Cybersecurity in the MENA region: Shared Insecurities, Diverse Responses

Abstract: Cyber insecurity is a multifaceted problem, and one further complicated by the political divides in the Middle East and North Africa (MENA). This paper tackles two questions: first, what are the main sources of cyber insecurity in the region? Second, how have states sought to respond to these cyber insecurities? The paper first highlights a range of cyber threat actors both inside and outside the region, as well as several structural factors that perpetuate cyber insecurities. The second part moves to state responses, treating national and international responses in turn. It argues that the MENA region demonstrates diverse responses to cyber insecurity. Nationally, states have sought to increase cybersecurity capacity, making significant institutional and bureaucratic changes to prioritize digital defense – and sometimes offense. Internationally, some states have participated in negotiations on international cyber norms, while others have remained apart. The paper concludes with several policy recommendations based on recent shifts in political alignment across the region.

Cybersecurity is an uncomfortably elastic topic. It stretches from fundamental questions about privacy, identity, and freedom online, to the complex technological dependencies seemingly miraculously strung together to facilitate our daily digital lives. It encompasses new modes of economic activity, legal and illegal, as well as geopolitical issues around state competition and conflict. Cybersecurity issues are both global, in that they depend on transnational infrastructure and reshape geographical paradigms of international politics, and local, in that they appear differently in different contexts: social, national, and regional. Cybersecurity, including in Middle East and North Africa (MENA), is thus a multifaceted problem.[1] This paper provides a snapshot of cybersecurity in the MENA region, focusing on two questions: first, what are the main sources of cyber insecurity in the region? Second, how have states sought to respond to these cyber insecurities?

These research questions deliberately move away from cybersecurity as a goal, ideal state, or best practice, to focus on cyber insecurity. One of the most immediately obvious aspects of cyber insecurity, in the MENA region and elsewhere, is the sheer range of threats: from the hacker stereotypes present in much popular culture to concerns around criminal gangs, spies, or soldiers acting in cyberspace. However, this focus on threat “actors” misses key sources of cyber insecurity that are not agential, but structural. Structural sources of cyber insecurity are aspects of digital economies and societies that enable threat actors to operate. These range from the socio-technical systems of vulnerability discovery, fixing, and updating that govern nearly all digital technologies, to the trust individuals and organizations must place in online interactions, especially during a global pandemic. This paper argues that key structural and agential sources of cyber insecurity are shared across the MENA region, providing a basis for common action.

The second research question focuses on states as a locus for responses to these sources of insecurity. This is not because states are the only actors who are able to muster sufficient responses. In many cases, state action is insufficient or even inappropriate for addressing such cyber insecurities without broader market-based cooperation or societal shifts. Nonetheless, states are key to cybersecurity responses, as experiences worldwide have shown that laissez faire approaches – whether in social media regulation against influence campaigns or encouraging companies to disclose and remedy data breaches – make little headway without state support or intervention. This paper argues that, despite shared insecurities in cyberspace, states in the MENA region have adopted noticeably diverse responses due to their varying political priorities. Some see strong, centralized institutional development as crucial to effective cybersecurity, while others have distributed both responsibility and capability across state organizations. Similarly, at an international level, some states have engaged extensively in cybersecurity governance negotiations, while others have remained apart, seeing distance from these processes as their best way to ensure flexibility and retain sovereignty.

The paper is structured around the two research questions. The first part analyzes sources of cyber insecurity in the MENA region, looking at agential and then structural factors. The second part moves to state responses, treating national and international responses in turn. The paper concludes with several policy recommendations based on recent shifts in political alignment across the region.

[1] This paper takes the MENA region to include the Arabic-speaking states of northern Africa, the Arabian Peninsula, the Persian Gulf (including Iran), and the Levant (including Israel and the occupied Palestinian territories), with Turkey as the most north-easterly point. This definition follows standard practice but is, of course, slightly arbitrary.