Abstract

The Middle East has always been intriguing to scholars and practitioners with various interests: culture, civilization, religion, conflict, etc. More than a decade ago, the region had very little to offer to anyone interested in the interplay between technology and politics. However, in the last decade, the Middle East, particularly the Gulf states, has embarked on an extensive digitalization campaign imbuing society with technology. The Gulf Cooperation Council (GCC) states have placed digitalization at the core of their grand economic visions and have made strides in ensuring cybersecurity.
However, scholars have yet to settle on a universal definition of cybersecurity. Drawing on interviews and extensive fieldwork, The Politics of Cybersecurity in the Middle East examines the contours of “cybersecurity,” its varying shades, and how relevant actors (state and non-state ones) repurpose the concept for “strategic gains.” The malleable nature of cybersecurity makes it more challenging to delimit the attributes of this novel field, which has encapsulated “many older informational and security concerns reincarnated in digital forms” (p. 235). James Shires’s penchant for cybersecurity issues in the Middle East and his rich experience, accumulated through multiple visits to the region as a research affiliate at the Cyber Studies Programme, University of Oxford, are visible in the clarity with which such complex issues have been dealt with in the book.
The attempt to probe the idea vis-à-vis the Middle East is undeniably a valuable addition to the limited corpus on cybersecurity in the region. However, the “Middle East” for the book is limited to Egypt and GCC states, as “these states are together a key transnational site for many regional processes relevant to cybersecurity: flows of technologies, knowledge, capital and people” (p. 25). The core concept of the book is that of “moral maneuvers,” through which James Shires attempts to illustrate the ambiguity around cybersecurity and the propensity of actors (states, companies, and other organizations) to interpret, reinterpret, and inscribe the meaning for strategic purposes. The author introduced “moral maneuvers” as modifying value-based and technological claims within an esoteric field for strategic gains (p. 4). Shires, from the outset, clarifies that even though the “moral maneuver” would have a tinge of normative values, the reinterpretation must be purely strategic. Therefore, any alteration for conceptual clarity and a genuine normative goal would not qualify.
Furthermore, the author explained that actors most likely attempt “moral maneuvers” in a field with “symbolic capital” that attracts significant attention and resources and relies on expert interpretation. Egypt and the GCC countries, which have witnessed a fair share of cyber threats and the interplay of politics with technology, offer fertile ground for actors to set out “moral maneuvers” for strategic gains. Also, Shires opined that the fractured global cybersecurity governance, with the structured division between the “likeminded” Western states and Russia and China, together with Egypt and the GCC’s propensity to use institutions as they see fit, creates ample space for moral maneuvers. While using “moral maneuver” as a framework, the author traced varying conceptions of cybersecurity, all existing simultaneously and equally dealt with in separate chapters.
To examine cybersecurity as a dimension of state conflict, the author focused on threat perception in the Gulf concerning Iran. Following the infamous “Shamoon” malware incident that wiped data from approximately 35,000 computers belonging to Saudi Aramco and another cyber incident in the region 2 weeks later, threat perception around Iranian cyber capabilities was amplified. This is not to say that Iran was incapable of inflicting serious costs on regional infrastructures. However, relevant actors like Gulf states and threat intelligence and defense companies had strategic calculations in portraying Iran as “unpredictable” and “destructive.” For states, the wider international context and securitization around Iranian activities in the region gave them enough room for a “moral maneuver” to harness political capital. The Shamoon wiper incident that deleted data across computers was recognized as destruction on par with “kinetic” or “physical destruction.”
Similarly, cyber threat intelligence and defense companies came out with multiple reports to double down on threats from Iranian cyber activities to access lucrative markets in the Gulf. As a result, both the state and companies positively reinforced and reinterpreted cybersecurity as a dimension of state conflict, with Iran as the focal point. However, the exaggerations and alterations have also met resistance from cybersecurity experts, who saw such attacks as “low threat,” merely causing temporary downtime.
Furthermore, Shires explores the interplay between cybersecurity and human rights issues. In contrast to the concurrence of actors like states and companies in positively reinforcing and reinterpreting cybersecurity, the two main actors here, states and NGOs, are at odds. The opposed “moral maneuvers” are nonetheless productive, as they still generate a distinct dimension of cybersecurity. The NGOs regard the state’s “targeted surveillance” practice as anathema to individuals’ right to privacy and freedom and see such monitoring as a human rights issue. With technical details in their numerous reports, NGOs like Amnesty International or the Citizen Lab emphasize the role of targeted surveillance in the causation of human rights violations.
Similarly, cybersecurity companies also play a central role in ways that both protect and diminish human rights, making them relevant actors in “moral maneuvers.” The companies are more commercially oriented and seek to maintain export flexibility. Given the prevailing human rights and ethics, companies themselves shift and weave their narrative around norms and standards, as long as this enables their sales to key markets in the Gulf. They, too, attempt a “moral maneuver” for strategic gains by drastically shifting from portraying themselves as technology providers to incorporating human rights perspectives.
New actors like national telecom companies, and their tight-knit relationships with security authorities, engender another crucial conception of cybersecurity revolving around the question of information control. Interestingly, this form of cybersecurity is not related to intrusion, unlike those mentioned above. Instead, for instance, the threat comes from states expanding the scope of cybercrime to include unsuitable online speech, which impinges on an individual’s right to share content on social media platforms. The state carries out this “moral maneuver” in collaboration with telecom companies to expand the scope of cybercrime to include political speech as “content crime.” The author also explains that cybersecurity as information control normalizes surveillance at a national level (p. 199).
While expounding on cybersecurity as a problem of foreign interference, Shires analyzed how “moral maneuvers” are not just inhibited by cybersecurity experts and communities. By examining a few media-reported cases, the author emphasized that the relationship between cybersecurity and foreign interference is not as “settled” as the previous conceptions. Furthermore, the author demonstrated that regardless of the malleability of cybersecurity, its growth as a concept is not permanent when there are “strategically attractive” alternatives like “leak, disinformation and media ownership.” Therefore, the scope of “moral maneuvers” is limited if better choices or frameworks are at the disposal of the relevant actors.
The book is profusely illustrated with actual cyber incidents in the region, most of which had a short shelf life of media coverage for unknown reasons. The lucid account of the region’s politics and debates around “cybersecurity” brilliantly disentangles the complexity that mires the subject. Even though the book’s scope is limited to Egypt and the GCC, the author gave a panoramic view of the Middle East through the tables. Given the abundance of literature on cybersecurity contestations and cooperation centered on the Western countries or “great powers,” the author provides a refreshing account of politics and cybersecurity in the Middle East. The riveting account is undoubtedly a primer for scholars and practitioners of cybersecurity and the Middle East, even those with very little or no technical background.
