Digital authoritarianism and the devolution of authoritarian rule: examining Syria’s patriotic hackers

ABSTRACT

Given the sensitive nature of cybersecurity in authoritarian regimes, the existence of semi-autonomous patriotic hackers raises questions about their function because no security-adjacent actor can survive without at least tacit regime approval. Reflecting the attention that the phenomenon has received from scholars of defence and cybersecurity, the hackers’ presence has to date been viewed as a pragmatic strategy that either compensates for autocrats’ own lack of technological capacity, or that deflects blowback from high-stakes cyber operations. But less is known about how the hackers’ presence relates to authoritarian stabilization and survival agendas. This prompts this article to ask: How does the devolution of cybersecurity functions to patriotic hackers influence regime stabilization and survival agendas? Observing patriotic hacking in Syria through work on authoritarian devolution, space and cybersecurity, the article argues that while there is much precedent for authoritarian power devolution, digital devolution has novel mechanisms and effects. This is because the internet enables regimes to consciously and instrumentally manipulate the process, thereby creating a sense of constantly shifting space between themselves and the hackers that facilitates new opportunities for authoritarian stabilization and survival.

KEYWORDS:

• Syrian electronic army
• patriotic hacking
• cybersecurity
• authoritarian practices
• authoritarian resilience
• Middle East
• digital devolution
• authoritarian survival
• authoritarian stabilization

Introduction

Technology has long sat at the heart of the Syrian regime, with President Bashar al-Assad playing a key role in bringing the internet to Syria before he became president. But cyber technology in Syria quickly became securitized. Falling under the purview of state security, it endowed the regime with a new digital authoritarian toolbox that it could deploy from the top-down in the name of authoritarian stabilization and de-democratization. It subsequently became difficult to disentangle technology from the regime’s ambitions and survival logics.

However, the regime’s tight grip on technology shifted after protests took hold across Syria in March 2011. It deployed its old, centralized technology playbook through its security agencies, which forced social media users to provide login details during interrogations, and throttled internet connections ahead of large demonstrations. But a new phenomenon simultaneously appeared by way of a patriotic hacking community that organized under the banner of the self-styled Syrian Electronic Army (SEA). Describing itself as independent of government, one member explained: “We could not stay passive towards the massive distortion of facts about the recent uprising in Syria … [The US government and media is] exploiting good thinking people by pumping reports of a … fake revolution.”¹ With President al-Assad declaring the SEA “a real army in virtual reality,”² the hackers’ emergence marked a major devolution of Syrian cyber policy in which so-called independent volunteers were permitted to – and lauded for – undertaking semi-autonomous online activities in service of their country. This was a significant moment for a regime that viewed control over technology as central to its ability to manage its population in other to mitigate threats from within. The ceding of control was a deliberate choice that provides an opportunity to observe the shifting boundaries of authoritarianism in the digital age, and to question how the decision to tolerate patriotic hackers interacts with long-held logics of authoritarian stabilization and survival.

This article defines patriotic hacking as the so-called self-mobilisation of technologically skilled civilians who undertake cyber activities to defend their home countries. Patriotic hackers exist across democratic and authoritarian states, and although claim independence from the government, they are sometimes government-instigated. Their operations fall somewhere on Healey’s 10-point “spectrum” of state responsibility that ranges from “state-prohibited,” “state-prohibited-but-inadequate” or “state-ignored,” to “state-encouraged,” “state-coordinated” or “state-integrated.”³ These categories can shift, meaning that one of the only static characteristics of patriotic hackers is the effort made to perform a civilian veneer. Dahan adds that patriotic hackers “see themselves as irregular soldiers, or conscripts fighting a war for their country, a form of cyber militia … Their world view tends to be narrow, nationalistic and parochial … [and they] always self identify themselves in nationalistic terms.”⁴ Although pro-regime and pro-opposition hackers exist in authoritarian contexts – and both are likely to argue that they are acting patriotically – the term “patriotic hackers” has been exclusively used to refer to those who mobilize to defend the incumbent government or regime.⁵

Given the sensitive nature of the internet in authoritarian regimes, the very existence of patriotic hackers raises questions about their function because no security-adjacent actor can survive in an authoritarian context without at least tacit regime approval. As such, their presence and tolerance has been viewed as a pragmatic authoritarian strategy that either compensates for a lack of technological capacity,⁶ or deflects potential blowback from high-stakes cyber operations.⁷ But while this reflects the attention that the phenomenon has received from scholars of defence and cybersecurity, less is known about how the hackers’ presence relates the way that authoritarian regimes stabilize their rule in order to survive. Indeed, while the decision to permit patriotic hackers in Syria was taken at a time of crisis, it existed alongside other sophisticated authoritarian practices,⁸ such as the unblocking of social media sites and the employment of Western public relations firms to launder the regime’s reputation. This authoritarian political context prompts this article to ask: How does the devolution of cybersecurity functions to patriotic hackers influence regime stabilization and survival agendas?

The article observes digital devolution in Syria through the regime-patriotic hacker relationship, first developing a theory of patriotic hacking in authoritarian regimes that sits at the intersection of work on authoritarian devolution, space and cybersecurity, before providing an overview of the phenomenon in Syria. It then examines shifting notions of distance between the regime and the hackers in Syria in order to observe how the regime has instrumentalized the digital devolution process to manage its population and serve its own stabilization and survival agenda. The article argues that while there is precedent for authoritarian power devolution, digital devolution has novel mechanisms and effects. This is because the internet enables regimes to manipulate the process, creating a constantly shifting sense of space that creates ambiguity at the boundaries the regime, generating a technology-spurred sense of omnipresence that augments authoritarian survival.

