Reports this month that the United Arab Emirates orchestrated the hacking of a Qatari news agency, helping to incite a crisis in the Middle East, are as unsurprising as they are unwelcome. For years, countries — in particular Russia — have used cyberattacks and the dissemination of disinformation through social media and news outlets to provoke protests, sway elections and undermine trust in institutions. It was only a matter of time before smaller states tried their hand at these tactics.
With few accepted rules of behavior in cyberspace, countries as big as China or as small as Bahrain can be expected to use these kinds of attacks. And they may eventually spill over into real-world military conflicts.
The hacking attacks in the Gulf seem to follow a typical pattern of going after the media and the email accounts of prominent individuals. According to American intelligence officials, in late May, hackers supported by the United Arab Emirates infiltrated Qatari government news and social media sites. The attackers planted quotations falsely attributed to Sheikh Tamim bin Hamad al-Thani, Qatar’s leader, praising Iran, Hamas and Israel.
It’s unclear if the Emirates undertook the hacking or hired freelancers to do the dirty work. (Emirati officials have denied playing any role.) But either way, the objective was achieved. The Emirati government, along with Saudi Arabia, Bahrain and Egypt, used the planted quotations as a pretext to ban Qatari news outlets and to break off diplomatic and trade relations with Qatar. The countries presented Qatar with a list of 13 demands for resolving the crisis, including cutting ties with Iran, closing a Turkish military base in Qatar and closing the Qatari-financed network Al Jazeera. Qatari officials called the demands an infringement on their country’s sovereignty. Tensions continue as American and Turkish officials try to mediate a resolution.
The hacking and disinformation attack on Qatar is not unprecedented. In August 2012, for example, the Indian government accused Pakistani hackers of trying to provoke communal violence. One part of the cyberassault involved posting pictures on websites of corpses described as people killed by Muslims in India’s northeast. (In fact, they were manipulated photos of casualties from an earthquake in Tibet.) The hackers also sent text messages warning that an attack on students and workers from northeastern India living in Mumbai and Bangalore was imminent. Thousands of migrants began a panicked flight back to their homes.
More recently, in June, hackers believed to be tied to the Vietnamese government stole and released transcripts of the talks between President Rodrigo Duterte of the Philippines and President Trump, and between Mr. Duterte and President Xi Jinping of China. The timing of the leak suggests that Vietnam, which along with several other Southeast Asian countries is involved in disputes with Beijing in the South China Sea, hoped to pressure Mr. Duterte and sabotage the Philippines’ relations with China.
There is little to stop other countries from trying similar influence operations. These tactics are cheap, and they are easily deniable. None of the victims — including the United States and its European allies — have come up with a way to impose significant consequences on the attackers. For example, the Obama administration expelled Russian diplomats, seized diplomatic compounds and imposed sanctions in retaliation for the Russian hacking of the Democratic National Committee in 2016. Still, American officials say they expect to see Russian hackers return for the 2018 elections.
In addition, efforts to define international rules of cyberconflict lag far behind the use of attacks. In two previous meetings, a group of government experts convened by the United Nations decided that the United Nations Charter applies in cyberspace and that cyberattacks on critical infrastructure and computer emergency response teams should be off limits during peacetime. But the most recent round of negotiations on the topic ended with participants unable to agree whether international law applied to cyberspace.
It’s only a matter of time before a state’s response to a cyberattack escalates into full-blown military conflict. Cyberattacks that embarrass or threaten the legitimacy of weak leaders, for example, could cause them to overreact — or, worse, to unleash a war to create a diversion.
Big and small countries alike should want to make sure that hacking attacks do not lead to war. But there is little hope that competing states will ever be able to agree on how to define, much less limit, information operations.
For now, the onus is on individual states to identify vulnerable targets, better defend them, and, if and when an attack succeeds, counter the spread of lies and disinformation. Countries should also work with like-minded partners to detail what types of interference will provoke what types of reactions, from sanctions to retaliatory cyberattacks. As the latest crisis in the Gulf shows, small states are learning from the big ones how to exploit cyberattacks to create political disruption. As a result, we all are much less secure in cyberspace — and in the real world, too.