The 5×5—The state of cybersecurity in the Middle East
On May 25, a threat intelligence firm published a report detailing the use of a newly discovered strain of wiper—a malware utilized to overwrite a victim’s data—that disguises itself as ransomware. Dubbed “Apostle” by the firm, the wiper has primarily targeted Israeli computers, in addition to at least one facility in the United Arab Emirates (UAE), and been attributed with medium confidence to an adversary with ties to Iran. If indeed Iranian, the campaign would represent only the latest evidence of ongoing geopolitical competition and conflict amongst Middle Eastern powers unfolding in cyberspace. Past highlights of Israeli-Iranian cyber exchanges include an Iranian intrusion against a water treatment facility in Israel that threatened to sicken hundreds when the hackers attempted to alter chemical levels in the water. Israel allegedly retaliated by targeting the computer networks of a Bandar Abbas port, disrupting Iranian traffic for days. And that’s without mentioning the paterfamilias of offensive cyber capabilities.
Countering Iran has, to a great extent, motivated the Arab-Israeli rapprochement in recent years. In cyberspace, a domain in which Iranian aggression is particularly manifest, cooperation between Israeli and UAE government agencies and firms has been so active that it should be considered one of the driving forces behind the diplomatic normalization outlined in the Abraham Accords.
A recent flare-up in the Israel-Palestinian conflict tested the strength of the Abraham Accords…and they appear to have passed. But how will this and other developments in the region affect cybersecurity cooperation, and what does the future of the Middle East’s cyber landscape look like? We asked five experts for their perspectives.
#1 To what extent, if any, will recent flare-ups in the Israel-Palestinian conflict affect regional cooperation on cybersecurity?
Kirsten Fontenrose, director, Scowcroft Middle East Security Initiative, Middle East Programs:
“The regional flare-ups will not impact cybersecurity cooperation at all. The potential for cyber cooperation between the two most cyber-capable governments in the region outside of Iran, Israel and the UAE, was one of the drivers of the Abraham Accords, and this will not be abandoned. Further, this cooperation happens behind secure doors and does not present an obvious target for complaint by publics on either side of the flare-up.”
Bassant Hassib, assistant professor of political science, British University in Egypt; fellow, Leicester Institute for Advanced Studies, University of Leicester:
“The Palestinian-Israeli situation is not a new issue, and nevertheless governments in the Gulf and Egypt carried on with their interest-based cooperation with Israel, like the recent UAE-Israeli agreement on science and technology. Cooperation between Israel and the Palestinian Authority will not change, since the infrastructure is controlled by Israel, but the advantageous status of Hamas in the recent flare-ups suggests a possible support by the Palestinians for a less cooperative approach on cybersecurity. Finally, new dynamics of cooperation on the societal level will develop: for instance, to circumvent content moderation in Arabic on social media, users in the Middle East started to use applications that alter the Arabic letters in a way that manipulates algorithms.”
Amit Sheniak, post-doctoral research fellow, Federmann School of Public Policy and Government, Hebrew University of Jerusalem; research fellow, Federmann Cyber Security Research Center:
“Unlike the Iranian cyber threat, in the near- to medium-term future I do not believe that the Palestinian-Israeli conflict will serve as an incentive for a regional cybersecurity cooperation. The Palestinian cyber-threat to Israel usually lacks advanced technological sophistication, yet it can be characterized as very successful in its social design, based on close knowledge of Israeli culture, language, etc. Thus, most of Hamas’s cyberattacks were aimed at luring soldiers and civilians to fall for malware and phishing traps, yet this kind of cyber threat will not benefit much from a regional cyber cooperation. Although, Israel’s experience using advanced cyber-espionage and data-analysis capabilities—gained as part of counterterrorism operations in the Palestinian Territories—does serve to incent friendly regional powers to cooperate with Israel on cybersecurity.”
James Shires, senior fellow, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security; assistant professor, Institute for Security and Global Affairs, University of Leiden:
“If we take cybersecurity to include issues of disinformation and content moderation, then the 2021 Gaza war has revealed the extent to which the current content moderation policies of major social media companies are not fit for purpose, as they stifle legitimate protest. More narrowly, well-established cybersecurity cooperation between Israel and the Gulf states will continue regardless, although it may not be trumpeted as loudly in the short term. Israel-Egypt cooperation is more intriguing, given Egypt’s dual role in both containing and providing a diplomatic conduit to Hamas.”
