WS #246 Cyber diplomacy, peace and development in the Middle East

Summary

This discussion focused on cyber diplomacy and peace in the Middle East, led by James Shires due to the absence of other panelists. Shires explained that cyber diplomacy involves diplomatic efforts around cybersecurity issues, distinct from digital diplomacy. He noted that cyber diplomacy in the Middle East has evolved significantly in recent years, with countries becoming more engaged in international cybersecurity processes.

The conversation covered various aspects of cybersecurity in the region, including the use of AI in conflicts, content moderation, and the role of private sector actors. Shires highlighted the complexities of defining cybersecurity universally, as definitions often reflect cultural values and opinions. He also discussed the challenges of assessing cybersecurity maturity in the Middle East compared to other regions, emphasizing the importance of considering local priorities and goals.

The discussion touched on the impact of external actors and infrastructure ownership on cyber diplomacy in the Middle East. Shires noted the push for data localization in Gulf states and the involvement of private sector companies in cybersecurity efforts. He also addressed the connection between cybersecurity and democracy, as well as the evolving role of private companies in conflict situations.

To promote cyber peace in the region, Shires recommended improving data collection on cyber threats, fostering multi-stakeholder collaboration, enhancing internet connectivity, and increasing engagement with UN processes. He emphasized the importance of regional mechanisms in developing cybersecurity practices and competencies that can be translated to the global level.

Keypoints

Major discussion points:

– Cyber diplomacy in the Middle East, including challenges and opportunities

– Use of AI and digital technologies in conflicts, particularly in Gaza

– Data localization and digital sovereignty efforts in the region

– Role of private sector companies in cybersecurity and conflicts

– Need for better data and multi-stakeholder approaches to cyber peace

Overall purpose/goal:

The discussion aimed to explore cyber peace and diplomacy issues in the Middle East, covering both regional dynamics and connections to global cybersecurity governance. It sought to provide nuanced perspectives beyond typical Western framings of cyber threats in the region.

Speakers

– James Shires, Co-director at Virtual Routes

Area of expertise: Cyber peace and diplomacy in the Middle East

(Multiple audience members asked questions and made comments)

Cyber Diplomacy and Peace in the Middle East: A Comprehensive Overview

This impromptu discussion, led by Dr. James Shires, co-director of Virtual Routes, focused on cyber diplomacy and peace in the Middle East. The conversation covered various aspects of cybersecurity in the region, including the use of AI in conflicts, content moderation, and the role of private sector actors.

Definition and Scope of Cyber Diplomacy

Dr. Shires began by clarifying the definition of cyber diplomacy, distinguishing it from digital diplomacy. He explained that cyber diplomacy specifically refers to diplomatic efforts surrounding cybersecurity issues, characterised by the involvement of transnational stakeholders and the private sector. This definition set the foundation for the subsequent discussion, focusing on cybersecurity aspects in international relations rather than broader digital issues.

Evolution of Cyber Diplomacy in the Middle East

The discussion highlighted that Middle Eastern states have become increasingly engaged in cyber diplomacy in recent years, particularly concerning the UN cybercrime convention negotiation process. Dr. Shires noted a significant shift from little engagement to active participation in the UN processes. He also underlined the concept of “maturity” in assessing cyber diplomacy landscapes, emphasizing the importance of understanding regional contexts.

Challenges in Cybersecurity

Several challenges in the realm of cybersecurity were discussed:

1. Infrastructure Vulnerabilities: Dr. Shires pointed out that some countries, such as Iran, are more vulnerable to cyberattacks due to infrastructure weaknesses.

2. Data Localisation: There is a significant push for data localisation and digital sovereignty in Gulf states, reflecting concerns about data ownership and control.

3. AI in Conflicts: The use of AI targeting systems in conflicts, particularly in Gaza, was raised as a major concern. This led to an extensive discussion about the potential for indiscriminate attacks and the ethical implications of AI in warfare.

4. Private Sector Involvement: The increasing role of private sector tech companies in cybersecurity and conflicts was noted, particularly in the context of Israel and Gaza. This highlighted the complex landscape of cyber actors in the region.

5. Content Moderation and Disinformation: The challenges of managing online content and combating disinformation in the region were discussed.

Defining Cybersecurity

A significant part of the discussion focused on the challenges of defining cybersecurity. Dr. Shires emphasized that there is no universally agreed definition, and that different actors often have varying interpretations based on their interests and contexts. This lack of a common definition was noted as an ongoing challenge in the field of cyber diplomacy.

Recommendations for Cyber Peace

In response to a question from the audience, Dr. Shires offered several recommendations to promote cyber peace in the region:

1. Improved Data Collection: There is a need for better data on cyber threats and actors in the region.

2. Multistakeholder Collaboration: Working collaboratively with civil society and industry was suggested as a crucial approach to addressing cybersecurity issues.

3. Enhanced Engagement with the UN Processes: While developing regional cybersecurity practices, there should be increased engagement with UN processes.

Reconstruction Efforts

The discussion briefly touched on reconstruction efforts in conflict-affected areas like Gaza and Yemen, highlighting the importance of considering cybersecurity in post-conflict rebuilding.

Conclusion

The discussion provided a comprehensive overview of the current state of cyber diplomacy and peace in the Middle East. It highlighted the complex interplay between technological advancements, geopolitical interests, and ethical considerations in the realm of cybersecurity. The conversation emphasized the need for improved data collection, multi-stakeholder collaboration, and engagement with international processes to address the evolving challenges in this field. As the region continues to develop its cyber capabilities and diplomatic strategies, these insights will be crucial in shaping future policies and practices in cyber diplomacy and peace.

