An imbalance towards centralized cyber resilience
The first element of centralization against information threats is cybercrime legislation. A cybercrime law that is fit for purpose should consist of a substantive part (elaborating on the crimes and sanctions in case of breach of the law) and a procedural part (elaborating on the processes to be followed in a cybercrime investigation, prosecution and adjudication). GCC cybercrime laws in their current form do not serve that purpose. Instead, they focus on content, expanding the definition of cybercrime to a wide array of acts using vague language that covers a large number of actions.69 These acts include but are not limited to insulting or defaming religion or religious values, invading privacy, damaging the state’s reputation, criticizing the ruler, his family or a public official and changing or overthrowing the ruling regime. Consequently, by focusing on criminalizing these acts, these laws have played more of a role in restricting online speech rather than in combating cybercrime.70
Furthermore, legislative tools for controlling online speech are not restricted to cybercrime laws. Penal codes across the GCC include various clauses on lese majeste and respectful behaviour on moral, family and religious subjects, and have been applied to social media comments.71 Offline media laws have been extended to cover social media, notably in Kuwait’s e-media law of 2016. Counterterror laws have also been used to control a wide range of social media content, with the justification that any dissident and controversial opinion could provoke violence and unrest. Even with these legislative tools, identifying social media users relies on centralized surveillance capabilities detailed below.72
Second, governments have mobilized the affordances of social media platforms themselves to prevent popular expressions of dissatisfaction. Research indicates that Saudi Arabia and the UAE use large networks of automatically created accounts (botnets) to follow and retweet en masse.73 This technique can be used to support government or approved public figures, to counter anti-government views, or simply to distract attention from certain individuals or groups. These botnets were especially active following the Qatar split in 2017. In Saudi Arabia, open source investigations indicate that one individual, Saud Al Qahtani, was largely responsible for this social media control strategy, which was linked to cases of detention and mistreatment.74 In a clear example of centralization, Al Qahtani reportedly used his positions as head of the Saudi Federation for Cybersecurity, and in the Royal Court as head of the ‘Cybermedia Group’, to exert influence over social media in Saudi Arabia.
The telecoms sector is another way in which information threats are managed in a highly centralized manner.75 Although the GCC telecoms sector was privatized in the early 2000s, with a single national entity split into two or three, most companies retained a substantial government share and close links to security organizations.76 National telecoms laws and regulatory agencies mandate government access for national security reasons.77 Consequently, national telecoms companies play a key role in national monitoring and filtering due to their control of internet traffic over national borders, and outsource this responsibility to other companies.78 In addition to traffic management and analysis and the censorship of specific websites or content, telecoms companies often use specialized equipment to block Voice over IP (VOIP) services such as Skype, encrypted messaging, encrypted VOIP, and virtual private networks (VPNs). Motivations for the blocking are open to speculation, with possible reasons including the size of the expatriate community in the GCC countries and the desire to protect the revenues resulting from international calling, in addition to official concerns over security issues arising from the use of unlicensed over-the-top applications (OTT) (such as WhatsApp, Skype, Facebook Live, etc.) calling and content distribution channels. Evidently, however, there is an overlap between commercial and security motivations for such blocking.79
GCC states have themselves acquired and used offensive cyber capabilities from the private sector and centralized the underlying intelligence and surveillance infrastructure on which these capabilities depend. In 2012, the Washington Post reported that US defence company Booz Allen Hamilton had been requested by the Qatari government to provide a cyber operations centre to conduct hacking operations against its regional adversaries.80 Separately, Raytheon’s ‘Intelligence and Information Systems Division’ played the role of ‘integrator’ for the UAE’s then-National Electronic Security Agency (NESA) since its founding in 2012.81 Although Raytheon was the main contractor for the UAE government, reports suggest that Raytheon subcontracted much of the work to US technology company Cisco and Booz Allen Hamilton, and that US company Verint later took over the contract (more recent reorganizations have created NESA’s successor, the Signals Intelligence Agency (SIA)). Separately, a BBC investigation in 2017 reported that Danish company ETI, acquired by BAE Systems in 2010, had sold national-level surveillance technologies to Saudi Arabia, UAE, Qatar and Oman.82 Moreover, since the Arab Spring protests, Bahrain has developed technologies to identify the IP address of social media users, which has also been used to detain individuals.83
GCC states have acquired and used offensive cyber capabilities from the private sector and centralized the underlying intelligence and surveillance infrastructure on which these capabilities depend
More targeted offensive cyber capabilities have been reportedly used by GCC governments, including technologies sold by: Italian company Hacking Team (in which a Saudi-controlled company has a significant stake)84 in all GCC states other than Kuwait and Qatar; German-British company Finfisher in all GCC states other than Kuwait; and Israeli company NSO Group in the UAE and Saudi Arabia.85 These technologies include expensive exploits of widespread and difficult-to-detect vulnerabilities; consequently, their use increases cybersecurity risks overall. There has been significant publicity around these technologies due to their presence on the devices of dissidents and activists worldwide, including contacts of murdered journalist Jamal Khashoggi.86 Other offensive cyber companies for hire in the Gulf include less well-known South Asian contractors.87 In particular, there are companies in the UAE that blur the lines between offensive capability and benign cybersecurity protection. For example, Dark Matter provides cybersecurity solutions to industry and government, and was reportedly involved in large-scale telecoms interception and targeting of individuals deemed to be a threat.88 One report, by a former NSA and Dark Matter employee, suggested these targets included US citizens.89 This activity led Mozilla to withdraw certificate signing permission for the Firefox browser from Dark Matter in July 2019, thereby undermining a potential cybersecurity improvement.90 Other than the proliferation of the use of spyware to conduct offensive cyber operations, the 2017 GCC split itself may have occurred due to an offensive cyber operation using a different approach. Several media reports indicated that contractors working for the UAE had altered the website of the Qatar News Agency to insert pro-Iran comments prior to the crisis.91
Overall, the GCC approach to its internet environment is extremely centralized, providing resilience against perceived threats to political stability, especially on social media. This centralized approach cements the idea of a national information environment itself, as opposed to a supposedly free flow of information on the global internet. However, this centralization often has clear negative consequences for human rights, especially those connected to privacy and freedom of expression. Furthermore, a centralized approach focusing on content control can actively reduce cybersecurity provision for individuals and organizations more widely. In sum, the GCC states have over-emphasized centralized over distributed approaches to cyber resilience, due to their emphasis on control of the information environment.