https://orcid.org/0000-0001-6410-1212
ABSTRACT
How do states “save face” following a cyber intrusion directed at them? Recent scholarship demonstrates that the covert nature of cyber intrusions allows states to respond with restraint, avoiding escalation. But what happens when cyber intrusions become public and are highly visible? This article examines the rhetorical strategies employed by authoritarian Gulf states to mitigate the image-related costs associated with a public cyber intrusion. Drawing on the conceptual language of image-repair and crisis communication theories and employing discourse analysis of original data in Arabic, we identify three types of face-saving strategies: diminishing, self-complimenting, and accusing. Our findings indicate that intrusions involving leaking or faking information bring about unique “face-saving” strategies that do not only deal with the intrusion itself but also with the subsequent information crisis. Overall, the article identifies how states employ diverse rhetorical strategies—beyond attribution—to narrate cyber intrusions and keep cyber conflict contained.
In July 2017, nearly two months after Qatar had suffered a cyber intrusion, the Qatari Ministry of Interior (MOI) held a press conference to reveal evidence concerning the intrusion. Rather than only providing technical details, the MOI broadcasted a dramatic video with intense music, thrilling graphics, and a spy-style vibe to reveal the intrusion step-by-step (Qatar MOI, 2017). In addition to delegitimizing cyber intrusions as acts of terrorism, the video emphasized the Qatari remarkable success in containing the intrusion and detecting its source despite the intrusion’s sophistication.
The Qatari press conference is not unique. When cyber intrusions become public knowledge, states do not only engage in technical strategies to block the intrusion and identify the initiator, but also manage their public relations—they publish messages, hold press conferences, brief reporters, and rhetorically try to manage this crisis. These performative, social, and symbolic strategies are often left unnoticed in existing research on cyber discourse. While extant studies examine different elements in the discursive construction of cyberspace, threats, and responses (e.g., Branch, Citation2019; Dunn Cavelty, Citation2008, Citation2013; Hansen & Nissenbaum, Citation2009; Jarvis et al., Citation2017), we know less about the narration of cyber intrusions after they had happened. Of course, many studies zoom-in on the discourse of attribution or credit-claiming by the initiators (e.g., Brown & Fazal, Citation2021; Egloff, Citation2020a, Citation2020b; Lupovici, Citation2016a; Poznansky & Perkoski, Citation2018), but as this article demonstrates, there is much more going on discursively following cyber intrusions.
This article explores the rhetorical strategies used by governments in response to a public cyber intrusion they suffered. In addition to obscuring the extent of the damage inflicted, protecting intelligence sources or technical capabilities, and identifying the initiator, we suggest that states employ rhetorical strategies to “save face”—to protect their public image in front of domestic, regional, or international audiences. Drawing on two scholarly traditions—the sociology of accounts and apologies (Benoit, Citation2014; Schlenker, Citation1980; Scott & Lyman, Citation1968) and self-presentation theories (Goffman, Citation1959)—the article maps and categorizes the rhetorical strategies used by Gulf countries to narrate the public cyber intrusion and manage their public impression. We do so via an original discourse analysis of official statements and state-sponsored media reports in five cyber intrusions that differ in their targets and methods: Saudi Arabia’s response to cyber intrusion against its oil company Aramco (“Shamoon,” August 2012), Saudi Arabia’s response to a “hack-and-leak” intrusion (May-June 2015), Saudi Arabia’s response to intrusions using “Shamoon 2.0” malware (November 2016-January 2017), Qatar’s response to a “hack-and-fake” intrusion (May 2017), and Bahrain’s response to multiple hacking operations (July-August 2019).Footnote1
Examining the strategies used by these states to “save face” is important for two reasons. Empirically, these strategies are a crucial stepping-stone to understanding the restraint and the limited nature of cyber conflicts. Existing International Relations (IR) scholarship focuses on the operational aspects of offensive cyber operations (OCOs), showing that targeted states practice restraint in their response to cyber intrusions, and that escalation is not a common practice (Fischerkeller et al., Citation2022, pp. 130–141; Gartzke, Citation2013; Jacobsen, Citation2021; Kaminska, Citation2021; Lindsay, Citation2013; Valeriano & Maness, Citation2015).Footnote2 However, we have little knowledge of how that restraint is legitimized, justified, and buttressed publicly. As Steele (Citation2019) argues, in addition to systemic considerations, normative commitments, or institutional constraints, restraint needs to be strategically narrated. When cyber intrusions go public—such as in the cases below—targeted states employ “face-saving” strategies to contain the crisis and avoid escalation. In light of research that emphasizes the importance of public attitudes toward retaliation against cyber intrusions (Hedgecock & Sukin, Citation2023; Kreps & Schneider, Citation2019), the rhetorical strategies described below can be used to reduce pressure to retaliate as well as to justify why retaliation is not necessary. In the broader discussion about the possibilities for de-securitizing cyber intrusions, the content of the rhetoric described below can be seen as an attempt to “lower the cyber rhetoric and hyperbole” or “tone down” its existential dimensions (Burton & Lain, Citation2020, pp. 462–463).
Theoretically, our findings broaden constructivist scholarship on the repertoire of strategies used by states to cope with image-related damage. Existing works on stigma, shaming, and wrongdoing examine how states respond to accusations regarding their normative transgressions, and how they deal with the harm to their image and identity—employing strategies of avoidance, rejection, acceptance, or containment (Adler-Nissen, Citation2014; Haugevik & Neumann, Citation2021; Subotic & Zarakol, Citation2013). In contrast, this article analyzes a different type of image-related harm, caused by being vulnerable. Doing so, allows us to uncover additional micro-strategies used by states to manage their images. Thus, the empirical findings from the cyber context can serve as a starting point to explore “face-saving” discourse in other contexts of perceived state failures—inability to deal with an environmental disaster, a health crisis, or even in response to some kinetic attacks. We discuss these possibilities in the concluding section.
The Gulf countries are particularly useful for theory development regarding face-saving rhetoric in the cyber context. These countries are particularly concerned about their domestic and international image and they tie this image to their level of technological development (Hertog & Luciani, Citation2011, p. 248; Shires, Citation2021b, p. 27). Further, focusing on the Gulf countries sheds light on a non-Western cyber conflict context and underscores the agency of states located in the Global South to publicly interpret cyber intrusions in front of domestic, regional, and international audiences.
We begin by situating this study within the intersection of cyber conflict and impression management. Building on existing literature on offensive cyber operations, we suggest that public, visible, and high-profile cyber intrusions might be perceived by domestic and international audiences as embarrassing to the targeted states. To manage this public impression, states adopt “face-saving” strategies intended to mitigate the harm to the state’s image. Following a methodological section detailing our procedure for discourse analysis, the article introduces a typology of “face-saving” strategies drawing partly on the conceptual language of “image-repair” and crisis communication theories (Benoit, Citation2014; Coombs, Citation1998). We find that Gulf countries have a repertoire of strategies—diminishing strategies, self-complimenting strategies, and accusing strategies—used to narrate the intrusion. Specifically, our discourse analysis shows that intrusions that involved faking or leaking information included additional rhetorical strategies than intrusions that involved hacking alone. We conclude our discussion by suggesting how our findings can travel beyond the cyber domain and the Gulf region.
Cyber intrusions and image costs
Our research question—how do states “save face” following a public cyber intrusion that they suffered—rests on the assumption that the publicity of the intrusion entails image-related costs. First, when a cyber intrusion becomes public knowledge (i.e., exposed by the media, the initiators, or third-party actors), it reveals the targeted state’s shortcomings and vulnerabilities. It publicly shows the targeted state’s incompetence to prevent or block an intrusion and its failure to guarantee security for its government offices, critical infrastructure, citizens, or investors. In addition to technical reasons and intelligence concerns (Broeders et al., Citation2019; Riemer, Citation2021), states' inability to block or prevent a cyber intrusion might be experienced (or at least seen by others) as damaging their self-image.Footnote3
The existing literature on cyber conflict already points to these image-related costs faced by targeted states. Rid (Citation2012) suggests that there are incentives for governments and firms to keep cyber intrusion secret “lest they would expose their vulnerabilities and damage their reputation as a place for secure investment” (pp. 28–29). Waxman (Citation2013) claims that targeted states “may be reluctant to disclose details or even the very existence of cyberattacks, whether to protect secrets about their vulnerabilities and defenses, prevent public panic, avoid political embarrassment, or escape unwanted domestic pressure to take retaliatory actions” (p. 119). Libicki (Citation2012) explains that targeted states might say nothing in response to a cyber intrusion because it would require them to “admit that their machines and they, by extension, were conned,” and because “there is no pride involved in being a victim” (p. 45). While in some cases, targeted states prefer to disclose the fact that they have been attacked (for instance, to justify retaliation), existing data show that targeted states often choose not to do so (Baram & Sommer, Citation2019).
Second, some cyber intrusions purposefully seek to embarrass the target by revealing sensitive data, government secrets, intimate details, or even planting “fake news” (Kostyuk & Zhukov, Citation2019, p. 320; Lindsay, Citation2015, pp. 56–57; Nye, Citation2017, p. 48; Sharp, Citation2017; Shuya, Citation2018, p. 11). This intensifies the concern for the state image—not only that the initiator successfully penetrated supposedly protected computer systems, but it also manipulated sensitive information or exposed private information to the public. Leaking sensitive information often reveals a gap between the government’s statements and its practice or reveals governmental wrongdoing that the government was trying to hide. Indeed, Shires (Citation2020) conceptualizes “hack-and-leak” intrusions as a simulation of a scandal aimed to embarrass the target.
