Cyber governance in Morocco: an Analysis of the Interne Status

I. The State action, interventions and limits

As an emerging nation, Morocco aims to take a leading role in cyberspace and exploit its inherent potential. This objective is accompanied by concerted efforts and strategies to strengthen its global integration while promoting deep internal digitizationIn parallel with these aspirations to build advanced technological infrastructures, state agencies are seeking to consolidate these guidelines by incorporating institutional and organizational frameworks to support technological initiatives and ensure a stable environment^[1]. Morocco’s investment in the consolidation of regulatory, institutional and industrial arrangements demonstrates its strategic preparedness for cyber threats and evokes a national awareness of contemporary challenges. However, the ever-evolving cyber threats question the relevance of our current instruments.

Exponential advancement of technology and uninterrupted engagement in the digital field increase Morocco’s vulnerability as a potential target [2]. Although Morocco is one of the few African countries that has made significant progress in cybersecurity and infrastructure resilience, this position remains inadequate in the light of current comparative analyses, indicating a potential deficit in response to critical situations. Therefore, the purpose of this chapter is to conduct an in-depth analysis of the Moroccan cyber environment, to assess regulatory and institutional achievements, to draw up a comprehensive situation and to respond to questions raised.

1- Indices describing the cybersecurity environment

This paragraph, along with its sub-divisions, is devoted to the consideration of our secondary objective: to produce a comprehensive report on the sites of cyber gambling in Morocco, taking into account international and regional dynamics. In the first instance, the relevance of the legal framework and the effectiveness of the procedural arrangements implemented by Morocco in recent years to combat cybercrime and cyber threats should be addressed.

We will also question the ability of initiatives to mitigate technological impacts, and how these can disrupt conventional approaches to national security management. Furthermore, how can we assess the mitigation of state power in the face of these challenges?

It is crucial to stress that the challenges are not just legal. The constant implementation of legislation, disconnected from changes in power and influence, is not a solution in itself. Morocco must adopt a holistic approach to understanding the complexity of cyber threats, consolidate its position in cyber-space pacification initiatives and strengthen the robustness of its institutions.

Furthermore, while the analysis looks at the legal framework, diplomacy and institutional initiatives, it cannot conceal the study of the country’s digital infrastructure. The latter, considered to be key drivers for contemporary economies, including that of Morocco, represent fundamental elements in defence strategies against cyber threats on a global scale.

a. The legal and institutional arsenal

Despite Morocco’s position on cybersecurity consolidation, according to ITU indicators^{^[3]}, And compared to other States, Arab States, it is imperative to recognize that the progress made represents significant progress. This progress is notable in terms of its continental context and immediate surroundings, both at the Arab and North African levels^[4]. Therefore, our analysis will focus on these developments in order to identify potential shortcomings and redefine legal, institutional and legislative guidelines.

The legislative corps

In recent years, the Moroccan authorities have taken significant regulatory and legal initiatives. In particular, Law N° 07-03^[5], supplementing the Criminal Code on offences related to automated data processing systems, is one of the first legislation dealing with cybercrime in Morocco^[6]. Following this approach, Act No. 09-08 on the Protection of Individuals with regard to the Processing of Personal Data^{^[7]}, enrich the legal system by defining, inter alia, the prerogatives of the National Commission for Control and Protection of Personal Data^{^[8]}. It also structures the mechanisms associated with cross-border data transfers as well as the penalties for non-compliance.

Furthermore, Act 53-03 on the electronic exchange of legal data strengthens data protection in the context of official exchanges of information and electronic transactions. In the pursuit of renewed confidence in cyberspace, other legislation, such as Act 05-20 on cybersecurity, supports the national legal arsenal^[9]. In particular, it establishes security rules for a range of state, public and private entities, while clarifying key concepts such as cybersecurity, cyber threats and vital infrastructures^[10].

