Cybersecurity in Morocco: between achievements and challenges

While Morocco has made significant strides in cybersecurity, it continues to face ongoing challenges in combating cyber threats. The evolving nature of cyber-attacks necessitates constant adaptation, conformity with international context and investment in technological solutions, human resources, national and international cooperation to ensure a robust cybersecurity posture.
Hind Idrissi, 27/11/2024

Introduction

Cybersecurity[1] refers to the practice of protecting computer systems, networks, and digital information from unauthorized access, data breaches, cyber-attacks, and other threats. It involves implementing measures to primarily ensure the confidentiality, integrity, and availability of digital assets. It is a complex and ever-evolving field due to the constantly changing threat landscape, and it requires a multi-layered approach, involving technical solutions, policies, processes, and user awareness, to mitigate risks and protect digital assets effectively.

Nowadays, cybersecurity has emerged as a crucial concern across various societal strata, particularly with the onset of the Covid-19 pandemic. The exponential growth[2] of interconnected devices constantly generating vast volumes of data, coupled with remarkable advancements in connectivity technologies, along with the prevalence of remote work and the adoption of BYOD[3] (bring your own device), have collectively contributed to a substantial increase in cyber threats. To address this global issue, Morocco has recognized since 2007 the need for cooperation among the government departments, the public and the private sector in the fight against cybercrime, the protection of personal data, and the safeguarding of legitimate interests in the use and development of information technologies.

Indeed, significant efforts have been made by various Moroccan stakeholders (government, law enforcement agencies, regulatory bodies like ANRT, cybersecurity organizations, private sector, academic and research institutions, international partners and civil society) to achieve noteworthy progress in cybersecurity, starting with the formulation of the first “National Strategy for Information Security and Digital Trust” in 2007; the introduction of the “Maroc Numeric 2013” Plan and the enactment of Law 09-08 on Personal Data Protection in 2009; the creation of the “General Directorate for Information Systems Security” (DGSSI) in 2011, which marked a significant milestone, with its associated maCERT (Moroccan Computer Emergency Response Team) becoming one of the pioneering initiatives in Africa at that time; the launch in 2013 of the new national cybersecurity strategy and the publication of the National Directive on Information Systems Security for Critical Infrastructures (IIV: Infrastructures d’Importance Vitale); and recently (from 2020), the enactment of certain laws in response to the consequences of the pandemic, including Law “05-20” for Cybersecurity and Law “43-20” for Electronic Signature and Transactions.

The Moroccan cybersecurity market has demonstrated a certain level of maturity in recent years. Moroccan companies now recognize that cybersecurity is crucial for protecting their data, systems, and reputation. They also understand the risks they face, such as data theft, ransomware attacks, online fraud, and so on. However, despite this awareness, it is true that the means dedicated to cybersecurity in Morocco are often insufficient. The budgets[4] allocated to cybersecurity may not always match the current threats and the actual protection needs. Several factors contribute to this situation, such as a lack of understanding of the real costs of cybersecurity incidents, priorities given to other areas of investment, or a shortage of specialized cybersecurity resources. Nevertheless, it is worth noting that the Moroccan government and regulatory bodies have taken steps to promote cybersecurity in the country[5]. This will be discussed in the coming sections.

 

Morocco, a Fertile Land for Cyber-Attacks

Like many other countries, Morocco has historically been a target of severe cyberattacks. With a growing and expanding digital presence and increasing reliance on information technology, the country is exposed to various cyber threats. The reasons behind Morocco being fertile ground (an attractive destination) for cybercriminals are multifaceted. Geopolitical factors, driven by political or ideological motivations, may lead threat actors to pursue their agendas or express dissent against the Moroccan government. Additionally, Morocco’s growing economy and digital infrastructure can allure cybercriminals seeking to pilfer valuable financial or intellectual assets. Geopolitical dynamics and regional conflicts also contribute, as cyber attackers exploit vulnerabilities for strategic purposes. Furthermore, hacktivist groups like “Anonymous” may specifically target Morocco to bring attention and raise awareness about specific issues or support local social movements. Moreover, state-sponsored cyber-espionage might target Moroccan government entities, businesses, or institutions to gather intelligence. Last but not least, like any interconnected nation, Morocco remains vulnerable to opportunistic attacks, where cybercriminals exploit weaknesses in information systems and networks for financial gain.

