Tue, May 11, 2021

Co-opting cybersecurity in Egypt

MENASource by Bassant Hassib and James Shires

Related Experts: James Shires,

Digital Policy Middle East North Africa Politics & Diplomacy

Nesma Nasr, an Egyptian textile engineer, works on her computer at her home in Cairo, Egypt March 26, 2021. Picture taken March 26, 2021. REUTERS/Hanaa Habib

Cybersecurity is a key area of contest for digitalized politics, especially in uncertain and turbulent situations. Nowhere is this more starkly illustrated than in states such as Egypt, where the period since the January 2011 revolution has seen several changes of government and the subsequent consolidation of executive power in the military, increasingly strict limits on free speech, and extensive violence by Islamist groups against the state and civilian targets and by the state against protesters and dissidents.

In a recent article, we argue that cybersecurity provides a way for the Egyptian government to “manipulate uncertainty”to its advantage. It uses cybersecurity policies, practices, and technologies to make opponents more predictable while retaining or increasing its freedom of action.

Cybersecurity and political uncertainty

To understand the role of cybersecurity in Egyptian politics, we first must think a little more deeply about uncertainty in politics more generally. In hybrid authoritarian systems such as Egypt, which combine “façade” democracy with entrenched elite power, the incumbent is highly likely to remain in office throughout a critical political juncture (a referendum, protests, constitutional change, parliamentary elections, and so on). This is clearly the case for current President Abdel Fattah El-Sisi, who assumed power in June 2013 and, in 2019, extended constitutional limits on presidential terms to allow him to remain in position until 2030.

But some uncertainty always remains and, so, incumbents seek to over-determine their continued grasp on power. In Egypt, this over-determination was demonstrated by excluding all serious opposition, including Sisi’s former military colleagues, from the 2018 elections. Inflated reports of extremely low voter turnout in these elections underline Sisi’s concern over popular support despite his tight grasp over Egyptian politics.

Uncertainty is also something over which one can exert control. Studies of post-2011 Egyptian online political clusters have investigated how both elites and organized opposition groups drive or diminish fear and uncertainty. This research highlights how, in pre-Sisi Egypt, fear and uncertainty over the political transition began in activist social media groups, spreading at different rates and intensities to Muslim Brotherhood supporters and “apolitical” social media groups.

How does cybersecurity fit into this picture? Cybersecurity concerns simultaneously unarguable yet difficult to define risks that change rapidly with technological developments. This flexibility means that cybersecurity policies and technologies are ideal candidates for political strategies aimed at manipulating uncertainty.

Cybersecurity strategies and laws

During Egypt’s “revolutionary situation” after President Hosni Mubarak stepped down on February 11, 2011, national cybersecurity policy was limited to a National Information and Communications Technology (ICT) strategy, first published in 2012 but later relaunched under Sisi. A National Cybersecurity Strategy was only released years later in December 2018. This new strategy replicated many ambiguities in the earlier ICT strategy, highlighting vague threats of cyberterrorism and cyberwarfare.

Despite this delay, cybersecurity institutions and legislation were already well underway. In 2014, the Egyptian government established a Supreme Cybersecurity Council, including a committee tasked with monitoring cyberspace for any “deviant” public opinion and “terrorist” content. The Supreme Cybersecurity Council also weighed in on more traditional cybersecurity issues, responding to global ransomware strains that affected Egypt in 2017 and occupying a central position in Decree 994 that year, requiring greater cybersecurity measures from government organizations.

Relevant laws soon followed suit. Shortly following Sisi’s re-election, a cybercrime law that had been repeatedly re-drafted over the preceding years was approved by the Egyptian parliament in August 2018. This law vaguely identifies cybercrimes as including activities that might harm “society’s security and cohesion.” Egyptian NGOs have argued that the imprecision of key terms in the drafting process resulted from the deliberate exclusion of relevant legal and technical experts. The executive list implementing this law was only published in August 2020 and received similar criticism.

This law has been used in conjunction with longstanding legal tools governing protests, media regulation, fake news, and a permanent state of emergency to suppress political activism. Most notably, the 2018 media regulation, or “Facebook” law, includes provisions to block any popular social media account (over five thousand followers) for publishing “fake news”. These laws have also been used to police social norms on appropriate behavior for women and silence the LGBTQ community in Egypt.

