Tim Maurer is the co-director of the Cyber Policy Initiative and a fellow at the Carnegie Endowment for International Peace. Since 2010, his work has been focused on cybersecurity, human rights in the digital age, and Internet governance, currently with a specific focus on cybersecurity and financial stability. Maurer is a member of several U.S. track 1.5 cyber dialogues and the research advisory group of the Global Commission on the Stability of Cyberspace. Previously, he was part of the Freedom Online Coalition’s working group “An Internet Free and Secure” and the Research Advisory Network of the Global Commission on Internet Governance. Recently, Maurer published Cyber Mercenaries: The State, Hackers, and Power. It’s to discuss his new book, and particularly the importance of cyber warfare in the Middle East, that Diwan interviewed Maurer in early February.

Michael Young: You’ve just published Cyber Mercenaries: The State, Hackers, and Power. What does the book argue?

Tim Maurer: The book explores the secretive relationships between states and hackers. As cyberspace has emerged as the new frontier for geopolitics, states have become entrepreneurial in their sponsorship, deployment, and exploitation of hackers as proxies to project power. Such modern-day mercenaries and privateers can cause significant harm, undermining global security, stability, and human rights.

MY: In your introduction you write that studying cyberspace can tell us a great deal about our changing world, writ large. What did you mean, and what does cyberspace tell us about our changing world?

TM: Looking at how states behave in cyberspace tells us how states view the changing world more broadly. For example, China and Russia use the concept of “information security,” in contrast to the United States which focuses on “cybersecurity.” The difference is that “information security” is defined by Moscow and Beijing to include content and information as potential threats. They therefore use various tools to control information online. That is a telling illustration of how important regime stability has become for these countries, whereas in many other countries that focus on “cybersecurity,” they emphasize the technical aspect of securing critical infrastructure.

The other side of the coin is that Russia, in particular, has also been experimenting with how it can use the technology for influence operations. The interference in the 2016 U.S. elections is the best example to date. The fact that Moscow dared to challenge Washington in this way also reveals that the international system and the role of Russia and the United States in it are changing.

MY: How has cyber warfare developed in the Middle East in the recent past, and what spurred its development?

TM: The Middle East has been in many ways a test lab for some of the world’s most powerful cyber weapons to date. The Stuxnet malware that targeted the Iranian nuclear facility at Natanz illustrated how powerful these new tools can be and that they can even affect some of the most sensitive systems in international security. A few years later, Saudi Aramco, one of the world’s largest oil companies, was hit with malware, destroying thousands of its hard drives that, while not disrupting oil production, certainly disrupted its business operations. Paired with activities by “hacktivist” groups such as the Syrian Electronic Army and others, as well as espionage campaigns targeting not only governments and companies but also dissident groups and nongovernmental organizations, hacking has become a new layer in the already multifaceted political fabric of the Middle East.

MY: Cyber warfare is regarded as an asymmetrical weapon, allowing states with relatively limited capacities to challenge far more powerful countries. Can this reality continue indefinitely, or are we likely to gradually see countries that have significant military capacities also assert their absolute superiority in cyber warfare, simply because they have more resources to invest in such a domain?

TM: It is difficult to predict what an equilibrium in cyberspace might look like in the future, primarily because cyberspace itself does not remain constant but is changing continuously as the technology evolves.

For example, in addition to 2 billion people gaining access to the Internet in the next few years, the Internet of Things will connect several billion additional devices to the Internet, as well. Combine this exponential growth of the network with potentially game-changing technological innovations that are on the horizon, such as quantum computing, and it is already hard to predict what this environment will look like in five, let alone ten, years.

We do know that over 30 countries are pursuing offensive cyber capabilities to date. We also know that governments are big bureaucracies that usually take a long time to innovate, adapt, and integrate new technologies. Which countries will emerge with an edge remains uncertain. Bigger countries certainly have the advantage to be able to use big data to feed the development of artificial intelligence, for example, which smaller countries will lack. States with significant military and intelligence capabilities will also be able to identify the source of malicious activity much better, combining technical and human intelligence. On the other hand, their resources are limited and the evolution in the past decade also illustrates that less powerful countries, such as Iran and North Korea, have been able to successfully leverage the new technology to their advantage.

MY: How has cyber warfare played out in the case of the Syrian conflict?

TM: At the beginning of the Syrian conflict, hacktivists groups, namely the Syrian Electronic Army, used to make news regularly. For example, in 2013 they claimed credit for hacking the Twitter account of the Associated Press and then tweeted that there had been an attack on the White House, causing the stock market to drop by several hundred points temporarily. There were also numerous reports about Syrian citizens’ phones and other devices getting hacked and the data being used to crack down on dissidents. However, as the conflict descended into all-out war and the country become engulfed in violence, these reports became fewer and the Syrian Electronic Army became less active.

MY: Iran has engaged substantially in cyber warfare. How successful has it been and how vulnerable is it to cyber warfare from its adversaries, such as Israel and the United States, particularly after the Stuxnet experience?

TM: Many cybersecurity experts were surprised by how fast Iran was able to develop and use offensive cyber capabilities. After Stuxnet became known to the public in 2010, few doubted that Tehran would eventually be able to develop offensive cyber tools, but most were surprised that only two years later Iranian hackers were able to launch a Distributed Denial of Service attack large enough to alarm some of the world’s largest financial institutions. In another incident, Iranian hackers also showed the intent to potentially harm critical infrastructure in the United States, when they tried to gain access to the computer systems of a water dam. With that said, Iran faces the same challenges as any other country in protecting against such threats. Identifying and patching vulnerabilities requires significant resources and it’s always a struggle to find and secure the weakest link. That’s why some scholars have called the current cybersecurity environment a regime of “mutually assured vulnerability.”

MY: Where do you see the region moving in the next decade on cyber warfare?

TM: It’s important to bear in mind how fast this field has been evolving. It was only eight years ago that Stuxnet became publicly known. At the same time, some half a dozen countries were considered cyber powers. Today, over 30 countries are aiming to become one. The Middle East is therefore likely to see more actors acquiring offensive cyber capabilities and using them to spy, disrupt, and destroy, in times of peace, in times of war, and the gray zone in between.