Cyber incidents can vary in their nature and impact, ranging from large-scale data breaches and ransomware attacks to targeted cyber espionage and state-sponsored hacking. Over the past decade, there have been noteworthy cyber incidents that have had a substantial impact on the country. In the following, we will highlight some of the most notable of these cyber incidents. In 2012, the website of the Central Bank of Morocco (Bank Al-Maghrib) was targeted by a hacking group known as “Anonymous Tunisia.” The attack was part of a series of cyber operations carried out by “Anonymous” in response to regional political events. In 2014, Moroccan websites, including the Ministry of Foreign Affairs and other government sites, were hacked by a group of Algerian hackers. This attack was part of the ongoing tensions between Morocco and Algeria. In 2018, Morocco’s state TV network, 2M, experienced a cyberattack that disrupted its broadcast. The hackers replaced the channel’s content with political messages. The incident attracted attention due to the sensitive nature of targeting a state-owned media outlet. In 2019, the website of the Casablanca Stock Exchange, one of Morocco’s critical financial institutions, was defaced by hackers. The attackers replaced the website’s content with political messages, raising concerns about the security of vital financial infrastructure.

When the COVID-19 pandemic hit in early 2020, many countries, including Morocco, had to quickly adapt to remote work and digital solutions to ensure the continuity of economic activities while implementing lockdowns and social distancing measures. This sudden shift to telework and increased reliance on digital technologies presented opportunities, but also challenges. As people started working from home and relying on digital communication tools, cybercriminals saw an opportunity to exploit weaknesses in security measures and carry out cyberattacks. Phishing attempts, ransomware attacks, and other types of cybercrimes increased during this period. Kaspersky’s security bulletin[6] for 2020 reported more than 13.4 million attacks detected in Morocco between April and June 2020. That year, a cybersecurity research firm also reported on a hacking campaign targeting the Moroccan academic and media sectors. The attackers used phishing emails and other tactics to compromise targets. The operation was attributed to a group with suspected links to the Moroccan government.

The African Cyber-Threat Assessment Report[7] of 2022 published by Interpol classified Morocco as the African country most affected by banking trojans[8] and stealer malware, with a staggering 18,827 attacks detected in 2022, followed by South Africa and Nigeria. For instance, the Banque Centrale Populaire (BCP) fell victim to a phishing attack[9] in October 2021. CIH Bank had also been a victim of cyberattacks on several occasions, the latest one in 2023[10], where 105 clients were deceived and 3 million Moroccan Dirhams were stolen. In a similar situation, back in 2017, numerous customers of Société Générale Maroc found funds debited from their bank accounts, despite not having initiated any such transactions[11].

In 2023, the various websites of the Moroccan News Agency (Maghreb Arab Press – MAP) were the target of a Distributed Denial of Service (DDoS) attack[12]. Such an attack seeks to make targeted machines or networks inaccessible to legitimate users by flooding the target with access requests to overwhelm the system and disrupt its services. The attack referred to regional geopolitical tensions.

 

The Inception of a Revolutionary Cybersecurity Era

Before the current emphasis on cybersecurity in Moroccan society, there were efforts to regulate information systems and automated data processing. Law 07-03[13], enacted in 2003, was a significant step in complementing the penal code in terms of offenses and intrusions related to automated data processing systems.

Law 07-03, also known as the “Moroccan Cybercrime Law”, aimed to address various aspects of cybercrime and establish legal frameworks for dealing with offenses related to information systems and automated data processing. The law introduced provisions that specifically targeted unauthorized access, data interference, system sabotage, and other cyber-related activities. It provided a legal basis for prosecuting individuals involved in cyber intrusions, hacking, identity theft, and other cyber-related offenses, and defined penalties and sanctions for those convicted of cybercrimes, which helped establish a deterrent effect. It paved the way for stronger legal enforcement and provided a legal framework to support investigations and prosecutions related to cyber incidents.

In 2007, an initiative called “Global Cybersecurity Agenda” (GCA)[14] was launched by the International Telecommunication Union (ITU), a specialized agency of the United Nations, to promote international cooperation in cybersecurity. The GCA aims to enhance cybersecurity capabilities, raise awareness, and facilitate the exchange of information and best practices among member countries. Morocco was represented within a High-Level Expert Group (HLEG) by Dr. Taieb Debbagh, as the Secretary General of the Ministerial Department in charge of Information Technologies. In the inaugural meeting, he was appointed as the president of Commission 3, which focused on “Organizational Structures.” Just to provide some context, there were 5 commissions. The first one focused on legal measures, the second on technical and procedural measures, the fourth was in charge of all aspects related to capacity building, and the fifth managed matters concerning international cooperation.