These findings contribute to knowledge on digital authoritarianism by conceptualizing the connection between digital devolution, and authoritarian stabilization and de-democratization agendas. The Syria case study highlights that while digital authoritarianism is conceived in terms of tangible practices such as artificial intelligence, digital surveillance or social media disinformation,⁹ international technological diffusion,¹⁰ and the impact on national security,¹¹ the phenomenon also encompasses complex and novel mechanisms of digital devolution that foster new ways of population management and authoritarian being. This also speaks to the study of authoritarianism by drawing attention to how authoritarian regimes are adapting to digital authoritarianism to seek new avenues for stabilization and survival. In the case of Syria, the regime and the hackers performed distance and “civilianness,” harnessing the hackers’ ability to morph between hyper-visibility and the shadows in order to expand its reach of power and manage its populations in new ways.

A theory of patriotic hacking in authoritarian regimes

Authoritarian regimes have long tactically devolved power. Although initially seen as an indicator of democratization, devolution has increasingly been associated with authoritarian de-democratization agendas to the extent that Landry noted in 2009 that China was one of the most decentralized countries on earth.¹² Given that the stability and survival of such regimes depends on their ability to manage their populations, including staving off challenges emanating from within, devolution has become a key tool of population management that enables regimes to recruit would-be domestic challengers into its periphery, while providing material inducements to others. For example, in Morocco, devolution was found to have been a tool of de-democratization because it helped the regime consolidate by both allowing it to leverage “good governance” discourses, while also positioning it to “come to the rescue” of their citizens when corrupt local representatives who had been the beneficiaries of decentralization ultimately failed to provide services.¹³ Understanding these dynamics of population management has led self-interested regimes to strategically devolve power – or at least give the impression of doing so – when they assess that the stabilization and survival benefits of the process outweigh the associated risks.

An example of devolution for legitimacy gains is the frequently used practice of devolving social service distribution to societal groups such as Government-Organised Non-Government Organisations (GONGOs), described by Hasmath et al as “usually founded and initially organized by the government to provide a service to society, one that the government is unable or unwilling to do.”¹⁴ GONGOs play an important legitimation role in authoritarian regimes, serving the dual purpose of co-opting would-be independent members of civil society, while also building an impression of a vibrant community in which individuals are autonomously mobilising. Authoritarian devolution also takes place in exchange for coercive resources. For example, Libya’s Muammar Gaddafi devolved some of his monopoly over violence to foreign mercenaries to both ward off internal unrest and conduct external operations. The establishment of what Yoroms describes as “community militias,” which are “recruited, trained and located within the communities” convey a similar coercive benefit.¹⁵ Such groups often enjoy state sanction and undertake violence alongside the state during times of war, while providing outlets through which local regime figures can exercise power and enrich themselves, and therefore gain a stake in protecting the status quo. Their existence too represents some devolution of authoritarian control, with Yoroms noting that they are often tolerated because they help “decentralise the cumbersome processes of security watch.”¹⁶

The Syrian regime too tactically devolved power to manage its population and serve its stabilization goals long before the digital authoritarian era. In the 1970s, President al-Assad’s father, then-President Hafez al-Assad devolved some legislative power by establishing the “opposition” National Progressive Front alliance to both draw potential competitors into the regime’s fold and create a pluralist veneer. The regime also devolved power to GONGOs such as the Syrian first lady’s Syria Trust for Development, and coercive and economic control to militias such as the Shabiha that have served as a tool of personal enrichment for mid-ranking members of the Assad family for decades. Such instances of devolution are united in their purpose to manage Syria’s population in order to ensure regime survival.

In this regard, while the decision of authoritarian regimes to devolve some power is not in itself unique, the nature of what this article terms “digital devolution” the digital devolution to patriotic hackers is novel and significant because of the digital authoritarian context in which it takes place. Political parties, GONGOs, mercenaries and militias are physical formations that can often be observed and demarcated from governments, with their relationships with the government changing at a slow pace or at key junctures, if at all. In contrast, while patriotic hacking communities consist of people, computing power and physical resources, their activities are characterized by the absence of corporeality that comes from hiding behind screens and firewalls. This renders them invisible, a characteristic that is also replicated in the opaque and nebulous regime-hacker nexus. As the nexus is in perpetual flux, it is often difficult to tell regimes and patriotic hackers apart, endowing the regime with greater capacity to instrumentalise the distance between the entities to serve its evolving stabilization goals. It is through the lenses of distance, (in)visibility and the technology-spurred blurring of reality that this article examines the mechanisms and effects of digital authoritarian devolution.

Distance is a useful metric of analysis because it can be used to observe the space between regimes and patriotic hackers, and to therefore draw conclusions about the devolution process and the so-called independence that is one of the defining features of the phenomenon. In this regard, the article examines distance in both the physical (Cartesian) and performative sense, treating physical distance as the real-world, measurable space between two actors. Perceived or performative distance on the other hand is the space (or lack thereof) between two actors that is constructed and performed. While the physical distance between regimes and patriotic hackers is mostly meaningless because true independence is incompatible with the hackers’ existence within an authoritarian context, performative distance matters. Indeed, scholars of topology have argued that the reach of power across space is determined by “relational distance, not a spatial metric.”¹⁷ Directly observing authoritarian contexts, this author argued elsewhere that

there is no direct correlation between the physical distance between two actors and the strength of power transmission: power can theoretically be strong over long distances and diffuse over short, or vice versa, depending on how that power is mediated.¹⁸

The spread of the internet has enhanced the ability of regimes to compress and manipulate distance, acting as a mediating tool that gives autocrats intensive access to those who may have previously been beyond physical reach.