Public discourse also reproduces the perception that being attacked in cyberspace damages the state’s image. For instance, successful intrusions into the websites or services of government agencies are described as “embarrassing” or “humiliating” (Ashkenaz, Citation2022; Bob, Citation2022; Kahan, Citation2020; Kalman, Citation2011). Referring to the theft of US government workers’ data from the Office of Personnel Management (OPM), attributed to China, Gen. Michael Hayden, former director of the CIA, reflected on the US image, noting: “This is not ‘shame on China.’ This is ‘shame on us’ for not protecting that kind of information” (Paletta, Citation2015). Following the hack of the British Army social media accounts, a UK parliament member claimed it was “embarrassing” (Clinton, Citation2022). As the literature on emotions and IR argues, these various affective modes—shame, humiliation, or embarrassment—have undesirable implications for states’ sense of Self and how they are seen by significant others (Lupovici, Citation2016b, pp. 66–69; Subotic & Zarakol, Citation2013).Footnote4 Anecdotally, the term “p0wned” is used in hackers’ slang to signal humiliation—being defeated or controlled by someone else.
The understanding that states are concerned about their image and that image-related concerns matter for conflict escalation is not new to IR literature. Several studies indicate that humiliating or embarrassing an opponent might magnify pressures to retaliate due to the psychological features of specific leaders, public demands, or concerns regarding the international image of the state (Carson, Citation2016; Masterson, Citation2022; Wolf, Citation2011; Yarhi-Milo, Citation2018). Another line of research elaborates on the “face work” employed by states to mitigate embarrassment, shame, or guilt. For instance, in response to international accusations regarding normative transgressions, states use strategies such as apologizing, counter-shaming, or containing in order to protect the damage to their image (Adler-Nissen, Citation2014; Haugevik & Neumann, Citation2021; Kampf & Löwenheim, Citation2012; Lind, Citation2011; O. Löwenheim & Heimann, Citation2008; Snyder, Citation2020). A public cyber intrusion brings about an analytically different challenge to the state’s image, similar to the one felt when admitting a failure or an injury.
When a cyber intrusion becomes public knowledge, states need to mitigate these image-related costs by narrating the event. As the broader research agenda linking constructivist IR to cybersecurity highlights, cyber intrusions are not merely technical phenomena but socio-political ones that are inter-subjectively interpreted. For instance, several studies trace how cyber-related discourse (e.g., representations, metaphors, and analogies but also non-textual practices) constitutes cyberspace as a domain, frames particular policy problems and solutions, and forges links between cyber, security, or risks (Branch, Citation2019; Deibert & Rohozinski, Citation2010; Dunn Cavelty, Citation2008, Citation2013; Hansen & Nissenbaum, Citation2009; Jarvis et al., Citation2014). Similarly, attribution, rather than being a purely technical process, is a socially managed one that instills meaning in an uncertain cyber intrusion (Egloff, Citation2020b; Lupovici, Citation2016a). Moreover, cyber intrusions might challenge states’ ability to function as ontological security providers. Such intrusions may challenge the state’s role to serve as a secure space for the nation (Lupovici, Citation2023). Thus, public and visible cyber intrusions require states to craft symbolic and performative strategies to “save face”—to protect or enhance their image, perform as security providers, and avoid the unease associated with the intrusion. In addition to other goals, such as obscuring the extent of the damage inflicted or repairing diplomatic relations with the potential initiator, targeted states need to address, explain, and narrate what happened. The following section discusses these strategies.
Responding to public cyber intrusions
When cyber intrusions remain covert (not publicly known or exposed), they take place “backstage” without much public audience. In such cases, targeted states can choose to remain silent—concealing the fact that they have been attacked, avoiding public embarrassment altogether, and removing the need to employ a rhetorical strategy. For instance, several successful hacking operations by CopyKittens—a cyber espionage group associated with Iran—were never reported in the mainstream Arab media. Despite the successful extraction of a large amount of government and military data in Saudi Arabia and the exposure of the intrusion by private cyber companies, the Saudi government never disclosed that such an intrusion took place.
When cyber intrusions have visible consequences, such as damage to the global oil supply, a massive leak of data, or a kinetic impact, it is harder for states to remain silent. In these moments, states can seize the inherent ambiguity and the lack of details to deny that there was any intrusion. For instance, states can claim that a technical malfunction or an accident happened, thus suggesting that the incident was out of their control. For example, the cyber intrusion that caused a major power outage at the Natanz nuclear facility in April 2021, was first described by Iran as an “accident” (Coulter, Citation2021).
These two strategies—staying silent or denying a cyber intrusion took place—are not always viable. Cyber intrusions sometimes become public knowledge when they are exposed by external actors or by the targeted state itself.Footnote5 In such moments, states need to face domestic, regional, and international audiences and explain why were they targeted, why was the intrusion successful, and what measures have been taken to address the situation. In other words, states engage in “remedial self-presentation” (Schlenker & Darby, Citation1981) to narrate their failure and cast themselves in a less negative light.Footnote6
To identify these rhetorical strategies, we draw on literature focusing on “Image Repair” and Situational Crisis Communication Theory (SCCT) (Benoit, Citation2014; Coombs, Citation1998). These works primarily examine the strategies used by corporations to repair their reputations following a crisis. By releasing official statements, organizing press conferences, conducting interviews, and sending messages to the public, corporate officials engage in rhetorical strategies aimed at framing the crisis in a certain way and protecting the corporation’s reputation in front of multiple audiences. These strategies involve denial (“the event did not happen”), evading responsibility (“the event was accidental”), reducing offensiveness (“the event was not that bad” or “despite the event, we are so good”), mortification (“we apologize for the event”), and corrective action (“we are taking steps to prevent future similar events”) (Benoit, Citation2014, pp. 22–29).
Translating these insights to the cyber realm, we expect the choice of rhetorical strategy to depend on the kind of event. Specifically, intrusions that involve leaking sensitive information or spreading fake rumors might be particularly damaging to the state’s image. Not only that targeted states have to deal with the intrusion itself but they also need to address the scandal regarding the leaked or falsified information (Shires, Citation2020). In these cases, we expect to find intense rhetorical strategies addressing the leaked or falsified information. Drawing on the conceptual language of “image repair” and crisis communication theories, this article employs original discourse analysis to identify the rhetorical strategies used by Gulf states to mitigate the image-related costs caused by a publicly visible cyber intrusion and when they use each. To do so, we use an abductive methodological approach as detailed in the following section.
Methodology
Case-selection
Our analytical approach to studying states’ discursive responses to cyber intrusions follows several steps. The research question, which focuses on governments’ rhetorical responses, led us to focus only on intrusions that targeted government agencies or critical infrastructure within a country. Intrusion that targeted non-state actors, commercial companies, or societal organization were not studied. We further limited the universe of cases to include only cyber intrusions that took place in the Gulf countries for three main reasons. First, in general, cyber interactions tend to be of regional character and the Middle East has been known as one of the most active regions in terms of cyber activity (Valeriano & Maness, Citation2015, p. 129). However, the Gulf countries share unique features that distinguish them from other countries in the region both domestically and in relation to cyber conflict (Shires, Citation2018, p. 34). The exclusion of other countries in the region is also useful to limit the comparison to relatively similar political systems and patterns of civil-society relations.
Second, the Gulf countries are particularly useful for theory development regarding “saving face” strategies. These countries have been known to be particularly occupied with their domestic and international image. Their political economic strategy is significantly based on projecting a strong, innovative, and technologically modern image abroad (Cooke, Citation2014; Gray, Citation2016; Kamrava, Citation2013). In addition, their neo-patrimonial and authoritarian character means that domestic political rule is based on fostering an image of strong leadership, maintaining a high degree of control over information, and silencing criticism in order to sustain regime legitimacy (Dukalskis, Citation2021; Gray, Citation2011, p. 7; Khatib & Maziad, Citation2019, p. 9).
Third, most of the scholarly and policy debate about cyber conflict has focused on Russia, China, and the United States as well as the challenges posed by North Korea and Iran (Buchanan & Cunningham, Citation2020; Farwell & Rohozinski, Citation2011; Lindsay et al., Citation2015; Shackelford et al., Citation2017). Little attention has been paid to the Arab world compared to other regions (For an exception, see Shires, Citation2021b). Similarly, most works on cyber intrusions rely on English sources. Instead, we analyze original documents in Arabic to study how state elites mediate cyber intrusion to their public.
To identify the relevant cyber intrusions, we built an original dataset of Arabic sources using the general framework of the Dyadic Cyber Incident Dataset (DCID) version 1.1 as a baseline and added data for the years 2010–2019, based on the Council on Foreign Relations Cyber Operations Tracker dataset. We included only intrusions that were verified by two credible and reliable sources (such as cybersecurity companies’ reports as well as media reports such as the New York Times, Washington Post, Wall Street Journal, and more). Overall, our data includes the following five cases:Footnote7
Cyber intrusion on the Saudi oil company Aramco (Shamoon, August 2012): On August 15, 2012, Saudi Arabia's national oil and gas firm—and the world’s largest oil producer—Saudi Aramco, suffered a major cyberattack that infected more than 35,000 computers in the company’s network. The incident was first revealed on Pastebin by a message from a hacking group named “Cutting Sword of Justice” (Weitzenkorn, Citation2012). Later that day, Aramco’s Facebook page posted an English message noting that the company had isolated its systems as a precautionary measure due to a network disruption caused by a virus (Lennon, Citation2012). Despite its vast resources, Saudi Aramco took almost two weeks to recover from the attack and restore the damage (Bronk & Tikk-Ringas, Citation2013). The malware that was used for this attack, called Shamoon and revealed by the Russian-based cybersecurity company Kaspersky, erased data on three-quarters of Aramco’s corporate PCs—documents, spreadsheets, e-mails, files, and more. It was estimated that Iran was the initiator of this attack (Perlroth, Citation2012).
