The GCC view of cyberthreats
All GCC countries face significant ‘traditional’ threats in cyberspace, including ransomware, cybercriminal fraud, and hacktivism.27 These threats have targeted individuals, commercial organizations and state entities.28 More specifically, the GCC has been the target of many advanced persistent threats (APTs) or state-sponsored campaigns. State-sponsored threats come in several guises: for example, global energy sector cyberespionage has been traced to China and Russia, while the Snowden revelations exposed US and allied cyberespionage in the region.29 Nonetheless, the main state-sponsored cyberthreat to GCC states and organizations comes from Iran, in line with wider geopolitical cleavages.
Iran was the victim of the infamous Stuxnet virus targeting its nuclear enrichment facilities, attributed to the US and Israel, and has since then developed significant offensive cyber capabilities.30 In addition to the Shamoon data deletion cyberattack against Saudi Aramco and RasGas in 2012,31 and its reoccurrence across several Saudi government networks in late 2016 and early 2017,32 Iran’s focus in the GCC has been primarily on espionage, matching its broader cyber strategy.33 Several sophisticated cyberespionage campaigns have been publicly attributed to Iranian state-linked actors since 2016, although the exact nature of state direction varies.34 In the last two years, cybersecurity companies have identified Iran-linked campaigns targeting high-value government targets, including police, foreign ministries and intelligence agencies in the GCC and the Middle East more widely.35
In addition to the ‘traditional’ cyberthreats above, other elements of the information environment are a key aspect of cybersecurity in the GCC. Per capita wealth and internet penetration in the GCC are extremely high, although with significant intra-GCC and within-state variation.36 In conjunction with explicit censorship and largely restrained traditional media, this has led to the GCC public sphere operating mainly on social media platforms, especially Twitter.37 Such platforms have been used to both test and reinforce prevalent social norms on family relationships, religion and gender, as well as by international dissidents and refugees.38 Social media has also been used by various factions in nearby conflicts, including by Islamic State of Iraq and Syria (ISIS), to recruit fighters and publicize atrocities, with messages directed at GCC populations as well as governments participating in military coalitions. Overall, because social media platforms were widely seen as contributing to the Arab Spring revolutions and simultaneous protests in the GCC, monitoring and controlling social media became a key aspect of cybersecurity for GCC governments.39
Internationally, this double perception of cyberthreats matches the sovereign and controlled model of the internet put forward by Russia and China, among others, since the late 1990s.40 The GCC countries all voted in favour of two Russian-sponsored resolutions in the UN General Assembly (UNGA) First and Third Committees in December 2018, one on cyber governance and one on cybercrime. The first one created an Open-Ended Working Group (OEWG) to study the existing norms contained in the previous UN Group of Governmental Experts (GGE) reports, identify new norms, and study the possibility of establishing regular institutional dialogue under the auspices of the UN.41 The second one requests the secretary-general to present a report based on the views of member states on the challenges that they face in countering the use of information and communications technologies for criminal purposes for consideration by the General Assembly.42 More recently, all GCC countries either voted in favour of or abstained (Saudi and Bahrain) from the newest Russian resolution on cybercrime, which would establish a committee of experts to consider a new UN cybercrime treaty.43 Several states, including the US, have argued that the Russian treaty plan paves the way for an overly restrictive approach to dealing with cybercrime at the global level.44 The GCC support of these resolutions, as well as their voting pattern in other UN discussions, suggests that they sit rather firmly within the ‘cyber sovereignty’ model of internet governance rather than a multi-stakeholder version.45 GCC states have also sought to protect regional interests through internet governance mechanisms, for example by preventing the creation of .persiangulf as a top-level domain – as they objected to the geographical term – through legal action against ICANN.46
However, a clear divide between cyberthreats of intrusion and influence is difficult to maintain for two reasons. First, intrusion and influence can be combined through ‘hack-and-leak operations’. Although the leaking of hacked emails from the US Democratic National Committee before the 2016 presidential election is the clearest recent example of this tactic, hack-and-leak operations came to prominence in the Gulf a year earlier, following the release of thousands of documents from the Saudi Ministry of Foreign Affairs by the Yemen Cyber Army in May 2015.47 Hack-and-leak operations were then a central feature of the June 2017 Gulf crisis, where the ‘quartet’ states of Bahrain, Egypt, Saudi Arabia and the UAE blockaded Qatar due to accusations of support for terrorist organizations.48
Second, as argued in the previous section, due to the increasing strategic use of both intrusion and influence operations, the US and other multi-stakeholder proponents have also moved to defend their national ‘information space’ and protect their national communications technology companies. While we do not intend to imply a false equivalence between these actions and extensive internet censorship and control, these shifts have made it harder to separate analytically two clearly polarized approaches to internet governance. Instead, the double threat perception of the GCC states is now shared by many other states. Consequently, this paper takes a comprehensive approach to cyber resilience that recognizes this double threat perception, including resilience both to ‘traditional’ cyberattacks and to attempts to influence the information environment in a state.