The Justice Department recently announced that three former U.S. intelligence operatives have admitted to conducting hacking operations on behalf of the United Arab Emirates. The three men had been hired by a U.A.E.-based firm with close ties to the government, where they developed two software exploits that gave their firm the ability to remotely compromise millions of devices. In the past, the United Arab Emirates and other Gulf autocracies have employed software developed by the Israeli NSO Group to conduct cyber-espionage, as well as campaigns of intimidation and harassment, against a wide range of targets not only in their own region but also in Europe and North America. This represents the latest escalation in the increasingly malign role that several Gulf states, most of all Saudi Arabia and the United Arab Emirates, have adopted in the cyber realm. These attacks constitute a threat not only to the individuals and institutions targeted, but also to the liberal international system on which democracies rely. The United States and its allies will need to develop a concerted approach to discouraging, managing, and ultimately deterring these attacks.
Earlier this year, the New Yorker reported that the CIA was looking into threatening messages sent to decorated former FBI agent Ali Soufan, who has written extensively about ties between the Saudi government and violent Islamist groups, including al-Qaeda. Soufan had hired cybersecurity experts to investigate a social media campaign against him, and they quickly discovered an extensive online harassment campaign seemingly orchestrated by a Saudi online provocateur known as al-Ghawi. Al-Ghawi describes himself as a journalist and stars in a YouTube program in which he denounces those he claims to be enemies of Saudi Arabia. More disturbingly, the firm found that al-Ghawi had conducted a similar campaign of denunciation and harassment against Washington Post journalist Jamal Khashoggi in the months leading up to his murder by Saudi security forces at their consulate in Istanbul. Further reporting, including by the Intercept, has identified harassment and abuse campaigns al-Ghawi has conducted against Montreal-based Saudi activist Omar Abdulaziz, Qatar-based data scientist Geoff Golberg, Washington-based think tank director Sarah Leah Whitson, and State Department senior advisor Ariane Tabatabai (who previously worked at the Alliance for Securing Democracy).
So how have we gotten to the point that security forces with close working ties to the U.S. military are conducting campaigns of harassment and intimidation against American policymakers and intelligence officers? The answer, in part, is the reliance that U.S. foreign policy has placed on Gulf monarchies for the past half-century. Since the 1979 Islamic Revolution in Iran, the United States has worked closely with Saudi Arabia and other Gulf states as key security partners not only in containing Iran, but also during two wars in Iraq, as well as in the global war on terror. The strategic value to both sides has made these partnerships endure even though Saudi Arabia, the United Arab Emirates, Qatar, Bahrain, Kuwait, and Oman are all authoritarian monarchies whose fundamental values and worldview differ sharply from those of the United States.
In today’s globalized social and news media ecosystem, though, this delicate balance is becoming harder to maintain. Increasingly, the Gulf states deploy the tools of online interference and manipulation pioneered by U.S. adversaries like Russia, China, and Iran, including hack and leak operations, coordinated inauthentic social media activity, and campaigns of harassment and intimidation. With Saudi Arabia, the United Arab Emirates, Qatar, and other Gulf states increasingly targeting U.S. citizens and residents, and those of U.S. allies, it is more important than ever for the United States to take a strong stand against such behavior. This means making it clear that even U.S. security partners will not be permitted to use the Internet to pollute the information ecosystem, or silence journalists and dissidents, because these behaviors are destructive to U.S. security and interests in their own right. They also contribute to a culture of impunity globally that imperils the liberal order on which the United States relies.
The challenge of Gulf-based authoritarian interference is closely tied to the rise of Crown Prince Mohammed bin Salman (MBS) in Saudi Arabia. MBS tried to redefine his country’s image as one of a modern and reforming state, a hub for technology, and a stable partner for the United States against Iran. This image was shattered in 2018 when Saudi operatives killed and dismembered Jamal Khashoggi, which was followed by a months-long purge of the Saudi elite that led to hundreds being detained—including members of the royal family, former officials, and businessmen held at the Ritz-Carlton in Riyadh. In fact, this seemingly new and highly visible approach to 21st century authoritarianism is just a new facet of a larger program of information manipulation, intimidation, and abuse that had been developing for several years.
