SUMMARY:
The latest news in cyber security? Saudi Arabia is finally taking it seriously. Last week, the kingdom announced the formation of a “National Cyber Security Authority”, closely linked to the king and consisting of a number of high-ranking officials.
Minister of State Dr. Musaed Al-Aiban, a respected official, has been appointed chairman of the new authority, which will begin operation on 31 October 2017. The composition of the new authority draws together many high-ranking officials in the kingdom. The head of state security, the head of general intelligence, the deputy interior minister, and the assistant to the minister of defense, will all be included.
In some respects, the new authority’s mission is quite straightforward. It aims to protect Saudi Arabia from cyber attack, a pressing concern given the number of recent attacks. However, like almost everything else in the kingdom, it also has a large economic element. The authority will also endeavor to develop the kingdom’s nascent cyber industry, according to Al-Aiban in an interview with Ciso Magazine: it “will give top priority to attract and hire qualified national cadres, build partnerships with public and private entities, and stimulate innovation and investment in cybersecurity to contribute for achieving a technological renaissance that serves the future of the Kingdom’s national economy”, he said.
It is also likely that the authority will oversee the purchase of advanced cyber warfare tools, nominally from the US. This was was something also visible in the deal that Trump made with the kingdom back on his first foreign visit last year. The deal that he negotiated with the Saudis commits the US to collaborate on cyber security with the kingdom, and hints that in return Saudi will purchase advanced tools.
Some of the most vehement opposition to that deal, you may remember, came from Israel. To some degree, this is understandable: as far as Israel is concerned, any extension of Saudi’s military expertise is undesirable. However, there is also a deep irony contained within the deal, and brought to light by the formation of the NCSA: many of the cyber security systems that Saudi will buy were made by Israel.
The formation of the new authority comes in the wake of a number of cyber attacks on the kingdom in the past few years. These attacks have spiked in the last year, and seem to have mostly targeted commercial facilities, at least according to the information released publicly.
The first widely reported attack on the kingdom was in 2012, when the Shamoon virus targeted computers held by Saudi Aramco. In recent months, the virus has resurfaced, and Reuters reported back in January that the government had warned companies about an increased level of cyber threat. The Saudi government has denied that such attacks have taken place, but in reality it is well known that oil wells, in particular, have been temporarily rendered inoperable by cyber attacks.
Though the origin, and level of official sanction, of cyber attacks is notoriously hard to trace, suspicion over these attacks has fallen squarely on one target: Iran. The original version of the Shamoon virus, which displayed an image of a burning American flag to its victims, was traced to the country, and it seems likely that the more recent attacks also originate there.
Recent attacks have focused attention on cyber warfare in the Middle East, which has traditionally been overlooked by security experts. As Bloomberg notes, the growing technical sophistication of many countries in the region, the relatively low cost of developing cyber weapons, and simmering geo-political tensions, make it likely that many more cyber attacks will occur in years to come.
It is in this environment that the NCSA has been set up, and that has created a Saudi demand for cyber security systems. And like many of the other weapons systems currently used by the Saudi military – from fighter jets to sea defense – these will likely be bought from the US. A recent statement by the US Department of State makes this clear, re-enforcing the USA’s commitment to “ongoing cyber security co-operation” between the two companies.
There is a strange paradox here, though. The fact is that many of the cyber warfare systems used by the US were first developed in Israel. Though Israel, like Saudi, buys most of its traditional weapons systems from the US, cybersecurity and is one area in which it is a world leader, and commerce goes the other direction. These exports are now worth billions of dollars per year. “Today we provide something like 10 percent of the global market in cybertechnology products, [and] 20 percent in total global investment in cybertechnology is invested in Israel,” Isaac Ben-Israel, a former general who founded the National Cyber Bureau in Israel, told CNBC.
Thus, the newly formed NCSA, charged with defending Saudi Arabia from cyber attack by regional enemies, is likely going to buy defensive systems developed by those same enemies. What this means for the security afforded by such systems remains to be seen, but in any case this strange paradox is a good indication of the confusing, multi-polar power games that characterize cyber warfare today.
Israel, in carving out a position at the forefront of the cyber security market, has shown great foresight. The increasing frequency of cyber attacks across the Middle East and elsewhere has led to many countries in the region, Saudi Arabia included, desperately seeking quick, effective, and cheap cyber security systems.
With no time to develop a domestic industries, many countries will be forced to put their ideological differences with Israel aside, and pragmatically buy cyber weapons from them. For Israel, this is a win-win situation: the country will benefit from selling cyber warfare tools, but will also know how to defend itself when these same weapons are turned back on their producer.
Seen in the broadest perspective, the current situation is indicative of the power shift that is occurring both in the Middle East and further afield. Even 20 years ago, achieving military dominance in the Middle East was enormously expensive. Cyber weapons are so cheap, once the expertise to develop them is in place, that they promise to reconfigure the nature of power relations in the region.
Instead of small countries bankrupting themselves, or relying on foreign support, to develop conventional armed forces, the coming world of cyber warfare threatens to radically level the playing field. Small countries that have so far been limited by their relative lack of military power — think Saudi Arabia, but also Iran, and perhaps even Palestine — will shortly be able to develop, buy, and deploy cyber weapons as powerful as those used by the USA.
Whether this shift will be good for the region is debatable. It might be that an increased level of cyber threat discourages other forms of escalation. On the other hand, cyber weapons significantly reduce the cost, both in monetary and political terms, of military intervention, and therefore may make this more likely. At the moment, all that can be said is that cyber warfare is going to become a major field of conflict in the Middle East, that Israel will likely be the biggest beneficiary of this, and that this strange new world will change the balance of power in the region forever.