1,020
Views
0
CrossRef citations to date
0
Altmetric
Research Articles

Saving face in the cyberspace: Responses to public cyber intrusions in the Gulf

ORCID Icon & ORCID Icon

ABSTRACT

How do states “save face” following a cyber intrusion directed at them? Recent scholarship demonstrates that the covert nature of cyber intrusions allows states to respond with restraint, avoiding escalation. But what happens when cyber intrusions become public and are highly visible? This article examines the rhetorical strategies employed by authoritarian Gulf states to mitigate the image-related costs associated with a public cyber intrusion. Drawing on the conceptual language of image-repair and crisis communication theories and employing discourse analysis of original data in Arabic, we identify three types of face-saving strategies: diminishing, self-complimenting, and accusing. Our findings indicate that intrusions involving leaking or faking information bring about unique “face-saving” strategies that do not only deal with the intrusion itself but also with the subsequent information crisis. Overall, the article identifies how states employ diverse rhetorical strategies—beyond attribution—to narrate cyber intrusions and keep cyber conflict contained.

In July 2017, nearly two months after Qatar had suffered a cyber intrusion, the Qatari Ministry of Interior (MOI) held a press conference to reveal evidence concerning the intrusion. Rather than only providing technical details, the MOI broadcasted a dramatic video with intense music, thrilling graphics, and a spy-style vibe to reveal the intrusion step-by-step (Qatar MOI, 2017). In addition to delegitimizing cyber intrusions as acts of terrorism, the video emphasized the Qatari remarkable success in containing the intrusion and detecting its source despite the intrusion’s sophistication.

The Qatari press conference is not unique. When cyber intrusions become public knowledge, states do not only engage in technical strategies to block the intrusion and identify the initiator, but also manage their public relations—they publish messages, hold press conferences, brief reporters, and rhetorically try to manage this crisis. These performative, social, and symbolic strategies are often left unnoticed in existing research on cyber discourse. While extant studies examine different elements in the discursive construction of cyberspace, threats, and responses (e.g., Branch, Citation2019; Dunn Cavelty, Citation2008, Citation2013; Hansen & Nissenbaum, Citation2009; Jarvis et al., Citation2017), we know less about the narration of cyber intrusions after they had happened. Of course, many studies zoom-in on the discourse of attribution or credit-claiming by the initiators (e.g., Brown & Fazal, Citation2021; Egloff, Citation2020a, Citation2020b; Lupovici, Citation2016a; Poznansky & Perkoski, Citation2018), but as this article demonstrates, there is much more going on discursively following cyber intrusions.

This article explores the rhetorical strategies used by governments in response to a public cyber intrusion they suffered. In addition to obscuring the extent of the damage inflicted, protecting intelligence sources or technical capabilities, and identifying the initiator, we suggest that states employ rhetorical strategies to “save face”—to protect their public image in front of domestic, regional, or international audiences. Drawing on two scholarly traditions—the sociology of accounts and apologies (Benoit, Citation2014; Schlenker, Citation1980; Scott & Lyman, Citation1968) and self-presentation theories (Goffman, Citation1959)—the article maps and categorizes the rhetorical strategies used by Gulf countries to narrate the public cyber intrusion and manage their public impression. We do so via an original discourse analysis of official statements and state-sponsored media reports in five cyber intrusions that differ in their targets and methods: Saudi Arabia’s response to cyber intrusion against its oil company Aramco (“Shamoon,” August 2012), Saudi Arabia’s response to a “hack-and-leak” intrusion (May-June 2015), Saudi Arabia’s response to intrusions using “Shamoon 2.0” malware (November 2016-January 2017), Qatar’s response to a “hack-and-fake” intrusion (May 2017), and Bahrain’s response to multiple hacking operations (July-August 2019).Footnote1