Hack-and-leak intrusion in Saudi Arabia (May-June 2015): On May 20, 2015, as a Saudi-led coalition was conducting airstrikes in Yemen, the “Yemen Cyber Army” announced that they had hacked several Saudi ministries in “Operation Hussein Badreddin Al-Houthi,” named after the deceased leader of the Houthi armed movement in Yemen. The group declared they had gained “full control” of over 3,000 computers and servers belonging to Saudi Arabia’s Foreign, Interior, and Defense Ministries (Fars News Agency, Citation2015). They also released nearly 2,000 internal emails, documents, and information about citizens and personnel of the Saudi MFA (Paganini, Citation2015) In the following weeks, additional documents have been released and the group even threatened to wipe the MFA’s computers automatically. Finally, on June 19th, 2015, WikiLeaks released “The Saudi Cables” partially based on the “Yemen Cyber Army’s” hack (WikiLeaks, Citation2015). It has been estimated that Iran stands behind the “Yemen Cyber Army” (Franceschi-Bicchierai, Citation2015), although others have argued that this group is used as a front for the Russian group Sofacy (Bartholomew & Guerrero-Saade, Citation2016).
Shamoon 2.0 in Saudi Arabia (November 2016-January 2017): At the end of 2016 and the beginning of 2017, Saudi Arabia suffered another major cyberattack, with similar characteristics to the 2012 one. These intrusions were publicly revealed by several US security firms (e.g., CrowdStrike, Palo Alto Networks, and Symantec) (Finkle & Wagstaff, Citation2016). Thousands of computers were damaged at the headquarters of the General Authority of Civil Aviation starting in mid-November, erasing critical data and bringing operations to a halt for several days (Riley et al., Citation2016). Another victim of this attack was the Jubail-based Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and U.S. company Dow Chemical. In this case, too, cybersecurity researchers estimated Iran was the initiator of the attack (Williams, Citation2017).
Hack-and-fake intrusion in Qatar (May-June 2017): On May 24, 2017, the Qatari News Agency's (QNA) website, Twitter, and YouTube accounts published false statements allegedly made by the Emir of Qatar, Sheikh Tamim bin Hamad Al Thani. The false statements—focused on Qatar’s foreign policy—served as a pretext for a broader diplomatic crisis. Despite repeated Qatari statements that the information was fabricated, media outlets in the U.A.E. and Saudi Arabia engaged in a “sustained medial onslaught” against Qatar (Fattah, Citation2017; Ulrichsen, Citation2017). Further, only a few days after the incident, on June 5, Saudi Arabia, Egypt, Bahrain, and the U.A.E. (“The Quartet”) severed diplomatic and economic ties with Qatar, withdrew their nationals, and issued a travel ban on Qatar (Mitchell, Citation2021; Soubrier et al., Citation2021). While IP address data pointed to Russia, additional information and investigation pointed to the UAE as a more likely initiator (Shires, Citation2021a).
Series of cyber intrusions in Bahrain (July-August 2019): In July-August 2019, Bahraini authorities detected and reported that several networks of Bahrain’s government agencies, including the Electricity and Water Authority, the National Security Agency, the Ministry of Interior, and the Office of the First Deputy Prime Minister were hacked. No discernible damage was reported, so the nature of these intrusions was not very visible publicly. The primary repercussion of these intrusions on Bahraini citizens seemed to be that during June, July, and August 2019, electricity and water bills were tremendously higher than usual, leading to many citizens’ complaints. It was estimated that Iran was the initiator of this attack (Doffman, Citation2019; Hope et al., Citation2019).
These cyberattacks and intrusions vary along two main dimensions: the method of the attacks and the type of target. The method of the attack ranges from hacking, hacking-and-leaking, hacking-and-faking, or covert disruption. The targets of the intrusions range from critical infrastructures (such as Saudi oil company Aramco) to governmental agencies (such as government ministries) as well as national media channels (such as the Qatari national news agency). The vast difference between the cases is quite useful for identifying common and divergent rhetorical strategies used when facing a public cyber intrusion.
Discourse analysis
Once all our cases were identified, we moved to systematically collect discursive responses to these intrusions. First, we checked whether a specific intrusion was reported in the state’s newspapers and whether state officials responded to this intrusion. Second, we collected all statements that were issued by an official state figure. In each country, we surveyed the official websites of the relevant authorities as well as their Facebook and Twitter accounts. We also looked at widely-circulated and semiofficial newspapers known to reflect the government’s approach (in Saudi Arabia—al-Riadh and al-Madina; in Bahrain—al-Bilad, al-Ayam; in Qatar—al-Watan and al-Raya). In addition, we included additional Arabic news sources, such as Alarabiya Net, Al-Jazeera, and Bahrain Mirror looking for references for cyber intrusions.Footnote8
To map the rhetorical strategies used in these texts, we employed abductive methodological reasoning. As explained by Friedrichs and Kratochwil (Citation2009), “[i]nstead of trying to impose an abstract theoretical template (deduction) or ‘simply’ inferring propositions from facts (induction), we start reasoning at an intermediate level (abduction)” (p. 709). This means that we moved back and forth between the categories already identified by “image-repair” and crisis communication theories and the empirical textual data at hand. On the one hand, we compared the textual data to existing categories identified by the literature (e.g., “bolstering” or “minimizing”). On the other hand, we coded new categories based on the emerging data. The coding procedure involved two independent research assistants blind to each other coding. After coding one case, we had a collaborative meeting to refine the labels and continued coding independently all the other cases. Thus, our abductive method combined the deductive ascription of preexisting categories with an inductive interpretation of the text. The full discursive data, which includes about 240 statements, appears in the supplemental material file.
Messages are crafted to shape the opinion of a target audience. Looking at discourse in Arabic makes it difficult to determine which audience was targeted. While governments probably address their domestic audience, they also take into consideration regional Arab-speaking audiences. This is particularly true in the Gulf context, where neighboring countries are involved in initiating the cyber intrusions described below. Official press conferences and announcements are also targeting international audiences, as English-speaking media picks up and translates government messages. Thus, our analysis cannot determine audience-related influences, and this aspect merits additional research.
“Face-saving” strategies following public cyber intrusions
Based on the discursive data, we can identify multiple “face-saving” strategies used by Gulf countries following a public cyber intrusion. These can be classified under three broad categories: diminishing strategies, self-complimenting strategies, and accusing strategies. These differ from one another in their object of focus (the attack, the state itself, or the initiator) and in the way they address the image-related needs of the state. Diminishing strategies reduce the impact and the seriousness of the intrusion itself. Self-complimenting strategies seek to portray the targeted state in a good and positive light. Accusing strategies direct the attention toward the initiator. below summarizes the various strategies.Footnote9
Table 1. Rhetorical strategies following a cyber intrusion.
Diminishing strategies
Diminishing strategies involve (1) minimizing the effect of the intrusion or (2) normalizing it as a routine part of international politics. In cases of hack-and-leak and hack-and-fake intrusions, another strategy manifests itself: (3) debunking—claiming that the information is fabricated.
First, states use a minimizing strategy to reduce the impact, magnitude, or scale of the incident, claiming that nothing serious has happened (“it’s not as bad as it seems”). This strategy seeks to convince the audience that the incident is not significant and that no serious damage was incurred, thus reducing the damage to the state’s image. For instance, following the 2012 intrusion on Aramco, the spokesperson of the Ministry of Interior, Maj. Gen. Al-Turki, organized a press conference, claiming that “the hacking attempt did not reach its goals” (Al-Ghamdi, Citation2012). Immediately after, the chairperson of the investigation committee and the deputy director-general of strategic planning in Aramco added that despite some damage, “the attackers did not reach their intended goal … ” and that “there was no impact on the company's continued oil and gas production” (Al-Ghamdi, Citation2012). Following the 2017 intrusion using Shamoon 2.0, the Saudi Ministry of Environment, Water and Agriculture stated that “our systems operate at full capacity and were not affected by that attacks of Shamoon 2.0 attacks and the ransomware virus” (Okaz, Citation2017). To mitigate the public damage caused by planning fake information on the Qatari news website, Qatar’s Minister of Foreign Affairs emphasized that “the cooperation between Qatar and the United States or any other friendly country was not affected” (Qatar MFA, Citation2017f).
