Qatar Crisis: Lessons to Learn in The Age of Cyber Attacks

A Saudi woman and a boy walking past the Qatar Airways branch in the Saudi capital Riyadh, after it had suspended all flights to Saudi Arabia following a severing of relations between major gulf states and gas-rich Qatar, June 5. Fayez Nureldine/AFP/Getty

Intrigues, espionage, and manipulation of information are not new in international affairs and, to the extent to which it revolves around the circulation of disinformation, neither is the Qatar crisis. What differentiates the ongoing crisis in Qatar from conventional international crises, however, is the means—the deployment of cyber attacks—and the risk of escalation posed by this new brand of warfare.

According to reports, the worst rift between Qatar and its closest allies for many years was precipitated by a series of cyber attacks that have since been attributed to the United Arab Emirates. The attacks targeted the Qatar News Agency (QNA) Network, Qatar's state-owned media outlet. After apparently gaining access to the network in April this year, the hackers placed a fictitious report of the Emir of Qatar airing tensions with the U.S. president and praising Iran and the Palestinian militant group Hamas.

As a tool to alienate the U.S. and Qatar's Arab neighbours, the fabrication couldn't have been better. On June 5, Saudi Arabia, Bahrain, the UAE and Egypt announced they were severing ties with Qatar, citing concerns that the state was engaged in the funding and support of terrorism.

The attacks against QNA are only the latest of a series of state-sponsored/run cyber attacks that have grown exponentially in the past 12 months. They range from the Russian cyber-attack against a Ukrainian power plant, the Chinese and Russian infiltrations of U.S. Federal Offices, to the Shamoon/Greenbag cyber-attacks on government infrastructures in Saudi Arabia. Qatar Radio and Iran's Al-Aram news networks also appear to have been caught up in the latest dispute, with claims this week that they have also been hacked.

Non-kinetic cyber-attacks—aggressive attacks that do not cause destruction or casualties, like distributed denial of service attacks (DDoS) run against website and online services—appeal as a political tool as they cost little in terms of resources and risks to the attackers, while having high chances of being successful.

Uncertainty of attribution favouring plausible deniability, the ambiguity with which existing international laws apply to cyberspace, the low entry-cost of attacks, and the inherent vulnerable nature of information systems underpin states' tendency to resort to cyber-attacks more than to other aggressive means.

This tendency will continue. And it will pose increasing threats to international stability. Three factors—technological, economical, and political—support this view. The ever more likely AI leap of cyber capabilities—the use of AI and Machine Learning techniques for cyber offense and defense—indicates that cyber-attacks will escalate in frequency, impact, and sophistication, ultimately posing significant risks of escalation of disputes and conflicts in different parts of the world.

Technological progress goes hand-in-hand with an ever-expanding market of tools and skills, which makes available sophisticated cyber weapons (e.g. malware and indication of bugs in targeted systems, i.e. zero-day exploit) and powerful cyber capabilities to any actor (state or non-state) who may be able to afford them. This market poses serious risks to international stability, as it fosters the weaponization of cyberspace, and is likely to prompt a cyber arms race in which state actors will compete with other state and non-state actors.

Technological and economic factors indicate that cyberspace is quickly becoming a new domain for international relations. As such, it is a new arena in which states are keen to assert their authority, show their power, and prove their capabilities. This invites friction and tension that may easily escalate and jeopardize international stability and the security of our societies.

These risks are not inevitable. They can be contained by a regime of international norms delineating permissible and non-permissible state actions in cyberspace, proportionate responses to cyber-attacks, and guiding state's responses when attribution remains dubious. Notoriously, U.N. attempts to establish such a regime, through the U.N. Group of Governmental Experts, tasked with creating a "common understand" of state behavior in cyber-space, failed just a few weeks ago.

The Qatar crisis must recall the attention of political actors and civil societies of the urgent need to resume and finalize U.N. efforts to regulate state use of cyber-attacks. Without this regime, cyber-attacks will contribute to fuelling a cyber arms race, posing serious risks of conflict escalation, putting cyber stability under pressure, and making international stability a chimera. This is a key lesson that we should learn from the Qatar crisis. We better get it now. Before the intrigue turns into a conflict and we have to learn the lesson the hard way: facing violence, kinetic conflicts, and, ultimately, casualties.

Mariarosaria Taddeo is a researcher at the Digital Ethics Lab for the Oxford Internet Institute at the University of Oxford.