How do states “save face” following a cyber intrusion directed at them? A new article identifies how Gulf states employ diverse rhetorical strategies—beyond attribution—to narrate cyber intrusions and keep cyber conflict contained.
In July 2017, nearly two months after Qatar had suffered a public cyber intrusion, the Qatari Ministry of Interior (MOI) revealed evidence concerning the intrusion. Rather than only providing technical details about the intrusion, the MOI broadcasted a dramatic video with intense music, thrilling graphics, and a spy-style vibe to reveal the intrusion step-by-step. In addition to delegitimizing cyber intrusions as acts of terrorism, the video emphasizes the Qatari remarkable success in containing the intrusion and detecting its source despite the intrusion’s sophistication.
This Qatari press conference was not unique. When cyber intrusions become public, states do not only engage in technical strategies to deal with the intrusion and identify the initiator, but also manage their public relations – they publish messages, hold press conferences, brief reporters, and rhetorically try to manage the crisis.
However, these performative and symbolic strategies are often left unnoticed in existing research on cyber discourse. Of course, many studies zoom in on the strategy of attribution, but as we see, much more is going on following a public cyber intrusion.
In this article, we explore the rhetorical strategies used by governments in the Gulf in response to a public cyber intrusion they suffered. We do so via an original discourse analysis of official statements and state-sponsored media reports in five cyber intrusions that differ in their targets and methods: Saudi Arabia’s response to cyber intrusion against its oil company Aramco (“Shamoon” 2012), Saudi Arabia’s response to a “hack-and-leak” intrusion (2015), Saudi Arabia’s response to intrusions using “Shamoon 2.0” malware (2017), Qatar’s response to a “hack-and-fake” intrusion (2017), and Bahrain’s response to multiple hacking operations (2019).
Responding to Public Cyber Intrusions
When a cyber intrusion becomes public knowledge, targeted states must find ways to address and explain the resulting social costs. The need to “save face” in these situations arises from the undesirable implications for the identity and image of the state in front of both domestic and international audiences. We suggest that states employ rhetorical strategies to “save face” – to protect their public image in front of domestic, regional, or international audiences.
To better understand these strategies, we propose a typology of “face-saving” strategies that can be categorized into three broad groups: diminishing strategies, self-complimenting strategies, and accusing strategies.
Diminishing strategies involve minimizing the effect of the intrusion, normalizing it, or debunking false information. Minimizing means that states try to reduce the magnitude of the intrusion. Normalizing means that states frame the intrusion as a common occurrence in global politics, highlighting that other countries also experience cyber intrusions. Debunking means that states try to dispute the authenticity of leaked information and provide evidence to counter false claims. These strategies serve to diminish the impact and prevent further dissemination of damaging information.
Self-complimenting strategies are used to enhance the positive perception of the targeted state. States employ bolstering rhetoric to emphasize their successes, international connections, and positive values. Reasserting control is a rhetorical move that showcases measures taken to ensure future protection, often involving investigations, new cyber institutions, and regulations. Correcting is a rhetoric that aims to replace leaked or fabricated information with a more positive narrative by providing an alternative and beneficial account.
Accusing strategies involve exposing the intrusion, condemning the perpetrators, and attributing the attack to specific actors. By adopting these strategies, states shift blame and position themselves as victims.
When thinking about the public response of states to public cyber intrusions, existing literature primarily discusses the risks of retaliation or escalation as well as attribution. However, as this article shows, states engage in multiple “face-saving” strategies to manage their image and legitimize their restraint. Attribution is only one rhetorical option out of many.
The results of our systematic discourse analysis suggest that different contextual factors shape the specific strategies used. In cyber intrusions that involve leaking or faking information involve, unique strategies of debunking or correcting were used.
Regarding attribution, the cases involving Saudi Arabia – a regional power – did not include public attribution. In contrast, Bahrain and Qatar – smaller powers – did attribute the intrusions but did so only after such attribution was made by American media. These suggestive contextual factors might be used in future research on the rhetoric of cyber responses in other areas.
Understanding these face-saving strategies is crucial for two reasons. First, it provides insights into the restraint and limited nature of cyber conflicts. Existing research focuses on operational aspects and restraint shown by targeted states, but the public narrative and strategic narration of these events are often overlooked. By adopting face-saving strategies, targeted states aim to reduce pressure to retaliate or escalate and justify why such actions are unnecessary. Second, this study contributes to constructivist scholarship by expanding the repertoire of strategies used by states to cope with embarrassment. By focusing on the Gulf countries, we highlight the agency of states in the Global South to interpret cyber intrusions in front of different audiences.
Yehonatan Abramson and Gil Baram are the authors of “Saving Face in the Cyberspace: Responses to Public Cyber Intrusions in the Gulf” in Contemporary Security Policy, which is available here.