James Shires: Good afternoon. This is slightly awkward, because this session was organized on cyber peace and diplomacy in the Middle East. Unfortunately, the speakers were unable to make it due to urgent health issues. So they didn’t manage to make it on their flight. I am the only speaker who was planning to this session, who is actually here in person. But we emailed the Secretariat to say, can we cancel the session due to the lack of speakers? They did not remove it from the agenda. And so you are all here, because you’re expecting to see a session on cyber peace and diplomacy in the Middle East, although we do not have panelists. Now, and that applies to everyone online, as well. So hi, everybody online, and thank you for joining. We have two options. Option one is everyone enjoys the Riyadh sun, has a coffee, finds another workshop they would like to engage in. Option two is we have more of an open discussion on cyber peace and diplomacy in the Middle East. I should introduce myself. My name is James Shires. I’m co-director of an organization called Virtual Routes. And my background is on researching cyber peace and diplomacy in the Middle East. I wrote a book called ‘The Politics of Cybersecurity in the Middle East’, and have worked on this extensively throughout the region. So if you would like to have a conversation, an open conversation, about these issues with me, I am very open to that. If you would rather get a coffee or go to a different workshop, then I will not be offended in the slightest. Everyone is still here. OK. So let me set the scene somewhat, because this is a controversial topic. It’s one that doesn’t often get the attention it deserves. If you especially talk to outsiders, policymakers in Europe and the US, about cyber peace or cybersecurity in the Middle East, they will think of one country, usually. And they’ll worry about a country that has both been the target of significant cyber operations, and has also conducted those offensive cyber operations itself. And that’s Iran. So the framing in a lot of the Western policy world on cyber Middle East is an Iranian cyber threat. Just as if you were to go to the same conferences, and say you’re worried about the major threats, you would hear talk of another three or four similar states. The same list of states. But that is not the kind of cyber peace and diplomacy in the Middle East that I want to talk about today. Because my experience and my research in this area suggests that there’s a lot more nuance. There’s a lot more interesting things going on. And that, actually, there are some really promising signs of cyber diplomacy in the Middle East that other areas can work on as well. I can talk about a few of those examples if we’d like to. But I can also just open the floor to your own reflections. We have someone who already said it. We, I think the scheduling for the panels is currently, I would say, in flux. As in, the secretariat have not responded too much to request to cancel or move panels around. Any rescheduling for me, I think, is risky. Because it probably just wouldn’t happen. So, would anyone like to open the floor for any questions? Why did you come to this session? What did you expect to hear from this session? I have a microphone, I can pass around.

AUDIENCE: Hello, everyone. So, maybe my question here is, what is cyber diplomacy to you? And how has the difference in the global landscape today inspired the creation, or like, the general idea of cyber diplomacy?

James Shires: There’s a whole set of questions on cyber diplomacy, as in the use of cyber or digital tools or digital diplomacy that is very interesting and important. How do ministries of foreign affairs adapt to the digital world? How do they use AI, for example, in their day-to-day lives? That’s not, for me, cyber diplomacy. It’s diplomacy about cybersecurity issues. It’s distinct because these issues have stakeholders that are much more transnational than many other issues, right, you can’t necessarily tie down the technical community governing the internet to particular states or responsible states. And it’s also a lot more based on the private sector as well, right? So that, for me, is cyber diplomacy in general. It has its own challenges based on the kinds of actors involved, and also the technical experience required for the issue itself. So if you want to engage in cyber diplomacy, there’s a relatively high bar to entry. Now, that’s not unusual in diplomacy. Most diplomacy on science and technology requires some level of existing knowledge, but cyber diplomacy may be more than others. So that would be my framework for what cyber diplomacy is. Now, please, go ahead.

AUDIENCE: How do you think it’s going to look five years from now, 10 years from now? Because maybe five years ago and 10 years ago, it wasn’t the same, it wasn’t what it is now.

James Shires: So to bring the conversation back to the Middle East, five years ago, there was very little cyber diplomacy in the Middle East, I would say, right? The extent to which most Middle East states engaged with UN cybersecurity governance processes was very little. You had some at places like the Open Ended Working Group, the OEWG, putting forward relatively virtual statements at the start of every group, right? So Iran would make sure it aligned with particular views, mainly sort of rejecting what it saw as kind of the Western dominance of these processes. And so would Syria align with that as well, right? So you saw some coalition building, but many other states just didn’t engage at all. That really changed with the UN Cybercrime Convention, right? Because there’s a long history to cybercrime laws in the region, right? They have not signed up to the Budapest Convention on Cybercrime, which was the European mechanism, but they did have very early cybercrime laws often in the Gulf, right? So the first in Saudi Arabia was in 2006, and then it was updated eight years later after the Arab Spring and after the Arab Convention on Cybercrime, right? But for by the League of Arab States. So the idea of a UN Convention on Cybercrime was something that really, I think, spoke to these states more so. And you had a lot of very active engagement, especially towards the end of that process. So that’s where I see that going from there. Now, you said, where does it go in the future? Now, we’ve had lots of attempts by Saudi Arabia and other states to put forward new means of cyber diplomacy. You’ve had things like the digital cooperation organization. I expect to see more of those efforts. I expect to see a lot more cyber diplomacy as soft power, as the ability to include things like cybersecurity issues on major geopolitical stages, you have the Doha forum in Qatar, you have the Manama dialogues in Bahrain, all of these states are trying to put forward, you know, their take and their interpretation of geopolitical issues and to act as a convening space for quite sensitive geopolitical topics. I expect cyberspace to continue and grow in those areas as well. There are more microphones, if anyone else would like to come in, please. One there and then we’re here. And do come to the purple table. It’s nice if you like it.

