Hassan Kherjouj:
The level of cybersecurity in Morocco is worrying. The real problem is not the absence of graduates, it is the lack of practical skills. In the institutions, the management of diplomas, masterpieces of master or even doctorates are found in institutions, but completely disconnected from the field. They have theoretical knowledge, but not the reflexes or the anticipation necessary to deal with the threats of today. Many of these profiles cease their training or development once recruited. They no longer follow cybersecurity news, no longer frequent communities, no longer participate in any technical exchange. Result: they are no longer able to detect or prevent new attacks. However, we are at a critical period, with crucial issues: international events such as CAN or the World Cup are approaching, and Moroccan infrastructure should not be vulnerable. The recent attack on an institution that holds the personal data of millions of Moroccans clearly shows the urgency of reviewing our methods and approaches to training and recruitment in the field of cybersecurity.
Do you think the Moroccan institutions recruit the appropriate profiles with the required qualifications?
No, clearly not. What we observe today is that institutions recruit profiles based on their diplomas, without ensuring that they really have technical skills to protect sensitive systems. We hire someone because he has a master’s degree or a diploma in cybersecurity, without checking if he is able to follow the evolutions, to prevent a risk, when he is supposed to think like a hacker to anticipate attacks. We are talking about crucial positions here, where the slightest error can endanger the personal data of millions of citizens. Now many of those who are in place have neither vigilance, reflexes, the constant update that this job requires. And that’s how we end up with vulnerable institutions in the face of basic attacks.
Are you saying that diplomas are no longer enough to be operational in cybersecurity today?
Absolutely ! The diploma is a starting point, nothing more. The real skill in cybersecurity comes from the field, from permanent monitoring, from continuous learning. You can have a doctorate, but if you are not constantly connected to the news of the Dark Web, to new flaws, to phishing or social engineering techniques, you are not better than a lover in the face of a real attack. Today, young people without formal, but passionate diplomas, who spend their nights testing, learning, experimenting, can kneel a whole system. And the opposite is also true: someone graduated, but disconnected, becomes a flaw in itself. In cybersecurity, it is not the titles that protect a network, it is the concrete skills.
But should we still review the training and recruitment methods in this area?
It is essential. It is necessary to rethink in depth both the training and the criteria of recruitment in the field of cybersecurity. Today, we still train students in outdated content, with an overly theoretical, too frozen approach. And when they go out, they are recruited without checking if they are really able to deal with an attack, analyze a flaw or react in real time. What we need are curious, autonomous profiles, constantly connected to changes in the field, not just diplomas. A good cybersecurity specialist is someone who knows how hackers think, who understands what’s going on in the Dark Web, and who is able to act quickly. We must also stop believing that an employee formed once is protected for ten years. No ! Continuing education must become the standard, and you have to recruit people who like to learn, who continue to train even outside working hours. It is a question of national security.
What do you think of the recent massive data of Moroccan citizens?
It is an extremely serious incident. We are talking about the compromise of personal data from Moroccan citizens – it is not a little hacking. What makes this affair even more shocking is that the attack targeted an institution supposed to protect this type of information precisely. It is a flaw that raises deep questions about how our data is managed, stored, and secure. And this is not just a problem for Moroccan citizens. Imagine the seriousness of the thing if foreign delegations, diplomats or investors see their data also exposed in Morocco.
Do you have an idea on the technique used to make this attack? SQL, backdoor, phishing or other injection?
I cannot say with certainty which technique has been used, but several scenarios are plausible. One of the most likely is the SQL injection – a very common method to infiltrate a database by injecting a malicious code. It is also possible that a backdoor has been installed in the system, allowing discreet and continuous access. But there is also the possibility of an attack via social engineering, which would be even more worrying. If someone has managed to deceive an official by pretending to be a trusted business, for example, that would mean that the flaw was not only technical, but human. Social engineering is my specialty, and I can tell you that this is often where attacks pass today. We send a well formulated email, we imitate a business or a partner, we push the target to click, to give a password, and voila! This type of attack is based on the naivety or lack of alertness of certain employees, not on technical faults. And it is very difficult to counter, because it requires constant training and a great individual discipline.
