Saudi cybersecurity updates national encryption standards

December 14, 2025
The National Cybersecurity Authority updates encryption standards, bans weak algorithms, and requires entities to use high-quality random number generators, to counter the risks of quantum computing.

In a strategic move aimed at strengthening the Kingdom of Saudi Arabia’s digital sovereignty, the National Cybersecurity Authority (NCA) has unveiled significant updates to the national encryption standards through its “Istilaa” platform. This step establishes a stringent minimum security requirement applicable to both civil and commercial purposes, as part of proactive efforts to fortify the national cyberspace and protect sensitive data, systems, and networks from escalating threats, including those arising from the development of quantum computing technologies.

The context of digital transformation and Vision 2030

These updates are particularly important given the Kingdom's rapid digital transformation under the Vision 2030 goals, where cybersecurity is a cornerstone for protecting the digital economy and critical infrastructure. The National Cybersecurity Authority continuously works to align national standards with global best practices to ensure a secure and reliable digital environment that attracts technology investments and strengthens the Kingdom's position as a regional and international leader in cybersecurity.

Flexible encryption architecture and advanced protection levels

In its new document, the Authority adopted a flexible encryption structure based on two main levels to ensure efficient implementation and comprehensive protection:

  • Basic level (MODERATE): Provides 128-bit equivalent security, which is the minimum acceptable for general applications.
  • Advanced level (ADVANCED): Ensures maximum protection up to 256-bit, and is intended for highly sensitive data and critical systems.

The new standards give national authorities flexibility in choosing the level appropriate to the nature of their data, while emphasizing mandatory compliance with the minimum national policies and ensuring that advanced security levels cover all components of the technical system, without any exceptions that may constitute security gaps.

Preparing for the post-quantum computing era

The document included detailed information on accepted algorithms, precisely defining key lengths and configuration vectors, with a notable focus on post-quantum computing algorithms. This emphasis stems from the dramatic advancements in computing power, which could render traditional encryption algorithms vulnerable to cracking in the near future. To ensure continued data protection, the updates also covered the most common communication protocols, such as 5G, LTE, and Bluetooth, as well as protocols for securing the internet and transmitting data securely.

Banning predictable generators

In a decisive move to close loopholes for sophisticated cyberattacks, the authority mandated that entities use high-quality random number generators of the TRNG and QRNG types. The standards explicitly prohibited the use of predictable generators, requiring that any generators used pass international standardized statistical tests before being approved, to ensure that the encryption keys cannot be predicted by attackers.

Integration of quantum and classical solutions

The standards dedicated a specific section to quantum key distribution (QKD) solutions, recommending a hybrid approach that combines quantum and classical algorithms to enhance security layers. They emphasized the need for continuous monitoring of error rates to detect any hacking or interference attempts, while adhering to international standards such as ISO to ensure compatibility.

The document concluded by establishing comprehensive regulatory frameworks for managing the encryption key lifecycle, from creation to secure destruction, in addition to preventive measures against advanced attacks such as side-channel attacks, thus ensuring an integrated national security system capable of keeping pace with global changes and addressing future challenges efficiently and effectively.