AUDIENCE: Thank you. So when I look at cybersecurity, there’s a digital infrastructure component, right? So we are seeing in some of the wars targeted removal of ICT infrastructure, which means people are not. And that’s a big part. So how would so one question is, in that realm, how would cyber diplomacy actually act? The second one is actually the softer part. So there’s the algorithmic part, right? So when you are having a project that can identify targets very specifically that are downloaded from one area, and then remove them in war, this becomes a major challenge, but it may not just it may not be war, it could be disinformation. So we’re also seeing a lot of disinformation come in at the same time. So I think there’s three things that I’m looking at. One is the information and the literacy and maybe how that works over there. Romania just now had an issue where they actually cancelled their presidential elections or postponed it because of this issue. Where would it come in? So rebuilding after, for example, a war, we often see it’s the same people who supply the equipment for the war, which I find very strange. So just asking your view of very delicate balances.

James Shires: Okay, that’s three big questions, right? There’s one cyber tools in conflict and regulating cyber tools in conflict. There’s two, which is content issues like misinformation and disinformation. And there’s three, which is conflict reconstruction, right? So let’s let’s let’s talk about them separately, right? The first one, cyber tools in conflict. Now, here, I would like to do a little bit of a contrast with a global perspective. In the years after the Stuxnet virus, when everyone thought this is the advent of cyber war, you had lots of commentators saying, this is what cyber war will look like. It’ll be high sophistication, extremely high resource investment targeted at sort of strategic sites. You have a lot of speculation in the following years about what cyber war will look like after that. You then have the Ukraine conflict in 2022. And this challenges expectations, right? Cyber tools are blunted, right? The cyber defenders seem to have a good chance of repelling cyberattacks. There’s a lot of capacity building and investment going into Ukraine’s allies doing that. Then you have Israel’s invasion of Gaza. And there, the only cyber component, really sort of truly understood is the sort of the link to actors outside the conflict for a very simple reason. All infrastructure in Gaza is targeted and pretty much destroyed. Not just telecoms infrastructure, but water and energy and everything else. So there is no cyber tools in conflict in the Gaza side, because there is no use of cyber tools there. On the other side, you have a bigger conversation about the role of digital intelligence in targeting in conflict. That’s not necessarily sort of cybersecurity narrowly understood. Compromising devices, getting into devices. But this idea that in conflict, you use digital signals and device signals to do kinetic targeting, i.e. to kill people and bomb people, is extremely obvious in both those conflicts. In Ukraine, it goes from things like mobile phones on the frontline, and malicious apps being used by soldiers, then being used for drone strikes. In Gaza, it’s stuff like AI targeting systems, putting up lists of potential target sites to Israeli missile strikes, right? So this idea of digital targeting in conflict changes the landscape significantly, it sometimes gives greater advantage to already asymmetric conflicts. And by that, I mean, it enables states to bomb more, and to bomb more indiscriminately. The third, so that’s, that’s just a quick thing on cyber tools in conflict, right, as where we are now. The second point is on content and disinformation. Now, we’ve already talked about cybercrime laws. Now, most cybercrime laws in this region have a strong content component, right? They have a error saying disinformation or fake news or certain kinds of content will be prosecuted, will be considered crimes under this law. That’s not the case in other regions. So the Budapest Convention, for example, very clearly excluded content from its list of potential criminalizable offences. This was very much a political decision, right, as one that a lot of, for want of a better word, Western countries rejected wholesale up until the concerns about mis and disinformation stemming from largely from the US elections, right? They then understood that there was some need to focus on disinformation and content issues. There’s also a parallel discussion of online safety, right, of bullying and much more human security issues affecting content moderation and regulation. So both of these pressures have essentially slightly flattened the spectrum of positions for how to regulate content online. Most states now agree that there should be some regulation of online content. They disagree significantly about how much and what kinds of content, right? But most of these disagreements don’t necessarily lie in the technology itself, they lie in the definitions underlying that technology. For example, of a what is a criminal act online? What is a what violates national laws on media freedom and similar, right? So there’s a wide range of spectrum there. And there are a wide range of positions here in the region as well. Now, of course, there’s mis and disinformation become such a tangled topic, because you have to really piece it apart, right? So when you tracking disinformation operations around the Gaza conflict, right, they are doing, essentially, they are tracking kinds of the kinds of opinion that might be widely seen on many streets in many, many Arab countries, right. So it’s very difficult to disentangle the identification of disinformation from the political sides and positions that are taken by the people feeding that, or either promoting or reading that information. I’ll probably leave that there, because there’s a lot more we could say about that. The third point, say again, reconstruction. Now, I don’t have much to say on reconstruction, especially in the Middle East context, because the obvious point places here are in the war after the war in Yemen, and whatever will happen after Gaza, right, there will be a lot of investment required on. And of course, increasingly, you see Lebanon requiring massive reconstruction funds as well, right? The way in which cyber relates to that is in a way quite surface level, right, because frankly, it’s physical reconstruction, it’s all other kinds of infrastructure need to be rebuilt. But maybe there’s an opportunity there, right? Maybe there’s ability to bring in new forms of like very modern telecoms infrastructure, right? This is me trying to be as optimistic as possible in a situation that is incredibly pessimistic. So I would say there is maybe some potential for reconstruction, but the big decisions about who pays for it, even when it happens, right, we’re not there yet. So I wouldn’t be able to comment any further. There’s a question online. So should I read out the question? Well, yeah. Gaza has become the world’s first laboratory for testing and using, this is a question, artificial intelligence-based systems and weapons to commit apartheid war crimes and genocide against the oppressed Palestinian people. That has led to huge numbers of civilian deaths. What can be the role and responsibility of the United Nations governments in dealing with the weaponization of artificial intelligence that is contrary to human values and international law? So thank you very much for this question. And I’m not sure where to look because panelists can’t really see me. So this is a crucial point, right? And I have a feeling that many of you are at this panel because it is the only panel on any topic remotely like this at the current IGF, right? You scroll through the schedule. There is a panel tomorrow afternoon on transnational repression and cybercrime. So you should make sure that you attend that if you’re around. But there is not much discussion of conflict in general. There is certainly not much discussion of the conflict in Gaza, and let alone any discussion of the use of AI targeting tools that I mentioned. The Lavender system or others in terms of how that should be addressed by the UN. Now, I’ll make two short points. One is that the UN system is already mobilizing to look at the war in Gaza from a point of view of international law and what is prosecutable and not, especially by the International Criminal Court. So that is already happening. It happens slowly. There are prosecutors there looking at the well-publicized indictments of the leaders on both sides that is happening. So that is happening by the ICC, which obviously there are discussions of jurisdiction. But the UN system itself, there are also resolutions condemning what is happening, but then go into the existing geopolitical divides, right? Whether this is a security council or at the General Assembly. So the UN system is mobilizing, but always could do more. Now, this is better. Now, in terms of the IGF, question one would be whether the IGF should address AI itself, right? It is the internet governance forum. One could argue it has a narrow mandate to address internet governance, which does not include all the many social and conflict-related implications of AI, right? So it could say this is not part of our mandate. Now, we have already heard from the many high level speeches yesterday and so far, but the Internet Governance Forum does intend to include AI very firmly within its remit and you can see from many panels on AI ethics and responsibility and social impacts that this is the case. So I would say that certainly the Internet Governance Forum should look at the use of AI in conflict. It should link to other initiatives like the REAM summits, responsible use of military AI to understand not only how AI is being used now, but what is the potential for putting guardrails on it in future. If the lessons from the cyber security debate are anything, like tell us anything, they tell us that the intergovernmental multilateral process for putting anything in place around AI, especially military will be long and convoluted and probably dissatisfactory at the end. So, but there’s still hope. Please go ahead, yeah. I’m actually also going to, I had another meeting I thought, so the power wasn’t going on, but I’m just going to send a quick message while you discuss that, please.