This year was also marked by the promulgation of Law 53-05[15], also known as the “Electronic Transactions Law”, which establishes the legal framework and regulations applicable to operations carried out by electronic certification service providers, including electronic data exchange, cryptography, and electronic signatures in Morocco. This law aims to facilitate secure and reliable electronic transactions, promote the use of electronic signatures, and establish guidelines for the protection and authenticity of electronic documents. It recognizes the legal validity and enforceability of electronic records and signatures, provided they meet certain requirements outlined in the law.

In July 2008, the Department of Post, Telecommunications and Information Technologies (DEPTTI) took the initiative to carry out a study in collaboration with the firm Deloitte-France, which resulted in the drawing up of the first “National Strategy for Information Security and Digital Trust”. The DEPTTI was a government department in Morocco responsible for shaping and implementing policies to oversee and regulate the postal, telecommunications, and information technology sectors in the country. Additionally, it had responsibilities related to national cybersecurity, digital economy, and other technology-related initiatives. It is worth noting that the implementation of this study was delayed in order to integrate it as a program of the National Strategy ‘Maroc Numeric 2013’.

Indeed, in 2009, Morocco launched the national strategy “Maroc Numeric 2013.”[16] This initiative was announced by His Majesty King Mohammed VI on October 9, 2009, in Rabat. This plan was an ambitious program aimed at positioning Morocco as a regional digital hub by accelerating the digital transformation of the country and promoting the development of the information and communication technology (ICT) industry. As part of the “Maroc Numeric 2013” strategy, special attention was given to Digital Trust. A specific program was implemented to promote trust and security in the digital domain. This program aimed to enhance the security of information systems, protect personal data, and foster user trust in online services.

Furthermore, it is worth mentioning the enactment of Law 09-08[17] in that same year. Also known as the “Protection of Personal Data Law,” this legislation aimed to regulate the collection, processing, storage, and use of personal data in Morocco. It sought to ensure the protection of individuals’ privacy rights and establish guidelines for businesses and organizations handling personal information. The law introduced principles and obligations for data controllers and data processors, including obtaining consent, implementing security measures, and providing individuals with rights to access, rectify, and delete their personal data. Besides ensuring effective protection of individuals against the misuse of data, the law aimed at harmonizing the Moroccan system for the protection of personal data with those of its partners, particularly European ones. In addition, the law establishes a National Commission for the Protection of Personal Data (CNDP)[18] whose role focuses on regulation and compliance with international laws, authorization and supervision for personal data processing, awareness and education, complaint handling and investigation, as well as international cooperation.

In 2010, the Moroccan Computer Emergency Response Team (maCERT)[19] was established to address and respond to cybersecurity incidents within the country. A CERT is an international specialized team that focuses on computer security incidents and provides incident response services to prevent, detect, and respond to cyber threats. The maCERT operates under the National Agency for Regulation of Telecommunications (ANRT) and collaborates with various stakeholders to enhance cybersecurity in Morocco. Its primary role is to coordinate incident response efforts, provide guidance and assistance to affected entities, and promote cybersecurity awareness and education. Since its inception, maCERT has been actively involved in safeguarding Morocco’s digital infrastructure and ensuring the protection of individuals, organizations, and critical information systems from cyber threats.

The year 2011 was a major turning point in the development of cybersecurity in Morocco. First came the creation of the DGSSI (Directorate General of Information Systems Security) by decree n° 2-11-509[20] on September 21, 2011. This organization, attached to the National Defense Administration, plays a vital role in formulating national policies, strategies, and standards related to information systems security. It collaborates with various stakeholders, including government agencies, private sector organizations, and international partners, to strengthen cybersecurity capabilities and mitigate cyber threats. It works on establishing legal frameworks for cybersecurity (including authorizations, declarations, certifications and verification approaches), ensuring technological monitoring and auditing, developing incident response plans, promoting best practices in information security, and conducting awareness campaigns to educate individuals and organizations about cybersecurity risks. The maCERT was attached to the DGSSI after its foundation.

Another important event marking the year 2011 was the enactment of Law 31-08[21] on Consumer Protection. This law strengthens consumer rights and provides legal safeguards in various commercial transactions, including online commerce. The law aims to protect consumers from unfair practices, ensure the quality and safety of products and services, and promote fair competition. Regarding online commerce, the law establishes rules and obligations for online sellers, such as providing clear and accurate product descriptions, transparent pricing, and secure payment methods. The law also addresses issues such as consumer information, delivery and return policies, and dispute resolution mechanisms. It empowers consumer protection associations and government agencies to monitor and enforce compliance with the law.