Second, states use a normalizing strategy to reduce the uniqueness of the event, framing it as a routine part of global politics (“nothing is out of the ordinary”). By claiming that other states experience cyber intrusions or that they happen all the time, this strategy de-individuates the targeted state (i.e., avoids signaling it out) and reduces some level of responsibility from the targeted state. In the case of hack-and-leak or hack-and-fake intrusions, states can claim that the information leaked does not reveal anything out of the ordinary. Following the 2012 intrusion on Aramco, the company stated that “Aramco is not the only company that was exposed to this type of operations, and this isn't the first nor the last time we'll see this type of attack” (Al-Hawawi, Citation2012). In 2016, after the intrusion of the Saudi Ministry of Foreign Affairs, Abdullah Al-Saadoun, the chairperson of the Security Affairs Committee in the Saudi Shura Council stated that: “the Kingdom is targeted the same as other countries, and all countries suffer from these attacks” (Al-Turaisi, Citation2016). In Bahrain, a technology expert and a parliament member noted the fact that there are numerous intrusions all over the world and emphasized that even American companies lost money due to cyber intrusions (Al-Bilad, Citation2019).
Third, in the context of hack-and-leak or hack-and-fake cyber intrusions, states can use a debunking strategy and claim that the information is fabricated (“this is a lie”). When using this strategy, states will provide evidence that the information is untrue and will try to change the narrative to highlight their version of the truth. Debunking does not only involve disputing the content of the information but also preventing the dissemination of the information by issuing “fake news” warnings or even shutting down media channels (especially in more authoritarian settings). In the Qatari, Bahraini, and Saudi (2015) cases, official representatives issued statements emphasizing the leaks are fabricated (Al-Bilad, Citation2017; GCO, Citation2017; Qatar MFA, Citation2017b, Citation2017a; Saudi Arabia, MFA, 2015a, 2015b).
Overall, diminishing strategies help protect the image of the targeted state by reducing the magnitude of the failure and trying to change beliefs regarding the responsibility of the targeted state. A minimization strategy seeks to convince the audience that the intrusion was not significant (hence, the state failure was not that bad). In addition to the domestic audience, this strategy can be also used to signal to the initiator that their intrusion did not achieve its goals. By employing these strategies, the victim aims to downplay potential tensions and subtly communicate a message to the adversary. A normalization strategy seeks to convince the audience that cyber intrusions are a regular feature of international politics (hence, there is nothing uniquely wrong about the targeted state). A debunking strategy seeks to convince the audience that leaked information is wrong (hence, rectifying the image of the targeted state).
Self-complimenting strategies
States can use self-complimenting strategies to highlight their positive traits. They “mitigate the negative effects of the act on the actor by strengthening the audience’s positive affect for the actor” (Benoit, Citation2014, p. 24). Specifically, our findings identify three such strategies. First, as image-repair theorists note, states can use a bolstering strategy to identify themselves “with something viewed favorably by the audience” (Ware & Linkugel, Citation1973, p. 277). In this strategy, states emphasize their successes, their international connections, and their good values (“look how good we are”).
In several of our cases, the state officials emphasized their success in quickly blocking the intrusion or continuing their operations despite it. Some statements highlight that the state did so independently without help from external sources (Al-Ghamdi, Citation2012), while other statements emphasize how quick and efficient the state was in dealing with the intrusion or how many intrusions had been blocked before (Al-Arabiya, Citation2017; Al-Bilad, Citation2019; Al-Hawawi, Citation2012). Further, the statements often noted the good standing of the state within the international community and their ability to secure international cooperation to investigate the intrusion (Al-Ghamdi, Citation2012; Qatar MFA, Citation2017c, Citation2017d, Citation2017e).
Second, states can assure the audience that measures have been taken to guarantee future protection. We label this strategy reasserting control as it involves a symbolic display of efforts showing that the government is committed and well-functioning (“everything is under control”). Our findings show that states repeatedly emphasized that they would investigate, establish new cyber institutions, and develop new cyber regulations. Further, in many cases, press conferences included specific and detailed technical explanations to signal authoritative and thorough knowledge regarding what happened. Qatar, which suffered a hack-and-fake intrusion, even produced an impressive and dramatic movie clip documenting the intrusion step-by-step. The image-related dimensions of this clip, broadcasted publicly during a press conference, are self-evident (Al-Shiyadhmi, Citation2017).
Third, in the context of hack-and-leak and hack-and-fake intrusions, states need to work “uphill” to correct the information that was leaked or faked. Thus, states use the strategy of correcting, which involves rebutting misinformation by providing an alternative and beneficial description of the “truth” (“let me tell you what really happened”). The goal of a correcting strategy is to replace the image cultivated by the leaked or fabricated information with a new—more positive—image. The correcting strategy was intensively used by Qatar following the planting of a fake news story on the QNA website. Qatari officials released statements emphasizing that “the relationship between Qatar and the United States is strong and strategic” or that “Qatar has always maintained friendly relations with the Gulf States” (Qatar MFA, Citation2017f; وزارة الخارجية - قطر, Citation2017). The correcting strategy was used only in the Qatari case. In this case, a lot of embarrassing information was published in a short time and it seems that choosing the correcting strategy was an efficient way for Qatar to mitigate the embarrassment.
Overall, self-complimenting strategies aim to improve the image of the targeted states following a public cyber intrusion. A bolstering strategy seeks to shift the discussion to emphasize the positive traits of the targeted state. Reasserting control seeks to convince the audience that the state is competent, capable, and manages the situation. As Shandler and Gomez (Citation2022) show, cyber intrusions diminish public confidence in the government. Thus, reasserting control aims to restore such confidence within the domestic public as well as international businesses. A correcting strategy seeks to present information in a way that will shed good light on the targeted state.
Accusing strategies
States can adopt accusing strategies to denigrate the attacking state and cast it in a bad light. By accusing another actor, the state shifts the blame to the external actor and situates itself as a victim of bad behavior by others (Benoit, Citation2014, p. 25). We classify the sub-strategies following Finnemore and Hollis who identify three discrete processes (Citation2020, p. 974).
First, once the intrusion becomes public knowledge, states employ the strategy of exposing. They disclose what happened to third parties, acknowledging publicly that they have been attacked (“we have been attacked”). In all of our cases, state officials issued brief statements admitting that there was an intrusion and providing general details about it. The degree of exposure was dependent on the degree of publicity the intrusion received. For instance, immediately after the Saudi 2015 intrusion, the Spokesperson of the Saudi Ministry of Foreign Affairs, Osama Bin Ahmed Nuqli, only stated that the MFA computer was hacked (Saudi Arabia MFA, 2015a). About a month later, when Saudi documents were leaked, Nuqli issued a new statement connecting the leaked documents to the earlier cyber intrusion (Saudi Arabia MFA, 2015b).
Second, in addition to exposing the intrusion, states can engage in the strategy of condemning (“they are bullies”), which is the process of signaling disapproval of what happened, delegitimizing it, and casting the other side in a bad light. Our findings demonstrate that states often use negative and derogatory labels to describe the cyber intrusion or its initiators, such as crime/criminals, terrorism, enemies of the state, illegitimate actions, and shameful acts. This strategy was used by all states as well and was among the first ones to be used.
Third, states can also ascribe the intrusion to a particular actor, a strategy known as attributing (“this is who did it”). The vast literature on attribution highlights the technical, political, and social aspects related to attribution. While attribution can help states “name and shame” the initiator and address public demands for answers, there are also some incentives to eschew attribution, such as maintaining secrecy or strategic calculations (Borghard & Lonergan, Citation2019; Egloff, Citation2020b, Citation2020a; Rid & Buchanan, Citation2015).
Overall, accusing strategies seek to shift audience perceptions regarding responsibility—rather than focusing on the failure of the targeted state, these strategies seek to attribute responsibility to a malevolent actor. A second possible goal is norm-setting or norm-reinforcing. By denigrating the intrusion (and/or the initiator) the targeted state reproduces what is appropriate behavior in international politics (Egloff, Citation2020b; Egloff & Smeets, Citation2021). That said, harsh accusing strategies could potentially increase the risk of escalation (Egloff, Citation2020b).
Rhetorical strategies in practice
In addition to identifying the variety of strategies employed by the Gulf States following a public cyber intrusion, we can move on to offer some general insights regarding the practical use of these strategies. We find that the various strategies were used differently across our cases ().
Table 2. Distribution of strategies per intrusion.
On the one hand, we find that exposing the intrusion, condemning it, and normalizing it were commonly used in all of our cases. Similarly, the rhetorical strategies of reasserting control following the intrusion and bolstering the image of the targeted state also appeared in all cases. This suggests that the Gulf countries are indeed sensitive to their image following a cyber intrusion and indicates that these strategies might serve as “building blocks” of image management rhetoric. It could also suggest that there is a common repertoire of rhetorical strategies commonly used in the region (or internationally) following a failure event. On the other hand, we find that hack-and-leak and hack-and-fake intrusions involve additional strategies that do not appear in other intrusions. Specifically, the strategies of debunking (“this is a lie”) and correcting (“let me tell you what really happened”) are uniquely used when private information is leaked or fake information is disseminated. This finding is also supported in the Saudi case, where the strategy of debunking primarily appeared after the Saudi Cables were released. It seems that this strategy is more useful when the fabricated information is already outed by others, and the victim states use it to minimize the reputational damage in the fastest way possible—by claiming it is a lie. Further, the strategy of minimizing was used in most cases except the Bahraini one. This can be explained by the fact that there was no visible damage in the Bahraini intrusion.