AUDIENCE: As the public researchers about cyber diplomacy in the Middle East, United Nations has published it. So if there is, where can we read this? It’s good to watch or it’s good to read these stuffs. I was just going to chime in on the last matter about the use of AI in kinetic conflict. So, on the military side, the phrase to look for is human in the loop, because that’s how military people think of it, right? Is if there’s a human in the decision-making loop and the kill chain, then there’s ultimately a person upon whom responsibility falls and they know how to do that. Whereas if it was just software all the way down, then it’s machine learning, training data, who filtered the data, blah, blah, blah, blah, blah, blah. And ultimately everyone can evade any responsibility for anything. And on the NGO side, there’s the campaign to stop killer robots, which is the coalition of NGOs that are working in this area.

James Shires: Thanks, Bill. And to tie that human in the loop conversation back to what the question was asking about, which is Israel’s actions in Gaza, right? There is not a discussion there about there not being humans in the loop, right? That is not the issue that is taking center stage. The issue is that the humans in the loop are operating with insufficient constraints on collateral damage, on targeting limitations, on the numbers of strikes they’re conducting, et cetera, et cetera. So it’s a very difficult, it’s a very different scenario about how to regulate the use of AI in conflict when the real problems coming from the use of AI are not from the use of itself. It’s from its incorporation into the existing decision-making, flaws in decision-making. I hope that helps answer the question. We had one here, which was, where’d you read about this, right? So there’s a book called Cyber War and Peace in the Middle East, which was published by the US DC-based Middle East Institute a couple of years ago. There’s a book on the politics of cybersecurity in the Middle East, which you don’t want to read. And there’s also recent work, especially on the AI and the Gaza War, for example, by Anwar Majeneh, who’s at Stonehill College in the US. So yeah, there’s a few people writing on this, but it’s not a very large community either. So I can have my card afterwards. I will send you a list of references. Can I go online and then come back to you? Because I think there was an online question. So again, I’ll read it out. Existing internet governance system is not sufficient to respond to the policy issues related to data, domain names, safety, health, common infrastructure, technical standards and content, and requires the adoption of a comprehensive approach and a new architecture. Can the smart combination of multilateral governance model plus multi-stakeholder consultation be appropriate? Can the model of ICAO, the International Aviation Organization, be a good example to ensure the legality, health, and safety of cyberspace? So I guess this is not a Middle East-related question, but it is an important question. It’s well, how fit for purpose is the current internet governance system? Now, the International Civil Aviation Organization is a really interesting example, because there you have an extremely highly regulated industry, right? Not only is airplane building a very highly regulated activity, but airplane communications, everything to do with airspace, is extremely highly regulated, right? So in a way, it is kind of the opposite of the internet, right? The internet, by default, by design, in the technologies, is not regulated, right? Anyone can use it, they can set it up, they can create a network, they can connect that network to other networks, and so on, right? So, in a way, the ICAO is the wrong, is exactly, entirely the wrong end of the spectrum to think about internet governance, right? You have very few actors who are already used to highly, high levels of regulation, cooperating to ensure they can build and maintain sort of safe passage for aircraft. The internet, on the other hand, is sort of a really wide diversity of actors, all of whom are able to do what they want and try and do what they want really quickly, and so you have to try and bring those in. So, I think a combination of a multilateral governance model plus multistakeholder consultation, I think, would just be insufficient, right? You just would not get the right people around the room, you would not be enabled to enforce or act on any recommendations or things that are made because you wouldn’t have, yeah, the multilateral governance would not be effective. That’s what I’d say there, but I know there are other people in the room who might want to come in as well. So, would you like to come in? You want to come in, please? You have a, you have a question? Okay, we have two questions, and if you’d have, you have a question, right? Okay, I’ve answered it already. Okay, you have a question, you go. And we have one at the back there, go ahead.

