The role of cybersecurity in the future of geopolitics in the Middle East and the surrounding regions will have much to do with individual state and enterprise preparedness. With cyber threats a growing source of interstate tension, governments must take measures to increase national cyber preparedness that are tailored to their vulnerabilities and cyber ecosystems.
Israel and Estonia are examples of states that prove this rule. Despite their relatively small size, both have demonstrated an exceptional capacity to deter or defend against cyber aggression from their much larger, more aggressive neighbors — Iran and Russia, respectively. Iran has engaged in offensive cyber operations in Saudi Arabia, Israel, and Bahrain, while Russia has done the same in Ukraine, Georgia, Estonia, and Kyrgyzstan. While many of the victims of these cyber attacks have been overwhelmed by the massive force Iran and Russia can deploy, Estonia and Israel stand out for their strong cyber defenses and resilience in the face of aggression. Each provides insights that are applicable to small and medium-sized states elsewhere, including Eastern Europe, Central Asia, and the Middle East, suggesting ways in which they can protect themselves against cyber attacks and asymmetric warfare more broadly.
Since its founding, Israel has faced a variety of threats. While the specter of war may not be as pronounced today as it was in its early years, the asymmetric threat from militants and Iran remains substantial. As warfare has evolved into the 21st century, so too has the Israel Defense Forces (IDF), and its Unit 8200, focused on signals intelligence and cyber operations, has become the most sophisticated cyber force in the Middle East, on par with the U.S. National Security Agency (NSA). It became well known following the discovery of the Stuxnet virus, designed in cooperation with the NSA, which interfered with the operation of Iranian nuclear centrifuges.
Unit 8200, like the rest of the IDF, recruits officers straight from high school, and this has profound implications for building a robust cybersecurity workforce. In effect, it constitutes a massive cyber talent pipeline, and its young, skilled, and well-connected alumni have been key to Israel’s burgeoning tech sector. Its high turnover rate — 90% of Unit 8200’s workforce serves for less than five years — is actually a boon for cybersecurity. Historically, cyber attacks on private sector targets often have the greatest impact, and overreliance on the government for protection is unrealistic. With a thriving private cybersecurity industry, driven in large part by Unit 8200 alumni, Israel maintains an enviable regional cybersecurity posture.
Israel’s case does come with a cautionary note, though. Its tech sector has gained business around the world, establishing relationships with countries that are not natural or historical allies. Much of this, however, has come from the sale of hacking and surveillance tools by firms like NSO Group, which has faced harsh criticism after its tools were uncovered on the phones of journalists, activists, and politicians. The firm is currently embroiled in a legal battle for allegedly breaching Facebook’s WhatsApp. While cyber exports can be a boon for diplomacy and the economy, there are ethical and practical reasons to set regulations on the sale of dual-use technologies to guard against proliferation.
Despite the current scrutiny of firms like NSO Group, Israel remains a formidable example for smaller countries, and highlights the lesson that conscription or mandatory national service that includes a cyber defense component can be an effective way of developing a skilled cybersecurity workforce.
In 2007, after Estonia announced it would relocate a Soviet memorial from the capital of Tallinn, it was hit by a barrage of denial of service cyber attacks against its government, banks, and media. The attacks, quickly attributed to Russia, helped catalyze a surge in cybersecurity expertise in an already tech-savvy country, and Estonia now punches well above its weight in terms of its cybersecurity talent and scholarship on cyber defense.
The 2007 cyber attacks against Estonia, a NATO member, prompted new questions about what principles like sovereignty and warfare mean in cyberspace. If they constituted a military attack, that would trigger collective defense under NATO’s Article 5. At that time, however, there was no consensus on what constitutes sovereignty in cyberspace, and there is still none today.
After 2007, NATO established a cyber defense center in Tallinn, which produced the groundbreaking Tallinn Manual, outlining how international legal norms like sovereignty should apply to cyberspace. The alliance, together with the clear definition of what NATO would consider a cyber attack that triggers Article 5, has, perhaps more so than anywhere else, established cyber deterrence in Estonia.
As Estonia makes clear, defense pacts and clearly defined terms are key to maintaining cyber security — a lesson that is very much applicable to states in Eastern Europe, Central Asia, and the Middle East. Ukraine and Georgia, which have both experienced serious cyber aggression from Russia, could seek to join or establish alliances with well-defined red lines to trigger collective defense.
There are caveats, however. Unlike Estonia, Ukraine and Georgia are not NATO members and cannot easily recreate its deterrent power. Other existing alliances, like the Gulf Cooperation Council, could serve as starting points for similar security arrangements. In Eastern Europe, eastward expansion of NATO or the EU could be a way of establishing better cyber defense and deterrence — as could additional foreign assistance, like that included in the Georgia Support Act in Congress.
Another obstacle to recreating Estonia’s success is the fact that cyber attacks do not always take place in isolation. In Georgia and Ukraine, they have historically occurred in tandem with other forms of armed and asymmetric conflict. In such cases, it may not be easy to mobilize the resources to grow a cyber security talent base and establish international pacts on legal norms.
Nevertheless, Estonia presents three prescriptions for effective national cyber security: credible defense alliances, clear definitions, and the mobilization of talent toward the sector.
Despite their small size, Israel and Estonia provide two salient examples of how vulnerable states in Eastern Europe, Central Asia, and the Middle East can defend against cyber aggression. Notably, the strategies that have made them effective do not exclusively have implications for cyber defense. Israel’s conscription is often held up as a social equalizer and driver for broad economic innovation. NATO is older than cyberspace and establishes security and deterrence in physical conflict as well — but the cyber domain will almost certainly be a major theater of war in the future.
The United States can play a role in supporting these countries’ cyber defense. NATO’s support following the 2007 cyber attacks on Estonia was pivotal to improving its cyber security posture. Similar leadership and messaging following cyber aggression against countries like Ukraine, Georgia, and Saudi Arabia could have a deterrent effect on Iran and Russia.
As they seek to secure themselves in cyberspace against norm-defying foes, small and medium-sized countries would do well to study the successes of Israel, Estonia, and other such cases. National service requirements, formidable security alliances, and clearly defined red lines currently stand out as some of the most impactful strategies to establish national cyber security. A country’s cyber vulnerabilities are only as grave as its individual preparedness — and states throughout the regions most directly impacted by Iranian and Russian cyber threats would do well to think big on cybersecurity, whatever their size.
Michael Sexton is a Fellow and the Director of MEI's Cyber Program. Eliza Campbell is the Associate Director of MEI's Cyber Program. The views expressed in this article are their own.