Finally, by trying to clarify these terms, the Act aims at a broader understanding, incorporating developments in cyberspace and new practices related to it^[11]. It also defines the responsibilities of digital actors in Morocco, while setting up new entities dedicated to improving cybersecurity governance and performance^[12].

Institutional efforts

In the Moroccan context, the implementation of legislative initiatives can only be achieved through the establishment of a consolidated institutional structure that respects the malicious innovations of the digital space and orchestrates the application of legal provisions. Although the national strategy has some ambivalence in defining its priorities, it nevertheless stresses the importance of this harmonization and insists on its implementation. As a testimony to this commitment, the Moroccan National Defence Administration has, over the past several years, established two major entities.

The first, the Strategic Committee for Information Systems Security, established by Decree No. 2.11.508 of 21 September 2011, is responsible for formulating the strategic guidelines for information security. Its main mission is to safeguard the information of “sovereignty” while ensuring the proper functioning and sustainability of the information systems essential to the nation. In addition, it is empowered to validate the DGSSI action plan, evaluate its performance, establish the framework for IT security audits and consult on legislative and regulatory proposals inherent in IT security. The Committee is composed of prominent representatives from various public and professional spheres.^[13].

In parallel, the DGSSI General Directorate for Information Systems Security, established by Decree No. 2.11.509 of 21 September 2011 and affiliated with DNA, is entrusted with a series of mandates aimed at strengthening the protection and effectiveness of information systems^[14].

In supplementing this institutional picture of Moroccan cybersecurity, various other entities play a leading role, namely:

* MACERT, Moroccan Computer Emergency Response Team, is the security, detection and response centre for cyber attacks [15].

* The NRT, dedicated to the regulation and supervision of the telecommunications sector^{^[16]}.

* CNDP, ensuring compliance with personal data protection standards^{^[17]}.

* CMRPI, holder of the National Campaign to Combat Cybercrime^{^[18]}.

In accordance with the observations made, cybercrime is experiencing a dramatic growth, opposed to a certain inertia and a conservative persistence of the related legal frameworks. This dynamic, which is conducive to increased centralization in cybersecurity, is mentioned in particular by A. Azzouzi^[19]. Increasing threats expose Morocco to continuing vulnerability, calling into question the relevance and effectiveness of our instruments, as well as our associated governmental initiatives^[20].

Technological developments, by complicating the nature of risks and legal shadows, are eroding the credibility of institutional approaches and associated decision-making mechanisms. It is clear that national efforts, although essential, cannot be sufficient to guarantee robust cybersecurity, and it is imperative to consider an approach, also diplomatic and cooperative, aimed at harmonizing our internal efforts with international initiatives in force^[21].

b- Cooperative and partnership efforts

In line with the approach adopted by its peers on the international stage, Morocco has engaged in a dynamic of cooperation, aimed at matching its national expertise with that of foreign specialists. Recognizing that resilience cannot be achieved in a context of security and political isolation, Morocco has integrated a clearly articulated cooperative dimension into its national strategy, positioning it as a fundamental pillar. However, while this strategy emphasizes the importance of collaboration and the need for a structured partnership, it also advocates diversification of initiatives to avoid excessive concentration of efforts in a purely institutional approach.

International cooperation as a strategic principle

In its aspiration to position itself in the global and regional digital arena, the Kingdom is committed to anchoring itself in diplomatic and collaborative approaches, all with a view to attracting investment and enhancing its technological progress. Through such commitments, the Moroccan authorities aspire to assimilate and capitalize on the expertise and expertise of their counterparts, specifically in the legal, institutional, industrial and technological fields^[22].

In this regard, for many years, Morocco has been actively engaged in partnerships with international organizations, States from various continents and multinational entities, all with the aim of increasing its resilience and achieving an adequate level of development of its core technological infrastructure. The National Strategy on Cybersecurity, as a cardinal principle, emphasizes the importance of cooperation, detailing in its final sections the parameters of this interactive approach, both from a security and developmental point of view^[23].