Examining the strategies used by these states to “save face” is important for two reasons. Empirically, these strategies are a crucial stepping-stone to understanding the restraint and the limited nature of cyber conflicts. Existing International Relations (IR) scholarship focuses on the operational aspects of offensive cyber operations (OCOs), showing that targeted states practice restraint in their response to cyber intrusions, and that escalation is not a common practice (Fischerkeller et al., Citation2022, pp. 130–141; Gartzke, Citation2013; Jacobsen, Citation2021; Kaminska, Citation2021; Lindsay, Citation2013; Valeriano & Maness, Citation2015).Footnote2 However, we have little knowledge of how that restraint is legitimized, justified, and buttressed publicly. As Steele (Citation2019) argues, in addition to systemic considerations, normative commitments, or institutional constraints, restraint needs to be strategically narrated. When cyber intrusions go public—such as in the cases below—targeted states employ “face-saving” strategies to contain the crisis and avoid escalation. In light of research that emphasizes the importance of public attitudes toward retaliation against cyber intrusions (Hedgecock & Sukin, Citation2023; Kreps & Schneider, Citation2019), the rhetorical strategies described below can be used to reduce pressure to retaliate as well as to justify why retaliation is not necessary. In the broader discussion about the possibilities for de-securitizing cyber intrusions, the content of the rhetoric described below can be seen as an attempt to “lower the cyber rhetoric and hyperbole” or “tone down” its existential dimensions (Burton & Lain, Citation2020, pp. 462–463).

Theoretically, our findings broaden constructivist scholarship on the repertoire of strategies used by states to cope with image-related damage. Existing works on stigma, shaming, and wrongdoing examine how states respond to accusations regarding their normative transgressions, and how they deal with the harm to their image and identity—employing strategies of avoidance, rejection, acceptance, or containment (Adler-Nissen, Citation2014; Haugevik & Neumann, Citation2021; Subotic & Zarakol, Citation2013). In contrast, this article analyzes a different type of image-related harm, caused by being vulnerable. Doing so, allows us to uncover additional micro-strategies used by states to manage their images. Thus, the empirical findings from the cyber context can serve as a starting point to explore “face-saving” discourse in other contexts of perceived state failures—inability to deal with an environmental disaster, a health crisis, or even in response to some kinetic attacks. We discuss these possibilities in the concluding section.

The Gulf countries are particularly useful for theory development regarding face-saving rhetoric in the cyber context. These countries are particularly concerned about their domestic and international image and they tie this image to their level of technological development (Hertog & Luciani, Citation2011, p. 248; Shires, Citation2021b, p. 27). Further, focusing on the Gulf countries sheds light on a non-Western cyber conflict context and underscores the agency of states located in the Global South to publicly interpret cyber intrusions in front of domestic, regional, and international audiences.

We begin by situating this study within the intersection of cyber conflict and impression management. Building on existing literature on offensive cyber operations, we suggest that public, visible, and high-profile cyber intrusions might be perceived by domestic and international audiences as embarrassing to the targeted states. To manage this public impression, states adopt “face-saving” strategies intended to mitigate the harm to the state’s image. Following a methodological section detailing our procedure for discourse analysis, the article introduces a typology of “face-saving” strategies drawing partly on the conceptual language of “image-repair” and crisis communication theories (Benoit, Citation2014; Coombs, Citation1998). We find that Gulf countries have a repertoire of strategies—diminishing strategies, self-complimenting strategies, and accusing strategies—used to narrate the intrusion. Specifically, our discourse analysis shows that intrusions that involved faking or leaking information included additional rhetorical strategies than intrusions that involved hacking alone. We conclude our discussion by suggesting how our findings can travel beyond the cyber domain and the Gulf region.

Cyber intrusions and image costs

Our research question—how do states “save face” following a public cyber intrusion that they suffered—rests on the assumption that the publicity of the intrusion entails image-related costs. First, when a cyber intrusion becomes public knowledge (i.e., exposed by the media, the initiators, or third-party actors), it reveals the targeted state’s shortcomings and vulnerabilities. It publicly shows the targeted state’s incompetence to prevent or block an intrusion and its failure to guarantee security for its government offices, critical infrastructure, citizens, or investors. In addition to technical reasons and intelligence concerns (Broeders et al., Citation2019; Riemer, Citation2021), states' inability to block or prevent a cyber intrusion might be experienced (or at least seen by others) as damaging their self-image.Footnote3

The existing literature on cyber conflict already points to these image-related costs faced by targeted states. Rid (Citation2012) suggests that there are incentives for governments and firms to keep cyber intrusion secret “lest they would expose their vulnerabilities and damage their reputation as a place for secure investment” (pp. 28–29). Waxman (Citation2013) claims that targeted states “may be reluctant to disclose details or even the very existence of cyberattacks, whether to protect secrets about their vulnerabilities and defenses, prevent public panic, avoid political embarrassment, or escape unwanted domestic pressure to take retaliatory actions” (p. 119). Libicki (Citation2012) explains that targeted states might say nothing in response to a cyber intrusion because it would require them to “admit that their machines and they, by extension, were conned,” and because “there is no pride involved in being a victim” (p. 45). While in some cases, targeted states prefer to disclose the fact that they have been attacked (for instance, to justify retaliation), existing data show that targeted states often choose not to do so (Baram & Sommer, Citation2019).

