Middle East cyber priorities for the Biden administration

This article is based on a private roundtable discussion with individuals involved in or familiar with the Biden administration transition process.
 

The new administration in Washington faces a laundry list of complex domestic and foreign challenges competing for attention. As it has for decades, the Middle East in particular continues to present problems for American foreign policy practitioners, and the fast-growing digital competition in cyberspace between regional actors raises an entirely new set of questions and dilemmas for the Biden administration. To say that the new president has a lot of issues on his plate related to the Middle East is something of an understatement, and while Iran’s nuclear program is the priority, it is imperative that this administration find a way to deal with the nuclear issue without neglecting the important role the U.S. must play in various aspects of regional cybersecurity. To promote stability in the Middle East and safeguard its interests, the new administration should adopt policies designed to limit damaging activities in cyberspace, support cyber norms in conjunction with strong cooperation agreements, recognize the obstacles to creating a NATO-like regional security alliance, and implement policies restricting the misuse of U.S. technologies by allies to commit human rights violations and spy on their own people.

Without distracting from the nuclear question, the Biden administration should concentrate its cyber efforts on preventing and discouraging malign cyber behavior in the Middle East by upholding five rules for countering adversarial cyber activity. Where possible, the administration’s objectives should be to employ, deploy, and engage in cyber best practices, create normative impact, and leverage software solutions to target common attack vectors like phishing.

The need for norms and cooperation agreements

Because the U.S. can only do so much on its own and has other more urgent priorities, it must reduce the risk of conflict and rely on partners in the region by improving their collective capabilities through supporting cyber norms in conjunction with strong cooperation agreements. Having taken the important first step of announcing its support for cyber norms, the Biden administration has indicated cybersecurity is an area of concern. While adopting norms is certainly helpful, the U.S. should go a step further and complement norms with better cooperation agreements in the Middle East as part of a broader multilateral approach. This process could be facilitated either via a formal U.N. process, or through a more informal, collaborative approach. The 2015 U.S.-China Cyber Agreement that saw the countries set limits and requirements on the use of espionage for intellectual and commercial gain could serve as a potential model for such an approach. Developing robust, well-functioning cyber norms is easier said than done, however, and getting them to take hold will take time, especially internationally.

Several obstacles will stand in the Biden administration’s way as it looks to implement cyber cooperation agreements. First, under President Donald Trump, American military commanders in the field were granted an unprecedented level of operating leeway, including in the cyber sphere. As a course correction, the new administration will need to think hard about recalibrating and building stability. Along with plenty of challenges, the current time of transition affords the U.S. a unique opportunity to take stock of its tool kit of cyber capabilities and determine where and when it is appropriate to restrain or deploy them. The U.S. should be more explicit about the motivations underlying its cyber activities through documents like Department of Defense strategy reports, and learn the lesson that just because it has a certain capability does not mean it needs to use it. Recalibration and greater policy clarity regarding strategies like “defend forward” and “persistent engagement” will be most successful if employed through a whole-of-government approach.

Israel, the region’s most significant cyber actor, could be another stumbling block to expanded cyber cooperation. It may prove difficult to convince Israel to enter an agreement formalizing cyber norms as it generally avoids willfully tying its hands. It also has a high threshold for what constitutes a violation of sovereignty and views most of its actions as already acceptable under international law as it applies to cyberspace.

Regional cooperation and the Abraham Accords

While the Biden administration has been busy attempting to reverse the effects of Trump’s foreign policy more broadly, Axios reports that one development from the Trump era Biden seeks to preserve is the Abraham Accord diplomatic openings. The relationships between Israel and several Arab states that are now coming into the open are being driven by factors including a conception of shared interest, reduced feeling on the part of some Arab leaders for the Palestinian cause, and the desire to form an alliance to confront a rising Iran and its proxies, missiles, and nuclear program. As these relationships continue to deepen and expand, a substantial opportunity for intelligence and cyber cooperation exists for Israel and its newfound Arab partners.

An important decision on Biden’s desk will be what to make of the makeshift Arab-Israeli regional defense coalition meant to counter Iran that he inherited from his predecessor –– one with a series of issues preventing the creation of a formal alliance. Despite Biden’s apparent support for maintaining the Abraham Accord normalization agreements, there are significant obstacles standing in the way of a more ambitious Middle Eastern collective security architecture. The idea of a Middle East Strategic Alliance (MESA) ran into several geopolitical roadblocks in the form of Arab states’ conflicting interests in Yemen and increasing polarization in the Sunni world. Beyond an unfavorable geopolitical landscape, implementation issues and bureaucratic problems further inhibited its creation. A regional security alliance would also struggle to navigate the gray lines of cyber conflict and reaching decisions on collective responses, given the tenacious difficulty of attribution and associated entanglement of sensitive, intelligence-based sources and methods. While MESA may not be viable for the time being, Biden should capitalize on the Abraham Accords as an opportunity to support greater regional cooperation. He could push for integrated ballistic missile defense and collective cyber defense against Iran in the region to strengthen alliances and demonstrate U.S. commitment.

Human rights and cyber capabilities

After four years of the Trump administration largely turning a blind eye to human rights abuses by Middle Eastern allies, the new administration seems set to reemphasize human rights, and one important question will be what the U.S. should do about states using and selling their cyber capabilities to carry out human rights abuses and surveillance. Since the Arab Spring a decade ago, authoritarian governments in the region have been keen on using offensive cyber tools to keep a close eye on their populations. These technologies that have proliferated in the region over the past decade are known as dual use, because while governments use them for their intended purpose –– security –– they are also highly susceptible to abuse. Evolving policy to regulate these destabilizing, potentially repressive cyber capabilities will be difficult, as the U.S. wants its regional partners to possess the technology to compete and defend themselves in the cyber sphere while also respecting civilians’ civil liberties. Progressives will undoubtedly pressure President Biden to turn the heat up on allies like Israel, the UAE, and, in particular, Saudi Arabia that have either used or sold technology to the detriment of human rights. While these relationships will experience friction under the new administration, they will almost certainly remain intact as the U.S. views these partners as critical to long-term regional stability. One potential policy approach would be for the U.S. to push for stricter oversight on an international level of dual use technologies.

By following the guidance offered here the Biden administration will avoid wasting its time trying to form a regional security alliance modeled after NATO and put itself in a strong position to prevent dangerous cyber behavior, facilitate the creation of cyber norms bolstered by greater inter-state cooperation, and take a significant step towards increasing accountability for regional allies who misuse their cyber capabilities. These policy prescriptions are pragmatic and do not require an inordinate amount of time or resources to implement. Most of all, they are strategies that acknowledge cyber’s increasingly important role in the Middle East and its implications for U.S. interests without overshadowing or deprioritizing other regional challenges.

Christopher Bass is research assistant with MEI’s Cyber Program and a junior at Georgetown University's School of Foreign Service. Michael Sexton is a Fellow and Director of the Cybersecurity Initiative at MEI. The views expressed in this piece are their own.

Photo by Christopher Pike/Bloomberg via Getty Images