Shining a Light on Cybersecurity Policy in the Middle East

Despite the growing profile of cyber hacks, leaks, and resulting diplomatic crises in Gulf Cooperation Council (GCC) countries, conversations about policy in the Middle East and North Africa (MENA) rarely address cybersecurity concerns. During the 2018-2019 academic year, a research collaboration between MEI and the Cyber Project at the Belfer Center looked to shift the dialogue.

Eric Rosenbach, Co-Director of the Belfer Center, and Michael Sulmeyer, former Director of the Belfer Center’s Cyber Project, proposed a faculty research project on “Cybersecurity and Cyber Defense in the Middle East” to tackle cybersecurity and the growth of digital technologies in the region. They argued that while countries in the Middle East have adopted new digital technologies, governments in the region pay insufficient attention to cybersecurity.

From a defense perspective, MENA governments view cybersecurity as a technological matter without need for policy input. Companies in the region also downplay cybersecurity risks for economic and reputational reasons. Meanwhile, some governments in the region consider cyber attacks a means to enhance their power vis-à-vis rival states without resorting to force. As a result, MENA has witnessed devastating cyber attacks on critical infrastructure and industries, as well as the more salacious leaks of diplomatic cables. To better understand regional events in cyberspace and to inform U.S. policy, the Cyber Project set out to explore prospects for developing cyber norms with MENA leaders, including regulation of certain technologies. The team recruited James Shires, who holds a DPhil in International Relations from the University of Oxford and researches cybersecurity in the Middle East, to lead the project as a joint MEI and Cyber Project fellow. Throughout the academic year, Shires’s research pointed to a need for innovation in cyber policy.

“For the United States, effective foreign policy regarding cybersecurity in the Middle East requires both identifying a clear national interest, connected to broader strategic goals, and a good understanding of the evolving landscape in which the U.S. is operating. Right now, both are lacking.” JAMES SHIRES

In his article for War on the Rocks, “Between multistakeholderism and sovereignty: cyber norms in Egypt and the Gulf states,” Shires explores the positions of Egypt and GCC states on cyber norms. He finds that while these states favor more authoritarian approaches to cyber regulation, similar to Russia, China, and Iran, diplomatic and security partnerships with the U.S. and its allies complicate their approaches to cyber norms.

As a result, Shires argues for “a broader approach to cybersecurity research”—beyond great power competition and tradeoffs between human rights and national security—to inform cyber policy in the region. He calls for further attention to the region in his article in the Journal of Cyber Policy, “Hack-and-Leak Operations: Intrusion and Influence in the Gulf.” In this article, Shires examines the 2015 hack and leak of documents from the Saudi Ministry of Foreign Affairs, proposing a new framework for understanding hack-and-leak operations based on their technical characteristics, political context, and intended audiences.

Ultimately, Shires’s research for the “Cybersecurity and Cyber Defense in the Middle East” project presents stark findings: digital technologies deeply impact foreign policy in the Middle East, and their impact demands innovative responses. These takeaways bring cybersecurity issues in the Middle East into the spotlight and prepare a path for future cyber research in the region.