Second, some cyber intrusions purposefully seek to embarrass the target by revealing sensitive data, government secrets, intimate details, or even planting “fake news” (Kostyuk & Zhukov, Citation2019, p. 320; Lindsay, Citation2015, pp. 56–57; Nye, Citation2017, p. 48; Sharp, Citation2017; Shuya, Citation2018, p. 11). This intensifies the concern for the state image—not only that the initiator successfully penetrated supposedly protected computer systems, but it also manipulated sensitive information or exposed private information to the public. Leaking sensitive information often reveals a gap between the government’s statements and its practice or reveals governmental wrongdoing that the government was trying to hide. Indeed, Shires (Citation2020) conceptualizes “hack-and-leak” intrusions as a simulation of a scandal aimed to embarrass the target.

Public discourse also reproduces the perception that being attacked in cyberspace damages the state’s image. For instance, successful intrusions into the websites or services of government agencies are described as “embarrassing” or “humiliating” (Ashkenaz, Citation2022; Bob, Citation2022; Kahan, Citation2020; Kalman, Citation2011). Referring to the theft of US government workers’ data from the Office of Personnel Management (OPM), attributed to China, Gen. Michael Hayden, former director of the CIA, reflected on the US image, noting: “This is not ‘shame on China.’ This is ‘shame on us’ for not protecting that kind of information” (Paletta, Citation2015). Following the hack of the British Army social media accounts, a UK parliament member claimed it was “embarrassing” (Clinton, Citation2022). As the literature on emotions and IR argues, these various affective modes—shame, humiliation, or embarrassment—have undesirable implications for states’ sense of Self and how they are seen by significant others (Lupovici, Citation2016b, pp. 66–69; Subotic & Zarakol, Citation2013).Footnote4 Anecdotally, the term “p0wned” is used in hackers’ slang to signal humiliation—being defeated or controlled by someone else.

The understanding that states are concerned about their image and that image-related concerns matter for conflict escalation is not new to IR literature. Several studies indicate that humiliating or embarrassing an opponent might magnify pressures to retaliate due to the psychological features of specific leaders, public demands, or concerns regarding the international image of the state (Carson, Citation2016; Masterson, Citation2022; Wolf, Citation2011; Yarhi-Milo, Citation2018). Another line of research elaborates on the “face work” employed by states to mitigate embarrassment, shame, or guilt. For instance, in response to international accusations regarding normative transgressions, states use strategies such as apologizing, counter-shaming, or containing in order to protect the damage to their image (Adler-Nissen, Citation2014; Haugevik & Neumann, Citation2021; Kampf & Löwenheim, Citation2012; Lind, Citation2011; O. Löwenheim & Heimann, Citation2008; Snyder, Citation2020). A public cyber intrusion brings about an analytically different challenge to the state’s image, similar to the one felt when admitting a failure or an injury.

When a cyber intrusion becomes public knowledge, states need to mitigate these image-related costs by narrating the event. As the broader research agenda linking constructivist IR to cybersecurity highlights, cyber intrusions are not merely technical phenomena but socio-political ones that are inter-subjectively interpreted. For instance, several studies trace how cyber-related discourse (e.g., representations, metaphors, and analogies but also non-textual practices) constitutes cyberspace as a domain, frames particular policy problems and solutions, and forges links between cyber, security, or risks (Branch, Citation2019; Deibert & Rohozinski, Citation2010; Dunn Cavelty, Citation2008, Citation2013; Hansen & Nissenbaum, Citation2009; Jarvis et al., Citation2014). Similarly, attribution, rather than being a purely technical process, is a socially managed one that instills meaning in an uncertain cyber intrusion (Egloff, Citation2020b; Lupovici, Citation2016a). Moreover, cyber intrusions might challenge states’ ability to function as ontological security providers. Such intrusions may challenge the state’s role to serve as a secure space for the nation (Lupovici, Citation2023). Thus, public and visible cyber intrusions require states to craft symbolic and performative strategies to “save face”—to protect or enhance their image, perform as security providers, and avoid the unease associated with the intrusion. In addition to other goals, such as obscuring the extent of the damage inflicted or repairing diplomatic relations with the potential initiator, targeted states need to address, explain, and narrate what happened. The following section discusses these strategies.