When appeared, the strategy of attribution emerged relatively little in government discourse. Interestingly, only in the Qatari and Bahraini cases, there was a clear public attribution directed at the UAE and Iran, respectively. However, in both cases, such attribution came only after an American source had already attributed the intrusion. It is plausible that Bahrain and Qatar preferred to “pass the buck,” allowing the hegemon to publicly attribute the intrusion, minimizing the risk of escalation and retaliation. These findings resonate with recent works that claim that attribution is a political decision as well as a technical one. The rhetorical strategy of attribution did not appear in any of Saudi Arabia’s intrusions. This behavior might be explained by the Saudi’s inclination not to risk escalation or compel the perpetrator to respond if attribution is publicly made. Since Saudi Arabia and Iran are in constant rivalry and share inspiration as regional powers, choosing the option of a public attribution strategy might have greater escalation risks compared to the cases of Qatar and Bahrain.
In terms of sequencing, we did not find a particular order in the appearance of rhetorical strategies. As can be seen in the supplementary file, early responses were relatively short and mainly included the strategies of exposing coupled with minimizing and normalizing.
Conclusions
When thinking about the public response of states to public cyber intrusions, existing literature primarily discusses the risks of retaliation or escalation (Healey & Jervis, Citation2020; Libicki, Citation2020; Valeriano et al., Citation2018) as well as attribution (Egloff, Citation2020b; Rid & Buchanan, Citation2015). However, as this article shows, states engage in multiple “face-saving” strategies to manage their image and legitimize their restraint. Attribution is only one rhetorical option out of many.
Our systematic discourse analysis of five cyber intrusions in Gulf states advances three findings. First, drawing partly on the conceptual language used by “image-repair” and crisis-communication theories, the article categorizes three broad “face-saving” strategies adopted by states following a public cyber intrusion: diminishing strategies, self-complimenting strategies, and accusing strategies. Second, the results suggest that different contextual factors shape the specific strategies used. In cyber intrusions that involve leaking or faking information, unique strategies of debunking or correcting were used. Third, regarding attribution, the cases involving Saudi Arabia—a regional power—did not include public attribution. In contrast, Bahrain and Qatar—smaller powers—did attribute the intrusions but did so only after such attribution was made by American media. These suggestive contextual factors might be used in future research on the rhetoric of cyber responses in other areas.
It is important to acknowledge that our findings are not exhaustive and do not include all possible strategies. For instance, our focus on public cyber intrusion means that the strategies of silence (not responding at all) or denial (claiming that nothing happened) were not really usable strategies. Further, theoretically, states also have the option of apologizing to their public for not preventing the intrusion. While apologizing might be considered appropriate in some contexts (Aldar et al., Citation2021; Lind, Citation2011; N. Löwenheim, Citation2009),Footnote10 it seems unlikely that a public apology by the targeted states would help mitigate any image-related costs. Instead, apologizing would probably be interpreted as an admission of failure and responsibility.
The discursive toolkit identified in this article is not necessarily unique to the Gulf countries. Israel, Albania, and the US—different from the Gulf countries and each other in their regime type—also employed similar strategies in response to cyber intrusions directed at them. For instance, after a cyber intrusion against Israel's water facilities in April 2020, Israeli officials employed the rhetorical strategies of minimizing and reasserting control, stating “[t]he attempted attack was dealt with by the Water Authority and National Cyber Directorate. It should be emphasized that there was no harm to the water supply and it operated, and continues to operate, without interruption” (TOI, Citation2020). Albania's response to the Iranian cyberattack against its governmental systems in September 2022 also involved minimizing and reasserting control. In a video message, the Albanian Prime Minister stated that “The said attack failed its purpose. Damages may be considered minimal compared to the goals of the aggressor. All systems came back fully operational and there was no irreversible wiping of data” (Republic of Albania, Citation2022). Both countries also used accusing strategies and attributed these intrusions to Iran.
In response to the data breach of the OPM in June 2015, The White House Press Secretary primarily employed the strategy of exposing and reasserting control, while avoiding attribution early on. It also used a normalizing strategy stating that “to say that our computer systems in the federal government are at risk is not news … all of the computer networks on which we interact on a daily basis—whether that’s at work, or when we’re checking our email, or purchasing an airline ticket—that there is risk associated with that” (The White House, Citation2015). In contrast, following the SolarWinds intrusion into United States government networks in December 2020 the White House added a new rhetorical strategy detailing the retaliatory measures taken against Russia (The White House, Citation2021)—a strategy that can be classified under “bolstering” attempts.
Additional research is required in order to delve more into the conditions that explain variations in the rhetorical repertoire of states—Under which conditions do states use silence compared to rhetoric in response to cyber intrusions? Under which conditions do states use some strategies and not others? And under which conditions do states engage in short, laconic messages compared to detailed press conferences or engaging videos? Possible factors could be related to the type of attack, the extent of the damage, the attack's degree of publicity, the suspected initiator, and the strategic culture of the specific state. Moreover, while this research does not examine the effectiveness of these rhetorical strategies, experimental social science can identify the micro-foundations that make some strategies more persuasive than others.
The rhetorical strategies presented here should not be seen as necessarily tied to the cyber context. For example, scholars on public relations have already examined the use of image-repair strategies by governments or individual leaders following health or environmental crises (Benoit & Henson, Citation2009; Chon & Kim, Citation2022; Zhang & Benoit, Citation2009). IR scholars can extend the framework suggested here to study how states deal with image-related damage caused by kinetic attacks. A quick look at how Israel discursively responded to incendiary kites fired from the Gaza Strip (causing forest and farmland fires in Israel) provides some preliminary suggestions.
First, similar to the cyber context, accusation strategies also seem to appear in the Israeli response (labeling an intrusion as “terrorism” or an infringement of international law, identifying an actor, or condemning the act). Second, self-complimenting strategies also seem to appear in both contexts but in different ways. For instance, Israel’s Defense Minister used a bolstering strategy emphasizing that 400 out of 600 kites were intercepted (Hay, Citation2018). However, Israel’s rhetoric also pointed to its past reputation as a way to bolster its image as a deterring actor—“We will act and exact a heavy price. We’ve done it in the past. Remember that, because we will do it again now” (Ahronheim et al., Citation2020). This rhetorical move of referencing the past was not found in our cases. Third, diminishing strategies, while extensively appearing in our findings, do not seem to be rhetorically prevalent in the Israeli response. These suggestive ideas imply that there might be important normative and socio-political differences in the ways states are expected to manage their image in the cyber vs. the kinetic spheres.
In sum, this article shows that in addition to covert technical and political strategies to deal with cyber intrusion, states engage in performative public strategies to manage their image. Identifying the various strategies directs our attention to the agency of states—how targeted states perceive the context of the intrusion, interpret it, and narrate it. Diminishing the magnitude of a cyber intrusion, complimenting the successes of the Self, and accusing the adversary of bad behavior allows states to mitigate image-related costs in front of a domestic and international audience and perform their role as ontological security providers (Lupovici, Citation2023). “Face-saving” strategies are the bread and butter of international society—justifications, apologies, rejections, or acknowledgments—are some of the ways states resolve tensions, legitimize their behavior, and reinforce or contest norms. In the case of public cyber intrusions, these rhetorical strategies narrate the intrusion, justify the lack of retaliation, and potentially facilitate the de-securitization of the event.
Supplemental Material
Download MS Excel (177.6 KB)Acknowledgments
The authors thank Or Greif, Noya Peer, and Jason Silverman for valuable research assistance, and James Shires and Tarek Tutunji for commenting on previous drafts. Previous versions of this article were presented at the annual meeting of the International Studies Association—Northeast Region (2020) and the Joint Sessions of the European Consortium for Political Research (2022).
Disclosure statement
No potential conflict of interest was reported by the author(s).
Additional information
Funding
Notes on contributors
Yehonatan Abramson
Yehonatan Abramson is a Senior Lecturer in the Department of International Relations at the Hebrew University of Jerusalem, Israel. His research interests include International Relations Theory, diaspora politics, and critical security studies. His work appeared in journals such as the European Journal of International Relations, International Studies Quarterly, Political Geography, the Journal of Ethnic and Migration Studies, and Social Studies of Science.
Gil Baram
Gil Baram is a post-doctoral research scholar at the Center for Long-Term Cybersecurity and the Berkeley Risk and Security Lab, University of California Berkeley. Her work interests include states decision-making during offensive cyber operations, intelligence and covert actions, and empirical cyber research. Her work appeared in journals such as the Journal of Global Security Studies, the Journal of Cyber Policy, and Israel Studies Review.
Notes
1 Hack-and-leak operations are defined as “an intrusion into specific digital systems and networks (hack) and an attempt to influence certain audiences through the public release of information obtained through that intrusion (leak).” Hack-and-fake operations are similarly defined but they involve the public fabrication of information. See Shires, 2019.
2 For the bigger question of whether cyber capabilities are escalatory, see Borghard & Lonergan, Citation2019; Healey & Jervis, Citation2020.
3 A similar point is made with regard to countries’ failure to deter (especially when these countries see themselves as deterring actors). Their inability to prevent a challenger damages their sense of Self (Fettweis, Citation2013; Lupovici, 2016b).
4 In contrast to shame, which is associated with “perceived deficiencies of one's core self,” embarrassment is associated with “deficiencies in one's presented self.” Thus, shame is a more enduring sense of negative self-evaluation, while embarrassment is tied to more transient, situation-specific failures and pratfalls” (Tangney et al., 1996, p. 1258; cf. Subotic & Zarakol, Citation2013). Humiliation is understood as “as an act of extreme disrespect that intends to deprive an actor of its status as an autonomous agent that counts” (Wolf, 2017, p. 494). It is a result of the actions of another (rather than a failure of the Self) (Lupovici, 2016b, p. 66).