The intrinsic vocation of this cooperation is to intensify dialogue, to encourage the sharing of experiences, to identify standards and themes of collaboration, to diversify the collaborating entities (universities, organizations, the private sector, etc.), and to develop the organizational modalities of such cooperation, while cultivating fruitful relationships with both public and private partners^[24]. By assimilating these recommendations, Morocco is pursuing a definite path, seeking to expand its agreements in the field, to take advantage of cooperative synergies and at the same time to diversify its sources of partnership and collaboration with the private sector^[25].

Institutional collaboration and bilateral partnership

In this particular context, various projects have been implemented in accordance with these partnership principles, including with Israeli, British, American and Brazilian entities. Focused on strengthening intelligence and cooperation skills in cyberspace, while with the latter, emphasis was placed on improving the country’s digital infrastructure. With the latter entities mentioned, the orientation has been clearly towards increasing industrial and production capacities^[26].

At the same time, the DGSSI has concluded a collaborative agreement with the ANSSI, initiating in 2013 collaborations based on the need to establish strong links between trustworthy entities, while optimizing the response to incidents affecting the security of information systems. These agreements codify the exchange of information, experiences and best practices between the two institutions, thereby stimulating the strengthening of Franco-Moroccan cooperation in this field^[27].

Such partnerships substantially strengthen the DGSSI’s competences and are part of a broader perspective to strengthen close friendship between Morocco and its strategic allies^[28]. In addition to these bilateral collaborations, it should be noted that Morocco ratified the Budapest Convention on Cyber Crime in 2018^[29], thus enhancing its position as a pioneer of contemporary legislation at the regional level and equipping itself with a sophisticated tool to combat cybercrime^[30].

Moreover, Morocco has joined the CyberSud cooperation project, as a founding member jointly with the EU and other nations such as Tunisia and Algeria. The objectives of this project include legislative consolidation, police collaboration, specialized prosecution and inter-service security cooperation. The agreement also aims to strengthen public-private collaboration, standardize judicial training, improve international cooperation, and define guidelines on cybercrime^[31].

Specific activities and programmes of discussion and action

In terms of training, DGSSI is committed to organizing annual international conferences and summits, bringing together scholars and specialists from various disciplines of IT security, in order to exchange information on recent developments in cybersecurity and to prepare relevant reports^[32].

It should be noted that the DGSSI does not restrict its initiatives exclusively to a theoretical and analytical dimension. Indeed, the cyberdrill training and simulation programme, orchestrated annually in conjunction with other activities, has, in its latest phase, mobilized teams from various organizations and institutions to reproduce, as far as possible, an environment simulating real operating conditions, thus subjecting participants to tangible pressure from cyber attacks^[33].

Specific training and expertise transfer partnerships

Since 2015, Morocco has engaged in specific partnership agreements focused on the training of cybersecurity specialists. These training sessions cover recurring and focused topics in the field, including advanced technical aspects of cybersecurity, an incident management and disaster recovery course, as well as cyber-attack simulations, etc. These training courses also include a theoretical and analytical segment called Network Security course^[34].

By adopting an alternative perspective, some scholars argue that national digital security relies more on improving the country’s core digital and technological infrastructures, as well as on consolidating the nation’s productive and industrial capacities, rather than on the diversity of reform initiatives. These experts argue that, in a context of monopoly, the assurance of robust cybersecurity is conditional on increased efficiency and technological self-sufficiency^{^[35]}.

[1] MASTAFI (M.), “Obstacles à l’intégration des technologies de l’information et de la communication (TIC) dans le système éducatif marocain”, Éd, Frantice net, n° 8, HAL archives ouverts, 2014, p. 58.

[2] BEDRAN (M.) «Menace terroriste sur le cyberespace marocain », Aujourd’hui le Maroc, 2022, in : https://www.aujour dhui.ma/societe/menace-terroriste-sur-le-cyberespace-marocain (Consulté le 10 Septembre 2023).