Responding to public cyber intrusions

When cyber intrusions remain covert (not publicly known or exposed), they take place “backstage” without much public audience. In such cases, targeted states can choose to remain silent—concealing the fact that they have been attacked, avoiding public embarrassment altogether, and removing the need to employ a rhetorical strategy. For instance, several successful hacking operations by CopyKittens—a cyber espionage group associated with Iran—were never reported in the mainstream Arab media. Despite the successful extraction of a large amount of government and military data in Saudi Arabia and the exposure of the intrusion by private cyber companies, the Saudi government never disclosed that such an intrusion took place.

When cyber intrusions have visible consequences, such as damage to the global oil supply, a massive leak of data, or a kinetic impact, it is harder for states to remain silent. In these moments, states can seize the inherent ambiguity and the lack of details to deny that there was any intrusion. For instance, states can claim that a technical malfunction or an accident happened, thus suggesting that the incident was out of their control. For example, the cyber intrusion that caused a major power outage at the Natanz nuclear facility in April 2021, was first described by Iran as an “accident” (Coulter, Citation2021).

These two strategies—staying silent or denying a cyber intrusion took place—are not always viable. Cyber intrusions sometimes become public knowledge when they are exposed by external actors or by the targeted state itself.Footnote5 In such moments, states need to face domestic, regional, and international audiences and explain why were they targeted, why was the intrusion successful, and what measures have been taken to address the situation. In other words, states engage in “remedial self-presentation” (Schlenker & Darby, Citation1981) to narrate their failure and cast themselves in a less negative light.Footnote6

To identify these rhetorical strategies, we draw on literature focusing on “Image Repair” and Situational Crisis Communication Theory (SCCT) (Benoit, Citation2014; Coombs, Citation1998). These works primarily examine the strategies used by corporations to repair their reputations following a crisis. By releasing official statements, organizing press conferences, conducting interviews, and sending messages to the public, corporate officials engage in rhetorical strategies aimed at framing the crisis in a certain way and protecting the corporation’s reputation in front of multiple audiences. These strategies involve denial (“the event did not happen”), evading responsibility (“the event was accidental”), reducing offensiveness (“the event was not that bad” or “despite the event, we are so good”), mortification (“we apologize for the event”), and corrective action (“we are taking steps to prevent future similar events”) (Benoit, Citation2014, pp. 22–29).

Translating these insights to the cyber realm, we expect the choice of rhetorical strategy to depend on the kind of event. Specifically, intrusions that involve leaking sensitive information or spreading fake rumors might be particularly damaging to the state’s image. Not only that targeted states have to deal with the intrusion itself but they also need to address the scandal regarding the leaked or falsified information (Shires, Citation2020). In these cases, we expect to find intense rhetorical strategies addressing the leaked or falsified information. Drawing on the conceptual language of “image repair” and crisis communication theories, this article employs original discourse analysis to identify the rhetorical strategies used by Gulf states to mitigate the image-related costs caused by a publicly visible cyber intrusion and when they use each. To do so, we use an abductive methodological approach as detailed in the following section.

Methodology

Case-selection

Our analytical approach to studying states’ discursive responses to cyber intrusions follows several steps. The research question, which focuses on governments’ rhetorical responses, led us to focus only on intrusions that targeted government agencies or critical infrastructure within a country. Intrusion that targeted non-state actors, commercial companies, or societal organization were not studied. We further limited the universe of cases to include only cyber intrusions that took place in the Gulf countries for three main reasons. First, in general, cyber interactions tend to be of regional character and the Middle East has been known as one of the most active regions in terms of cyber activity (Valeriano & Maness, Citation2015, p. 129). However, the Gulf countries share unique features that distinguish them from other countries in the region both domestically and in relation to cyber conflict (Shires, Citation2018, p. 34). The exclusion of other countries in the region is also useful to limit the comparison to relatively similar political systems and patterns of civil-society relations.