The National Cybersecurity Strategy (SNC)[22], also called National Strategy for Information System Security (SNSSI), adopted in 2012, was indeed an essential step taken by the country to strengthen its cybersecurity and safeguard critical information infrastructure. The strategy was developed to tackle the increasing risks and challenges presented by cyber threats and attacks in the digital age. By implementing this strategy, Morocco aimed to achieve several key objectives, including 1) Protecting Critical Infrastructure (energy, finance, transportation, etc.) from potential cyber-attacks that could have severe consequences on the country’s stability and economy; 2) Enhancing Cyber Incident Response through effective and coordinated actions to mitigate the attacks’ impact and recover swiftly; 3) Strengthening Legal and Regulatory Framework to combat cybercrime effectively; 4) Promoting Cybersecurity Awareness and Education about the risks associated with cyberspace and how to stay safe online; 5) Encouraging collaboration between the government and the private sector, partnerships with industry stakeholders and international cooperation.

In August 2014, Morocco promulgated Law No. 46-13 approving the Council of Europe’s Convention for the Protection of Individuals regarding Automatic Processing of Personal Data, commonly known as “Convention 108.”[23] This Convention was opened for signature on January 28, 1981, and it is indeed the first legally binding international instrument in the field of data protection. The main purpose of Convention 108 is to ensure that every individual, regardless of their nationality or place of residence, enjoys respect for their privacy rights. It acknowledges the importance of privacy in the rapidly evolving technological landscape, where personal data can be easily collected, stored, and shared through various automated means, primarily through the Internet. Another notable initiative that year was the launch of an extensive four-year awareness-raising campaign, “the Moroccan National Campaign to Fight Cybercrime (CNLCC 2014-2017)”, by the Moroccan Centre for Polytechnic Research and Innovation (CMRPI)[24], under the aegis of the Moroccan Ministry of Industry, Commerce, Investment and Digital Economy. This campaign is the first such experiment of its scale in Africa. Its primary goal was to foster good and responsible cybersecurity practices within Moroccan society, and it targeted the public and private sectors as well as citizens across various age groups.

The main event of the year 2015 was the publication of the first version of the ‘Global Cybersecurity Index’ (GCI)[25] by the International Telecommunication Union (ITU). The GCI is a survey that measures the commitment of ITU member states towards cybersecurity to raise public awareness. It assesses the achievements of each country in terms of legal framework, technical measures, organizational structures, skill development, and cooperation regarding cybersecurity. This index ranked Morocco at the 24th position globally, 3rd in Africa, and 4th among Arab countries. At the same time as the release of the initial GCI edition, the ITU created a “Cyberwellness Profile” for each country[26], encompassing all the achievements of that country concerning cybersecurity and safeguarding of personal data. Morocco’s profile outlined specific legal and regulatory aspects related to cybersecurity and cybercrime, along with important technical measures like standards, certification, and specialized entities. The profile also provided an overview of officially endorsed national strategies and the roadmap for cybersecurity governance in Morocco, as well as the agency responsible for their implementation. It included a section on capacity building, highlighting key elements related to workforce development, professional certification, and agency accreditation. Notably, at that time, Morocco lacked officially recognized national or sector-specific research and development (R&D) initiatives aimed at cybersecurity standards, best practices, and guidelines applicable in both the private and public sectors.

The profile acknowledged Morocco’s efforts to establish international cooperation and partnerships, although the country had not yet instituted officially recognized national or sector-specific programs for sharing cybersecurity resources between the public and private sectors. Furthermore, it emphasized progress in child online protection through national legislation and participation in international conventions and protocols. However, as of that time, Morocco had not established an officially recognized agency or reporting mechanisms to provide institutional support for child online protection.

March 2016 saw the publication of decree No. 2-15-712[27] establishing the framework for the protection of sensitive information systems of vital infrastructures. This decree, approved by the government convened under the presidency of His Majesty King Mohammed VI, materialized the national directive for the security of information systems developed by the DGSSI, which applies to all information systems of administrations, public bodies, and critical structures. In June of the same year, Bank Al-Maghrib released Directive No. 3/W/16[28], outlining the essential regulations that credit institutions must adhere to when performing penetration tests on their information systems.

The year 2017 was marked by the publication of the second edition of the “Global Cybersecurity Index” (GCI)[29], placing Morocco at the 49th position globally, 4th in Africa, and 7th among Arab nations. The second significant event in this year concerns the development of a new directive by the DGSSI. This directive outlined security protocols and reporting procedures for sensitive information systems and security incidents within critical infrastructure. It complements the rules contained in the National Information Systems Security Directive (DNSSI)[30] and the Decree on Vital Infrastructure developed in 2013.