AUDIENCE: Can you hear me? I can hear you, yeah. So, the fact that we have like different definitions for that certain cybersecurity term, we are going to lead an effort to find like a unified definition for a single cybersecurity term. What the step that should be followed?

James Shires: So, we would like to have a single universally agreed definition of cybersecurity. Now, the problem arises, right, when you start stepping outside of technical definitions of security, right? So, the classic technical definition are things like confidentiality, availability, and integrity, right? And you can define those definitions and you can define those properties within networks relatively well, right? With those classic Alice Bob diagrams about who can read what when, that’s how you’d get to those definitions. But even then, integrity, right? Which is usually the communication is the same as coming out as it was going in, and it also hasn’t had some kind of time, it has the right timestamp as well, right? Because if you delay communication, that’s also a failure of integrity. These properties have also been redefined, right? So, a lot of the disinformation and misinformation work is badged as integrity work, right? So, maybe Facebook or Meta would try and think about their content moderation efforts within that framework. So, you very quickly get pushing at the boundaries of these technical concepts to make them include much thicker ideas about what shouldn’t be included. And that’s the root of the problem with defining cybersecurity. Because then you get into things like, okay, well, what is security? It means, does it mean that you don’t have the, there’s no access to a network, right? You have a secure network. That’s a very kind of black and white definition, right? There’s inside and outside. Is it being able to respond and make sure you can continue to function, right? That’s much more resilience focused definition of security. Or as many people around this forum say, is it, should there be a human idea of cybersecurity, right? It’s like, it’s actually, what does it mean for people, whether something, whether they are secure or not in what they do online. And that’s possibly the thickest definition you have, which includes everything to do with content, all the technical aspects of cybersecurity and everything else. So, the reason we find it hard to define cybersecurity is because contained within this discussion is a lot of our own values and opinions and our cultural background as well, right? So, we start unpicking those whenever we start to get to the definition. So, I don’t think there will be a single definition. I might be wrong. If someone can give me a single universally agreed definition of cybersecurity, I’d love to hear it. Do you have a microphone? Yeah, that feels odd.

AUDIENCE: Yeah, I was just wondering, how would you assess the maturity of the cyber diplomacy landscape in the Middle East compared to other regions of the global South, whether it be Africa or Southeast Asia or Latin America or the Caribbean?

James Shires: Yeah. So, I would say maturity is an, I don’t like the term maturity, point one. There’s a ITU maturity index. There’s a lot of maturity surveys. And it implies that all that’s needed is sort of a certain amount of capacity and then everyone will engage in the same way, right? So, the problems come from lack of maturity. I actually think that that’s not necessarily the case here, right? So, you have very deliberate choices by states, what they invest in. Do they invest in cyber diplomacy? Like, classically understood. Do they see the UN discussions, the OEWG, et cetera, as providing value? Or do they do something else as well, right? Do they do something more national or more regional? So, I think you can do a regional comparison. You can do them based on indexes, such as the ITU index. You can do them based on the Oxford Cybersecurity Capacity Building, maturity model, right? There’s a lot of ways you can do inter-regional comparison. My preference is always to say, okay, what is the, what are people, or decision makers and leaders in the region, what do they want to get out of these discussions? And are they getting those out of them? Are they getting what they want out of them? So, for example, with the ITU index, right, are they able to communicate that their, that their country is digitally advancing, right? That it’s a tech power or a tech hub for the region, right? You’ve seen that very powerfully in the UAE, in Saudi Arabia, right? Are they able to say, in terms of capacity building, to devote projects, to devote funding to projects they are interested in, right? In maybe countries that they have a diplomatic interest in, whether that’s in the Horn of Africa, in Djibouti or somewhere else. Yes, of course, right? And are they able to do education? There’s a lot of very impressive open education initiatives in Arabic and in English, in the Emirates and Qatar and Saudi Arabia, to really reach the population. So, yes, there’s a lot of activity there, right? The way that, when I’ve done, I’m speaking to people at professional conferences, things like that in the region, often this then becomes, so if you reject the global indexes of maturity and you say, it’s all about what you want, this then becomes a conversation about standards. Okay, how many companies in the region are obeying ISO 27,000? How many of them are obeying the NIST or how many of them are adopting the NIST standard, right? Because you don’t obey it. And there you might get a much lower answer, right? You might say, actually, they’re either doing it for only audit purposes, but they are not sort of practicing the kinds of measures that they would advise, or they are even not engaging in the standards conversation at all. And there you can point to probably more reliable metrics. There are lower levels of maturity, especially in some sectors in this region that would need a lot of advancing to go further on. But that’s possible at a regional level, right? So you could do that through the GCC, through the Gulf Cooperation Council Committee. Yeah, further on as well, so please.

AUDIENCE: Thank you, so if I look at, I guess the whole panel’s on cyber diplomacy and peace, right, so there’s an angle where you have to look at peace within the Middle East, that is Middle East by Middle East, and maybe there’s Middle East with others, because we know there’s a lot of actors outside Middle East involved in the Middle East, which disrupts peace, right? So if cyber diplomacy is about influence and getting people aligned to the cause, and everybody wants peace, because peace is when you prosper, you don’t prosper very much unless you’re selling things that disrupt that, right? So most of the hardware and the tech comes from other sides of the world. How will this impact cyber diplomacy in the future when you control the narrative, or you control the data? And we see that already, I think out of 500 cables, most of them, 99% is private sector cables. And if you look at the private sector companies owning them, you know where they are, they’re mostly in the West. So do you think this becomes a challenge in the future?