The introduction of sprawling media, terrorism, and cybercrime laws all aiming to criminalize similar activities appears designed to increase uncertainty for activists and opposition figures about what is and is not acceptable online and minimize uncertainty for the government, ensuring that at least one of the three legal regimes will capture almost any undesirable online activity.

Online censorship

During the 2011 revolution, Mubarak made several attempts to inhibit internet connectivity for protesters, the most infamous of which was the blocking of Facebook and Twitter during the initial protests, followed by a five-day internet shutdown.

Sisi’s government has greatly refined this capability in the last eight years. Online censorship increased, especially from 2016 onwards, blocking many independent news outlets, such as Mada Masr, and non-governmental organizations’ (NGO) websites, such as Human Rights Watch and Reporters without Borders. In September 2019, technical measurements showed that the government slowed down and temporarily disabled Facebook from allowing people to share locations and pictures during protests, while other social media became unavailable or intermittent. However, censorship has been erratic and not systematically enforced, raising questions about the government’s capacity and technological ability.

Cybersecurity is one of several frequent and overlapping justifications for censorship, in addition to strengthened counterterrorism and media regulation, and the Supreme Cybersecurity Council reportedly plays a key role in facilitating online censorship.

Online censorship minimizes the government’s uncertainty by limiting the opportunity for individuals to criticize the government and engage in collective action online, but also increases the uncertainty of activists who do not know when or why they would be blocked. Such relationships of uncertainty mirror broader offline patterns of arbitrary detention.

Surveillance

By 2009, Egypt already possessed technology that allowed large-scale access to telephone networks. When protestors broke into the headquarters of an Egyptian security agency in March 2011, they famously retrieved and disclosed tenders for targeted surveillance technologies. After Sisi’s rise to power in 2013, the new regime purchased more surveillance technologies, including French/Emirati company Nexa Technologies, a local affiliate of US company Blue Coat, and Italian company Hacking Team.

These surveillance programs are often undertaken in the name of cybersecurity. The Blue Coat-linked tender was reportedly termed a “Social Networks Security Hazard Monitoring Operation,” echoing benign technical and policy measures in cybersecurity. Additionally, companies selling targeted surveillance capabilities have embraced descriptions such as “offensive cybersecurity” to help market their products.

Egyptian security agencies also appear to have tried to develop their own capabilities. A Toronto-based institute, The Citizen Lab, has analyzed phishing campaigns against Egyptian NGOs that trick recipients into providing their personal information and passwords, as well as overcoming protective measures such as two-factor authentication. Research by Amnesty International revealed links between these phishing campaigns and the commercial surveillance software above.

The increasing procurement and use of surveillance tools seek to minimize uncertainty through (apparent) predictive capability, as it provides governments—specifically security agencies—with more and more detailed intelligence about their targets. In contrast, the secrecy of such intelligence databases, and the opacity of the national security apparatus more widely, means that citizens and activists are uncertain as to the extent of digital surveillance in any specific instance.

Conclusion

Most observers and practitioners assume that cybersecurity seeks to reduce or manage uncertainty and risk. However, the evolution of supposed “cybersecurity” policies, practices, and technologies in Egypt shows that cybersecurity can also be used to manipulate uncertainty, incorporating surveillance, censorship, and legal ambiguity to increase and exploit uncertainty for political advantage.

Many other hybrid and authoritarian states, including in the Middle East and North Africa, have treated cybersecurity in similar ways, while what academic Seva Gunitsky calls “the great convergence” between democracies and authoritarian states suggests that the former may increasingly adopt information controls and forms of cybersecurity originally developed in the latter.

Bassant Hassib is an assistant professor of political science at the British University in Egypt, and a Leicester Institute for Advanced Studies Fellow at the University of Leicester.

James Shires is an assistant professor at the Institute for Security and Global Affairs, University of Leiden, a fellow with the Cyber Statecraft Initiative at the Atlantic Council, and an associate fellow with The Hague Program for Cyber Norms.