DON'T LOSE ACCESS:
Your IP access to ForeignPolicy.com will expire on June 15.
To ensure uninterrupted reading, please contact Rachel Mines, sales director, at firstname.lastname@example.org.
Elephants in the Room
America’s Arab Allies Should Work Together to Stop Iranian Cyberattacks
Instead of a comprehensive solution to the region’s security threats, the Trump administration should narrow its focus.
Given his past statements regarding Islam, his administration’s mishandled rollout of the travel moratorium on certain Muslim-majority countries, and his general penchant for undiplomatic statements, President Donald Trump’s first trip to the Middle East last month was a surprising success. Saudi Arabia rolled out the red carpet for him as it never had for his predecessor, he inked a $110 billion arms agreement with Saudi Arabia, and his speech in Riyadh to more than 50 leaders and representatives from across the Muslim world, calling for them to unite to resist Iranian aggression and fight the sources of extremism that have metastasized in the threat posed by the Islamic State, was generally well-received.
Yet if Trump benefited from low expectations prior to last month’s Arab Islamic American Summit, his administration may soon fall victim to the unrealistically high expectations created by the president’s successful sales pitch as the anti-Obama to the region’s leaders. Specifically, prior to the president’s trip, his administration dropped significant hints about establishing an Arab NATO to contain Iran and fight the Islamic State. Although Trump never mentioned this project during his Riyadh address, Saudi King Salman subsequently claimed the leaders of the 55 nations who took part had pledged a force of 34,000 “reserve” troops to the alliance. (Whether any of the other leaders actually agreed to this declaration is another matter). While perhaps a good idea in theory, the history of similar past projects — from Gamal Abdel Nasser’s failed pan-Arab movement to the Saudi-proposed Islamic Military Alliance — is one of repeated failure.
As if to illustrate the difficulty Sunni Arab states have overcoming their internecine rivalries and cooperating with one another, the Gulf Cooperation Council (GCC) has already fallen into another bitter feud since Trump’s visit to the region. The proximate cause this time was a report by Qatar’s state media that the country’s emir, Sheikh Tamim bin Hamad Al Thani, had cautioned against confrontations with Iran as well as defending Hamas and Hezbollah — in other words, directly contradicting the Riyadh summit’s message. Although Qatar quickly claimed the news agency had been hacked by an “unknown entity,” on Monday Bahrain, Saudi Arabia, the United Arab Emirates, and non-GCC member Egypt announced they were cutting diplomatic and even transportation ties to Qatar. This break makes the already remote prospect of an Arab NATO appear risible for the foreseeable future. By directing U.S. policy towards an objective every U.S. president since Dwight Eisenhower has failed to achieve, Trump risks engendering a sense of disappointment in the region that will further erode U.S. credibility and drive Middle East actors towards accommodation with one or the other of the twin threats emanating from the region.
Rather than attempting to resolve the dynastic rivalries and ingrained cultural obstacles that inhibit Arab military cooperation in a single bold stroke, the Trump administration should attempt something counterintuitive for its famously grandiose leader: play small ball. Instead of a comprehensive solution to the region’s security threats, the Trump administration should narrow its focus and first establish institutions to counter Iran’s asymmetric threats. Specifically, it should work with America’s GCC partners to address the threat posed by Tehran’s malicious cyber activity.
There are there are several reasons why strengthening the GCC’s common cybersecurity efforts is both necessary and more feasible than replicating NATO’s security architecture in the Middle East. First, in the near- to mid-term, the most immediate threat posed by Iran is not a conventional military attack. Although Iranian aggression throughout the region is dangerous and must be contained, the United States and its Arab allies still maintain a decisive qualitative advantage in conventional military capability over Iran. Moreover, the approximately 35,000 U.S. troops in the region serve as a tripwire to deter any overt military aggression by Tehran against the GCC. The more immediate threat, therefore, stems from Iranian soft power.
One area in which Iran’s propensity for asymmetric warfare has increasingly been deployed is in the cyber realm. Last year Iranian hackers attacked Saudi Arabia’s aviation agency, damaging thousands of computers and “erasing critical data and bringing operations there to a halt for several days,” according to a report by Bloomberg. This was merely the latest example of Iranian cyberattacks against America’s GCC allies. In the wake of Saudi Arabia’s 2016 execution of a prominent Shia cleric, Sheikh Nimr al-Nimr, after his conviction on terrorism charges, Iran severed diplomatic ties and hackers attacked key websites belonging to the Saudi Defense Ministry. In 2012, Iranian hackers used the Shamoon virus to attack oil and gas companies in Saudi Arabia and Qatar, destroying 30,000 computers at Saudi Aramco, the national petroleum and natural gas company. From 2012 to 2014, Iran’s Operation Cleaver targeted companies in Kuwait, Qatar, Saudi Arabia, United Arab Emirates, and 12 other countries. And from 2008 to 2010, hacker groups linked to the Iranian military claimed credit for hacking thousands of websites in Europe, the Gulf countries, and the United States in response to perceived slights against Iran. (This does not even take into account Iranian cyberattacks on the U.S. banking system, on U.S. military networks, and on U.S. critical infrastructure).