James Shires: I certainly think it does. I think, so there’s a very, there’s two answers to the question. One, like, ownership of hardware, of infrastructure, and ownership of data are both really live issues, especially for this region. There’s a strong push for data localization. So if you look at cloud regulations in the Gulf States, you look at agreements that they’ve struck with main cloud providers, they are really pushing for localization agreements through partnership with local companies. So if you have Google Cloud Platform, Amazon, etc., then they are working with partner companies, and they are also asking for dedicated data centers. Now, I published something quite recently on this, on the role of cloud computing and cybersecurity in diplomatic interaction, so between Israel and the UAE through the Abraham Accords, and some of that analysis showed how meaningless some of this is. So the requirements that Israel and the UAE put on the data centers, they said you have to have local data centers. Okay, great. But actually, we want a whole cloud region. Okay, right. So we want our own independent cloud region here, which is actually at least three independent… If you remember that, at least three independent data centers are at least like certain physical distance apart, right? And they didn’t build these data centers. They just rented some of them. Some of them weren’t sufficiently apart to count as a cloud region, so they just changed the definition slightly, right? So this demand for localization is kind of met in name but not in reality. So yeah, that’s point one. Point two is kind of the role of external actors, right? And here, you know, you have to look at what is really going on in terms of offensive cyber tools. And here we switched tack slightly to go to kind of a threat landscape. There’s an actor called, by the threat, intelligence industry predatory sparrow, which has been linked to cyber attacks in Iran that have had disruptive effects on railways, on steel plants, on fuel stations, things like that. Now, part of this is because kind of the infrastructure in Iran, as far as I know, is outdated, right? It doesn’t have the ability to modernize its whole digital critical infrastructure, right? So relatively easy to target. But also, you know, this actor, whoever it is, activist or state sponsored, is pushing the boundaries, right? They are disrupting critical infrastructure to a certain extent and then rolling back on that, not going as far as they claim they could do. So there’s also actors in the Middle East that are consciously pushing the boundaries of what is acceptable through cyber conflict and seeing how far they can go there. And that’s a really worrying trend. Please, I don’t know if this one works.

AUDIENCE: I think it does. We’ll share a mic. I’ll put these on so I can hear. No, actually, I don’t need it. Thanks for organizing this session. Actually, it’s a good opportunity because we get a chance to talk. So I really like this. I had a couple of reflections. I don’t come from the security field. But one thing that has, and I’m based in Belgium. My name is Jamal Shaheen. I’m based in Belgium at the University of Belgium. So I just had a couple of questions. And I’ll start with one, which is about in Europe, at least, we see this connection between cybersecurity. It’s now with the new European Commission that’s just been put in. They’re bringing this connection between cybersecurity and democracy or stability of institutions in the field. And I was wondering whether that’s something that you’ve seen panning out in this area. And then the second question was, as part of the Ukraine conflict, I’ve noticed that companies like Microsoft have been publishing reports, threat reports. Which have been saying what Microsoft as a private actor has been doing to defend Ukraine. And changing the landscape from security actor to the types of security actors that you talk about when you talk about cyber diplomacy. Maybe incorporating different types of actors. I was wondering how that’s playing out in this region, particularly in light of the last question. When we talk about different types of actors. Is the private sector now playing a bigger role? And of course, that private sector being largely based outside of the region. Is that playing an important role in this space? And how will that play out? Because then the opposite of that is they’re moving towards more calls for digital sovereignty. You call data localization, but digital sovereignty. Which only further gives space for more conflictual responses. I’m a bit concerned about that kind of evolution of this dialogue.

James Shires: Yeah. Oh, yeah. That’s right. Thank you. Thank you. Very. Yeah. Really interesting points. Right. So. On the first one, this idea that the private sector is becoming almost a combatant. Right. They are providing support in Ukraine via Microsoft. Critical services. Some of them defense services. Some of the military services. Right. And it’s very hard to distinguish. If you provide a cloud platform to the Ukrainian government, some of it is used for defense. Some of it is not. What is a legitimate target then for the other side? How far do they become involved in that war? These are really difficult questions that I think a lot of people are very worried about. And I also think that the boundaries are being really tested there. So, in the Middle East complex that I’ve talked about, in Yemen and in Gaza, there’s not the same question at the moment. There’s not the same involvement of private sector actors on the defensive. Now, there are on the Israeli side. So, it’s a major cybersecurity hub. There are big Israeli companies. You might want to check out the Palestine Laboratory, which is a very carefully researched book on the use of the Palestinian territories for developing technologies throughout Israel’s history. So, that’s not just to do with AI in Gaza now, but it’s a longer term phenomenon. And that means that companies are very closely connected to the Israeli state. That’s not a new thing, and it’s entirely conscious as well. You have Israeli leaders like Netanyahu very much selling the cybersecurity industry through things like NSO Group and others that they sell. It’s very much to this region and this country as well, that they are using cyber offensive and defensive as diplomacy. And a lot of the recruitment comes out of the military. So, this idea that the private sector is involved comes from a very, I guess it would say a European or American squeamishness. A Silicon Valley idea that these companies are not part of the state. They’re not associated with state military activities. It just doesn’t exist in the Israeli context. Right. So, that’s why it’s really different. And because they’re such a central hub, they don’t have the need for international companies to come in the same way. And of course, on the other side in Gaza and Yemen, they’re not getting the same level of support. Just to state the blatantly obvious. There is no one going in and saying, okay, we will migrate your cloud infrastructure online. We will provide you with a digital e-government service. None of that is happening purely because of political priorities.

AUDIENCE: If we needed cyber peace or we needed peace in the region, and you come back to your main frame of question, what are the four or five things you recommend we do? Three things. Thank you so much for giving me a wrap up.