5 The targeted states can also leak information to encourage external actors to reveal the intrusion.
6 In addition to rhetorical strategies, states also develop legal and institutional responses, see Shires, 2021b.
7 The datasets we use did not contain any cyber incidents involving the UAE that met our inclusion criteria—such as a range of years, a public response that can be examined in more detail, etc.
8 We specifically examined the dates in which cyber intrusions were revealed as well as key terms in Arabic, such as cyber, hacking, and electronic attack.
9 The impact of these strategies is beyond the scope of this article.
10 However, states can also refuse to apologize to protect their identity, see Zarakol, Citation2010.
References
- وزارة الخارجية - قطر. (2017, May 26). Twitter Post. @MofaQatar_AR. https://twitter.com/MofaQatar_AR/status/867849549519388674
- Adler-Nissen, R. (2014). Stigma management in international relations: Transgressive identities, norms, and order in international society. International Organization, 68(1), 143–176. https://doi.org/10.1017/S0020818313000337
- Ahronheim, A., Lazaroff, T., & Harkov, L. (2020, August 11). Netanyahu, Gantz warn Hamas against continued explosive balloon launches. Jerusalem Post, https://www.jpost.com/breaking-news/netanyahu-warns-all-irans-proxies-will-pay-price-for-explosive-balloons-638225
- Al-Arabiya. (2017, January 24). تعرف على تاريخ فايروس “شمعون” في السعودية. alarabiya.net. https://bit.ly/3kgms91
- Al-Bilad. (2017, June 3). توضيح من وزارة الخارجية بشأن اختراق حساب (تويتر) لمعالي وزير الخارجية. Albiladpress.Com. http://www.albiladpress.com/index.php/news/2017/3155/bahrain/431070.html
- Al-Bilad. (2019, September 3). الوزير ميرزا يفتتح مؤتمر أمن المعلومات. Albiladpress.Com. http://www.albiladpress.com/news/2019/3977/bahrain/594628.html
- Aldar, L., Kampf, Z., & Heimann, G. (2021). Reframing, remorse, and reassurance: Remedial work in diplomatic crises. Foreign Policy Analysis, 17(3), 1–20. https://doi.org/10.1093/fpa/orab018
- Al-Ghamdi, M. (2012, December 10). محاولة اختراق أرامكو تهدف للإضرار بالاقتصاد الوطني ومنع تدفق الزيت إلى الأسواق المحلية والعالمية. AlRiyadh.com. http://www.alriyadh.com/791584
- Al-Hawawi, S. (2012, August 27). أرامكو: 30 الف جهاز أصيب بالفايروس. tech-wd.com. https://www.tech-wd.com/wd/2012/08/27/saudi-aramco-restores-network-services/
- Al-Shiyadhmi, M. (2017, July 20). الداخلية القطرية تؤكد اختراق وكالة الأنباء من الإمارات. Al-Jazeera.net. https://www.aljazeera.net/news/arabic/2017/7/20/الداخلية-القطرية-تؤكد-اختراق-وكالة
- Al-Turaisi, A. (2016, September 8). مختصان: المملكة تواجه حرباً إلكترونية واسعة. AlRiyadh.com. http://www.alriyadh.com/1531929
- Ashkenaz, A. (2022, April 13). Putin humiliated: 400,000 secret files leaked by hackers. Daily Express, https://www.express.co.uk/news/science/1595341/putin-news-anonymous-hack-secret-kremlin-files-leaked-ukraine-war-aerogas
- Baram, G., & Sommer, U. (2019). Covert or not covert: National strategies during cyber conflict. 1–16. https://doi.org/10.23919/CYCON.2019.8756682
- Bartholomew, B., & Guerrero-Saade, J. A. (2016). Wave your false flags! Deception tactics muddying attribution in targeted attacks. Virus Bulletin Conference.
- Benoit, W. L. (2014). Accounts, excuses, and apologies: Image repair theory and research (2nd ed.). SUNY Press.
- Benoit, W. L., & Henson, J. R. (2009). President Bush’s image repair discourse on Hurricane Katrina. Public Relations Review, 35(1), 40–46. https://doi.org/10.1016/j.pubrev.2008.09.022
- Bob, Y. J. (2022, November 21). Iran hackers closer to penetrating Israel, US drones—cyberdefense CEO. The Jerusalem Post, https://www.jpost.com/middle-east/iran-news/article-722964
- Borghard, E. D., & Lonergan, S. W. (2019). Cyber operations as imperfect tools of escalation. Strategic Studies Quarterly, 13(3), 122–145.
- Branch, J. (2019). What’s in a name? Metaphors and cybersecurity. International Organization, 1–32. https://doi.org/10.1017/S002081832000051X
- Broeders, D., Boeke, S., & Georgieva, I. (2019). Foreign intelligence in the digital age. Navigating a State of ‘Unpeace.’ The Hague Program for Cyber Norms, https://papers.ssrn.com/sol3/papers.cfm?abstract_id = 3493612
- Bronk, C., & Tikk-Ringas, E. (2013). The cyber attack on Saudi aramco. Survival, 55(2), 81–96. https://doi.org/10.1080/00396338.2013.784468
- Brown, J. M., & Fazal, T. M. (2021). #Sorrynotsorry: Why states neither confirm nor deny responsibility for cyber operations. European Journal of International Security, 6(4), 401–417. https://doi.org/10.1017/eis.2021.18
- Buchanan, B., & Cunningham, F. S. (2020). Preparing the cyber battlefield: Assessing a novel escalation risk in a sino-American crisis (fall 2020). Texas National Security Review, 3(4), 54–81. https://doi.org/10.26153/tsw/10951
- Burton, J., & Lain, C. (2020). Desecuritising cybersecurity: Towards a societal approach. Journal of Cyber Policy, 5(3), 449–470. https://doi.org/10.1080/23738871.2020.1856903
- Carson, A. (2016). Facing off and saving face: Covert intervention and escalation management in the Korean War. International Organization, 70(1), 103–131. https://doi.org/10.1017/S0020818315000284
- Chon, M.-G., & Kim, S. (2022). Dealing with the COVID-19 crisis: Theoretical application of social media analytics in government crisis management. Public Relations Review, 48(3), 102201. https://doi.org/10.1016/j.pubrev.2022.102201
- Clinton, J. (2022, July 3). British army confirms breach of its Twitter and YouTube accounts. The Guardian, https://www.theguardian.com/uk-news/2022/jul/03/british-army-confirms-breach-of-its-twitter-and-youtube-accounts
- Cooke, M. (2014). Tribal modern: Branding new nations in the Arab Gulf. University of California Press.
- Coombs, W. T. (1998). An analytic framework for crisis situations: Better responses from a better understanding of the situation. Journal of Public Relations Research, 10(3), 177–191. https://doi.org/10.1207/s1532754xjprr1003_02
- Coulter, M. (2021, April 11). Accident’ at Iran’s Natanz nuclear plant as new uranium enrichment starts. The Guardian, https://www.theguardian.com/world/2021/apr/11/accident-at-irans-natanz-nuclear-plant-as-new-uranium-enrichment-starts
- Deibert, R. J., & Rohozinski, R. (2010). Risking security: Policies and paradoxes of cyberspace security. International Political Sociology, 4(1), 15–32. https://doi.org/10.1111/j.1749-5687.2009.00088.x
- Doffman, Z. (2019, August 8). Iranian hackers suspected of cyberattacks on Bahrain—A warning beyond the gulf: Report. Forbes, https://www.forbes.com/sites/zakdoffman/2019/08/08/iranian-hackers-suspected-of-cyberattacks-on-bahrain-sending-message-beyond-the-gulf-report/
- Dukalskis, A. (2021). Making the world safe for dictatorship. Oxford University Press.
- Dunn Cavelty, M. (2008). Cyber-security and threat politics: US efforts to secure the information age. Routledge.
- Dunn Cavelty, M. (2013). From cyber-bombs to political fallout: Threat representations with an impact in the cyber-security discourse. International Studies Review, 15(1), 105–122. https://doi.org/10.1111/misr.12023
- Egloff, F. J. (2020a). Contested public attributions of cyber incidents and the role of academia. Contemporary Security Policy, 41(1), 55–81. https://doi.org/10.1080/13523260.2019.1677324
- Egloff, F. J. (2020b). Public attribution of cyber intrusions. Journal of Cybersecurity, 6(1), 1–12. https://doi.org/10.3929/ethz-b-000442557
- Egloff, F. J., & Smeets, M. (2021). Publicly attributing cyber attacks: A framework. Journal of Strategic Studies, 1–32. https://doi.org/10.1080/01402390.2021.1895117
- Fars News Agency. (2015, May 23). Saudileaks 3: Riyadh confirms hacking of foreign ministry servers. Fars News Agency, https://en.farsnews.ir/newstext.aspx?nn = 13940302001087
- Farwell, J. P., & Rohozinski, R. (2011). Stuxnet and the future of cyber war. Survival, 53(1), 23–40. https://doi.org/10.1080/00396338.2011.555586
- Fattah, Z. (2017, May 30). Gulf spat escalates as Saudi Arabia, U.A.E. Media attack Qatar. Bloomberg.Com, https://www.bloomberg.com/news/articles/2017-05-30/gulf-spat-escalates-as-saudi-arabia-u-a-e-media-attack-qatar
- Fettweis, C. J. (2013). The pathologies of power: Fear, honor, glory, and hubris in U.S. Foreign policy. Cambridge University Press.