In 2018, the third edition of the GCI[31] ranked Morocco 93rd globally, 16th in Africa, and 10th among Arab countries. This decrease in ranking could be explained by the fact that the ITU completely changed its methods of data collection and evaluation (for example, the number of questions was reduced from 153 to 50, weighting values were reevaluated and modified, etc.). Additionally, elements related to online child protection were included in the questions and scoring, for which the ITU could not access all the relevant information. It should be noted that, according to the ITU, Morocco’s score was impacted by weaknesses in the “Legal Framework” and “Capacity Building” areas. In the same year, PwC-Maroc published the first ‘Global State of Information Security® Survey – Focus Morocco’[32], specifying that the majority of Moroccan companies are aware of cybersecurity challenges and are implementing investment plans for robust cybersecurity solutions. However, compliance remains a major obstacle.

In 2019, the DGSSI established a reference framework[33] that consolidates the requirements to be met by audit service providers for their accreditation. This system serves as a trust indicator when entrusting audit missions to accredited providers.

The year 2020 was marked by significant disruptions for organizations on a global scale. The unprecedented world pandemic and the acceleration of digital transformation paved the way for a shift towards remote work, thereby substantially raising the risk level regarding information security. This year saw the enactment of two important laws: Law 05-20[34] aimed at establishing a legal framework recommending entities to adhere to minimum rules and security measures to ensure the reliability and resilience of their Information Systems, and Law 42-20[35] concerning trust services for electronic transactions with the objective of implementing a new legal framework that meets the needs of economic, public, private, governmental, and citizen actors, through the organization of electronic signatures, electronic seals, electronic timestamping, secure electronic transmission services, and website verification.

In June 2021, the DGSSI (General Directorate for Information Systems Security) and the ‘Global Cyber Security Capacity Centre’ at the University of Oxford organized meetings to assess the maturity of cybersecurity at the national level. This analysis was conducted using the Cybersecurity Capacity Maturity Model (CMM) for nations and resulted in five dimensions to be considered: 1) Develop a cybersecurity policy and strategy; 2) Promote a responsible culture and society in cybersecurity; 3) Enhance knowledge and capabilities in cybersecurity; 4) Establish effective legal and regulatory frameworks; and 5) Manage risks through standards and technologies. On June 29, 2021, the ITU (International Telecommunication Union) published its fourth ‘Global Cybersecurity Index’ (GCI)[36], which ranked Morocco in 50th place out of 182 countries, marking a significant improvement of 43 positions compared to the previous evaluation.

In May 2022, the Deloitte Morocco Cybersecurity Center (MCC) signed a partnership agreement[37] with the Mohammed VI Polytechnic University (UM6P) aimed at promoting research and development in cybersecurity with a focus on ‘Pan-African development.’ The agreement also aims to support talent development through education and research projects. Additionally, in the same year, Morocco signed the 2nd Additional Protocol to the Budapest Convention on Cybercrime in Strasbourg[38], which focuses on strengthening cooperation and the disclosure of electronic evidence.

Among the significant milestones accomplished in 2023, one notable achievement is the publication by the DGSSI in March 2023 of a list comprising eight certified service providers[39]. This list includes four Moroccan companies (Dataprotect[40], LMPS[41], DXC Technology[42], and Near Secure[43]), and four representatives from international corporations (Thales Holding Morocco, Orange Cyberdefense Maghreb and West Africa, PwC, and Sekera Services).

 

Cybersecurity Wellness in Morocco: Challenges and Recommendations

Enhancing the digital security posture of Morocco is crucial, and this effort involves tackling various challenges that cybersecurity in the country encounters. Some of the key challenges include:

  • Lack of awareness and education about cybersecurity threats and best practices, which can result in poor security hygiene and high vulnerability to cyberattacks.
  • Shortage of skilled and well-trained workforce to effectively combat evolving cyber threats.
  • Budget constraints encountered by small and medium-sized enterprises (SMEs) as well as public institutions when it comes to making substantial investments in robust cybersecurity measures and solutions.
  • Regulatory and compliance gaps, particularly in terms of incomplete legislation, inadequate penalties, industry-specific regulations and international standards alignment.
  • Cross-border threats: with limited international agreements and varying legal frameworks among countries, cross-border threats present several challenges, such as the difficulty of identifying the exact source of a cyberattack and the complexity of determining which country’s laws apply and how to collaborate with foreign authorities.
  • Legacy systems: some critical infrastructure and government systems in Morocco still use legacy systems that rely on outdated and unsupported technology, which are often more vulnerable to cyber threats, mainly because of their incompatibility with modern security measures, the lack of security updates, and the difficulty in implementing access controls.
  • Growth of cybercrime, notably ransomware attacks, social engineering attacks and financial fraud, which poses a significant threat to all of society. These attacks have become prevalent in Morocco and exploit human psychology and ignorance to bypass technical security measures, causing severe consequences and financial losses for businesses and individuals.
  • Absence of well-defined incident response planning in many organizations, including those in Morocco. This lack of preparedness can have serious consequences such as delayed response leading to potential impact, financial and reputational damages, regulatory non-compliance leading to penalties, as well as confusion and panic among employees and stakeholders.