Observing cyberwarfare, Warf and Fekete noted that “cyberattacks reveal the ongoing collision between absolute, Cartesian space – as epitomized by the Westphalian world-system of nation-states – and … emerging relational topologies.”¹⁹ They found that “relational geographies are constructed and reconstructed as systems of interconnectedness, unevenly binding people and locations together in ever-changing manifolds of power and interaction.”²⁰ Indeed, autocrats and their citizens are interconnected cyber nodes that can be nearer or farther depending on these power manifolds. Change takes place at speed: As Ng noted, big data generated in the digital era can “allow information to flow very quickly to the center,” a process that is hastening as regimes implement artificial intelligence technologies.²¹ The boundaries of authority today are fluid: control can be devolved over space but can also be retaken at warp speed.

The digital space has also augmented reality by blurring (in)visibility. This is intrinsic to the search and social media algorithms that now shape everyday life, which “tend to be invisible and often unaccountable.”²² The surveillance implications are even greater, because as Zeadally and Flowers explain, “Cyberwar is insidious, invisible to most, and is fought out of sight. It takes place in cyberspace, a location that cannot be seen, touched, nor felt.”²³ The absence of a physical body count often sees cyber activities dismissed as a lesser form of conflict, but Cristiano noted that:

Proximity to the event of war not only depends on physical closeness, but also on the interplay between distance and proximity beyond corporeality … That is to say that, embodied experiences of the violence of cyberwar in the context of Israel-Palestine remain influenced by those subjective experiences that precede and relate subjects to the conflict beyond its cyber mechanics and physical proximity.²⁴

Rather than minimize impact, the absence of physicality enables cyberwarfare to transcend distance and visibility, and to potentially reach farther and to penetrate more subjects. Lacking readily-observable physical perpetrators, malicious cyber activities cloak states in invisibility, with subjects not knowing that they are being watched unless the state makes itself known. But invisibility does not reduce the impact of cyber operations, which “fundamentally change users' Internet experience by fostering fear and paranoia about otherwise unnoticed and transparent aspects of their lives.”²⁵ Digital authoritarianism can also fuel the reverse, with algorithmic surveillance making both make regimes and citizens hyper-visible to one another.²⁶ In this way, patriotic hacking is imbued with the broader society-wide process of “technology-spurred blurring” that Jordan argued is underway, through which “the physical and the digital, the real and the virtual, interact” in a hybrid space.²⁷

This article brings together these concepts of devolution, distance, (in)visibility and a technology-spurred blurring to examine the space between the Syrian regime and the country’s patriotic hacking community. It uses space as a proxy to understand how digital devolution is impacting the way the Syrian regime is managing its population in the digital authoritarian era.

Background: patriotic hacking and Syria’s electronic armies

The Syrian patriotic hacking landscape is most often associated with the Syrian Electronic Army (SEA), which is a moniker employed by a range of pro-regime hackers. Although different individuals have been involved in the SEA at different times, other instances of pro-regime hacking such as Group 5 and the Syrian Malware Team have also been observed.²⁸ Skills vary drastically within the community, ranging from those capable of rudimentary phishing stunts to others who write custom malware. Acknowledging that the community is diverse and nebulous, this article refers to the SEA where it has been specifically identified, but otherwise uses the term “patriotic hacking community” to refer to pro-regime groups or individuals who exist outside formal regime structures but conduct cyber activities in alignment with the regime.

The SEA first became known after establishing its Facebook page in April 2011 and registering its website domain the following month. Describing itself as independent of government, its website claimed that it was an “electronic media arm that would take on the initiative to protect the homeland and support the reforms of President Bashar al-Assad.”²⁹ Initially, SEA operations were relatively unsophisticated, targeting the comments sections of opposition Facebook pages, and attacking the websites of Western institutions and media organizations. But the hackers’ capacity quickly grew, and by the end of that year, internet users began reporting malware attacks from regime-adjacent actors.

The regime emphasized that the SEA was a spontaneous civilian movement. State media broadcast adoring stories of young hacktivists sitting in internet cafes self-mobilising to protect the republic. One Syrian Arab News Agency article quoted a SEA member who said: “We are defending Syria's electronic borders in the same way the army defends the land, air and maritime borders.”³⁰ A 37-minute report that aired on the state-owned Syrian TV satellite service interviewed so-called rank-and-file SEA members. One member, Badr Ghanim explained:

They (the Western media) disdained the Syrian Electronic Army and accused it of being a government organization. The truth, however, is that it was created by Syrian youth who are not affiliated with any government organization. These youth have volunteered to serve the country in light of what we see and what they talk about Syria.³¹

In another Syrian TV report, journalist Ramita Shahhud opined

It is a modest and smart idea by the Syrian youth who have a sense of responsibility towards the homeland at difficult times. These youth possess a technological expertise … [and] have enthusiasm, sincerity, and love … Although they do not carry a rifle, they have clean hearts and minds with which they defend the homeland's stability during an ordeal, which we have realized that it is managed from dark operation rooms in countries that are far from us.³²

The SEA’s emergence neatly aligned with the regime narrative that civilians were spontaneously mobilising to reject the so-called foreign conspiracy engulfing the country. This added a much-needed boost to the regime’s domestic legitimacy, giving the impression that the regime was not alone in its condemnation of the uprising, and that its citizens actively supported its approach. It implied that Syria’s youth were so incensed by the so-called conspiracy engulfing Syria that they had taken matters into their own hands.

