by James Shires

Cybersecurity is an important issue worldwide. It is relevant to governments concerned about geopolitical rivals, companies concerned about reputation, fraud and commercial secrets, and individuals concerned about privacy, data protection and surveillance.

This is especially true in the Gulf states. The immediate pretext for the Qatar crisis in June 2017 was a video of the Qatari Emir that appeared on the website of the Qatar News Agency just after midnight on 24 May 2017, with text that portrayed him as expressing support for Iran and the Muslim Brotherhood.  The Washington Post reported unnamed US national security officials as saying that this operation was carried out by contractors working for the UAE government. The correct analysis of this controversial incident, with far-reaching consequences, depended fundamentally on cybersecurity expertise. It is no surprise that Qatar’s investigation was supported by the US FBI and the UK National Crime Agency. Given the extent of misunderstandings, contest, and deliberate misinformation around cybersecurity, this blog post examines the emergence of cybersecurity expertise in the GCC states.

A skills gap or flexible performance?

Cybersecurity experts are in great demand globally, including in the Middle East. A survey in 2015 predicted a ‘shortfall’ of 1.5 million ‘information security professionals’ worldwide by 2020. The message is clear: there is a cybersecurity ‘skills gap’, where ‘cyberattacks are growing, but the talent pool of defenders is not keeping pace’. However, there is ‘surprisingly little consensus’ around the cybersecurity skillset. This post takes a different approach to cybersecurity expertise, seeing it not as knowledge in a static, codified form, but as practice and performance. To be an expert, one must act as an expert.

Cybersecurity expert performance of course requires familiarity with internet networks and computer programs. But it also includes the judgement and communication of reputational risk, threats to life and safety, financial risk, and national security. Some scholars describe this expert performance as that of a ‘cyber-guru’, who simplifies and overstates risks to maximise cybersecurity ‘hype’. In contrast, other views of expertise suggest that ‘the uncertainty and ambivalence of professional knowledge may be the subtle secret of its success’.

To rethink the cybersecurity skills gap, we can see cybersecurity experts as conducting what Seabrooke terms ‘epistemic arbitrage’. This is where experts ‘mediate between knowledge pools for strategic advantage and, if successful, they can become the “arbiters” on what knowledge and practices are most influential’. This competitive rug-pulling in turn stretches and reshapes the domain itself, redistributing its increasing social, political and financial capital between software engineers and hardware manufacturers, lawyers, accountants and insurers, psychologists, intelligence professionals and political scientists. A gap is the wrong metaphor for this process, as it obscures the influence of changing expert performance on increasing cybersecurity risks.

Cybersecurity conferences in the GCC

To explore expert performance in cybersecurity, I conducted participant observation at four cybersecurity conferences in the GCC in 2016 and 2017 as part of a wider project on cybersecurity in the Middle East. Over the last decade, ‘Middle East’ cybersecurity conferences have multiplied across the Gulf Cooperation Council (GCC) countries. Although there are of course substantial differences between the economies and politics of the GCC states that affect their approach to cybersecurity, these conferences are a common theme. The rise in conferences can be attributed to two specific reasons, as well as the overall threat picture sketched above.

First, the technologically advanced ‘late-rentier’ GCC states are an attractive destination for cybersecurity exports. Gartner valued the 2014 ‘Middle East and North Africa’ cybersecurity market at just over a billion dollars, rising to 1.3 billion in 2016. Other reports, although using higher values than Gartner, put the region at around 7 percent of the global cybersecurity market in value, and the UAE and Saudi Arabia are commonly highlighted as regional targets. In tandem, arms companies with a longstanding and lucrative presence in the Gulf have diversified into cybersecurity over the last decade.

Second, there are strong security and intelligence partnerships between the GCC states and cybersecurity ‘leaders’, including the US, the UK, and Israel. Intelligence agencies from these states often train their Gulf counterparts in cybersecurity, as the UK Prime Minister Theresa May stated in a 2016 launch of the UK’s Gulf Strategy. This relationship is part cooperative and part clandestine. On one hand, the GCC states receive benefits apart from improved cybersecurity: Saudi Arabia and the UAE have been approved ‘Third Parties’, able to access some US signals intelligence. On the other, intelligence access is secured independently: for example, the US National Security Agency (NSA) reportedly obtained persistent access to a vast quantity of financial information from UAE banking services provider Eastnets.

The financial and strategic importance of the GCC has thus encouraged the creation of an extensive professional community centred around cybersecurity conferences. But how is cybersecurity expertise performed at these conferences?

Between Hackers and Security Trade Fairs

To understand cybersecurity expertise in the Gulf, we can position cybersecurity conferences between two similar cases. On one hand, Coleman has argued that ‘hacker’ conferences embody a particular ‘lifeworld’, brought into being through hackers spending short, intense periods of time together focusing on their common passion. On the other, Alexander has suggested that trade fairs for security products in the UK (defence technologies, policing equipment, surveillance, and so on) “are pivotal in the dissemination, propagation, and reformulation of changing attitudes towards security’, as they underpin the ‘logic of a particular mind-set regarding what it means to consume security as a commodity’.

The fundamental division in the physical space of cybersecurity conferences, including those I attended in the Gulf, is between the outer layer of company-branded booths and the inner layer of presentation rooms; in other words, between a space for commerce (the trade stands) and a space for knowledge (the central auditorium and breakout rooms). Speakers conform to this division in their on-stage performance, disclaiming any ‘sales pitch’ when delivering talks. This separation creates a guiding principle—or myth—of ‘pure’ cybersecurity knowledge, untainted by competitive political and commercial struggles. It also cultivates the ability to alter their performance between these spaces—to shift repertoire—as a core skill for cybersecurity experts. The same people deliver their independent expert judgement on stage, and then an unashamedly partisan view of their superior product after returning to their booth. Cybersecurity expertise is thus not just the successful performance of risk management, but one which is essentially flexible, with several registers and the capacity for context-based improvisation.

This physical separation and performative disconnect between knowledge and commerce suggests that cybersecurity expertise does not match either close comparison above: it is neither an explicit commodification of security nor a liberated hacker’s lifeworld. Instead, the heart of cybersecurity expertise is the simultaneous embrace of an underlying commercial logic and the ideal of a neutral judgement of new technological risks.

The appropriate performance of cybersecurity expertise is increasingly relevant in the Gulf states, as they face new cyberattacks, create or relaunch national cybersecurity organisations, and champion local companies with an expansive definition of ‘cybersecurity’. Friendly governments, along with defence companies like BAE, Booz Allen Hamilton, and Raytheon, as well as smaller start-ups, provide expertise and technology for defensive cybersecurity, national surveillance and more offensive options. Overall, decisions by companies worried about competitors, governments worried about other states, and individuals worried about surveillance, are ultimately made based on cybersecurity expertise, and so understanding its performance matters to us all.

James Shires is a Research Affiliate at the Centre for Technology and Global Affairs and a PhD candidate in the Department of International Relations, University of Oxford. He tweets at @jamessshires