June 16, 2011

Middle Eastern Security Complex Comes of Age in a World of Burgeoning Cyber Threats

SOURCE: http://www.defenceiq.com
Contributor: Nima Khorrami Assl

Cyberspace presents a formidable range of security challenges for states, commercial and international organisations, and, indeed, private individuals. As such, cybersecurity has grown in the public and media consciousness in recent years. This is due to the widely publicised notoriety of several key events, including the 2007 alleged Russian hacking of Estonian government and commercial websites, as well as the 2009 Stuxnet attack which, according to Phyllis Schneck, vice president and chief technology officer for public sector at McAfee, "changed the game in our awareness".

Centralising cyber as a state force

NATO has already established a cyber security centre of excellence in Tallinn, Estonia. The US Department of Defence is seeking more than $3.2 billion in cyber security funding for FY 2012, while the Wall Street Journal reports that a "soon-to be finalised" report by the Pentagon will outline conditions under which an assault on any element of the US governmental IT infrastructure can – and will - be considered an act of war; a proposal that has already been passed into law in Russia and one which the Iranian Parliament is giving "serious consideration". Likewise, the UK MoD, as part of its Strategic Defence and Security Review, has allocated £650m over the next four years to tackle cyber threats; a policy that has been replicated in Germany, France, Australia, China and India.

A concurrent response is emerging from the cyber-industrial complex, accompanied by a flurry of reports and conferences on cyber security. Forecasters are labelling cyber war preparedness as the “single greatest growth market in the defence and security sector” and predict that global spending will reach $12.5 billion this year, while nearly all major defence contractors, in addition to traditional information security firms, have launched cybersecurity divisions. These include Lockheed Martin, Boeing, L-3 Communications, SAIC, and BAE Systems It would be no exaggeration to claim that the cyber security threat is now acquiring an even 'sharper edge' - replacing, perhaps, Islamic extremism as the top security threat to international peace and order.

In its present form, cyber force, if and when employed autonomously, falls short of emerging as an inde¬pendent coercive instrument of attack - as evident in the case of Stuxnet. It is best understood as a 'complementary' instrument of power that, from a strategic point of view, can greatly enhance "the ability of a nation to manipulate an adversary's – domestic or external – perceptions of the strategic environment to its own advantage."

Middle Eastern regimes and cyber capabilities

Developments in the Middle East vividly demonstrate how state sponsored cyber capabilities are taking shape. Israel’s newest counter-cyber terrorism unit has been designed to safeguard both government agencies and core private sector firms against cyber-espionage as well as hacking and denial of service attacks. Additionally, Israel's Military Intelligence has stood up a specialised signal intelligence and code-breaking unit – known as Unit 8200 – to oversee all cyber security affairs. The head of Israel's Military Intelligence, Maj. Gen. Amos Yadlin, has been particularly vocal in advertising the unit’s ability to prosecute state-on-state attacks capable of paralysing infrastructure and military command networks.

In Iran, efforts to gain control over the Internet began in earnest in 2001 when the government asserted control over all Internet access points coming into the country. Since then, the tightly controlled Islamic republic has promoted the development of domestic tools and technical capacity to carry out Internet filtering in order to reduce its reliance on Western technologies. Then came the disputed presidential election and soon after Iran's first cyber army was created. Most recently, reports are surfacing that Iran will soon set up its own internal network – dubbed as "halal Internet" – which will aim at replacing the global Internet network in the country.

A similar story is quickly spreading in the Arab world. Internet access control in the Arab world is multilayered. However, a renewed push to control access has been catalysed by the increase in incidents of hacking of both government and opposition websites. At the same time, the Arab Spring has led to the politicisation of cyberspace by enabling democratic movements to spread from one country to another. Meanwhile, many Arab governments - particular the GCC states - have been pushing for e-government as part of their attempt to reduce the cost of public administration. All these, in turn, indicate that Arab states have also made significant progress in acquiring cyber capabilities. In fact, Syria is now credited as being the first Arab state to have organised its own cyber army.

It seems clear that Middle Eastern states will not be able to match the technological or cyber capabilities of developed countries any time soon. What matters, however, is the fact that there is now a willingness and determination to close this technological gap, which in turn, reveals profound strategic implications for both regional and extra-regional actors.

For Middle Eastern states, mastering the intricacies of cyberspace is considered critical both as an offensive weapon against (domestic) political opposition and a 'defensive shield' to thwart cyber-attacks. Cyber power is a cost-effective – both in terms of human life and treasury assets – instrument of asymmetrical warfare that not only compensates for conventional power deficits among actors, but that can also produce significant psychological effects on the target society. Furthermore, the remote and indirect nature of cyber activity helps further define cyber power as a valuable intelligence tool that can be used stealthily, thereby making retaliation difficult.

Creating flux in unstable regions

The bad news is that these attributes create a strategic environment in which uncertainty is the norm. This, in a region like the Middle East where states tend to see cyberspace in political terms only, will likely amplify the likelihood of disproportionate responses and political controversies, thereby encouraging full-scale escalations. A strategy of deterrence is, at best, of limited utility because the cyber domain provides a high degree of anonymity and low barriers to entry. As such, states will be expected to initiate an attack, not least of all, because attacks in cyberspace are 'instantaneous'. They effectively and immediately put the defender under immense pressure.

For extra-regional actors, on the other hand, any improvement in regional states’ cyber capabilities tend to translate into a reduction in their capability to implement so called digital diplomacy policies. The emergence of the Internet as a political tool in recent months will ensure that regional actors, albeit to various extents, will seek to monitor and control cyber activities of their citizens even more rigidly. Some states might opt for an even more extreme option, seeking to disconnect the public from the wider world through under-investment in their IT infrastructure.

The dual strategy of sanctions and containment are also likely to lose their strategic relevance. It is hard to contemplate how western powers can sanction export of cyber technology at a time when, in the words of Col Stephen Korns, "many cyber weapons are commoditised and can be easily purchased off the shelf at affordable prices." Similarly, containment is likely to prove counterproductive given that the asymmetrical nature of cyber power can provide a counterbalance to force superiority of external actors.

It follows then that the concept of cyber power as a strategic tool has been disseminated widely enough to enable various state and non-state actors to exercise their cyber influence effectively. This, in the absence of a cyber power theory and international norms and procedures to regulate the cyberspace, makes cyber threats real and enduring.

The Middle East is a target-rich environment – oil refineries, water desalination plants, major ports, foreign military bases, nuclear sites, etc. – where there are adequate geopolitical, sectarian, and historical rivalries and enmities to provide actors with an incentive to employ cyber power in order to obtain their policy objectives. This does not mean that a 'pure' cyber conflict is imminent. What it implies is that the current Middle Eastern security environment and the nature of conflict are both changing rapidly. With more intra-state conflicts on the horizon, the western push for digital dialogue and diplomacy, in spite of all the opportunities that it offers, may very well lead to the loss of whatever Internet freedom that already exists while significantly endangering regional stability.

No comments: