In the Middle East, War Is Going Digital

And that should scare everyone.

By Roxane Farmanfarmaian and Jay Mens, executive director of the Middle East and North Africa Forum.
Saudi nationals attend the Gitex 2018 exhibition at the Dubai World Trade Center in Dubai on Oct. 16, 2018. Karim Sahib/AFP/Getty Images

Given this year’s news cycle, you might already have forgotten that, this past December, news broke that Russia had conducted a major hack of U.S. intelligence agencies. Around the same time, a smaller story about government-led hacking in the Middle East came out. Saudi Arabia, it was alleged, was spying on journalists from Al Jazeera, the state-funded media network of its rival Qatar, using Israeli spyware. Both stories involved cyber-infiltration and data theft. But the stories had a more important commonality: No one seemed especially shocked by them.

The Gulf is rapidly becoming a laboratory for the ethics and practices of hybrid warfare. A new report (which one of us directed) from the Middle East and North Africa Forum at the University of Cambridge explores the drivers, and the direction, of the Gulf’s evolving strategy. With conflicting religious agendas and rival international backers, Saudi Arabia and Iran have spent almost 30 years locked in geopolitical struggle. Both have sought to build leverage over one another using methods short of war—backing regional proxies, amplifying the voices of the other’s political opposition groups, and, increasingly, using targeted cyberattacks. For both, cyberwarfare offers an ethical out—it kills fewer people than conventional war—but can cause great havoc and disruption.

Saudi Arabia and Iran have very different approaches to cyberwar. Saudi Arabia has chosen to outsource most of its cyberdevelopment, purchasing bespoke tools from private contractors in the United States, Israel, and the United Kingdom to conduct specific cyberoperations. Saudi Arabia has used legions of bots to bolster the kingdom’s image on social media at times of crisis, most recently for damage control after the murder of Jamal Khashoggi. At the same time, the kingdom has attempted to strengthen its cyberdefenses, in particular by creating a broad institutional infrastructure to handle cybersecurity. In 2017, this began with the launch of a National Cybersecurity Authority, a Saudi equivalent to U.S. Cyber Command under the direct authority of the King’s office, as well as the Saudi Federation for Cybersecurity, Programming and Drones, an organization under the auspices of the Saudi Olympic Committee leading the charge to build a pool of skilled Saudi cyberwarriors.

Iran, meanwhile, has developed its own integrated, multiplatform offensive program. Hampered by sanctions and its international pariah status, its program is mostly homegrown, though with some help from Russia and China. In 2013 China committed to helping Iran develop a national internet, known as SHOMA, independent of the World Wide Web, a partnership expected to expand with a 25-year security deal the two states are currently negotiating. Iran’s developments in the field have contributed to its status as one of the region’s most advanced cyberpowers.

The intensification of the cyber-standoff in the Gulf holds lessons for all states regardless of their size, wealth, or ideology. For no state in the world is it a question anymore of whether espionage, sabotage, and social engineering are slipping undetected into their computer networks, but rather how to address the escalating threat, and how fast.

Roxane Farmanfarmaian is the director of international relations and global studies at the University of Cambridge Institute of Continuing Education.

Jay Mens is executive director of the Middle East and North Africa Forum, a think tank based at the University of Cambridge, and a research analyst for Greenmantle, a macroeconomic advisory firm.