Mohammed Soliman, non-resident scholar, Cyber Program, Middle East Institute; senior associate, Middle East and North Africa Practice, McLarty Associates:
“The regional cyber cooperation is centered around the UAE and Israel, which have been partnered in developing emerging technologies and cyber capabilities since the signing of the Abraham Accords. The Gaza war and evictions in occupied East Jerusalem will have a limited impact on the existing cyber cooperation between the UAE and Israel, but there will be less media coverage of this sort of cooperation.”
#2 How are China and Russia shaping the landscape of cyber conflict in the Middle East?
Hassib: “Russia’s support to the Assad regime probably involves increasing the regime’s surveillance and cyber defense capabilities. The investments of Chinese companies in artificial intelligence (AI) surveillance in the Gulf and their sales of armed drones are significant for the Gulf states in countering extremism and securing urban spaces, as well as in their conflict with the Iran-backed Houthis. However, given the wider Russian and Chinese approaches to authoritarian cybersecurity, their growing technology and cyber interest in the Middle East would reinforce authoritarian cybersecurity in the region.”
Sheniak: “There is hardly any common knowledge of Chinese cyber operations conducted against Middle Eastern countries, and China is not an active cyber player in the Middle East public sphere. However, the growing international technological competition and friction between China and the United States (especially throughout the Trump administration) has the potential to spill over and affect cyber conflicts in the Middle East. This is due to China’s role in building advanced information technology infrastructure such as 5G telecommunications, and the resulting US efforts to choose non-Chinese vendors (i.e., the “Clean Network Initiative”). Additionally, China’s recent cyber-cooperation agreements with Iran might push other regional powers, such as the Gulf states, to further advance their cooperation with the United States.”
Shires: “Russia is shaping cyber conflict predominantly through its actions in Syria and through private military companies in Libya. The Syrian conflict is highly mediatized, so Russian troops have become part of this terrible online archive, and Russia is likely providing technical assistance on surveillance and cyber operations to the Assad regime. Both Russia and China conduct extensive cyber espionage in the region, especially on energy sector targets, with the growing role of Chinese technology companies in Middle East security markets likely to reinforce digital authoritarianism in the long term.”
Soliman: “China and Russia are largely influencing cyber conflict in the Middle East by building Iran into a formidable cybersecurity giant. China is in the process of directly honing Iran’s cyber capabilities. Tehran and Beijing are committed to finding “common solutions” to their “common challenges” in the context of the United States “spreading its hegemony on new strategic technologies such as artificial intelligence.” In addition to Beijing, Moscow is the primary supporter of Iran’s cyber capabilities through cybersecurity cooperation, technology transfer, and combined training, which significantly upgraded Tehran’s offensive capabilities.”
#3 What level of involvement should the US government have in cyber conflict happening in the Middle East?
Fontenrose: “The United States has interest in ensuring that systems operated by regional governments that are interoperable with US systems are protected against cyberattack. In addition, the United States has interest in helping Gulf states ensure they can protect critical infrastructure that facilitates the flow of energy and international trade through international shipping lanes. The United States should share expertise on cyber defense with its partners in the Middle East to help them continue to build capabilities to defend their populations and economies against crippling or even life-threatening cyberattacks.”
Hassib: “Further US involvement would only exacerbate the consequences of offensive cyberattacks in relation to the Israeli-Iranian conflict. This was evident following the Stuxnet virus attack on Iran, where the latter has developed significant cyber capabilities since then, resulting in further offensive cyber exchanges with Israel and the United States. US involvement will also have consequences for the states of the Gulf Cooperation Council, which have been subject to several significant cyberattacks—some of them attributed to Russia and Iran.”
Sheniak: “Assuming that there are no grand scale cyber operations between states, and the current level at which cyber operations are conducted in the Middle East fall mostly below the threshold of war (or as part of a kinetic friction), the United States should not be directly involved in a cyber conflict in the Middle East. The United States should keep the current level of involvement, continuing the cybersecurity cooperation with its allies in the Middle East, focusing on cyber defense, information sharing, research and development, and foreign military financing of defensive cybersecurity.”
Shires: “The United States is in the midst of a long-term trend towards strategic disengagement from the region, and this should apply equally to cyber conflict. Its allies in the region are perfectly capable of investing sufficiently in digital defense (especially with international assistance), as well as acting independently when it comes to mounting offensive operations. So, there is much to lose from blowback, as well as burning hard-to-come-by tools and deepening reputational damage, with little to gain from getting further involved.”
Soliman: “The United States should involve itself in the cyber conflict in the Middle East since it is a problem that directly threatens US interests in the region. Iran has branded itself as a stark regional antagonist to US economic, political, and military influence in the region. As such, it is within US interests to hamper Iranian progression in cyberwarfare, which will seek to infiltrate and destroy US regional allies’ economies and intelligence bases.”
