Jordan’s National Cybersecurity Centre (NCSC) reported handling 6,758 cybersecurity
incidents in 2024, a 175% increase over the 2023 total, alongside 6,922 cybersecurity
alerts (more than double the 2,609 issued in 2023). The NCSC achieved a 97% detection
rate against known threat indicators, though the severity profile of incidents was
dominated by medium-severity events (88%), with serious incidents accounting for 2%
and critical incidents for 0% of the total. Jordan’s computer emergency response
team, JOCERT, handled 3% of incidents independently and released 75 technical advisories
during the year.

Alongside the incident statistics, the NCSC reported discovering 7,846 vulnerabilities
in government websites and servers - a figure that provides sobering context for
the incident surge, as it implies that the attack surface available to threat actors
targeting Jordanian government infrastructure remains extensive despite the NCSC’s
expanding operational capacity. The year also saw the launch of Jordan’s National
Cybersecurity Strategy 2024-2028, representing the government’s most
comprehensive articulation of its cybersecurity policy objectives to date.

## Key Facts
- **What:** Jordan NCSC reported 6,758 cyber incidents in 2024, up 175% from 2023.
- **Who:** Jordanian government agencies and public sector infrastructure.
- **Data Exposed:** 7,846 vulnerabilities found across government websites and servers.
- **Outcome:** National Cybersecurity Strategy 2024-2028 launched; no data protection law yet.
## What Was Exposed
- 7,846 vulnerabilities discovered in government websites and servers during 2024, representing active attack surface available to threat actors targeting Jordan’s public sector digital infrastructure
- Government systems affected by espionage campaigns, data theft operations, and malware deployments across the 6,758 incidents handled by the NCSC during the year
- Potentially sensitive government data in the 2% of incidents classified as serious severity, which at 6,758 total incidents represents approximately 135 events warranting elevated concern
- The operating picture of Jordan’s government cybersecurity posture, as revealed by the concentration of vulnerabilities across websites and servers that are publicly accessible
- Incidents categorized under espionage and intelligence collection - implying that state-sponsored threat actors successfully achieved access to Jordanian government information systems during the reporting period

The 175% incident surge between 2023 and 2024 is a striking statistic that warrants
careful interpretation. Year-on-year incident count increases in national CERT reports
can reflect three distinct dynamics: a genuine increase in the volume of attacks,
an improvement in detection and classification capabilities that surfaces incidents
previously undetected or unreported, or a combination of both. The simultaneous
doubling of cybersecurity alerts (from 2,609 to 6,922) suggests significant growth
in NCSC monitoring capacity, which would increase detection rates even at constant
attack volumes. However, the broader regional and global context - which saw
heightened cyberthreat activity against Middle Eastern targets throughout 2024,
driven partly by the geopolitical pressures associated with the Gaza conflict and
its regional spillover - supports a genuine increase in attack volume as a
contributing factor.

The 97% detection rate claimed by the NCSC requires contextual understanding.
A detection rate metric in this context typically measures the proportion of incidents
matching known threat indicators that were identified and classified as incidents,
rather than representing the proportion of all attacks (including unknown-unknown
threats) that were detected. A 97% detection rate against known indicators is a
strong operational performance, but it does not address the category of sophisticated
attacks using novel techniques, zero-day exploits, or living-off-the-land tradecraft
that specifically avoid signature-based detection. The 0% critical incident rate is
particularly interesting: it may reflect genuine absence of critical-severity events,
or it may reflect a classification methodology in which the NCSC’s incident
severity taxonomy assigns fewer events to the critical category than international
comparators would.

The 7,846 vulnerabilities found in government websites and servers is the most
operationally concerning figure in the NCSC’s annual report. This number
implies a systematic vulnerability scanning program across Jordanian government
digital infrastructure - a positive indicator of proactive security assessment -
but also a government attack surface that is both extensive and insufficiently
patched. Vulnerability counts of this magnitude across government web infrastructure
are characteristic of organizations where application security and patch management
have not kept pace with the rate at which new systems and services are deployed.
Each unpatched vulnerability represents a potential entry point for the espionage
campaigns, data theft operations, and malware deployments that feature prominently
in the NCSC’s incident taxonomy.

The NCSC’s identification of espionage and intelligence collection among the
attack categories it handled in 2024 is significant. Espionage campaigns against
Jordan typically originate from state-sponsored threat actors with interests in
Jordanian government policy, military affairs, intelligence sharing arrangements,
or Jordan’s role as a hub for regional diplomacy on Palestinian affairs.
Iran-nexus groups (including those associated with the IRGC), groups linked to
Palestinian militant organizations, and groups with possible connections to regional
powers have all been documented conducting operations against Jordanian targets in
prior years. Jordan’s position as a country with official diplomatic relationships
with Israel, an active role in regional mediation, and close security cooperation
with both Western powers and Gulf states makes it a high-value intelligence target
for multiple adversarial actors simultaneously.

JOCERT’s handling of 3% of incidents independently and release of 75 technical
advisories during 2024 indicates a developing operational capacity at the sectoral
incident response level. JOCERT serves as the national CERT for the broader Jordanian
constituency, handling incidents from entities outside the government sector that
are not within the NCSC’s direct mandate. The 75 technical advisories released
during the year represent a significant contribution to the national security community’s
situational awareness, translating threat intelligence into actionable guidance for
organizations across the Jordanian economy. The quality and timeliness of these
advisories, relative to the evolving threat landscape, determines their practical
defensive value.

The National Cybersecurity Strategy 2024-2028, launched in conjunction with the
NCSC’s annual report, represents Jordan’s most comprehensive policy commitment
to cybersecurity to date. The strategy identifies five pillars: cybersecurity governance,
critical infrastructure protection, incident response and resilience, human capital
development, and international cooperation. The governance pillar is particularly
relevant to the data protection legislative gap: the strategy acknowledges the need
for a comprehensive legal and regulatory framework and identifies the development of
personal data protection legislation as a policy objective. Whether this objective
produces enacted legislation within the 2024-2028 strategy horizon will determine
whether Jordan’s cybersecurity posture development outpaces or merely tracks
the growth in the threat it faces.
## Regulatory Analysis
The NCSC’s 2024 annual statistics provide both a performance baseline and a
policy challenge for Jordan’s regulatory framework. The Cybercrime Law No. 17/2023
gives the NCSC and JOCERT their primary operational mandate - the 2023 law
formally recognizes their roles in national cyber incident response and provides the
legal basis for their engagement with incidents affecting government systems and critical
infrastructure. However, the 2023 law’s criminal focus - on prosecution
of offenders - does not translate directly into the regulatory framework needed
to improve security standards across the broader economy, including the government
agencies whose 7,846 vulnerabilities represent the most immediately addressable attack
surface.

Jordan’s existing legislative framework does not include a government security
baseline comparable to the U.S. Federal Information Security Management Act (FISMA)
or the EU’s NIS2 Directive. FISMA mandates minimum security standards for all
U.S. federal agency IT systems, requires annual independent security assessments,
and establishes a continuous monitoring program that the National Institute of
Standards and Technology (NIST) supports with detailed security control frameworks.
NIS2 requires member states to impose minimum security measures and incident reporting
obligations on entities in critical sectors, with independent oversight and enforcement.
Jordan’s government has no equivalent mandatory baseline - agencies
improve their security in response to NCSC guidance and incident experience rather
than regulatory compulsion, creating uneven security investment across the government
estate that is reflected in the 7,846 vulnerability count.

The Cybercrime Law No. 17/2023’s expanded prosecutorial powers create a mechanism
for addressing incidents with criminal dimensions, but the 97% detection rate and 175%
incident surge suggest that detection and response capacity is outpacing prosecution
capacity. The Jordan Cybercrime Unit, which operates under the Public Security Directorate,
is responsible for cybercrime investigation and prosecution, but the technical complexity
of espionage campaigns, ransomware operations, and initial access broker activity
(as demonstrated by the r1z case) requires specialist capabilities that are still
being developed. The NCSC’s 2024 report implicitly acknowledges this gap by
noting the international cooperation dimension of its incident response work -
indicating that some incidents require engagement with foreign law enforcement or
intelligence partners to achieve attribution and prosecution outcomes.

The National Cybersecurity Strategy 2024-2028’s identification of personal
data protection legislation as a policy objective creates a legislative roadmap
commitment that should be held to account by civil society, the business community,
and international partners. Jordan’s candidacy for OECD membership - which
has been a stated government aspiration - has data protection adequacy requirements
associated with it, as OECD members are expected to provide data protection frameworks
that meet the organization’s privacy guidelines. This external accession pressure,
combined with Jordan’s trade relationships with the EU (which requires adequacy
determinations for cross-border data transfers), creates practical incentives for
legislative progress that purely domestic policy dynamics might not generate.
## What Should Have Been Done
The NCSC’s 2024 statistics provide a clear operational roadmap for priority
investment. The 7,846 vulnerabilities in government websites and servers represent
a concrete, addressable risk that should be the NCSC’s primary remediation
target for 2025 and beyond. The 2% serious incident rate, applied to 6,758 total
incidents, represents approximately 135 events that warranted elevated response -
an operational load that tests the NCSC’s capacity and the incident
response integration between the NCSC, JOCERT, and individual agency security teams.

The vulnerability remediation challenge requires a structured vulnerability management
program across all Jordanian government agencies, coordinated by the NCSC. Each
government ministry and agency should be required to maintain a prioritized vulnerability
remediation register, tracked against defined timelines based on vulnerability severity.
Critical vulnerabilities should be remediated within 15 days of discovery; high-severity
vulnerabilities within 30 days; and medium-severity vulnerabilities within 90 days.
The NCSC should publish quarterly aggregate statistics on government vulnerability
remediation progress, creating public accountability for the pace at which identified
weaknesses are addressed. The current 7,846-vulnerability baseline - while alarming
in absolute terms - represents a known, quantifiable risk that systematic
remediation can reduce over time, provided adequate resources and management accountability
are applied.
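
The register and the quarterly aggregate described above can be prototyped in a few lines. The following is an added example, not NCSC tooling or code from the report; the 15/30/90-day windows come from the text, while the `Finding` structure, status names, agency labels and dates are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows stated in the text, in days from discovery.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

@dataclass
class Finding:
    agency: str                        # hypothetical agency label
    severity: str
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open

    def __post_init__(self):
        if self.severity not in SLA_DAYS:
            raise ValueError(f"no remediation window defined for {self.severity!r}")

    @property
    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def status(self, as_of: date) -> str:
        # A fix on the due date itself still counts as within the window.
        if self.remediated is not None and self.remediated <= as_of:
            return "fixed_in_sla" if self.remediated <= self.due else "fixed_late"
        return "open_overdue" if as_of > self.due else "open_in_sla"

def aggregate(register, as_of):
    """Per-agency status counts, the kind of figure a quarterly report could publish."""
    report = {}
    for f in register:
        report.setdefault(f.agency, Counter())[f.status(as_of)] += 1
    return report

def worklist(register, as_of):
    """Open findings, earliest deadline first."""
    return sorted((f for f in register if f.status(as_of).startswith("open")),
                  key=lambda f: f.due)

# Constructed sample register (agencies and dates are invented for illustration).
REGISTER = [
    Finding("ministry-a", "critical", date(2025, 1, 2), date(2025, 1, 10)),
    Finding("ministry-a", "high", date(2025, 1, 5), date(2025, 2, 20)),
    Finding("ministry-a", "medium", date(2025, 2, 1)),
    Finding("agency-b", "critical", date(2025, 3, 10)),
    Finding("agency-b", "high", date(2025, 3, 15)),
]
```

Calling `aggregate(REGISTER, date(2025, 3, 31))` separates findings fixed late from those still open past their deadline, which a raw vulnerability count cannot show.
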
Jordan’s government security program should be formalized in a Government Security
Baseline standard, analogous to NIST SP 800-53 or the UK’s Cyber Essentials Plus,
that defines the minimum security controls required of all government agencies. This
baseline should include mandatory multi-factor authentication for all government employee
accounts, endpoint detection and response deployment on all government endpoints,
network monitoring with minimum alert coverage requirements, patch management obligations
with compliance reporting, and annual penetration testing for all internet-facing
government systems. The NCSC should have the authority to conduct compliance assessments
against this baseline and to require agencies that fail assessments to implement
remediation plans within defined timeframes.

The doubling of alerts and the 175% incident surge indicate that detection capacity
is growing faster than response capacity. The NCSC should invest in automated incident
triage and response playbooks that reduce the analyst time required to handle medium-severity
incidents - which at 88% of the total represent the bulk of the operational load -
freeing senior analyst capacity for the serious and critical incidents that
require expert judgment. Security orchestration, automation, and response (SOAR)
platforms can automate the most common response actions for known incident types,
including isolation of compromised endpoints, blocking of identified malicious IP
addresses, and notification of affected agencies. This automation would allow the
NCSC’s analyst capacity to scale to meet growing incident volumes without a
proportional increase in headcount.
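
The triage split described above, sketched as an added example (not NCSC or vendor SOAR code): serious and critical incidents always go to an analyst, known incident types get a playbook, and an automated IP block fails closed when the target is invalid or sits in a protected range. The playbook names, incident fields and protected ranges are hypothetical, and actions are returned as a plan rather than executed.

```python
import ipaddress

# Constructed: ranges the automation must never block (internal RFC 1918 space
# plus 198.51.100.0/24 standing in for an agency's own public range).
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

# Hypothetical playbooks: known incident type -> ordered response actions.
PLAYBOOKS = {
    "malware": ["isolate_endpoint", "notify_agency"],
    "malicious_ip": ["block_ip", "notify_agency"],
}
ESCALATE = {"serious", "critical"}  # always handled by an analyst

def is_blockable(ip_text):
    """True only for a valid address outside loopback and protected ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified:
        return False
    return not any(ip in net for net in PROTECTED_NETS)

def triage(incident):
    """Return a response plan: route ('automated' or 'analyst'), actions, reason."""
    def analyst(reason):
        return {"route": "analyst", "actions": [], "reason": reason}

    if incident["severity"] in ESCALATE:
        return analyst("severity requires expert judgment")
    steps = PLAYBOOKS.get(incident["type"])
    if steps is None:
        return analyst("no playbook for incident type")
    actions = []
    for step in steps:
        if step == "block_ip":
            ip = incident.get("indicator_ip", "")
            if not is_blockable(ip):
                return analyst("unsafe or invalid block target")  # fail closed
            actions.append(f"block_ip:{ip}")
        elif step == "isolate_endpoint":
            actions.append(f"isolate_endpoint:{incident['host']}")
        else:
            actions.append(f"notify_agency:{incident['agency']}")
    return {"route": "automated", "actions": actions, "reason": "playbook matched"}
```
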
Jordan’s NCSC has demonstrated measurable progress in national cybersecurity
incident detection and response, but the 7,846 vulnerabilities in government infrastructure
and the 175% incident surge are indicators of a threat environment that is growing
faster than the defenses being built to contain it - a gap that only a
comprehensive mandatory security baseline for government agencies, backed by the
accountability mechanisms a personal data protection law would introduce, can
systematically close.