To enhance cybersecurity wellness in Morocco, a holistic approach involving individuals, businesses, government agencies, and cybersecurity professionals is crucial. Here are some recommendations to strengthen cybersecurity in the country:

  • National Cybersecurity Strategy: Establish and execute a comprehensive national cybersecurity strategy outlining the country’s cybersecurity goals, priorities, and action plans.
  • Public Awareness Campaigns: Initiate cybersecurity-focused awareness campaigns to educate individuals, employees, businesses and governmental bodies about the significance of cybersecurity and the perils of cyber threats, as well as to promote safe online practices, and how to identify and respond to attacks and scams.
  • Education and Training: Allocate resources towards cybersecurity education and training initiatives across various levels, spanning from educational institutions like schools and universities to businesses and government organizations.
  • Regulatory Framework: Strengthen and enforce cybersecurity regulations and standards, particularly for critical infrastructure sectors, and encourage compliance with international cybersecurity standards and best practices.
  • Skilled Workforce Development: Promote cybersecurity workforce development through investments in training programs, certifications, and initiatives aimed at attracting and retaining skilled professionals in the field of cybersecurity.
  • Regular Software Updates: Ensure that software and systems are regularly updated with security patches to address known vulnerabilities.
  • Incident Response Planning: Develop and regularly test and update incident response plans for both businesses and government entities, with the goal of reducing the impact of cyberattacks and ensuring a swift recovery.
  • Regular Security Audits: Regularly perform security audits and evaluations on critical infrastructure and government systems to identify vulnerabilities and prioritize remediation. Additionally, share the outcomes and insights gained to enhance overall cybersecurity practices.
  • Incident Reporting: Encourage organizations to report cyber incidents promptly to appropriate authorities to facilitate investigation and response.
  • Continuous Monitoring: Integrate continuous monitoring solutions to detect and react to cyber threats in real-time.
  • Investment in Technology: Keep updated with the most recent advancements in cybersecurity technologies and solutions to protect against evolving threats. This includes leveraging tools like intrusion detection systems, endpoint security, cyber-intelligence resources, and network monitoring technologies.
  • Government Support for SMEs: Provide support and resources to small and medium-sized enterprises (SMEs) to improve their cybersecurity posture.
  • Public-Private Partnerships: Foster collaboration and partnerships between government, businesses, and cybersecurity organizations to enhance cybersecurity capabilities and share resources for collective defense.
  • International Collaboration: Collaborate with international organizations and neighboring countries on cybersecurity initiatives, norms/practices and information sharing to combat cross-border cyber threats.
  • Continuous Improvement: Recognize that cybersecurity is an ongoing process, and continuous improvement is essential. Stay vigilant, adapt to emerging threats, and update strategies accordingly.

By implementing these recommendations and fostering a culture of cybersecurity, Morocco can strengthen its cybersecurity posture, protect critical infrastructure, and mitigate the risks associated with cyber threats. Collaboration, education, and proactive measures are key to building a more secure digital environment in the country.

 

Conclusion

Morocco has made significant strides in the field of cybersecurity, reflecting its growing recognition of the importance of protecting its digital infrastructure and data. First, Morocco has demonstrated a commitment to enhancing cybersecurity by creating dedicated institutions and frameworks such as the DGSSI, the ANRT, the ma-CERT, the CNDP, and the CRMPI. Additionally, the Moroccan government has enacted cybersecurity-related laws and regulations aimed at addressing various aspects of cyber threats, data protection, and cybercrime. Morocco acknowledged early the significance of raising awareness and education regarding cybersecurity threats and has been a pioneer in launching educational programs and awareness campaigns targeting businesses and individuals. Furthermore, Morocco has actively engaged in private sector involvement and in collaboration with international organizations, such as the African Union (AU) and the International Telecommunication Union (ITU), as well as with neighboring countries, to bolster the country’s cybersecurity defenses. Morocco has clearly recognized the importance of a robust cybersecurity posture for the economic well-being of the country, and has shown its vigilance regarding the ever-changing landscape of cyber threats and the new challenges raised by technological advancements (IoT, Cloud computing, mobile technologies, etc.). This awareness has led to consistent efforts to adapt and strengthen cybersecurity measures while complying with regulations and staying current with the latest technological developments. Finally, like any country, Morocco continues to face ongoing challenges in combating cyber threats. This necessitates constant adaptation and investment in human resources, international cooperation and technological solutions to ensure a robust cybersecurity posture.