#4 What non-state actor(s) are the most influential on the cybersecurity of the Middle East now? Which will be five years from now and why?
Hassib: “Facebook and Instagram are currently the most influential and will continue to be five years from now, given their role in content moderation. Similarly, digital infrastructure and cloud computing companies are influential for their role in the digital economies and in shaping the regional geopolitics of cybersecurity. Surveillance software companies like NSO Group continue to be significant for governments in the region. The role of the Islamic State and the Muslim Brotherhood in funding and organizing their activities through cyberspace is still visible, however declining due to the acquired capabilities by the states in the region.”
Sheniak: “Like other regions in the world, most Middle Eastern non-state actors operate in the cyber-domain for the purpose of enabling their interests in the physical domain—using it for encrypted communication, for the purpose of recruiting activists, gathering funds, and gaining knowledge. Most non-state actors that conduct high-level cyber operations are backed by states, either as their proxies (i.e., Hezbollah) or under guidance (i.e., Hamas and Palestinian Islamic Jihad). Yet, I believe that the most influential Middle Eastern non-state cyber actor to date was the Islamic State, because of its usage of online social media as a tool for psychological warfare, supporting its spread in the Middle East and quest for international Islamic legitimacy. This is why the United States and Britain worked together to counter Islamic State cyber operations.”
Shires: “Some of the most influential non-state actors in the Middle East now are “access-as-a-service” companies, who sell spyware and other surveillance capabilities to governments that cannot or do not want to develop their own. These actors—and the emerging regional vulnerability research scene that supports them—will continue to be important, given the attractiveness of such capabilities to many Middle East states. But the most influential actors in five years will be the same ones that are influential now: the big tech companies, whose dominance of the digital economy and growth into cloud and cable markets is already reshaping regional geopolitics.”
Soliman: “Non-state actors are becoming another big player in the cyberweapons race, mainly Hezbollah, and to a lesser extent Hamas. Hezbollah is on an upward trajectory of growth in terms of cyberwarfare development and could be the most influential non-state actor in the region if it continues on this trend. For instance, Hezbollah continues to upgrade and improve its custom Explosive Trojan RAT’s functionality. RAT is a malware program that includes a back door for administrative control over the target computer.”
#5 What are the regional powers in the Middle East that punch above their weight in cybersecurity? Below?
Fontenrose: “Above their weight: Israel and the UAE. At their weight: Iran. Below their weight: Saudi Arabia.”
Hassib: “Israel is the most advanced state in the Middle East when it comes to defense technologies and cybersecurity capabilities, followed by the Gulf states, which witnessed significant development in cybersecurity on the levels of strategies, legislation, organizations, multilateral regional initiatives, and to some extent in the military sectors. However, its role and engagement in international cybersecurity governance are limited, and their national measures should be balanced with individual cybersecurity in terms of digital rights and privacy. Egypt and most of the North African states are still developing their cybersecurity capabilities, despite Egypt’s active role in regional and international cybersecurity governance.”
Sheniak: “Cyber-power tends to overlap with the preexisting division of power in the world, therefore in the Middle East the leading regional military powers are also the cyber powers of the region. Israel, Iran, and Turkey do not “punch above the weight”—their cybersecurity abilities correlate with their military and intelligence community abilities and doctrine, their security/military engineering capabilities, and most importantly their hi-tech ecosystems. This is probably why we should expect Gulf states to become regional cyber powers in the near future.”
Shires: “Israel, of course, punches above its “weight”, largely due to decades of military-associated investment in the technology sector. The Gulf states have, by and large, highly mature cybersecurity policies, laws, and institutions, even if their human rights implications are problematic. Diplomatically, the picture is completely different, with Syria, Iran, and Egypt engaging most vocally with international cybersecurity governance negotiations, while the former states remain mostly silent.”
Soliman: “Israel is one of the most advanced cybersecurity and cyber defense players in the world. They are able to diminish threats of their enemies exceptionally well because they develop their cyber defense and intelligence capabilities in response to explicitly mentioned enemies. In turn, Iran is punching above its weight with attacks on Israel. For example, Iran has attacked agricultural water pumps in the upper Galilee and in the center of the country, but both times did no actual damage to Israel’s water system. In the broad tech space, the UAE is pivoting to deep-tech in areas such as cloud computing, blockchain, and AI. And with its cyber partnership with Israel, the UAE will have a shorter path in reaching those goals.”
Simon Handler is assistant director of the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and international security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.