[3] «Le Maroc gagne deux places dans l’indice mondial de l’UIT», 2016, in: https://www.egovol.ma/fr/actualites/le –maroc gagne –deux –places –dans –lindice –mondial –de –luit (Consulté le 10 Septembre 2023).

[4] SUSSMAN (B.) «The List: best and worst countries for cybersecurity», 2019, in: https://www.secureworldexpo.com /industry-news/countries-dedicated-to-cybersecurity (Consulté le 10 Septembre 2023).

[5] LOI 07-03, Complétant de code pénal en ce qui concerne les infractions relatives aux systèmes de traitement automatisé des données, Bulletin Officiel, n° 5184, 05-02-2004, in: https://dgssi.gov.ma/fr/content/loi –07 –03 –completant –le –code penal –en –ce –qui –concerne –les –infractions –relatives –aux –systemes –de –traitement –automatise –des –donnees.html (Consulté le 10 Septembre 2023).

[6] Ibid.

[7] LOI 09-08, Relative à la protection des personnes physiques à l’égard du traitement des données à caractère personnel, Bulletin Officiel, n° 5714, 05-03-2009, in: https://www.dgssi.gov.ma/fr/content/loi –09 –08 –relative –la –protection –des personnes –physiques –l –egard –du –traitement –des –donnees –caractere –personnel (Consulté le 10 Septembre 2023).

[8] Ibid.

[9] LOI 53-03 Relative à l’échange électronique des données juridiques, Bulletin Officiel, n° 5584, 06-12-2007, in: https://www.dgssi.gouv.ma/sites/default/files/attached_files/loi3 –05fr –new.pdf (Consulté le 10 Septembre 2023).

[10] LOI 05.20 Relative à la cybersécurité, Bulletin Officiel, n° 6906, 06-08-2020, in: https://www.dgssi.gouv,ma/fr/content /loi –ndeg –0520relativelacybersecurite.html,de –20d’Information (Consulté le 10 Septembre 2023).

[11] LE COMITÉ STRATÉGIQUE DE LA CYBERSÉCURITÉ, in: https://www.dgssi.gouv .ma/fr/comite–strategique –de –la –cybersecurite .html (Consulté le 10 Septembre 2023).

[12] L’AUTORITÉ NATIONALE DE LA CYBERSÉCURITÉ, in: https://www.dgssi.gouv.ma/sites /default /files /evenem ents/projetde –loi 05.20 –version –francaise.pdf (Consulté le 10 Septembre 2023).

[13] COMITÉ STRATÉGIQUE DE LA SÉCURITÉ DES SYSTÈMES D’INFORMATION, in: https://www.dgssi.gov .ma/fr/presentation/csssi/missions –du –comite –strategique –de –la –securite –des –systemes –d –information (Consulté le 10 Septembre 2023).

[14] DIRECTION GÉNÉRALE DE LA SÉCURITÉ DES SYSTÈMES D’INFORMATION, in: https://www.dgssi.gov .ma/fr/presentation/dgssi/presentation –missions.html (Consulté le 10 Septembre 2023).

[15] MACERT, in: https://www.dgssi.gov.ma/fr/macert (Consulté le 10 Septembre 2023).

[16] ANRT , in: https://www.anrt.ma/lagence/presentation

[17] COMMISSION NATIONALE, in: https://www.cndp.ma/qui –sommes –nous/commision.html (Consulté le 10 Septembre 2023).

[18] «Lancement officiel de la campagne nationale Maroc cyberconfiance CNMC 2018-2022 », Journal International de CMPRI, 2018, in: https://www.cmrpi.ma/cmrpi –v2/2018/04/24/ceremonie –de –lancement –officiel –de –la –campagne –nation ale –cnmc/ (Consulté le 10 Septembre 2023).