Second, the Gulf countries are particularly useful for theory development regarding “saving face” strategies. These countries have been known to be particularly occupied with their domestic and international image. Their political economic strategy is significantly based on projecting a strong, innovative, and technologically modern image abroad (Cooke, Citation2014; Gray, Citation2016; Kamrava, Citation2013). In addition, their neo-patrimonial and authoritarian character means that domestic political rule is based on fostering an image of strong leadership, maintaining a high degree of control over information, and silencing criticism in order to sustain regime legitimacy (Dukalskis, Citation2021; Gray, Citation2011, p. 7; Khatib & Maziad, Citation2019, p. 9).

Third, most of the scholarly and policy debate about cyber conflict has focused on Russia, China, and the United States as well as the challenges posed by North Korea and Iran (Buchanan & Cunningham, Citation2020; Farwell & Rohozinski, Citation2011; Lindsay et al., Citation2015; Shackelford et al., Citation2017). Little attention has been paid to the Arab world compared to other regions (For an exception, see Shires, Citation2021b). Similarly, most works on cyber intrusions rely on English sources. Instead, we analyze original documents in Arabic to study how state elites mediate cyber intrusion to their public.

To identify the relevant cyber intrusions, we built an original dataset of Arabic sources using the general framework of the Dyadic Cyber Incident Dataset (DCID) version 1.1 as a baseline and added data for the years 2010–2019, based on the Council on Foreign Relations Cyber Operations Tracker dataset. We included only intrusions that were verified by two credible and reliable sources (such as cybersecurity companies’ reports as well as media reports such as the New York Times, Washington Post, Wall Street Journal, and more). Overall, our data includes the following five cases:Footnote7

  1. Cyber intrusion on the Saudi oil company Aramco (Shamoon, August 2012): On August 15, 2012, Saudi Arabia's national oil and gas firm—and the world’s largest oil producer—Saudi Aramco, suffered a major cyberattack that infected more than 35,000 computers in the company’s network. The incident was first revealed on Pastebin by a message from a hacking group named “Cutting Sword of Justice” (Weitzenkorn, Citation2012). Later that day, Aramco’s Facebook page posted an English message noting that the company had isolated its systems as a precautionary measure due to a network disruption caused by a virus (Lennon, Citation2012). Despite its vast resources, Saudi Aramco took almost two weeks to recover from the attack and restore the damage (Bronk & Tikk-Ringas, Citation2013). The malware that was used for this attack, called Shamoon and revealed by the Russian-based cybersecurity company Kaspersky, erased data on three-quarters of Aramco’s corporate PCs—documents, spreadsheets, e-mails, files, and more. It was estimated that Iran was the initiator of this attack (Perlroth, Citation2012).

  2. Hack-and-leak intrusion in Saudi Arabia (May-June 2015): On May 20, 2015, as a Saudi-led coalition was conducting airstrikes in Yemen, the “Yemen Cyber Army” announced that they had hacked several Saudi ministries in “Operation Hussein Badreddin Al-Houthi,” named after the deceased leader of the Houthi armed movement in Yemen. The group declared they had gained “full control” of over 3,000 computers and servers belonging to Saudi Arabia’s Foreign, Interior, and Defense Ministries (Fars News Agency, Citation2015). They also released nearly 2,000 internal emails, documents, and information about citizens and personnel of the Saudi MFA (Paganini, Citation2015) In the following weeks, additional documents have been released and the group even threatened to wipe the MFA’s computers automatically. Finally, on June 19th, 2015, WikiLeaks released “The Saudi Cables” partially based on the “Yemen Cyber Army’s” hack (WikiLeaks, Citation2015). It has been estimated that Iran stands behind the “Yemen Cyber Army” (Franceschi-Bicchierai, Citation2015), although others have argued that this group is used as a front for the Russian group Sofacy (Bartholomew & Guerrero-Saade, Citation2016).

  3. Shamoon 2.0 in Saudi Arabia (November 2016-January 2017): At the end of 2016 and the beginning of 2017, Saudi Arabia suffered another major cyberattack, with similar characteristics to the 2012 one. These intrusions were publicly revealed by several US security firms (e.g., CrowdStrike, Palo Alto Networks, and Symantec) (Finkle & Wagstaff, Citation2016). Thousands of computers were damaged at the headquarters of the General Authority of Civil Aviation starting in mid-November, erasing critical data and bringing operations to a halt for several days (Riley et al., Citation2016). Another victim of this attack was the Jubail-based Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and U.S. company Dow Chemical. In this case, too, cybersecurity researchers estimated Iran was the initiator of the attack (Williams, Citation2017).

  4. Hack-and-fake intrusion in Qatar (May-June 2017): On May 24, 2017, the Qatari News Agency's (QNA) website, Twitter, and YouTube accounts published false statements allegedly made by the Emir of Qatar, Sheikh Tamim bin Hamad Al Thani. The false statements—focused on Qatar’s foreign policy—served as a pretext for a broader diplomatic crisis. Despite repeated Qatari statements that the information was fabricated, media outlets in the U.A.E. and Saudi Arabia engaged in a “sustained medial onslaught” against Qatar (Fattah, Citation2017; Ulrichsen, Citation2017). Further, only a few days after the incident, on June 5, Saudi Arabia, Egypt, Bahrain, and the U.A.E. (“The Quartet”) severed diplomatic and economic ties with Qatar, withdrew their nationals, and issued a travel ban on Qatar (Mitchell, Citation2021; Soubrier et al., Citation2021). While IP address data pointed to Russia, additional information and investigation pointed to the UAE as a more likely initiator (Shires, Citation2021a).

  5. Series of cyber intrusions in Bahrain (July-August 2019): In July-August 2019, Bahraini authorities detected and reported that several networks of Bahrain’s government agencies, including the Electricity and Water Authority, the National Security Agency, the Ministry of Interior, and the Office of the First Deputy Prime Minister were hacked. No discernible damage was reported, so the nature of these intrusions was not very visible publicly. The primary repercussion of these intrusions on Bahraini citizens seemed to be that during June, July, and August 2019, electricity and water bills were tremendously higher than usual, leading to many citizens’ complaints. It was estimated that Iran was the initiator of this attack (Doffman, Citation2019; Hope et al., Citation2019).

These cyberattacks and intrusions vary along two main dimensions: the method of the attacks and the type of target. The method of the attack ranges from hacking, hacking-and-leaking, hacking-and-faking, or covert disruption. The targets of the intrusions range from critical infrastructures (such as Saudi oil company Aramco) to governmental agencies (such as government ministries) as well as national media channels (such as the Qatari national news agency). The vast difference between the cases is quite useful for identifying common and divergent rhetorical strategies used when facing a public cyber intrusion.

Discourse analysis

Once all our cases were identified, we moved to systematically collect discursive responses to these intrusions. First, we checked whether a specific intrusion was reported in the state’s newspapers and whether state officials responded to this intrusion. Second, we collected all statements that were issued by an official state figure. In each country, we surveyed the official websites of the relevant authorities as well as their Facebook and Twitter accounts. We also looked at widely-circulated and semiofficial newspapers known to reflect the government’s approach (in Saudi Arabia—al-Riadh and al-Madina; in Bahrain—al-Bilad, al-Ayam; in Qatar—al-Watan and al-Raya). In addition, we included additional Arabic news sources, such as Alarabiya Net, Al-Jazeera, and Bahrain Mirror looking for references for cyber intrusions.Footnote8

To map the rhetorical strategies used in these texts, we employed abductive methodological reasoning. As explained by Friedrichs and Kratochwil (Citation2009), “[i]nstead of trying to impose an abstract theoretical template (deduction) or ‘simply’ inferring propositions from facts (induction), we start reasoning at an intermediate level (abduction)” (p. 709). This means that we moved back and forth between the categories already identified by “image-repair” and crisis communication theories and the empirical textual data at hand. On the one hand, we compared the textual data to existing categories identified by the literature (e.g., “bolstering” or “minimizing”). On the other hand, we coded new categories based on the emerging data. The coding procedure involved two independent research assistants blind to each other coding. After coding one case, we had a collaborative meeting to refine the labels and continued coding independently all the other cases. Thus, our abductive method combined the deductive ascription of preexisting categories with an inductive interpretation of the text. The full discursive data, which includes about 240 statements, appears in the supplemental material file.