Indeed, there is little doubt that the activities of the patriotic hacking community aligned closely with the regime’s stabilization and survival agenda at a time when its resources were being diverted away from domestic population management to mount what would become a massive war effort. But the very fact of the community’s existence and persistence also implied some level of regime tolerance, if not sanction. Maurer characterized the relationship between the regime and the SEA as “closer to passive support than to active orchestration,”³³ while Bertram concluded that although “the available data neither conclusively connected the Assad regime to the SEA, nor did it equivocally separate them,” the relationship was “close enough.”³⁴ Lewis argued that.

It’s not plausible that they’re acting independently, without any connection to the government. Ask yourself: are there any anti-Assad groups in Syria who have been able to carry out this kind of thing? If the answer is no, it means the government is either consenting to or directing SEA activity. One technique would be to have a domestic intelligence agent recruit one person, who then sets up informal online groups. So the link to the government could be very tenuous – but it’s still there.³⁵

Given that the regime is not known for its proclivity for power-sharing, it is unrealistic that the patriotic hackers could conduct operations from inside Syria if their existence was not understood to serve the regime in some way.

This sense was underlined through the regime’s cultivation of the community. President al-Assad’s endorsement noted above, which came just months after the SEA emerged, was so unprecedented that the Committee to Protect Journalists’ Danny O’Brien grimly noted at the time:

To my knowledge the first time a head of state has explicitly approved of such actions. Governments are usually careful to distance themselves from nationalistic hacking groups, even if they tacitly permit it through lack of law enforcement. By mentioning the Electronic Army, al-Assad is signaling his support of computer sabotage and vigilante censorship in the name of his country. At least, that is how his online supporters are likely to interpret his words.³⁶

This sense of support was echoed in a remarkable editorial in the state-owned al-Thawra newspaper, which even carried a pointed threat for Facebook’s parent company Meta from a SEA member, who warned that “a number of programmers and Syrian university students … [have] in store a surprise Facebook’s administration will never forget.”³⁷ The regime may too have been directly supporting the community’s development. A supposed leaked 2012 intelligence briefing from Syria’s General Intelligence Division in Beirut detailed the outcomes of a three-day training course that it had run for Syrian and Lebanese youth in Lebanon who wished to support the regime in cyberspace. Although the document has not been independently verified, the workshop’s action plan proposed several strategies that would later become key tools of Syrian patriotic hacking.³⁸

Material links also existed between the two actors. The SEA’s first website was hosted by the Syrian Computer Society (SCS), which was chaired by Bashar al-Assad until he became president, and there was some membership crossover between the two entities. It is difficult to overstate the significance of these connections, which enabled the SEA to operate in a way that might not otherwise be possible: one senior SEA figure explained: “If we host our website outside of Syria servers [sic], it will get deleted and probably hacked.”³⁹ This connection paid dividends in 2013 when the SEA's .com and .org domains were seized by US authorities, and it was quickly able migrate its site onto a .sy domain. Indeed, it was clear from the outset that the relationship between the Syrian regime and the country’s patriotic hackers was not clear cut: The hackers were neither a formal arm of the regime, nor were they totally independent.

Authoritarian devolution in a digital authoritarian world

While the work of Maurer, Bertram and Lewis depicted distance between the Syrian regime and the country’s patriotic hacking community as a predominantly static relationship that is either independent, dependent or somewhere in between,⁴⁰ the section below shows that one of the most notable features of digital devolution is the way that the perception of distance between a regime and the object of devolution can regularly change, making power appear more of less devolved at specific points in time. The patriotic hacking community was always going to be physically close to the regime given the authoritarian context. Nonetheless the Syrian regime constantly strategically manipulated the sense of distance between itself and the patriotic hackers, moving regularly and seamlessly across Healey’s 10-point spectrum of state influence to signal independence or power, and to manage its population in line with its stabilization and survival needs.⁴¹ The section below uses the lenses of distance, speed and visibility to examine the devolution of cyber security functions to the patriotic hacking community, and to observe the technology-spurred authoritarian blur that emerged as its consequence.

Performing distance

The performance of distance was a key aspect of the regime’s digital devolution because the standing of both the regime and the patriotic hacking community heavily depended on the hackers being recognized as civilian and independent. Distance however would predominantly need to be performed because as noted above, the two actors were never totally separate, even in the heady early days of the 2011 uprising. The patriotic hackers’ public performances are important because as Lokot found of pro-Russian and pro-Ukrainian hacking collectives, “the performative, public nature of hackers’ online discursive work seems to represent the front stage where the actors manage the public’s impressions and articulate particular elements of their identity.”⁴² This identity would become central to the construction of the devolution process, and its efforts to depict the hackers as civilian, independent and distant from the regime. These distant operations sometimes took place in full view, while at other times the SEA lived in the shadows, quietly carrying out malicious activities that aligned with regime goals but that were carried out from such remoteness that they were impossible to attribute to the regime. This juxtaposition of closeness and distance, visibility and invisibility, would come to exemplify digital devolution in the context of digital authoritarianism.

To complement its public claims of “civilianness” and give the impression of a complete devolution of control, the SEA was sometimes hyper-visible, performing distance by employing a very different strategy to that of the highly secretive and opaque Syrian regime. This saw it build a public Spectacle surrounding its existence by documenting website vandalism and Distributed Denial of Service (DDoS) attacks across its website and social media accounts, and providing an app for members to track the latest scalps. This contrasted starkly with the regime’s own shadowy intelligence operations. The SEA’s posts sought to build anticipation and theatre: it regularly staged multi-day public countdowns before announcing the latest victims of a hacking campaign. In other cases, instead of revealing a successful hack, the SEA announced that it will “break good news soon,”⁴³ presumably aiming to build excitement among supporters and fear among potential victims. The hackers initially targeted high profile media organizations, universities and institutions, including Harvard University, which had its homepage replaced in September 2011 with a photo of President al-Assad and text that declared that the “Syrian Electronic Army was here.” In 2013, the New York Times’ landing page was replaced with an image and text in the colours of the Syrian flag that stated “Hacked by Syrian Electronic Army.”⁴⁴ These highly public performances that mocked and vandalized powerful symbols of the West simultaneously constructed the SEA as an agile, innovative and independent actor whose love for the regime would mean that no enemy was safe from ridicule and embarrassment. With the message aimed at the regime’s domestic audience, the activities also constructed the regime’s external “others” as weak, even though they were supposed to be among the best-resourced universities and media organizations in the world.

Distance from the regime was further performed by the drastically different tone set by the SEA’s activities, which suggested that the relationship could be described at the time on Healey’s spectrum as something akin to “state-ignored,” or completely devolved.⁴⁵ Where the regime was rigid, militaristic, stern and secretive, the SEA built a light-hearted and puerile façade that was characterized by its dynamism and irreverent sense of humour. Creating the impression of youthful pranksters whose behaviour could not plausibly be regime-directed, the SEA took over the BBC Weather account on Twitter, posting a Tweet that announced “Saudi weather station down due to head-on collision with camel.” In another, it gained control of the E! News account, posting a bogus story about the US pop star Justin Bieber’s sexuality before announcing: “The Syrian Electronic Army was here! Fans of @justinbieber, you have been trolled.”⁴⁶ In 2013, the SEA hacked the Reuters Twitter account, posting pro-regime political cartoons.⁴⁷ These activities complemented the regime’s narrative noted above that the SEA was a spontaneous youth movement. It is difficult to overstate the contrast between this playful energy and the formal, dense and vitriolic messaging that emanated from the Syrian regime. It served to draw a clear line between the two entities.

Distance, therefore, gave the impression of a substantial devolution of power that complemented the regime’s strategy of authoritarian stabilization and survival. Digital devolution supported the regime’s legitimacy-building agenda by building a façade that conferred scale and dynamism to the Syrian loyalist community. The hackers’ distinctive tone provided an alternative avenue of persuasion that amplified the regime’s official narratives. A similar process emerged through China’s so-called volunteer commentators in the Fifty-Cent army, who spread the Communist Party’s messaging online. Han argued this was viewed as valuable because “When the state media lost their credibility, the Fifty-cent army could have helped the state “guide” (yindao, 引导) popular opinion more effectively to soothe the adverse effects of online crises and spread pro-government voices.”⁴⁸ The Syrian regime knew too that amplifying its message to its domestic constituency was essential to stabilization. It desperately needed to balance its violent coercive activities against the protest movement with these performative legitimacy-building techniques that built a veneer of popular support. Al-Assad’s approval of the SEA and its generous coverage in Syrian state media highlighted that the regime was adapting to the digital authoritarian era, and viewed digital devolution as a tool for enhancing domestic legitimacy and therefore promoting survival.

The performance of devolution and distance also benefited the regime because it empowered the hackers to undertake activities against the regime’s foreign opponents that would mark a significant breach of international diplomatic norms should they be traced back to the regime. This was the case in 2013, when the SEA stole hundreds of sensitive documents, emails and contracts from regime enemies Turkey, Saudi Arabia and Qatar that purportedly detailed those countries’ involvement in conspiracy across the Arab world after the 2011 uprisings.⁴⁹ The SEA also published stolen Qatari documents via a Wikileaks-style data and email dump on its own website.⁵⁰ No state could undertake such activity without risking significant backlash, however the regime’s decision to devolve some control and convey ambiguity on the exact nature of its relationship with the hackers created the impression that the SEA was an entirely separate entity. Although the attacks never unearthed seriously compromising material, they nonetheless built on the SEA’s domestic theatre that sought to embarrass regime opponents and signal strength to the regime’s constituents.

But like other forms of devolution, digital devolution carried risk as there was always a danger that the patriotic hackers would turn their skillsets inward to undermine the regime, or undertake provocative behaviour that inadvertently left the regime vulnerable to external retaliation. Although the regime's ability to rapidly absorb the hackers shielded it somewhat from domestic risk, the external risk manifested in 2013 when the SEA undertook a phishing attack that gained it access to the Associated Press Twitter account. The SEA posted a single Tweet from the account that read: “Breaking: Two Explosions in the White House and Barack Obama was injured.” Although the hack was no different to many of the SEA’s other high-profile media take-downs, it had a significant but probably unintended impact: in the subsequent three minutes, US$136.5 billion was wiped off the S&P500 index. The outsized consequences of the hack presented a very real risk of US retaliation and exemplified the lightning speed of digital devolution, both in terms of how quickly an operation could have impact, but also how quickly a digital authoritarian regime can respond to shield itself.

To signify distance from the hackers, the Syrian Computer Society immediately removed the SEA website from its servers, prompting the SEA to release furious criticism of the organization: “We are extremely surprised … This happened due to reasons beyond our control and due to the weak will of some administrators of the Syrian Computer Society.”⁵¹ It is impossible to know whether the statement reflected genuine shock or was performative in itself, but the SEA’s web hosting was ultimately transferred to servers inside regime-ally Russia, putting a level of physical distance between the regime and hacking operations even if the hackers themselves were still mostly based in Syria. The regime’s performance of distance proved protective: When three SEA members were later indicted on broad-ranging charges of criminal conspiracy in the US, including a charge of “engaging in a hoax regarding a terrorist attack” related to the Associated Press events,⁵² the FBI indictment described the SEA as “a group of hackers that supports the regime of Syrian President Bashar al-Assad” rather than a regime asset.⁵³ In this regard, digital devolution acted as a source of internal and external stabilization and survival.

Drawing the patriotic hackers close

The Associated Press incident highlighted the dynamic nature of digital devolution by illustrating that the SEA’s distance from the regime was fluid and subject to sudden change. This meant that the regime could lengthen distance to shield itself, as it did in the case of a feared US backlash. But digital devolution is neither a one-directional nor a static process: distance can also be shortened and the sense of devolution reversed to promote internal and external stabilization. Indeed, for all the public emphasis on the SEA’s independence and distance, there have been times when the regime has drawn the patriotic hacking community so close that the blurred boundaries rendered the two actors almost indistinct.

Closeness between the regime and the hackers was most apparent when the regime’s survival was at stake, with the cadence of patriotic hacking operations closely tracking variations in the regime’s pulse. For example, as the Syrian opposition gained significant ground in late 2012 after establishing the National Coalition for Syrian Revolutionary and Opposition Forces (better known as the Syrian Opposition Coalition or SOC), the regime shut down the internet across Syria. The regime drew the patriotic hackers close to complement these efforts at halting opposition momentum, with the blackouts going hand-in-hand with the release of malware targeting the opposition that bore the unique fingerprint of Syria’s patriotic hackers.⁵⁴ The malware was traced to one of the few IP addresses inside Syria that had remained online during the blackout, suggesting that in contrast with some of the examples above, the regime-hacker relationship at that specific point in time could be described on Healey’s state-influence spectrum as “state-coordinated” if not “state-ordered.”⁵⁵ Indeed, by working closely with the hackers, the regime was able to augment its own cyber strategy by deploying patriotic hacker resources and skillsets alongside its own direct actions to manage its population. In this way, while digital devolution have given the regime benefits through distance, the flexibility and changeability of digital devolution also enabled the regime to leverage the hackers to draw distant opponents into its immediate orbit, enabling it to exercise power over them in a way that would not be possible offline. The regime would repeat this pattern many more times to achieve internal and external stabilization, including when it faced the threat of US military action after it used chemical weapons in 2013 and 2017.

Indeed, Franceschi-Bicchierai observed that there was some credence to the idea that “the SEA acted as spying group for the government of Syrian President Bashar al-Assad.”⁵⁶At times, the SEA did little to deny the operational overlap, with one senior member admitting that it does transfer some hacked data to “the security apparatus in Syria.”⁵⁷ In one case, after the Syrian opposition leaked emails exchanged between President Al-Assad and his wife, the SEA hacked the inbox of the opposition Syrian National Council Chairman, Burhan Ghalioun. It subsequently published Ghalioun’s emails, which it maintained proved the regime’s claims that Ghalioun was collaborating with the US and Saudi Arabia.⁵⁸ The hack formed part of the hackers’ sustained harassment of the Syrian opposition that ultimately amounted to a digital war of attrition. In this way, the regime leveraged the hackers’ physical and performative closeness to distract the opposition from its primary goal of overthrowing President al-Assad, freeing itself to focus solely on stabilization and survival.

In another example in late 2013, hackers targeted 63 activists, journalists and opposition military figures as the armed opposition prepared an assault on the strategic town of Khirbet Ghazaleh.⁵⁹ The hack stole battle plans including fighter rosters, munitions calculations and annotated satellite maps. FireEye, the cybersecurity firm that uncovered the attack, noted its precision, observing that despite the scale of operation, stolen data was chosen with care: “There were only a few instances where the group downloaded movies, empty files, end user licensing agreements, baby pictures, school papers, and other seemingly extraneous material.”⁶⁰ The identity of the hackers, who appeared to be based in Lebanon, was unknown, although FireEye noted that they used “eerily similar methods” to those mentioned in the leaked summary of the 2012 Syrian intelligence cyber training workshop in Lebanon noted above. In this regard, the shadowiness of the operation exemplified the technologically-spurred blurring of the lines between the physical and the digital, the real and the virtual, in that it almost completely concealed the identity of the perpetrator.⁶¹ What was not blurred however was the identity of the potential beneficiary: FireEye explained that the hack provided “actionable military intelligence for an immediate battlefield advantage.”⁶² In this case, the boundaries between state and non-state were blurred beyond recognition as the two entities acted in unison to stabilize the regime. It was as if the digital devolution had never taken place. Distance in the digital authoritarian sense could therefore be a metric, idea or both, and the Syrian regime leveraged this dynamic digital devolution process in order to survive.

This distance shifted further as the war entered semi-dormancy in the late 2010s and the regime signalled a desire to formally integrate the hackers into its own structure. In 2018, al-Masri speculated that the SEA was being re-launched with a “new mission as a domestic cyber police” as the regime attempted to “reimpose sovereignty over the Syrian populations and territories that it controls.”⁶³ In an interview that same year posted on the SEA YouTube channel, a purported SEA leader Yassir al-Sadiq appeared to re-frame the group’s history, claiming that while the SEA was never funded by the regime, it was “established with government approval. We have documented everything we do with the government, and we work under the supervision of the government.”⁶⁴ He expressed hope that the SEA would receive government funding in the future. A report released by Meta in late 2021 further suggested that the SEA was moving along Healey’s spectrum towards state-integration: Meta identified two malware campaigns emanating directly from the Syrian Air Force Intelligence Directorate, one of which was directly linked to the SEA, which it argued had “been subsumed into the Syrian government forces in recent years.”⁶⁵ This exemplified the impermanence of digital devolution: It can be reversed at any time, highlighting the softness of concepts such as civilianness, independence or distance in the context of digital authoritarianism, which are subject to constant change in line with authoritarian population management needs and broader stabilization and survival agendas.