Does the publication of these data on Telegram posed a particular problem compared to other platforms? Why do you think Telegram?
-Yes, Telegram is particularly problematic in this kind of case. Unlike WhatsApp, for example, Telegram does not easily report accounts or quickly deleting the content disseminated illegally. Anonymity is also strengthened: phone numbers are hidden, messages can be automated, the channels are difficult to trace. This is the reason why, moreover, the authors of the attack chose Telegram. They know that it is an opaque platform, difficult to control, and that they can diffuse there massively without being quickly worried. It is a real challenge for the authorities.
What is your opinion on the fact that some people share or disseminate this personal data? Is it legal?
It is not legal, and it is even extremely serious. Sharing personal data from a leak is participating in an offense. Even if it was not you who hacked the data. But the simple fact of distributing them or making them public makes you an actor in the illegality chain.
From a legal point of view, what do people who disseminate this type of sensitive information are likely?
As soon as it is personal data, there are very clear laws that apply, especially in Morocco: the law on the protection of personal data. A person who disseminates this information is exposed to legal proceedings. It can be prosecuted in civilians for violation of privacy, and even criminal if the intention to harm is proven. The problem is that many people do not realize that by relaying these leaks, they themselves become distributors of illegal content, and therefore responsible. It is not because the information circulates on Telegram that you can afford to rest.
Can a Moroccan initiate procedure abroad, for example in Germany, against the person who has disseminated his data?
Yes, absolutely. If the person at the origin of the flight is identified and that it is abroad, for example in Germany, a Moroccan citizen can file a complaint there. It is enough to call on a local lawyer, to provide the evidence that his data has been compromised, and to initiate legal action. It is a completely legitimate approach, because personal data fall under fundamental rights to privacy, and this right is recognized at the international level. Moreover, this kind of complaint has already led to other countries, as in the United States, where Facebook had to pay millions of dollars to victims of data leak. The Moroccan who was injured has the right to defend his dignity, wherever the aggressor.
What is your opinion on the action of young Moroccan hackers who responded to attacks from Algeria?
I clearly say: Bravo to these young people. Certainly what they did does not fall under their mission, and it is not their job, but they reacted with a real sense of patriotism. What they did is impressive, and I draw my hat. These young people have proven that there are real skills in Morocco, talents capable of detecting, analyzing and countering complex attacks. It is not normal that they are hidden in the dark corners of the Internet, to work in the shadows, sometimes even with the fear of being prosecuted while they do service in the country.
Can this type of response be considered legitimate or useful for digital national defense?
Yes of course. In the absence of a strong and reactive national structure, this kind of initiatives can help fill the void. These young people are in a way informal sentries, and they show that one can have real digital deterrents if we know how to mobilize good people. Obviously, the ideal would be to supervise them, train them, integrate them into a legal framework, but their action already proves that there is a desire to defend Morocco, spontaneously and efficiently. We are no longer in a world where only the army or the state services assure the defense: war is also digital, and our best soldiers are sometimes young people behind a screen, at home, with an internet connection and a lot of know-how.
In the United States, for example, there are “Bug Bounty” platforms where the biggest hackers meet to help giants like Google or Facebook to correct flaws. They are paid, recognized. We, in Morocco, also has very talented young people in this area. Why not integrate them into structures, supervise them, offer them a legal framework?
Bio Express de Hassan Kherjouj
Hassan Kherjouj is a teacher at Ibn Tofaïl University in Kenitra and in several training institutes. His career is closely linked to computer science, which he says “to practice for years, not only as theory, but on the ground”. His specialty is digital marketing, web development. He is currently preparing a master’s degree in cybersecurity, more specifically in cyberfense. But there is another area which is close to his heart, and which according to him is little taught in Morocco: “Social engineering”. It is a branch of cybersecurity that is interested in the psychological manipulation of individuals to obtain access to computer systems, he explains. Hassan Kherjouj specifies that this specialty is learned above all by practice and self -training, in particular through specialized platforms and communities.
){kind=link}