Alexandra Paulus is a PhD candidate at Chemnitz University of Technology and Dr. Sven Herpig is Head of International Cyber Security Policy at Stiftung Neue Verantwortung.
While traditionally most discussion on cyber operations has focused on great powers, the reality is more nuanced. Aspiring regional powers and their competitors also increasingly employ cyber capabilities. Recent events have made us painfully aware of this reality as Iranian cyber forces allegedly infiltrated multiple targets in Bahrain, a close ally of Iran’s regional rival Saudi Arabia. It is timely to take a closer look at how regional power hierarchies motivate smaller states to conduct cyber operations and how these cyber operations could trigger conflict.
The Middle East Has Become a Playing Field For Cyber Operations
The Middle East has a long history of geopolitical cyber conflict. Aspiring regional powers conduct cyber operations for at least four reasons: 1) to punch above their geopolitical weight, 2) to signal claims to regional leadership, 3) to advance their regional interests below the threshold of armed conflict, and 4) to gather intelligence on rivals. In all four cases, the contenders for regional power develop and use cyber capabilities to change regional affairs in their favor.
While the level of expertise needed heavily depends on the sophistication of the operation, the cost to set up infrastructure and conduct cyberattacks, though on the rise, is fairly low compared to conventional weapon systems and thus attractive for actors with limited resources. As early as 2000, Israeli and Palestinian attackers orchestrated defacements and denial of service attacks on government and private sector targets. In this conflict between two parties with uneven military and economic resources, Palestinians—while far from gaining the upper hand—successfully landed blows on the Israeli side.
Turkey has used cyber operations that express support for regional allies or criticism of foes to amplify its claims to regional leadership. In 2017, the Turkish hacker group Cyber Warrior, also known as Akıncılar, reportedly took government orders and hacked the Times of Israel to post pro-Palestinian messages. The following year, the same group took over the website of Egypt’s state news agency to condemn death sentences for leaders of the Egyptian Muslim Brotherhood, whom Erdoğan supported after the Arab Spring. These messages emphasized Ankara’s commitment to its Sunni allies in regional power struggles at a time when the country was shifting its geopolitical orientation increasingly from Europe towards the Middle East.
Cyber capabilities also allow aspiring regional powers to achieve policy goals such as acquiring financial assets, conducting economic and political espionage, signaling capabilities, or even sabotaging rivals, while remaining below the threshold of armed conflict. For example, the United States and Israel attacked Iran’s nuclear enrichment program with the highly sophisticated malware known as Stuxnet to deter Iran’s nuclear program without triggering armed conflict. In part as a response to Stuxnet, business operations at Saudi Arabia’s national oil company Aramco were disrupted for two weeks with the Shamoon malware, allegedly an Iranian creation. This attack allowed Iran to signal its capabilities and resolve while staying below the threshold of armed conflict.
Cyber operations can be used to catalyze diplomatic pressure. In May 2017, attackers sponsored by the United Arab Emirates (UAE) placed fake quotes apparently from the country’s leader praising Iran and Israel on the website of the Qatar News Agency. The UAE, together with Bahrain, Egypt, and Saudi Arabia, used this incident as a pretext to isolate Qatar and sever diplomatic and economic ties.
States also conduct cyber espionage to gather intelligence on regional rivals. A case in point is the UAE’s “Project Raven,” a sophisticated cyber espionage program that collected intelligence on high-profile political figures, including Arab journalists who were believed to have connections to the Qatari government and the Muslim Brotherhood during the UAE’s 2017 attempt to isolate Qatar.
Risks of Regional Powers and Their Competitors Using Cyber Means
Although it is tempting for regional powers and their competitors to employ cyber means due to their versatility and low barriers to entry, cyber operations can lead to unpredictable outcomes. Without monitoring, signals intelligence, and a high level of forensic capabilities on the defenders’ side, attribution will remain murky, which allows attackers to choose whether to reveal the attack for signaling purposes. The use of cyber means, together with the attribution challenge, increases the risk of conflict escalation beyond the cyber domain, especially in already-volatile geopolitical environments that lack comprehensive dialogue fora. Tensions like those between nuclear powers India and Pakistan over Kashmir might see the use of cyber operations sparking an escalation with devastating consequences for the entire region.
Increasingly digitized countries that lack proper protection from cyber threats yet make heavy use of cyber means are a recipe for disaster. Instead of investing their limited resources in offensive cyber capabilities, regional powers and their competitors would be better off improving their cybersecurity and resilience. With entry costs low and the benefits of cyber operations seemingly high, this, however, looks unlikely. In the short term, in the absence of regional efforts to define responsible behavior in cyberspace, the most likely outcome is conflict escalation and instability.