James Shires: And for those online, I know we had a couple of questions. I hope you found this stimulating. And just to remind everyone who’s joined a little bit later, I am kind of having a discussion because many of the panelists couldn’t originally make it. So thank you, everyone, for sticking with it. What are the four or five things in terms of cyber peace? Now, the first is data, right? Data on use of cyber tools in conflict, on the actors using those tools, right? At the moment we rely on, as this gentleman said, private sector threat intelligence reports that are very skewed towards certain actors. It’s not a good source of data, but it’s the only one most researchers have. So, new and different kinds of data about what kinds of cyber security threats there are on the ground, right? And then you can have a conversation about how to counter those threats once you know more about them. Working in a multistakeholder way, right? Working more with civil society, with industry and with internet governance organizations that aim to promote non-political aims, right? So, there’s a lot of controversy here in the region, right? You have everything we’ve talked about so far today from content moderation and censorship to offensive cyber tools and spyware and things like that. Finding ways where countries can agree that they want greater and better internet access, maybe, and better connectivity would be number two, right? And using diplomacy to achieve those aims. And then number three would be plugging in as much as possible to the UN processes, right? They have all the flaws that I’ve already talked about, but at the moment there are no alternatives, right? And if you use regional mechanisms, whether it’s the GCC, whether it’s other regional groupings, to develop your own practices, to develop states’ competencies and collaboration in cyber security, and then translate that to the global level, to the multilateral level, that I think would be the last recommendation. Thank you all for what has been an extremely interesting conversation. Please do follow up. I have some cards here. I know I said I promised people some references. I promised people some things to read, and I will definitely do that if you come and approach me afterwards. So thank you so much.

Agreement Points

Importance of data on cyber threats

James Shires

AUDIENCE

Gather better data on cyber threats and actors in the region

There is a need for more data on cyber threats and tools used in conflicts in the region

Both James Shires and an audience member emphasized the need for better data on cyber threats and tools used in conflicts in the Middle East region.

AI use in conflicts raises concerns

James Shires

AUDIENCE

AI targeting systems are being used in conflicts like Gaza, raising concerns about indiscriminate attacks

There are calls for the UN and IGF to address the use of AI in conflicts

Both James Shires and an audience member expressed concerns about the use of AI in conflicts, particularly in Gaza, and the need for addressing its implications.

Similar Viewpoints

Both recognize the increasing role of private sector and non-governmental actors in cybersecurity and conflicts, suggesting a need for multi-stakeholder approaches.

James Shires

AUDIENCE

Work in a multi-stakeholder way with civil society and industry

Private sector tech companies are playing an increasing role in cybersecurity and conflicts

Unexpected Consensus

Limitations of current cyber diplomacy frameworks

James Shires

AUDIENCE

Engage more with UN processes while developing regional cybersecurity practices

There are calls for the UN and IGF to address the use of AI in conflicts

Despite different focuses, both James Shires and the audience member unexpectedly agreed on the need for more engagement with international bodies like the UN, while also recognizing the limitations of current frameworks in addressing emerging issues like AI in conflicts.

Overall Assessment

Summary

The main areas of agreement centered around the need for better data on cyber threats, concerns about AI use in conflicts, the increasing role of private sector in cybersecurity, and the need for more engagement with international bodies while developing regional practices.

Consensus level

There was a moderate level of consensus on key issues, particularly on the need for better data and addressing AI in conflicts. This consensus suggests a shared recognition of emerging challenges in cybersecurity and diplomacy in the Middle East, which could potentially lead to more collaborative efforts in addressing these issues.

Different Viewpoints

Definition and scope of cyber diplomacy

James Shires

AUDIENCE

Cyber diplomacy is diplomacy about cybersecurity issues, distinct due to transnational stakeholders and private sector involvement

There are calls for the UN and IGF to address the use of AI in conflicts

While James Shires focuses on cybersecurity issues in his definition of cyber diplomacy, an audience member suggests expanding its scope to include AI use in conflicts, implying a broader interpretation of cyber diplomacy.

Unexpected Differences

Role of private sector in cybersecurity and conflicts

James Shires

AUDIENCE

Infrastructure vulnerabilities make some countries like Iran easier targets for cyberattacks

Private sector tech companies are playing an increasing role in cybersecurity and conflicts

While James Shires focuses on state-level vulnerabilities and attacks, an audience member unexpectedly brings up the increasing role of private sector tech companies in cybersecurity and conflicts. This difference highlights a potential gap in the discussion about the evolving landscape of cyber actors.

Overall Assessment

summary

The main areas of disagreement revolve around the scope of cyber diplomacy, the focus of data collection efforts, and the role of different actors in cybersecurity and conflicts.

difference_level

The level of disagreement appears to be moderate. While there are some differences in perspective, they seem to stem from different areas of focus rather than fundamental disagreements. These differences highlight the complexity of cyber diplomacy and security in the Middle East, suggesting a need for a more comprehensive and multi-stakeholder approach to address the region’s cybersecurity challenges.

Partial Agreements

Both James Shires and the audience agree on the need for better data on cyber threats in the region. However, they differ in their focus, with Shires emphasizing the importance of unbiased data sources, while the audience member specifically highlights the need for data on tools used in conflicts.

James Shires

AUDIENCE

Gather better data on cyber threats and actors in the region

There is a need for more data on cyber threats and tools used in conflicts in the region

Similar Viewpoints

Both recognize the increasing role of private sector and non-governmental actors in cybersecurity and conflicts, suggesting a need for multi-stakeholder approaches.

