training, certification, services, and appropriate solutions. Their competitiveness and sustainability are at stake (Maleh et al., 2021). Cybersecurity is a sector of innovation par excellence. Therefore, we need an ecosystem and programs supported by the state to develop national technological know-how that can even become a soft power for the country at a regional level.
Mobilizing for all these issues is a national emergency, exacerbated by the growing scarcity of skills and the rapid evolution of technology. To address current and emerging cybersecurity threats, states and governments must continually assess and adapt their national cybersecurity strategies to the changing threat environment.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 Y. Maleh, Y. Maleh, Cybersecurity in Morocco, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-031-18475-8_8
Thinking about security in terms of governance is helpful because it highlights how various actors, both state and non-state, exercise power and authority over security, both formally and informally, at the international, national, and local levels. State authorities should develop, adopt, and update national legislation, policies, and strategies to regulate cyberspace and respond to new challenges, including privacy and personal data protection and critical infrastructure protection. Building expertise in cyberspace through education and knowledge sharing fostered by public-private partnerships (PPPs) and other means is essential to ensure good governance in cybersecurity. Cybersecurity is an issue that spans multiple sectors and different responsibilities within public bodies. Therefore, the effective implementation of the national cybersecurity strategy must be based on close cooperation between the different authorities and the private sector (Hathaway & Spidalieri, 2018). Cyber resilience, if implemented effectively, can make a powerful contribution to building long-term economic prosperity and innovation across Morocco and the rest of emerging Africa. Digital development will inevitably expose institutions to the risk of cyberattacks. Implementing a local framework would protect Moroccan actors and citizens from a strong dependence on significant international digital actors. The objective is to limit this dependence on foreign technologies and those who control them, towards the definition of a vision and a plan for national digital sovereignty in the short term. In this context, this SpringerBrief presented a report card on Morocco’s cybersecurity strategy. The aim was to establish the framework for a thorough comparative analysis of Morocco’s cybersecurity regulations. It cannot, however, guarantee a full review. Simply said, the topic of cybersecurity is just too broad for our goals.
This recognition is intended to encourage further research on all of the topics discussed in this brief to enrich existing methods for measuring the effectiveness of the national cybersecurity strategy.
References
Chamkar, S. A., Maleh, Y., & Gherabi, N. (2022). The human factor capabilities in security operation center (SOC). EDPACS, 66(1), 1–14. https://doi.org/10.1080/07366981.2021.1977026
El Hamzaoui, M., & Bensalah, F. (2019). Cybercrime in Morocco. International Journal of Advanced Computer Science and Applications, 10(4). https://doi.org/10.14569/ijacsa.2019.0100457
Hathaway, M., & Spidalieri, F. (2018). Cyber readiness at a glance. www.potomacinstitute.org
ITU. (2022). National cybersecurity strategies repository. ITU.
Maleh, Y., Sahid, A., & Belaissaoui, M. (2021). A maturity framework for cybersecurity governance in organizations. EDPACS, 64(02), 1–22. https://doi.org/10.1080/07366981.2020.1815354
Glossary
Confidentiality: Property of information that is not available or disclosed to unauthorized persons, entities, or processes.
Cyber defense: All the technical and nontechnical measures that enable a state to counter cyberattacks.
Cybersecurity: The situation sought by an information system enabling it to resist events from cyberspace likely to compromise the availability, integrity, or confidentiality of stored, processed, or transmitted data.
Cybercrime: All criminal offenses that can be committed on or through a computer system generally connected to a network.
Cyberattacks: Malicious acts against a computer device, generally via a telecommunications network.
Cyber sovereignty: Coupled with the notion of digital, sovereignty would then be translated by the fact of establishing one’s authority, as a state in particular, in cyberspace.
Cyberspace: A set of digitized data constituting an information universe and a communication environment, linked to the global interconnection of computers.
Digital sovereignty: Digital sovereignty, sometimes also called e-sovereignty, is the application of the principles of sovereignty to the field of information and communication technologies, i.e., computing and telecommunications.
Digital trust: A measure of how much Internet users trust digital life.
Electronic certificate: A document in electronic form attesting to the link between electronic signature verification data and a signatory.
Information system (IS): An organized set of resources (hardware, software, personnel, data, and procedures) that allows information to be gathered, classified, and processed in a given environment.
Information Systems Security Policy: A formalized set of strategic elements, guidelines, procedures, codes of conduct, and organizational and technical rules, aimed at protecting the organization’s information system(s).
Integrity: Guarantee that the system and the processed information are modified only by voluntary and legitimate action.
maCERT: Center Emergency Response Team or Center of Watch, Detection and Reaction to Computer Attacks in Morocco.
Maroc Numeric 2013: National Strategy for the Information Society and Digital Economy in Morocco by 2013.
Resilience: The ability to cope with a disruptive situation such as a computer failure or attack and continue functioning.
Risk: The possibility that a vulnerability could lead to damage to the operation of the business.
Risk analysis: A set of coordinated activities aimed at directing and steering an organization concerning risk to improve IS security, justify the budget allocated to IS security, and prove the credibility of the information system using the analyses performed.
Security incidents: A security incident is an event that affects the availability, confidentiality, or integrity of an asset. Examples include illegal use of a password, theft of computer equipment, intrusion into a file or application, etc.
Security Operations Center (SOC): A platform that provides security incident detection and response services.
Standards: Reference document containing precise technical specifications intended to be used as rules or guidelines.
Vital infrastructure (VII): Infrastructure and systems for which a breach in security or operation would significantly diminish the nation’s war or economic potential, security, or survivability.
Vulnerability: A security flaw in a program or a computer system.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022 Y. Maleh, Y. Maleh, Cybersecurity in Morocco, SpringerBriefs in Cybersecurity, https://doi.org/10.1007/978-3-031-18475-8