- Finkle, J., & Wagstaff, J. (2016, December 1). Shamoon virus returns in new Gulf cyber attacks after four-year hiatus. Reuters. https://www.reuters.com/article/us-cyber-saudi-shamoon-idUSKBN13Q38B
- Finnemore, M., & Hollis, D. B. (2020). Beyond naming and shaming: Accusations and international law in cybersecurity. European Journal of International Law, https://papers.ssrn.com/abstract = 3347958
- Fischerkeller, M. P., Goldman, E. O., & Harknett, R. J. (2022). Cyber persistence theory: Redefining national security in cyberspace. Oxford University Press.
- Franceschi-Bicchierai, L. (2015). There’s evidence the “Yemen cyber army” is actually Iranian. In VICE, https://www.vice.com/en_us/article/wnj9gq/theres-evidence-the-yemen-cyber-army-is-actually-iranian
- Friedrichs, J., & Kratochwil, F. (2009). On acting and knowing: How pragmatism can advance international relations research and methodology. International Organization, 63(4), 701–731. https://doi.org/10.1017/S0020818309990142
- Gartzke, E. (2013). The myth of cyberwar: Bringing war in cyberspace back down to earth. International Security, 38(2), 41–73. https://doi.org/10.1162/ISEC_a_00136
- GCO. (2017, May 24). مكتب الاتصال الحكومي:موقع وكالة الأنباء القطرية تم اختراقه.. ونسب تصريح مغلوط لصاحب السمو. Government Communication Office. https://www.gco.gov.qa/ar/2017/05/24/1915/
- Goffman, E. (1959). The presentationn of self in everyday life. Anchor Books.
- Gray, M. (2011). A theory of “late rentierism” in the Arab States of the Gulf. CIRS, https://www.files.ethz.ch/isn/134326/No_7_MatthewGrayTheoryLaterRentierismArabStatesGulf.pdf
- Gray, M. (2016). Political economy dynamics in the Arab Gulf States: Implications for political transition. In A. Saikal (Ed.), The arab world and Iran: A turbulent region in transition (pp. 45–65). Palgrave Macmillan.
- Hansen, L., & Nissenbaum, H. (2009). Digital disaster, cyber security, and the Copenhagen school. International Studies Quarterly, 53(4), 1155–1175. https://doi.org/10.1111/j.1468-2478.2009.00572.x
- Haugevik, K., & Neumann, C. B. (2021). Reputation crisis management and the state: Theorising containment as diplomatic mode. European Journal of International Relations, https://doi.org/10.1177/13540661211008213
- Hay, S. (2018, April 6). Lieberman says Israel won’t accept burning kites becoming the norm. Ynetnews, https://www.ynetnews.com/articles/0,7340,L-5278488,00.html
- Healey, J., & Jervis, R. (2020). The escalation inversion and other oddities of situational cyber stability. Texas National Security Review, 3(4), 30–53.
- Hedgecock, K., & Sukin, L. (2023). Responding to uncertainty: The importance of covertness in support for retaliation to cyber and kinetic attacks. Journal of Conflict Resolution, 1–31. https://doi.org/10.1177/00220027231153580
- Hertog, S., & Luciani, G. (2011). Energy and sustainability policies in the Gulf States. In D. Held, & K. Ulrichsen (Eds.), The transformation of the Gulf (pp. 236–257). Routledge.
- Hope, B., Strobel, W. P., & Volz, D. (2019). High-level cyber intrusions hit Bahrain Amid tensions with Iran. In The Wall Street Journal, https://www.wsj.com/articles/high-level-cyber-intrusions-hit-bahrain-amid-tensions-with-iran
- Jacobsen, J. T. (2021). Cyber offense in NATO: Challenges and opportunities. International Affairs, 97(3), 703–720. https://doi.org/10.1093/ia/iiab010
- Jarvis, L., Macdonald, S., & Whiting, A. (2017). Unpacking cyberterrorism discourse: Specificity, status, and scale in news media constructions of threat. European Journal of International Security, 2(1), 64–87. https://doi.org/10.1017/eis.2016.14
- Jarvis, L., Nouri, L., & Whiting, A. (2014). Understanding, locating and constructing cyberterrorism. In T. M. Chen, L. Jarvis, & S. Macdonald (Eds.), Cyberterrorism: Understanding, assessment, and response (pp. 25–41). Springer. https://doi.org/10.1007/978-1-4939-0962-9_2
- Kahan, R. (2020, December 21). Amateur hackers are poking holes in Israel’s image as a cyber superpower. CTech, https://www.calcalistech.com/ctech/articles/0,7340,L-3883153,00.html
- Kalman, M. (2011, November 7). Israel denies anonymous cyber-attack to blame for websites failure. The Guardian, https://www.theguardian.com/world/2011/nov/07/israel-anonymous-cyber-attack-websites
- Kaminska, M. (2021). Restraint under conditions of uncertainty: Why the United States tolerates cyberattacks. Journal of Cybersecurity, 7(1), tyab008.
- Kampf, Z., & Löwenheim, N. (2012). Rituals of apology in the global arena. Security Dialogue, 43(1), 43–60. https://doi.org/10.1177/0967010611431095
- Kamrava, M. (2013). Qatar: Small state, big politics. Cornell University Press.
- Khatib, D. K., & Maziad, M., (2019). The Arab gulf states and the West: Perceptions and realities – opportunities and perils. Routledge.
- Kostyuk, N., & Zhukov, Y. M. (2019). Invisible digital front: Can cyber attacks shape battlefield events? Journal of Conflict Resolution, 63(2), 317–347. https://doi.org/10.1177/0022002717737138
- Kreps, S., & Schneider, J. (2019). Escalation firebreaks in the cyber, conventional, and nuclear domains: Moving beyond effects-based logics. Journal of Cybersecurity, 5(1), https://doi.org/10.1093/cybsec/tyz007
- Lennon, M. (2012, August 16). Saudi Arabia’s National Oil Company Kills Network After Cyber Attack. SecurityWeek. https://www.securityweek.com/saudi-arabias-national-oil-company-kills-network-after-cyber-attack/
- Libicki, M. C. (2012). Crisis and Escalation in Cyberspace. RAND Corporation. https://www.rand.org/pubs/monographs/MG1215.html
- Libicki, M. C. (2020). Correlations between cyberspace attacks and kinetic attacks, 1300, 199–213. https://doi.org/10.23919/CyCon49761.2020.9131731
- Lind, J. (2011). Sorry states: Apologies in international politics. Cornell University Press.
- Lindsay, J. R. (2013). Stuxnet and the limits of cyber warfare. Security Studies, 22(3), 365–404. https://doi.org/10.1080/09636412.2013.816122
- Lindsay, J. R. (2015). Tipping the scales: The attribution problem and the feasibility of deterrence against cyberattack. Journal of Cybersecurity, 1(1), 53–67. https://doi.org/10.1093/cybsec/tyv003
- Lindsay, J. R., Cheung, T. M., & Reveron, D. S., eds. (2015). China and cybersecurity: Espionage, strategy, and politics in the digital domain. Oxford University Press.
- Löwenheim, N. (2009). A haunted past: Requesting forgiveness for wrongdoing in international relations. Review of International Studies, 35(3), 531–555.
- Löwenheim, O., & Heimann, G. (2008). Revenge in international politics. Security Studies, 17(4), 685–724. https://doi.org/10.1080/09636410802508055
- Lupovici, A. (2016a). The “attribution problem” and the social construction of “violence”: taking cyber deterrence literature a step forward. International Studies Perspectives, 17(3), 322–342. https://doi.org/10.1111/insp.12082
- Lupovici, A. (2016b). The power of deterrence: Emotions, identity and American and Israeli wars of resolve. Cambridge University Press.