The outcome: being simultaneously near and far amid digital devolution

While questions of distance in the regime-hacker nexus have been a pre-occupation of the regime, hackers and observers alike, the ultimate effect of digital devolution was that the space between the regime and its citizens became immaterial. The constant instrumentalization of space meant that the regime could straddle invisibility, visibility, distance and proximity as it saw fit. Similar to Cristiano’s findings on cyberwarfare,⁶⁶ the SEA has often been dismissed because many of its public-facing activities appeared staged solely for their Spectacle.⁶⁷ But perhaps corporeality was not the point: As the co-founder of the National Alliance for Syria Sarab al-Jijakli surmised:

If the goal is to exert influence and put people on notice that they have reach everywhere, I think it’s successful … If it's to change hearts and minds of the revolutionaries or the world at large, I don’t think they achieve that. But I don’t think that’s the goal.⁶⁸

By being sometimes near and sometimes far – while maintaining overlapping agendas and goals – the hackers and the regime combined to send a message to their opponents that nobody was beyond their reach. The manipulation of distance and the skewing of scale echoed Warf and Fekete’s observation that technology unevenly bounds objects across space,⁶⁹ enabling it to reach distant opponents – either in reality or cognitively – and creating an impression that the regime was everywhere. Digital devolution, therefore, sows the seeds of citizen paranoia and fundamentally changes how the regime manages its population because it enables it to reach further and more intensively into their lives than ever before.

In late 2013, the SEA publicly announced that it had hacked the email accounts of seven high profile Syrian opposition figures, only three of whom confirmed that their accounts had been compromised. When approached by Vice, Washington DC-based SOC figure Oubab Khalil, who was also an alleged victim, claimed to not be aware that he had been hacked: “I have not known about this before, that’s like the first time [I’ve heard] about this … [but] If they have access, they have access.”⁷⁰ Another so-called target, SOC advisor Oubai Shahbandar, emphatically denied that his accounts had been compromised. Although the SEA provided screenshots that purported to prove the operation’s success, the truth will likely never be known, and in some ways was not important. The invisibility and unknowability of patriotic hackers, and their shadowy nexus with the regime meant that the opposition had to live with the fear that they had already been compromised. Opponents could never truly know where the regime or its followers were at any one time, and hackers often leave no trace. This instrumentalization of distance between the Syrian regime and the country’s patriotic hackers in the context of the technology-spurred blurring of the world had enabled the Syrian regime to transcend space; to be everywhere while being nowhere at all. Digital devolution had added omnipresence to the regime’s stabilization and survival toolkit.

Conclusion

The nexus between the Syrian regime and the country’s patriotic hacking community provides a key opportunity to observe digital devolution in the context of digital authoritarianism. The devolution process was manipulated by the regime to at times perform distance from the hackers by drawing out space to garner legitimacy and build a veneer of civilian approval. At other junctures, the regime drew the hackers close to exercise greater control or to achieve coercive goals, appearing to reverse the entire devolution process. Over the course of the hackers’ first decade of operation, the hackers could be described at various points on Healey’s spectrum of state-influence, seamlessly changing shape alongside the regime’s stabilization needs and survival agenda.

But the emergence of patriotic hackers in Syria marked more than just the strategic devolution of control that has previously been noted in authoritarian regimes. While the hackers’ existence undoubtedly conferred de-democratization benefits onto the regime, digital devolution had the added benefit of blurring space, power and the boundaries of the regime itself. First, this served the regime’s survival agenda: where the delegation of such security-adjacent tasks would once have been laden with risk, the dynamic nature of digital devolution meant that the regime could both hide behind the attribution blur to shield itself from external blowback, while also minimizing the domestic risk of the devolution by being able to re-take control over the hackers to ensure a total alignment in goals. Second, the hybridity and absence of corporeality in the online realm supported continual shifts in the regime-hacker nexus, creating such ambiguity that it became impossible for opponents to differentiate between the hackers and the state, or to even know whether they had been successfully targeted. It is difficult to overstate the implications of these shifts in the existing practices of how the Syrian regime manages its population to mitigate threats from within.

These findings are significant for scholars of digital authoritarianism and authoritarianism more broadly as they provide insights into the ways that authoritarian regimes are adapting to the digital world, and instrumentalizing digital practices to manage their populations and serve their survival agendas. While devolution has long played a role in authoritarian regime stabilization agendas, this article has drawn attention to the novel mechanisms of digital devolution, and in particular the process of constant authoritarian decentralization and re-centralization that it supports. The findings suggest that digital devolution can blur the normative boundaries of authoritarian regimes, representing new processes of population management that facilitate innovative modes of de-democratization and stabilization. Further work is now required to examine other examples of digital devolution to understand its broader novelty and effects.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work was supported by Australian Research Council: [grant number DE220100622].

Notes on contributors

Dara Conduit

Dara Conduit is an Australian Research Council DECRA Research Fellow and a Lecturer in Political Science in the School of Social and Political Sciences at the University of Melbourne, and a Non-Resident Scholar at the Middle East Institute in Washington D.C.