Messages are crafted to shape the opinion of a target audience. Looking at discourse in Arabic makes it difficult to determine which audience was targeted. While governments probably address their domestic audience, they also take into consideration regional Arab-speaking audiences. This is particularly true in the Gulf context, where neighboring countries are involved in initiating the cyber intrusions described below. Official press conferences and announcements are also targeting international audiences, as English-speaking media picks up and translates government messages. Thus, our analysis cannot determine audience-related influences, and this aspect merits additional research.

“Face-saving” strategies following public cyber intrusions

Based on the discursive data, we can identify multiple “face-saving” strategies used by Gulf countries following a public cyber intrusion. These can be classified under three broad categories: diminishing strategies, self-complimenting strategies, and accusing strategies. These differ from one another in their object of focus (the attack, the state itself, or the initiator) and in the way they address the image-related needs of the state. Diminishing strategies reduce the impact and the seriousness of the intrusion itself. Self-complimenting strategies seek to portray the targeted state in a good and positive light. Accusing strategies direct the attention toward the initiator. below summarizes the various strategies.Footnote9

Table 1. Rhetorical strategies following a cyber intrusion.

Diminishing strategies

Diminishing strategies involve (1) minimizing the effect of the intrusion or (2) normalizing it as a routine part of international politics. In cases of hack-and-leak and hack-and-fake intrusions, another strategy manifests itself: (3) debunking—claiming that the information is fabricated.

First, states use a minimizing strategy to reduce the impact, magnitude, or scale of the incident, claiming that nothing serious has happened (“it’s not as bad as it seems”). This strategy seeks to convince the audience that the incident is not significant and that no serious damage was incurred, thus reducing the damage to the state’s image. For instance, following the 2012 intrusion on Aramco, the spokesperson of the Ministry of Interior, Maj. Gen. Al-Turki, organized a press conference, claiming that “the hacking attempt did not reach its goals” (Al-Ghamdi, Citation2012). Immediately after, the chairperson of the investigation committee and the deputy director-general of strategic planning in Aramco added that despite some damage, “the attackers did not reach their intended goal … ” and that “there was no impact on the company's continued oil and gas production” (Al-Ghamdi, Citation2012). Following the 2017 intrusion using Shamoon 2.0, the Saudi Ministry of Environment, Water and Agriculture stated that “our systems operate at full capacity and were not affected by that attacks of Shamoon 2.0 attacks and the ransomware virus” (Okaz, Citation2017). To mitigate the public damage caused by planning fake information on the Qatari news website, Qatar’s Minister of Foreign Affairs emphasized that “the cooperation between Qatar and the United States or any other friendly country was not affected” (Qatar MFA, Citation2017f).

Second, states use a normalizing strategy to reduce the uniqueness of the event, framing it as a routine part of global politics (“nothing is out of the ordinary”). By claiming that other states experience cyber intrusions or that they happen all the time, this strategy de-individuates the targeted state (i.e., avoids signaling it out) and reduces some level of responsibility from the targeted state. In the case of hack-and-leak or hack-and-fake intrusions, states can claim that the information leaked does not reveal anything out of the ordinary. Following the 2012 intrusion on Aramco, the company stated that “Aramco is not the only company that was exposed to this type of operations, and this isn't the first nor the last time we'll see this type of attack” (Al-Hawawi, Citation2012). In 2016, after the intrusion of the Saudi Ministry of Foreign Affairs, Abdullah Al-Saadoun, the chairperson of the Security Affairs Committee in the Saudi Shura Council stated that: “the Kingdom is targeted the same as other countries, and all countries suffer from these attacks” (Al-Turaisi, Citation2016). In Bahrain, a technology expert and a parliament member noted the fact that there are numerous intrusions all over the world and emphasized that even American companies lost money due to cyber intrusions (Al-Bilad, Citation2019).

Third, in the context of hack-and-leak or hack-and-fake cyber intrusions, states can use a debunking strategy and claim that the information is fabricated (“this is a lie”). When using this strategy, states will provide evidence that the information is untrue and will try to change the narrative to highlight their version of the truth. Debunking does not only involve disputing the content of the information but also preventing the dissemination of the information by issuing “fake news” warnings or even shutting down media channels (especially in more authoritarian settings). In the Qatari, Bahraini, and Saudi (2015) cases, official representatives issued statements emphasizing the leaks are fabricated (Al-Bilad, Citation2017; GCO, Citation2017; Qatar MFA, Citation2017b, Citation2017a; Saudi Arabia, MFA, 2015a, 2015b).

