Between Multistakeholderism and Sovereignty: Cyber Norms in Egypt and the Gulf States

On Oct. 4, the United Kingdom strongly denounced “reckless” and “irresponsible” cyber attacks conducted by the Russian military intelligence service against a wide range of targets, including the Organization for the Prevention of Chemical Weapons, the United Kingdom’s Foreign and Commonwealth Office and its Defence and Science Technology Laboratory. The U.K. statement emphasized that these attacks were “without regard for international law or established norms,” contrasting Russian actions with the “united” approach of the United Kingdom, its allies and the international community. The U.K. Defense Secretary even drew on language previously used to describeNorth Korean cyberattacks, labeling Russia a “pariah state.”

This extreme rhetoric, portraying cyber space as a black-and-white competition between the good guys and the bad, obscures a more complicated global context. Many scholars and policymakers lament the current state of “cyber norms,” especially after the failure of the U.N. Group of Governmental Experts to agree on the application of international law in cyber space in 2017. The difficulty of reaching global agreement on cyber norms is generally attributed to a bipolar division in cyber security governance, reflecting two opposing political systems and sets of values. On one hand, there is a group of what experts have called “likeminded” states. This group generally includes the United States and European countries, and it believes in an open and free internet driven largely by global market competition with some government regulation and civil society observation (known as multistakeholderism). The second group includes Iran, Russia, and China, and prioritizes state control over national “borders” in cyber space with strict governmental limits on content (known as cyber sovereignty.) These differences have been described as the cyber space element of a resurgent Cold War, in which neoliberal and democratic structures confront information control, authoritarianism, and rule-breaking.

To understand the true nature of this supposed bipolar division in cyber norms, it may be instructive to turn away from the headline-grabbing (and undoubtedly illegitimate) activities of Russian intelligence agencies and to look at more complex edge cases. More specifically, where do Egypt and the six states of the Gulf Cooperation Council (GCC) — Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates (UAE) — fit into this picture?

As I argue in a forthcoming paper for the Hague Program on Cyber Norms, these states share a curious position most cyber security scholars have not considered. On one hand, these countries’ more authoritarian approach to regulations, laws, and participation in international institutions places them in a similar category to Russia, China, and other proponents of cyber sovereignty. On the other hand, unlike Russia and China, Egypt and the Gulf states also have strong diplomatic and security relationships with Western liberal democracies that champion the multistakeholder model. This complex picture, which reflects the broader tensions in these states’ historical relationships with Western democracies dating back to the Cold War, suggests that a binary understanding of global cyber norms is incomplete. Policymakers in the United States, the United Kingdom, and other democratic countries should consider how their cyber security cooperation with Egypt and the GCC states affects wider attempts to embed particular cyber norms in the international system.

Understanding Egypt and the GCC States’ Approach

The GCC states and Egypt are not liberal democracies. They have all — to varying degrees — adopted a position of quiet cooperation and hostile confrontation with the regional cyber powers of Israel and Iran, respectively. There are also many wider differences in their economies, societies, and access to internet technologies. There are deep political disputes between Egypt and the GCC states, illustrated starkly by the split between Qatar and the “quartet” states — Bahrain, Egypt, Saudi Arabia and the UAE — in June 2017, with Oman and Kuwait taking a neutral position.

Despite their differences, all these states’ approach to cyber issues exhibit some similarities with the authoritarian, cyber sovereignty-focused approach of Russia, China, and Iran. Cyber sovereignty emphasizes the strong assertion of territorial boundaries and state control over internal infrastructure, transnational connections, and content produced within or by citizens of that state. For example, Article 31 of Egypt’s 2014 constitution, drafted after the 2013 coup and subsequent election of President Abdel Fattah Al-Sisi, states: “the security of information space is an integral part of the system of national economy and security. The state commits to taking the necessary measures to preserve it.” Given the wide powers allocated to military and security agencies under this constitution, and the censorship practiced under Sisi, it is safe to assume that “the security of information space” (‘amn al-fida’ al-mu’alumati) is defined broadly along Russian or Chinese lines.

The GCC states have similar outlooks on the control of national information, also demonstrated through broad practices of censorship. As Joyce Hakmeh has demonstrated, the GCC states — and, in August 2018, Egypt — have all passed cyber crime laws that contravene internationally recognized rights to freedom of expression. Finally, all these states have supported an increased role for the United Nations in cyber security regulation and standards. The United Nations is generally the preferred venue for proponents of cyber sovereignty because its state-only structures increase the relative power of non-Western states. In contrast, multistakeholderism also includes (mainly Western) private companies and civil society representatives. Despite occasional reports of bilateral cooperation with Russia and China (for example, Egypt’s 2014 intent to work with China on combatting ‘cybercrimes’), the United Nations appears to be the main forum where these Middle Eastern and North African states work together on cybersecurity.