 

Footnotes

[1] Cybersecurity and Cyberwar: What Everyone Needs to Know. P.W. Singer and Allan Friedman, Oxford University Press 2014. ISBN: 978-0-19-991811-9, 306 pages

[2] The number of Internet of Things (IoT) devices worldwide is forecast to almost double from 15.1 billion in 2020 to more than 29 billion IoT devices in 2030 (https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/). The Consumer IoT market in Morocco is projected to reach €0.86bn by 2023, and continue with an annual growth rate (CAGR 2023-2028) of 2.44%, leading to a market volume of €0.97bn by 2028 (https://es.statista.com/outlook/tmo/internet-of-things/consumer-iot/morocco).

[3] BYOD stands for “Bring Your Own Device.” It is a practice where employees or individuals are allowed to use their personal electronic devices for work-related tasks and access corporate networks or data. BYOD is often implemented to enhance flexibility and convenience for employees, as they can use devices with which they are familiar, but it also presents challenges related to security, data privacy, and device management.

[4] It is difficult to determine the level of funding dedicated to further developing cyber-capabilities within Morocco because the budget is not publicly available.

[5] Taieb Debbagh, « 15 ans de Cybersécurité au Maroc » 2020. https://cyber4d.org/le-livre-blanc/

[6] Kaspersky. (2020). Kaspersky Security Bulletin 2020 – Statistics. https://go.kaspersky.com/rs/802-IJN-240/images/KSB_statistics_2020_en.pdf

[7] INTERPOL (2022). African Cyber-Threat Assessment Report. https://www.interpol.int/fr/content/download/19174/file/African%20Cyberthreat%20Assessment%20Report%202022-V2.pdf

[8] Trojans can be installed through phishing emails, malicious websites, drive-by downloads, or other means.

[9] https://www.bladi.net/arnaque-internet-bcp-jeu-concours,87198.html

[10] https://lobservateur.info/article/105974/economie/cih-clients-pirates-suspects-arretes-quelles-lecons-a-tirer

[11] https://www.le1.ma/societe-generale-maroc-panique-a-bord/

[12] Agence Marocaine de Presse (MAP), 2023. MAP Websites Targeted by DDOS Cyberattack. https://www.mapnews.ma/en/actualites/general/map-websites-targeted-ddos-cyberattack

[13] Official Bulletin. (2003). Law 07-03. https://www.dgssi.gov.ma/sites/default/files/legislative/brochure/2023-03/loi%2007-03.pdf

[14] International Telecommunication Union (ITU). (2007). Global Cybersecurity Agenda (GCA). https://www.itu.int/en/action/cybersecurity/Pages/gca.aspx

[15] Official Bulletin. (2007). Law No. 53-05 on the electronic exchange of legal data. https://www.dgssi.gov.ma/fr/loi-53-05-relative-lechange-electronique-de-donnees-juridiques

[16] Special Report n° 05/13/CH IV: Evaluation of “Maroc Numeric 2013” Strategy (2014). The Court of Accounts, Kingdom of Morocco. https://www.courdescomptes.ma/publication/evaluation-de-la-strategie-maroc-numeric-2013/

[17] CNDP. (2009). Law 09-08_personal data protection. https://www.cndp.ma/images/lois/Loi-09-08-Fr.pdf

[18] https://www.cndp.ma/fr/

[19] https://www.dgssi.gov.ma/fr/macert

[20] Official Bulletin (2011). Decree 2-11-509: Organization of the National Defense Administration and Creation of the Directorate General of Information Systems Security. https://www.dgssi.gov.ma/fr/dgssi

[21] Official Bulletin (2011). Law 31-08 on Consumer Protection. https://www.dgssi.gov.ma/sites/default/files/legislative/brochure/2023-07/loi%2031-08.pdf

[22] DGSSI. (2012). Stratégie Nationale en matière de cybersécurité. https://www.dgssi.gov.ma/sites/default/files/publications/pdf/2022-10/strategie_nationale.pdf

[23] Council of Europe (1981). CONVENTION POUR LA PROTECTION DES PERSONNES À L’ÉGARD DU TRAITEMENT AUTOMATISÉ DES DONNÉES À CARACTERE PERSONNEL. https://www.cndp.ma/images/lois/convention-108.pdf

