Saudi Arabia updates national encryption standards to counter quantum risk
In a strategic move aimed at strengthening the Kingdom’s digital sovereignty, the National Cybersecurity Authority (NCA) has unveiled significant updates to the national encryption standards through its “Istilaa” platform. This step establishes a stringent minimum security requirement applicable to both the civil and commercial sectors, targeting the fortification of national digital infrastructure and data against escalating cyber threats, including future risks associated with quantum computing technologies.
The context of digital transformation and Vision 2030
These updates come at a time when Saudi Arabia is experiencing a massive digital transformation drive as part of its Vision 2030 goals, with reliance on e-services and cloud data becoming a cornerstone of operations for both government and private entities. Cybersecurity is the primary enabler of this transformation, making the updating of encryption protocols an urgent necessity to ensure business continuity and protect digital privacy, especially given the Kingdom's leading global rankings in international cybersecurity indices.
Encryption levels and organizational flexibility
In its new document, the authority adopted a flexible encryption architecture that balances performance and security, defining two main levels:
- Basic level (MODERATE): Provides 128-bit equivalent security, suitable for medium-sensitive data.
- Advanced Level (ADVANCED): Ensures maximum protection up to 256-bit, and is intended for highly sensitive data and critical systems.
The standards gave national authorities flexibility in choosing the appropriate level for the nature of their data, while emphasizing the mandatory adherence to the minimum national policies, and the necessity for the security umbrella to cover all components of the technical system without exception.
Countering the threats of quantum computing
The document included detailed information on accepted algorithms, with a notable proactive focus on "post-quantum computing" algorithms. This approach stems from the immense capabilities that quantum computers will possess in the future to break current traditional encryption codes, necessitating early preparation through the adoption of sophisticated algorithms capable of withstanding these extraordinary computational powers.
Strict technical controls for communications and random generators
The updates included implementing strict encryption controls for modern communication protocols such as 5G, LTE, and Bluetooth to ensure a reliable communication environment. In a related matter, the authority mandated the use of high-quality random number generators (TRNGs) and qRNGs, and categorically prohibited the use of predictable generators. It stipulated that these generators must pass internationally standardized statistical tests to guarantee the unpredictability of the encryption keys, which is the cornerstone of any robust encryption system.
Expected economic and security impact
This regulation is expected to contribute to increased confidence in the Saudi digital economy, as strong encryption is a crucial factor in attracting global technology investments and protecting intellectual property. The document concludes by outlining frameworks for managing the encryption key lifecycle and preventative measures against advanced attacks, ensuring a comprehensive national security system that keeps pace with rapid global changes.