But despite their embrace of cyber sovereignty over multistakeholderism, in key areas of cyber security in public and private sectors, Egypt and the Gulf states work more closely with the “likeminded” states that champion multistakeholderism than with their rivals. This is based on broader security and intelligence partnerships: For example, the United Kingdom relies on Oman for signals intelligence collection highly valued by its Five Eyes partners, while Saudi Arabia and the UAE are approved “Third Parties,” able to access some U.S. signals intelligence. These links extend into cyber security, which is a key commercial and diplomatic pillar of the UK’s Gulf Initiative. The UAE has allegedly discussed joint “cyber tools … to contain and defeat Iranian aggression” with a Washington think tank, another sign of potential cooperation in the cyber realm. More broadly, there are UK-Saudi Arabia agreements to develop “strategic cooperation in cybersecurity” and U.S.-Egypt joint military exercises including cyber security (against a background of increased U.S. military aid).  Due to these extensive associations, these states cannot simply be labelled as “obstructionist” or spoiler forces against multistakeholder proponents and global cyber norms — a label more appropriately applied to Russia, China, and Iran.

Cyber security links to liberal Western democracies  also extend beyond state-to-state relationships, as the profile of commercial cyber security has risen following several significant cyber attacks. Private companies based in the United States and Europe sell a wide range of defensive cyber security solutions and cyber security consultancy services to most major companies and government organizations in Egypt and the Gulf, which they see as a lucrative market, while arms companies with a longstanding presence in the region offer national surveillance and offensive cyber capabilities. In these ways, Egypt and the Gulf states present a challenge to bipolar models of internet governance that presume the two sides simply form Cold War-style blocs.

A Middle Ground

These states’ approach — extensive cooperation despite substantive disagreement — echoes wider contradictions between the normative and strategic components of the relationships between Egypt and the Gulf states and their international allies. In the Cold War, the oil wealth of the Gulf states and Egypt’s central position in pan-Arabism and the Israel-Palestine conflict motivated the United States and Europe to work with these countries, overlooking inconsistencies with the rhetoric of worldwide democracy promotion. After the Cold War, joint concerns over Islamist terrorism and growing arms sales encouraged an equally muted public response to human rights violations from allied governments.

Both sides have attempted to square this circle. International allies argued that influence in private was more effective than public condemnation, and that working with these regimes was more likely to bring change than breaking away from them. The regimes themselves paid lip service to democracy and human rights, and activists and social movements made some genuine progress.

In cyber security, the same puzzle presents itself. There has been no indication of opposition by the U.S. and U.K. governments to the raft of new cyber crime laws in the Middle East. And although cyber security strategy documents in Egypt and the Gulf states have mirrored the language of human rights and a free and open internet, this has not been matched by their practice. More seriously, their offensive cyber activities do not fall within the limits set both rhetorically and in practice by the United States, the United Kingdom, and other “likeminded” states, which condemn the destabilizing use of cyber tools and permit cyber espionage only for narrow national security purposes. The GCC split itself was reportedlytriggered by a cyber operation carried out by contractors working for the UAE, who implanted fake text praising Iran on the website of the Qatari national news agency. The leaking of private emails of the UAE Ambassador to the United States may have been a Qatari response. Finally, as part of the ongoing disputebetween Canada and Saudi Arabia, Israel-manufactured spyware was identified on the devices of Saudi dissidents in Canada, and assessed to be controlled by the Saudi government. Egypt has conductedsimilar cyber attacks on journalists and civil society. Overall, the contradictions between cyber norms rhetoric and longstanding security alliances have been left unresolved, undermining the force of the norms the United Kingdom stresses in regard to states like Russia.

Conclusion

Amid deep conflict over basic norms, Egypt and the GCC states have maneuvered between two poles while enjoying the tacit, if not explicit, support of both sides. This has three key implications. First, global cyber norms are much more complex — and much more entangled with traditional governance practices, diplomatic relationships, and strategic concerns — than Western officials may like to admit. However uncomfortable it may be, international policymaking on cyber norms must take into account not only the “likemindedness” of some states, but also the fact of their strategic interests and relationships with other states that are less or not at all likeminded. Without this recognition, any attempt to create global cyber norms is hampered from the start. More broadly, to understand the complexity of cyber norms we must look outside the framework of great power competition.

Second, the United States and European allies of Egypt and the Gulf states need to decide where their priorities lie: Does consistency on global cyber norms outweigh broader security considerations? If a stable, coherent set of cyber norms is the primary aim, greater attention should be given to persuading friendly states to stay within the boundaries of these norms. However, if security alliances trump cyber norms, Western democracies should recognize that the rhetorical effect of denouncing Russian or Chinese action will be limited. For the United States, effective foreign policy regarding cyber security in the Middle East requires both the identification of a clear national interest, connected to broader strategic goals concerning the kind of cyber space the United States seeks to promote, and a good understanding of the evolving landscape in which the U.S. government and U.S. companies are operating. Right now, both are lacking.

Third, although the contradictions outlined here suggest that human rights and national security are important starting points for research, we should not confine cyber security research on these states to these well-trodden paths. In the Middle East, cyber security is changing regional alliances, altering the economic calculations of businesses, and reforging fundamental relationships between individuals and their governments. There are significant differences in cyber security approaches between these states, especially in Kuwait and Qatar. And there are many new initiatives and organizations, like Saudi Arabia’sNational Cyber Security Authority (al-hai’a al-watniyya lil-‘amn al-sibrani), Egypt’s High Council for Cybersecurity, the UAE’s National Electronic Security Agency, and Oman’s Arab Region Cybersecurity Centre. As our understanding of cyber security evolves and its connection to other areas of foreign policy deepens, a broader approach to cyber security research in this region is urgently needed to adequately understand these new dynamics and inform future policy choices.