[24] http://www.cmrpi.ma

[25] International Telecommunication Union (2015). Global Cybersecurity Index & Cyberwellness Profiles. https://www.itu.int/pub/D-STR-SECU-2015

[26] Morocco’s Cyberwellness Profile, pages: 342-344. https://www.itu.int/pub/D-STR-SECU-2015

[27] Official Bulletin n° 6458 (2016). Decret No. 2-15-712 fixant le dispositif de protection des systèmes d’information sensibles des infrastructures vitales. http://www.sgg.gov.ma/Portals/0/BO/2016/BO_6458_Fr.PDF?ver=2016-05-05-092424-563

[28] BANK AL-MAGHRIB (2016). Directive No. 3/W/16. https://www.apsf.pro/DOCS/TEXTES%20LEG%20ET%20REG/CEC_2016-06-01/C-3-W-16-modifiant-et-completant-C-26G2006-exigences-FP–approche-standard.pdf

[29] International Telecommunication Union (2017). Global Cybersecurity Index. https://www.itu.int/pub/D-STR-GCI.01-2017

[30] DGSSI. (2013). Directive Nationale de la Sécurité des Systèmes d’Information. http://www.abhatoo.net.ma/content/download/28456/614926/version/1/file/DIRECTIVE+NATIONALE+DE+LA+SECURITE+DES+SYSTEMES+D%27INFORMATION+URL+%28web%29+140523-DIRECTIVE+NATIONALE+DE+LA+SECURITE+DES+SYSTEMES+D%27INFORMATION-.pdf

[31] International Telecommunication Union (2018). Global Cybersecurity Index. https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2018-PDF-E.pdf

[32] PwC, CIO and CSO (2018). PwC Global State of Information Security® Survey 2018 – Focus Maroc. https://fr.readkong.com/page/focus-maroc-1687925

[33] DGSSI (2019). REFERENTIEL D’EXIGENCES RELATIF A LA QUALIFICATION DES PRESTATAIRES D’AUDIT DE LA SECURITE DES SYSTEMES D’INFORMATION. https://www.dgssi.gov.ma/sites/default/files/publications/pdf/2022-10/referentiel_dexigences_relatif_a_la_qualification_des_passi.pdf

[34] DGSSI. (2020). Presentation note of law N ° 05-20 on cybersecurity. https://dgssi.gov.ma/sites/default/files/legislative/brochure/2022-10/presentation_note_of_the_law_n_deg_05-20_on_cybersecurity_-_english_version.pdf

[35] DGSSI (2020). Presentation note of law N ° 43-20 on trust services for electronic transactions. https://www.dgssi.gov.ma/sites/default/files/legislative/brochure/2023-03/presentation%20note%20of%20the%20law%20n%20deg%2043-20%20english%20version.pdf

[36] International Telecommunication Union (2021). Global Cybersecurity Index (GCI). https://www.itu.int/epublications/publication/D-STR-GCI.01-2021-HTM-E

[37] https://www.um6p.ma/en/um6p-and-deloitte-morocco-cyber-center-sign-cooperation-agreement-scientific-and-technological

[38] Agence Marocaine de Presse (MAP), 2022. https://www.mapnews.ma/en/actualites/politics/morocco-signs-second-additional-protocol-budapest-cybercrime-convention

[39] DGSSI (2023). Prestataires d’Audit de la Sécurité des Systèmes d’Information qualifiés. https://www.dgssi.gov.ma/fr/prestations-et-produits-reglementes

[40] https://www.dataprotect.ma/

[41] https://www.lmps-group.com/fr/

[42] https://www.dxc-maroc.com/

[43] https://www.nearsecure.com/

Hind Idrissi


Dr. Hind Idrissi currently holds the position of a cybersecurity professor at the University Sultan Moulay Slimane in Morocco, alongside her roles as a consultant and trainer in the same field. She received her PhD in Computer Sciences and Information Security from the University of La Rochelle in France and obtained her master’s degree specialized in Cryptography and Information Security (CRYPTIS) from the University of Limoges in France. Dr. Idrissi served as a Post-Doctoral Researcher within the Insight Center for Data Analytics at University College Cork (Ireland) for an extensive period of nearly three years. Furthermore, she has fulfilled positions as a visiting scholar and teaching assistant at various institutions. Dr. Idrissi has authored numerous research papers and book chapters, while maintaining membership in multiple esteemed research organizations. Her involvement extends beyond research, as she actively engages in endeavors aimed at raising cybersecurity awareness, leadership and citizenship education. Her research interests within the cyber realm include cryptography, privacy-enhancing technologies, Cloud and IoT, Blockchain, Identity and Access Management and Artificial Intelligence.