Throughout the Gulf region, the advent of new technology has been a double-edged sword. On the one hand, it has no doubt allowed cities like Dubai and Doha to become thriving business hubs. On the other, authoritarian regimes in the region have leveraged these advances to tighten their grip on their societies and to impede democratic reform. These states have benefited from new surveillance technology in particular, and they routinely use foreign threats—from terrorism to Covid-19 to alleged Iranian espionage—to justify their intrusive policies. Particularly egregious instances included the hacking of dozens of diplomats, journalists, and activists across the Gulf by a U.A.E.-linked surveillance operation conducted under the guise of countering terrorism. Across the border in Saudi Arabia’s Eastern Province, the country’s Shia minority are subjected to surveillance, arbitrary detention, and even death on the basis of vague or ill-supported charges of spying for Iran. Some of these actors have not stopped their efforts at their own borders. The United Arab Emirates and Saudi Arabia have also used social media to promote narratives hostile to Iran and favorable to their own interests to audiences around the world. And following the Gulf split in 2017—a diplomatic rift with Qatar on one side and Saudi Arabia, the United Arab Emirates, Bahrain, and Egypt on the other—the Saudi-led bloc used these tools to isolate and pressure Qatar. In those instances and others, cyber tools were deployed far beyond the region, affecting the media and information ecosystems in many languages and countries, including in the United States and other democracies.
For U.S. policymakers and their European counterparts, the Gulf monarchies have long presented a conundrum, and these regimes’ bold forays into authoritarian influence campaigns make this challenge more pressing than ever. Several of these states have played an important role in managing some of the Middle East’s most pressing problems. U.S. bases in Qatar and Saudi Arabia have facilitated U.S. and coalition forward presence and military operations in the region. U.S. counter-terrorism operations have benefited from intelligence-sharing with Gulf countries. And Oman helped establish a critical back channel between the United States and Iran, in essence paving the way for the 2015 nuclear deal. At the same time, some of these countries have worked to leverage their position and wealth to manipulate democratic processes and institutions in the United States and elsewhere in pursuit of their interests, many of which run counter to democratic principles. This includes the hacking of Jeff Bezos, which was carried out with the involvement of the Saudi crown prince himself, and was intended, according to UN special rapporteurs Agnès Callamard and David Kaye, “to influence, if not silence, the Washington Post’s reporting on Saudi Arabia.” It also includes the hack and leak operation targeting Republican National Committee Finance Chairman Elliott Broidy by Qatari agents, who perceived him as an advocate for Saudi interests. And of course it includes numerous social media influence operations designed to mislead and misinform media consumers and harass and intimidate journalists and activists.
To be clear, Gulf countries are not the only malign actors in this space in the Middle East. As ASD’s prior research on Iranian efforts to undermine democracy shows, Tehran uses information manipulation and cyber operations to undercut democracy abroad. In recent years, Iran has consistently appeared alongside Russia and China in U.S. government assessments of authoritarian actors seeking to interfere in democracies. But managing an adversary bent on destabilizing behavior is a very different challenge than dealing with security partners who undertake the same activities.
Under the Trump administration, Saudi leadership had fairly broad latitude to pursue the regional and domestic policies of their choosing. This proved true even when those policies plainly conflicted with U.S. values—including, for instance, the 2019 mass execution of 37 dissidents, including a Case Western Reserve student. It also proved true when concrete U.S. interests were at stake, as when Saudi Arabia and the United Arab Emirates used cyberattacks to create the pretense for a blockade of Qatar, another key U.S. security partner and host to the largest U.S. air base in the Gulf. Even when Saudi Arabia attacked U.S. persons directly, as when MBS ordered the murder and dismemberment of Jamal Khashoggi or when he personally facilitated the hacking of Jeff Bezos’ phone, the United States did not forcefully respond.
Coalition politics often necessitate compromises of one sort or another, but Washington should be wary of giving autocratic security partners wide latitude to deploy the tools of authoritarian influence used by adversaries, often to achieve similar ends. Managing regional adversaries is an urgent priority, but so too is competitive success in the emerging, asymmetric contest between democracies and autocracies, which is playing out in the information domain. By normalizing information manipulation, surveillance, and digital harassment, Saudi Arabia and other Gulf states undermine U.S. interests and serve the long-term strategic aims of Russia, China, and, notably, even Iran.
Given the substantial influence Washington has over some of its most irresponsible security partners, it can do more to inflict real costs on states when they harass and murder U.S. citizens and residents or work to denigrate and compromise U.S. institutions for their own short-term benefit.