Iran’s deployment of offensive cyber capabilities is part of a strategic culture that emphasizes deniability through the use of surrogates and focuses on attacking soft targets to allow Iran to pursue strategic objectives beyond the capabilities of its conventional forces. In 2015, then-Director of National Intelligence James Clapper told a Senate hearing that although Iran had “lesser technical capabilities in comparison to Russia and China,” its pattern of destructive attacks demonstrates it is a “motivated and unpredictable” cyber actor. The Pentagon subsequently warned in its 2016 annual report to Congress on Iranian military power that Tehran has continued to improve its offensive cyber capabilities since the 2015 nuclear agreement. With the influx of $100 billion in sanctions relief thanks to the Iran nuclear agreement, and the apparent hiring of Russian cyber mercenaries in recent attacks, Iran’s threat in the cyber realm will only continue to grow.
Beyond strategic incentives to cooperation, Iran’s malicious cyber activity threatens other GCC interests. In 2016, PricewaterhouseCoopers found that in the previous year 85 percent of Middle East companies had suffered cyberattacks, with 18 percent suffering more than 5,000 attacks. More than fifty percent of the companies surveyed had suffered more than half-a-million dollars in losses as a result of these attacks. Iranian digital assaults against corporate targets in the region were so numerous that in 2015 the State Department issued an unprecedented security report warning American businesses operating abroad of Iran’s rapidly improving cyber capabilities. Internet penetration rates in the Middle East have increased from 29.8 to 57 percent since 2010, and Kaspersky Labs recently wrote, “We have witnessed the Middle East becoming one of the major cyber battlefields.” Although the head of Saudi Arabia’s National Cyber Security Center recently said, “We have a close relationship between the GCC countries and cyber security,” in the wake of the WannaCry ransomware attacks. “[I]t isn’t enough. We should be doing more.”
Amidst the broader disasters that marked the Obama administration’s policymaking in the Middle East (such as the Iran nuclear deal, the withdrawal of U.S. forces from Iraq, the Syrian red line, the constant undermining of Israel), its cyber initiatives in the region stand out as a rare bright spot. During the 2015 Camp David summit, President Barack Obama pledged support to the Gulf States to defend against cyberattacks from Iran, and during his trip to Saudi Arabia to sell the Iran nuclear deal, Secretary of Defense Ash Carter discussed cyber security with King Salman. Gen. Lloyd Austin, then head of U.S. Central Command, reportedly tried to persuade America’s Gulf Cooperation Council allies into working together to protect against cyber-attacks.
The Trump administration should build upon these initiatives and work towards establishing a Gulf Cybersecurity and Communications Integration Center comparable to the one run by the U.S. Department of Homeland Security. Such an operations center would serve as a clearinghouse for information sharing on cyberattacks in the region and thereby improve the capacity of each state to respond to future incursions. Whereas an Arab NATO would require interoperability at the outset, a cybercecurity center could build upon the present bicycle-spoke structure of U.S.-Gulf partnerships by placing America at the center of this initiative, with each member states’ computer emergency response teams using the intelligence generated by the center to respond to attacks against their government networks. In the near term, this would also allow Qatar to participate without either it or its GCC rivals having to lose face by breaking the diplomatic impasse. Increased interactions could generate sufficient trust to allow GCC members to manage the operations center on their own, possibly even establishing a common emergecy response team to counter cyberattacks emanating from Iran. And if successful, the interoperability and institution-building generated in the cyber realm could be expanded to other military dimensions. (Additionally, by addressing cybersecurity first, the Trump administration could advance its stated goal of integrating Israel into the region’s security structures, as Israel’s unique expertise in cyber defense and shared interest in countering the Iranian cyber threat provide a potential under-the-radar avenue for cooperation with the GCC).
By focusing on containing Iran and defeating the Islamic State, Trump has set the right goals for U.S. policy in the Middle East. But eventually the hosannas the president has received in the region for merely not being Obama will fade, and his administration will have to find a way to operationalize the rhetoric the president articulated in Riyadh. Instead of committing diplomatic capital to grand gestures with little probability of success and significant risks accompanying failure to address an Iranian conventional threat that is deterrable in the near- to mid-term, the Trump administration should focus on improving institution building and interoperability to counter the more immediate threats posed by Iranian asymmetric efforts in cyberwarfare. Just as Mario Cuomo famously observed — “You campaign in poetry; you govern in prose” — successful alliance management is built upon smaller initiatives that incrementally improve joint capabilities.
Photo credit: MANDEL NGAN/AFP/Getty Images