Data Protection: Towards a Wake-Up Call in Public Administrations?
Every cloud has a silver lining. Public administrations that store and handle a large amount of personal data daily must learn lessons from the CNSS hacking incident. Analysis.

The cyberattacks against the CNSS, which holds a significant amount of personal data—namely millions of employees’ records (health files, addresses, salaries)—have reignited the debate on the security of sensitive data held by public administrations.
At the time of going to press, the websites of the Ministries of Agriculture and Economic Inclusion were inaccessible following cyberattacks claimed on Telegram by Algerian hackers.
It should be recalled that public administrations are among the entities storing and managing the largest quantities of personal, and thus sensitive, data nationally. This underscores the importance of protecting such data within public structures.
Legally, in Morocco, Law 05-20 on cybersecurity and Law 08-09 on personal data processing require public administrations to minimize cyberattack risks and protect sensitive data. Additionally, the Prime Minister issued Circular No. 2/2023 on January 12, 2023, urging public entities to apply the National Directive on Information Systems (SI) Security.
Given this, the key question is whether public administrations have enough skilled internal profiles in cyberdefense and cybersecurity. If they outsource protection of their information systems and sensitive data, do they have experts capable of assessing the effectiveness of their external partners’ protection mechanisms? In other words, do they invest sufficiently to safeguard the sensitive data they hold? These questions deserve answers.
Human Capital: The Achilles’ Heel of the Public Sector?
Interviewed by «La Vie éco», an anonymous cyberdefense specialist and Badr Bellaj, a blockchain and cybersecurity expert, share a general observation: there is a shortage of highly skilled cyberdefense profiles within public administrations working daily with sensitive data.
This is paradoxical given Morocco’s 30th place ranking in the international Cybersecurity Resilience Index.
Morocco’s good international standing is partly due to a strong legal framework and institutional setup (DGSSI, CNDP), as well as the National Cybersecurity Strategy 2030 led by the Directorate General of Information Systems Security (DGSSI).
Bellaj explains that while investing in firewalls, UTM (all-in-one security solutions), and other tools is crucial to strengthen public administrations’ defense against malicious cyberattacks, it must be accompanied by a team of seasoned cybersecurity professionals.
He considers human capital a vital link in the ecosystem protecting sensitive data in public organizations.
According to the second source, human capital is a real challenge in cybersecurity, even for the private sector, but more so for the public sector, which tends to attract more conventional, less experienced profiles.
Public administrations also face the challenge of reducing the expertise gap with their private partners (cybersecurity service providers), which would allow them to maintain internal control, seen as a safety valve by both experts.
In short, the private sector, offering higher salaries, tends to attract the best, highly specialized profiles, in a national context marked by a limited number of cybersecurity specialists.
Lessons from the CNSS Hacking
Asked about lessons public administrations should draw from the CNSS sensitive data leak, both experts suggest several avenues.
Bellaj states the first lesson for public administrations, especially those handling large amounts of sensitive data daily, is to prioritize IT security.
He warns that departments responsible for information systems (SI) security must have the necessary financial means and human resources, as hacking and sensitive data leaks can disrupt an organization’s operations for a long time (damaged reputation, credibility loss).
Though it is difficult to specify annual public investment amounts for sensitive data security, both experts stress the cost of protecting sensitive data in public structures.
The 2023 report from France’s National Agency for the Security of Information Systems (ANSSI) mentions a French plan allocating 136 million euros to strengthen public sector infrastructure security, plus 887 million euros for post-attack response.
Another lesson from the CNSS cyberattacks is that public administrations, vulnerable to attacks at any time, must have robust cyberdefense mechanisms and rapid response protocols to limit damage. Transparent and reassuring communication after cyberattacks helps maintain citizens’ trust.
For example, the National Agency for Land Conservation, Cadastre, and Cartography (ANCFCC) temporarily suspended some digital services to conduct cybersecurity tests to strengthen cyberdefense.
Ultimately, every cloud has a silver lining: several public structures will likely follow ANCFCC’s example, learning from the CNSS hacking to better secure sensitive data. A wake-up call in public administrations would be beneficial and welcomed by public opinion.