James Shires

AUDIENCE

Work in a multi-stakeholder way with civil society and industry

Private sector tech companies are playing an increasing role in cybersecurity and conflicts

Key Takeaways

Cyber diplomacy in the Middle East has increased in recent years, especially around cybercrime conventions

Middle Eastern states are using cyber diplomacy as soft power to promote their geopolitical interests

AI targeting systems are being used in conflicts like Gaza, raising concerns about indiscriminate attacks

There is a push for data localization and digital sovereignty in Gulf states

Private sector tech companies are playing an increasing role in cybersecurity and conflicts in the region

Resolutions and Action Items

Gather better data on cyber threats and actors in the Middle East region

Work in a multi-stakeholder way with civil society and industry on cybersecurity issues

Engage more with UN processes while developing regional cybersecurity practices

Unresolved Issues

How to effectively regulate the use of AI in military conflicts

The role of the UN and IGF in addressing AI weaponization

How to balance digital sovereignty efforts with international cooperation on cybersecurity

The lack of a universally agreed definition of cybersecurity

Suggested Compromises

None identified

For me, cyber diplomacy is the, is diplomacy about cybersecurity issues, right? There’s a whole set of questions on cyber diplomacy, as in the use of cyber or digital tools or digital diplomacy that is very interesting and important. How do ministries of foreign affairs adapt to the digital world? How do they use AI, for example, in their day-to-day lives? That’s not, for me, cyber diplomacy. It’s diplomacy about cybersecurity issues.

speaker

James Shires

reason

This comment provides a clear definition and scope for cyber diplomacy, distinguishing it from digital diplomacy. It sets the foundation for the rest of the discussion by clarifying the topic.

impact

This definition helped focus the conversation on specific aspects of cybersecurity in international relations, rather than broader digital issues.

Gaza has become the world’s first laboratory for testing and using artificial intelligence-based systems and weapons to commit apartheid war crimes and genocide against the oppressed Palestinian people. That has led to huge numbers of civilian deaths. What can be the role and responsibility of the United Nations governments and UNIGF in dealing with the weaponization of artificial intelligence that is contrary to human values and international law?

speaker

Online Audience Member

reason

This comment brings up a highly controversial and current issue, connecting AI, cybersecurity, and ongoing conflicts. It challenges the discussion to address real-world applications and ethical implications.

impact

This question shifted the conversation towards the ethical use of AI in conflict situations and the role of international organizations in regulating such technologies.

As the public researchers about cyber diplomacy in the Middle East, United Nations has published it. So if there is, where can we read this? It’s good to watch or it’s good to read these stuffs.

speaker

Audience Member

reason

This question highlights the need for accessible, credible sources of information on cyber diplomacy in the Middle East, pointing to a gap in public knowledge.

impact

It led to a brief discussion on available resources and literature on the topic, potentially helping attendees find more information after the session.

Ownership of hardware, of infrastructure, and ownership of data are both really live issues, especially for this region. There’s a strong push for data localization.

speaker

James Shires

reason

This comment introduces the important concepts of data sovereignty and localization, which are crucial in understanding the geopolitics of cybersecurity in the Middle East.

impact

It broadened the discussion to include economic and political aspects of cybersecurity, beyond just technical issues.

In Europe, at least, we see this connection between cybersecurity. It’s now with the new European Commission that’s just been put in. They’re bringing this connection between cybersecurity and democracy or stability of institutions in the field. And I was wondering whether that’s something that you’ve seen panning out in this area.

speaker

Jamal Shaheen

reason

This comment introduces a comparative perspective, bringing in European approaches to cybersecurity and its connection to democratic institutions.

impact

It prompted a discussion on the differences between European and Middle Eastern approaches to cybersecurity, highlighting the importance of regional context.

Overall Assessment

These key comments shaped the discussion by broadening its scope from a narrow focus on cyber diplomacy to include ethical considerations of AI in conflict, data sovereignty, and regional differences in approaches to cybersecurity. The discussion evolved from defining terms to exploring real-world applications and implications, particularly in the context of ongoing conflicts in the Middle East. The comments also highlighted the interconnectedness of cybersecurity with broader political, economic, and ethical issues, demonstrating the complexity of the topic and the need for multifaceted approaches in both research and policy-making.

How will cyber diplomacy look 5-10 years from now?

speaker

Audience member

explanation

Understanding future trends in cyber diplomacy is important for anticipating challenges and opportunities in the field.

How would cyber diplomacy act in the realm of targeted removal of ICT infrastructure during conflicts?

speaker

Audience member

explanation

This is crucial for understanding the role of cyber diplomacy in protecting critical infrastructure during conflicts.

What can be the role and responsibility of the United Nations, governments, and UNIGF in dealing with the weaponization of artificial intelligence that is contrary to human values and international law?

speaker

Online participant

explanation

This question addresses the urgent need for international governance and regulation of AI in warfare.

What steps should be followed to find a unified definition for cybersecurity terms?

speaker

Audience member

explanation

A common understanding of cybersecurity terms is essential for effective international cooperation and policy-making.

How would you assess the maturity of the cyber diplomacy landscape in the Middle East compared to other regions of the global South?

speaker

Audience member

explanation

This comparison is important for understanding regional differences and potential areas for improvement in cyber diplomacy.

How will the control of hardware, tech, and data by Western companies impact cyber diplomacy in the future?

speaker

Audience member

explanation

This question addresses the potential power imbalances in cyber diplomacy due to technological disparities between regions.

Is there a connection between cybersecurity and democracy or stability of institutions in the Middle East, similar to what is seen in Europe?

speaker

Jamal Shaheen

explanation

Understanding this connection is important for assessing the broader societal impacts of cybersecurity policies.

How is the role of private sector companies in cybersecurity and conflict playing out in the Middle East?

speaker

Jamal Shaheen

explanation

This question explores the changing dynamics of cyber actors and the potential implications for regional stability and sovereignty.