[19] AZOUZI (E. A.), «Ali El Azzouzi icone de la cybersécurité au Maroc», Média 24, 2020, in: https://www.médias24.com /personnalite/ali-el-azzouzi-licone-de-la-cybersecurite-au-maroc/ (Consulté le 10 Septembre 2023).

[20] ADAM (J.) « Cybersécurité : Encore trop de fragilités», L’Économiste, 2019, in: https://www.leconomiste.com /article/ cybersecurite –encore –trop –de –fragilites (Consulté le 10 Septembre 2023).

[21] AMRABI (S.), «Cybersécurité : Un marché stratégique où tout reste à faire», L’Opinion, 2022, in: https://www. Lopinion.ma/Cybersecurite-Un-marche-strategique-ou-tout-reste-a-faire (Consulté le 10 Septembre 2023).

[22] MSSEFER (D.), «Les enjeux de la cybersécurité au Maroc», La Conjoncture, 2021, in: https://www.Cfcim.org /magazine/83893 (Consulté le 10 Septembre 2023).

[23] Stratégie Nationale de Cybersécurité, op. cit., p. 16.

[24] MSSEFER (D.), op. cit.

[25] ATANTAOUI (Y.), «La Corée du Sud… aussi», Maghress, 2011, in: https://www.Maghress.com/fr/lesechos (Consulté le 10 Septembre 2023).

[26] LABID (M. Y.), «Le Maroc et Isreal signent trois accords de coopération», Diplomatie, 2021, in: https://www .diplomatie.ma/fr/le-maroc-et-isra-signent-trois-accords-decoopA9ratio (Consulté le 10 Septembre 2023).

[27] «Sécurité des systèmes d’information : la France et le Maroc signent un accord de coopération», Communiqué de presse, 2013, in: https://www.ssi.gov,fr/publication/securite –des –systemes –dinformation –la –france –et –le –maroc –signent –un accord (Consulté le 10 Septembre 2023).

[28] Ibid.

[29] «Le Maroc adhère à la Convention de Budapest sur la cybercriminalité et à son Protocole sur la xénophobie et le racisme», Council of Europe, 2018, in: https://www.coe.int/fr/web/cybercrime/–/morocco –joins –the –budapest –convention on –cyber crime –an –becomes –it –s –60th –member – (Consulté le 10 Septembre 2023).

[30] Ibid.

[31] «Projet CyberSud – Coopération en matière de cybercriminalité dans la région du Voisinage Sud», communiqué de presse, Euneigh Bourse, 2021, in: https://www.euneighbours.eu/fr/south/eu –in –action/projects/projet –cybersud –cooperati on –en –matiere –de –cybercriminalite –dans –la (Consulté le 10 Septembre 2023).

[32] 7 ème édition du séminaire sur la cybersécurité organisée par la Direction Générale de la Sécurité des Systèmes d’Information, in: https://www.dgssi.gov.ma/fr/content/discours –de –monsieur –le –ministre –l –occasion –du –7eme –seminaire –sur –la –cyber sec urite.html (Consulté le 10 Septembre 2023).

[33] LA QUATRIÈME ÉDITION DE L’ÉXÉRCICE DE SIMULATION CYBER EN LIGNE, “CyberDrill-2020”, sous le thème : «Supply chain attacks», in: https://www.dgssi.gov.ma/fr/content/cyberdrill –2020 (Consulté le 10 Septembre 2023).

[34] Cycle de formation en cybersécurité – partenariat DGSSI/ OTAN, in: https://www.dgssi.gov.ma/fr/content /cycle-deforma tion-en-cybersecurite-partenariat-dgssi-otan.html (Consulté le 10 Septembre 2023).

[35] CHEMINAT (J.), «La NSA injecte des backdoors dans les matériels IT à l’export», Journal Silicon, 2021, in: https:// www.silicon.fr/nsa-injecte-backdoors-les-materiels-it-lexport-94308.html# (Consulté le 10 Septembre 2023).