- Lupovici, A. (2023). Ontological security, cyber technology, and states’ responses. European Journal of International Relations, 29(1), 153–178. https://doi.org/10.1177/13540661221130958
- Masterson, M. (2022). Humiliation and international conflict preferences. The Journal of Politics, 84(2), 874–888. https://doi.org/10.1086/715591
- Mitchell, J. S. (2021). Transnational identity and the Gulf crisis: Changing narratives of belonging in Qatar. International Affairs, 97(4), 929–944. https://doi.org/10.1093/ia/iiab013
- Nye, J. S. (2017). Deterrence and dissuasion in cyberspace. International Security, 41(3), 44–71. https://doi.org/10.1162/ISEC_a_00266
- Okaz. (2017, March 22). «المياه»: لم نتأثر بـ«شامون 2» والإيقاف لحماية الأنظمة. Okaz. https://www.okaz.com.sa/flags/na/1534960
- Paganini, P. (2015, May 24). Yemen cyber army hacked principal Saudi Gov networks. Security Affairs, https://securityaffairs.co/wordpress/37132/hacking/yemen-cyber-army-saudi-gov.html
- Paletta, D. (2015, June 16). Former CIA chief says government data breach could help China recruit spies. Wall Street Journal, https://www.wsj.com/articles/former-cia-chief-says-government-data-breach-could-help-china-recruit-spies-1434416996
- Perlroth, N. (2012, October 23). In Cyberattack on Saudi Firm, U.S. Sees Iran firing back. New York Times (Online), https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html
- Poznansky, M., & Perkoski, E. (2018). Rethinking secrecy in cyberspace: The politics of voluntary attribution. Journal of Global Security Studies, 3(4), 402–416. https://doi.org/10.1093/jogss/ogy022
- Qatar MFA. (2017a, May 24). مصدر مسؤول بوزارة الخارجية: ستتم ملاحقة المسؤولين عن قرصنة موقع وكالة الأنباء القطرية. Ministry of Foreign Affairs - Qatar. https://bit.ly/3kmGkHD
- Qatar MFA. (2017b, May 24). وزارة الخارجية تنفي صدور تصريحات لسعادة وزير الخارجية. Ministry of Foreign Affairs - Qatar. https://bit.ly/3xERtXY
- Qatar MFA. (2017c, May 25). استعداد دولي للتعاون مع قطر في التحقيق بشأن جريمة القرصنة الإلكترونية. Ministry of Foreign Affairs - Qatar. https://bit.ly/2VwUewc
- Qatar MFA. (2017d, May 25). وزير الخارجية: قطر ستتصدى للحملة الإعلامية التي تستهدفها. Ministry of Foreign Affairs - Qatar. https://bit.ly/3r9FXBn
- Qatar MFA. (2017e, June 7). تصريح لوزارة الداخلية بشأن قرصنة موقع وكالة الأنباء القطرية. https://bit.ly/3yN0RsK
- Qatar MFA. (2017f, June 10). لقاء وزير الخارجية مع قناة “ روسيا اليوم” عن أزمة الخليج. Ministry of Foreign Affairs - Qatar. https://bit.ly/3hDEsbG
- Qatar MOI (Director). (2017, July 20). Hacking of QNA Website and Social Media Accounts. https://m.facebook.com/moigovqatar.en/videos/hacking-of-qna-website-and/1204739016299152/
- Republic of Albania. (2022, September 7). Video message of Prime Minister Edi Rama, regarding the response of the Albanian government to the cyber attack against the digital infrastructure of the Government of the Republic of Albania. https://kryeministria.al/en/newsroom/videomesazh-i-kryeministrit-edi-rama-lidhur-me-vendimin-e-qeverise-shqiptare-si-kunderpergjigje-ndaj-aktit-te-sulmit-te-rende-kibernetik-ndaj-infrastruktures-digjitale-te-qeverise-se-republikes-se-s/
- Rid, T. (2012). Cyber war will not take place. Journal of Strategic Studies, 35(1), 5–32. https://doi.org/10.1080/01402390.2011.608939
- Rid, T., & Buchanan, B. (2015). Attributing cyber attacks. Journal of Strategic Studies, 38(1–2), 4–37. https://doi.org/10.1080/01402390.2014.977382
- Riemer, O. (2021). Politics is not everything: New perspectives on the public disclosure of intelligence by states. Contemporary Security Policy, 42(4), 554–583. https://doi.org/10.1080/13523260.2021.1994238
- Riley, M., Carey, G., & Fraher, J. (2016, December 1). Destructive hacks strike Saudi arabia, posing challenge to trump. Bloomberg.Com, https://www.bloomberg.com/news/articles/2016-12-01/destructive-hacks-strike-saudi-arabia-posing-challenge-to-trump
- Saudi Arabia, MFA. (2015a, May 23). أوضح رئيس الإدارة الإعلامية بوزارة الخارجية … Facebook. https://www.facebook.com/ksamofa/photos/a.501311693212397/1060172627326298
- Saudi Arabia, MFA. (2015b, June 20). عقب رئيس الإدارة الإعلامية بوزارة الخارجية … Facebook. https://www.facebook.com/ksamofa/photos/a.501311693212397/1079703598706534
- Schlenker, B. R. (1980). Impression management: The self-concept, social identity, and interpersonal relations. Brooks Cole.
- Schlenker, B. R., & Darby, B. W. (1981). The use of apologies in social predicaments. Social Psychology Quarterly, 44(3), 271–278. https://doi.org/10.2307/3033840
- Scott, M. B., & Lyman, S. M. (1968). Accounts. American Sociological Review, 33(1), 46–62. https://doi.org/10.2307/2092239
- Shackelford, S. J., Sulmeyer, M., Deckard, A. N. C., Buchanan, B., & Micic, B. (2017). From Russia with love: Understanding the Russian cyber threat to U.S. Critical Infrastructure and What to Do About It. Nebraska Law Review, 96(2), 320–338.
- Shandler, R., & Gomez, M. A. (2022). The hidden threat of cyber-attacks–undermining public confidence in government. Journal of Information Technology & Politics, 1–16.
- Sharp, T. (2017). Theorizing cyber coercion: The 2014 North Korean operation against sony. Journal of Strategic Studies, 40(7), 898–926. https://doi.org/10.1080/01402390.2017.1307741
- Shires, J. (2018). Enacting expertise: Ritual and risk in cybersecurity. Politics and Governance, 6(2), 31–40. https://doi.org/10.17645/pag.v6i2.1329
- Shires, J. (2019). Hack-and-leak operations: Intrusion and influence in the Gulf. Journal of Cyber Policy, 4(2), 235–256. https://doi.org/10.1080/23738871.2019.1636108
- Shires, J. (2020). The simulation of scandal: Hack-and-leak operations, the Gulf States, and U.S. Politics. Texas National Security Review, 3(4), 10–29.
- Shires, J. (2021a). The cyber operation against Qatar news agency. In M. Zweiri, M. M. Rahman, & A. Kamal (Eds.), The 2017 gulf crisis: An interdisciplinary approach (pp. 101–113). Springer. https://doi.org/10.1007/978-981-15-8735-1_6
- Shires, J. (2021b). The politics of cybersecurity in the Middle East. Oxford University Press.
- Shuya, M. (2018). Russian cyber aggression and the new cold war. Journal of Strategic Security, 11(1), 1–18.
- Snyder, J. (2020). Backlash against naming and shaming: The politics of status and emotion. The British Journal of Politics and International Relations, https://doi.org/10.1177/1369148120948361
- Soubrier, E., Moritz, J., & Freer, C. (2021). Introduction: New trends in Gulf international relations and transnational politics. International Affairs, 97(4), 925–928. https://doi.org/10.1093/ia/iiab087
- Steele, B. J. (2019). Restraint in international politics. Cambridge University Press. https://doi.org/10.1017/9781108644082
- Subotic, J., & Zarakol, A. (2013). Cultural intimacy in international relations. European Journal of International Relations, 19(4), 915–938. https://doi.org/10.1177/1354066112437771
- The White House. (2015, June 5). Press Briefing by Press Secretary Josh Earnest, 6/5/2015. Whitehouse.Gov. https://obamawhitehouse.archives.gov/the-press-office/2015/06/05/press-briefing-press-secretary-josh-earnest-652015
- The White House. (2021, April 15). Background Press Call by Senior Administration Officials on Russia. Whitehouse.Gov. https://www.whitehouse.gov/briefing-room/press-briefings/2021/04/15/background-press-call-by-senior-administration-officials-on-russia/
- TOI. (2020, May 19). 6 facilities said hit in Iran’s cyberattack on Israel’s water system in April. Times of Israel, https://www.timesofisrael.com/6-facilities-said-hit-in-irans-cyberattack-on-israels-water-system-in-april/
- Ulrichsen, K. C. (2017, June 1). What’s going on with Qatar? The Washington Post. https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/01/whats-going-on-with-qatar/
- Valeriano, B., Jensen, B., & Maness, R. C. (2018). Cyber strategy: The evolving character of power and coercion. Oxford University Press.
- Valeriano, B., & Maness, R. C. (2015). Cyber war versus cyber realities: Cyber conflict in the international system. Oxford University Press.
- Ware, B. L., & Linkugel, W. A. (1973). They spoke in defense of themselves: On the generic criticism of apologia. Quarterly Journal of Speech, 59(3), 273–283. https://doi.org/10.1080/00335637309383176
- Waxman, M. C. (2013). Self-defensive force against cyber attacks: Legal, strategic and political dimensions. International Law Studies, 89, 109–122.
- Weitzenkorn, B. (2012, August 28). Oil giant admits hack of 30,000 computers. NBC News, https://www.nbcnews.com/id/wbna48814107
- WikiLeaks. (2015, June 19). The Saudi Cables. WikiLeaks.Org. https://wikileaks.org/saudi-cables/press
- Williams, B. (2017, February 7). Iran’s cyber strategy: A case study in Saudi Arabia. C4ISRNET. https://www.c4isrnet.com/home/2017/02/07/irans-cyber-strategy-a-case-study-in-saudi-arabia/
- Wolf, R. (2011). Respect and disrespect in international politics: The significance of status recognition. International Theory, 3(1), 105–142. https://doi.org/10.1017/S1752971910000308
- Wolf, R. (2017). Identifying emotional reactions to status deprivations in discourse. International Studies Review, 19(3), 491–496. https://doi.org/10.1093/isr/vix033
- Yarhi-Milo, K. (2018). Who fights for reputation: The psychology of leaders in international conflict. Princeton University Press.
- Zarakol, A. (2010). Ontological (In)security and state denial of historical crimes: Turkey and Japan. International Relations, 24(1), 3–23. https://doi.org/10.1177/0047117809359040
- Zhang, E., & Benoit, W. L. (2009). Former Minister Zhang’s discourse on SARS: Government’s image restoration or destruction? Public Relations Review, 35(3), 240–246. https://doi.org/10.1016/j.pubrev.2009.04.004