Notes

1 Bea, “Can the SEA Weaponize Twitter.”

2 Al-Assad, “Speech by President Bashar Al-Assad.”

3 For an interesting discussion of the 10-point spectrum of state responsibility for patriotic hacking, see: Healey and Grinberg, “‘Patriotic Hacking’ is no Exception.”

4 Dahan, “Hacking for the Homeland.”

5 See for example: Healey and Grinberg, “‘Patriotic Hacking’ Is No Exception”; Lokot, “Public Networked Discourses”; Hare, “Privateering in Cyberspace.”

6 Feldstein, The Rise of Digital Repression, 77.

7 Young, “Why Authoritarian Governments Love.”

8 Morgenbesser, The Rise of Sophisticated Authoritarianism.

9 Glasius, “Illiberal and Authoritarian Practices”; Feldstein, The Rise of Digital Repression; Deibert, “Cyberspace Under Siege.” ; Khalil, “Digital Authoritarianism.”

10 Meserole, “Exporting Digital Authoritarianism”; Kerr, “Information, Security, and Authoritarian Stability.”

11 Morgus, “The Spread of Russia’s Digital Authoritarianism.”

12 Landry, Decentralized Authoritarianism in China, 3.

13 Clark, Local Politics in Jordan and Morocco, 7.

14 Hasmath, Hildebrandt, and Hsu, “Conceptualizing GONGOs”, 271.

15 Yoroms, “Militias as a Social Phenomenon”, 35.

16 Yoroms, 36.

17 Allen, Topologies of Power, 3.

18 Conduit, “Authoritarian Power in Space, Time and Exile”, 2.

19 Warf and Fekete, “Relational Geographies of Cyberterrorism and Cyberwar”, 146.

20 Ibid., 146.

21 LeVine, “Artificial Intelligence Is Making It Easy.”

22 Brake, “The Invisible Hand of the Unaccountable Algorithm”, 27.

23 Zeadally and Flowers, “Cyberwar”, 14.

24 Cristiano, “Bodies of Cyberwar”, 152–3.

25 Gertz, Verbeek, and Douglas, “Cyberwar and Mediation Theory”, 72.

26 Cristiano and Distretti, “Toward an Aesthetics by Algorithms.”

27 Jordan, “Blurring Boundaries”, 181.

28 Scott-Railton et al., “Group 5: Syria and the Iranian Connection,” 5; Wilhoit and Haq, “Connecting the Dots”; Dvilyanski and Agranovich, “Taking Action Against Hackers.”

29 Syrian Electronic Army, “The Story of the Syrian Electronic Army.”

30 SANA, “Syria’s E-Army Foils Plots.”

31 Syrian TV Satellite Service, “Syrian Electronic Army.”

32 Shahhud, “Syrian TV Reports.”

33 Maurer, Cyber Mercenaries. 89.

34 Bertram, “‘Close Enough’”, 12.

35 Cited in Walker and Hall, “Associated Press, Financial Times and BBC Have Been Hacked.”

36 O’Brien, “Syria’s Assad Gives Tacit OK.”

37 Newsdesk, “After Being Shut Down.”

38 General Intelligence Directorate, “Memorandum to Inform the Director General.”

39 Faris, “The Hackers of Damascus”, 76.

40 Maurer, Cyber Mercenaries; Bertram, “‘Close Enough’”; Walker and Hall, “Associated Press, Financial Times and BBC Have Been Hacked.”

41 Healey and Grinberg, “‘Patriotic Hacking’ Is No Exception.”

42 Lokot, “Public Networked Discourses”, 104.

43 Noman, “The Emergence of Open and Organized Pro-Government Cyber Attacks.”

44 Poulsen, “SEA Takes Down The New York Times.”

45 Healey and Grinberg, “‘Patriotic Hacking’ Is No Exception.”

46 Jeffries, “SEA: Pro-Government Propaganda, or Just Trolling.”

47 Rusch, “Thomson Reuters Twitter Account Hacked.”

48 Han, Contesting Cyberspace in China, 128.

49 Al Akhbar English, “SEA Releases Secret Documents.”

50 Syrian Electronic Army, “Home.”

51 Choney, “SEA Kicked off the Web.”

52 Department of Justice, “Computer Hacking Conspiracy Charges Unsealed.”

53 FBI, “Two From SEA Added to Cyber’s Most Wanted.”

54 Galperin and Marquis-Boire, “The Internet Is Back in Syria.”

55 Healey and Grinberg, “‘Patriotic Hacking’ Is No Exception.”

56 Franceschi-Bicchierai, “The SEA’s Most Dangerous Hack.”

57 Ferran, “Interview With Alleged Member of the SEA.”

58 Galperin and Marquis-Boire, “New Wave of Facebook Phishing Attacks.”

59 Regaldo, Villeneuve, and Scott-Railton, “Behind the Digital Front Lines.”

60 Ibid., 6.

61 Jordan, “Blurring Boundaries”, 181.

62 Regaldo, Villeneuve, and Scott-Railton, “Behind the Digital Front Lines”, 18.

63 Al-Masri, “The New Face of the SEA.”

64 Syriana FM, “Interview with the Leadership.”

65 Dvilyanski and Agranovich, “Taking Action Against Hackers.”

66 Cristiano, “Bodies of Cyberwar.”

67 See for example: Deibert, “SEA: Disruptive Attacks and Hyped Targets.”

68 Jeffries, “SEA: Pro-Government Propaganda, or Just Trolling.”

69 Warf and Fekete, “Relational Geographies of Cyberterrorism and Cyberwar.”

70 Franceschi-Bicchierai, “The SEA’s Most Dangerous Hack.”