Overall, diminishing strategies help protect the image of the targeted state by reducing the magnitude of the failure and trying to change beliefs regarding the responsibility of the targeted state. A minimization strategy seeks to convince the audience that the intrusion was not significant (hence, the state failure was not that bad). In addition to the domestic audience, this strategy can be also used to signal to the initiator that their intrusion did not achieve its goals. By employing these strategies, the victim aims to downplay potential tensions and subtly communicate a message to the adversary. A normalization strategy seeks to convince the audience that cyber intrusions are a regular feature of international politics (hence, there is nothing uniquely wrong about the targeted state). A debunking strategy seeks to convince the audience that leaked information is wrong (hence, rectifying the image of the targeted state).

Self-complimenting strategies

States can use self-complimenting strategies to highlight their positive traits. They “mitigate the negative effects of the act on the actor by strengthening the audience’s positive affect for the actor” (Benoit, Citation2014, p. 24). Specifically, our findings identify three such strategies. First, as image-repair theorists note, states can use a bolstering strategy to identify themselves “with something viewed favorably by the audience” (Ware & Linkugel, Citation1973, p. 277). In this strategy, states emphasize their successes, their international connections, and their good values (“look how good we are”).

In several of our cases, the state officials emphasized their success in quickly blocking the intrusion or continuing their operations despite it. Some statements highlight that the state did so independently without help from external sources (Al-Ghamdi, Citation2012), while other statements emphasize how quick and efficient the state was in dealing with the intrusion or how many intrusions had been blocked before (Al-Arabiya, Citation2017; Al-Bilad, Citation2019; Al-Hawawi, Citation2012). Further, the statements often noted the good standing of the state within the international community and their ability to secure international cooperation to investigate the intrusion (Al-Ghamdi, Citation2012; Qatar MFA, Citation2017c, Citation2017d, Citation2017e).

Second, states can assure the audience that measures have been taken to guarantee future protection. We label this strategy reasserting control as it involves a symbolic display of efforts showing that the government is committed and well-functioning (“everything is under control”). Our findings show that states repeatedly emphasized that they would investigate, establish new cyber institutions, and develop new cyber regulations. Further, in many cases, press conferences included specific and detailed technical explanations to signal authoritative and thorough knowledge regarding what happened. Qatar, which suffered a hack-and-fake intrusion, even produced an impressive and dramatic movie clip documenting the intrusion step-by-step. The image-related dimensions of this clip, broadcasted publicly during a press conference, are self-evident (Al-Shiyadhmi, Citation2017).

Third, in the context of hack-and-leak and hack-and-fake intrusions, states need to work “uphill” to correct the information that was leaked or faked. Thus, states use the strategy of correcting, which involves rebutting misinformation by providing an alternative and beneficial description of the “truth” (“let me tell you what really happened”). The goal of a correcting strategy is to replace the image cultivated by the leaked or fabricated information with a new—more positive—image. The correcting strategy was intensively used by Qatar following the planting of a fake news story on the QNA website. Qatari officials released statements emphasizing that “the relationship between Qatar and the United States is strong and strategic” or that “Qatar has always maintained friendly relations with the Gulf States” (Qatar MFA, Citation2017f; ‏وزارة الخارجية - قطر‎, Citation2017). The correcting strategy was used only in the Qatari case. In this case, a lot of embarrassing information was published in a short time and it seems that choosing the correcting strategy was an efficient way for Qatar to mitigate the embarrassment.

Overall, self-complimenting strategies aim to improve the image of the targeted states following a public cyber intrusion. A bolstering strategy seeks to shift the discussion to emphasize the positive traits of the targeted state. Reasserting control seeks to convince the audience that the state is competent, capable, and manages the situation. As Shandler and Gomez (Citation2022) show, cyber intrusions diminish public confidence in the government. Thus, reasserting control aims to restore such confidence within the domestic public as well as international businesses. A correcting strategy seeks to present information in a way that will shed good light on the targeted state.

Accusing strategies

States can adopt accusing strategies to denigrate the attacking state and cast it in a bad light. By accusing another actor, the state shifts the blame to the external actor and situates itself as a victim of bad behavior by others (Benoit, Citation2014, p. 25). We classify the sub-strategies following Finnemore and Hollis who identify three discrete processes (Citation2020, p. 974).

First, once the intrusion becomes public knowledge, states employ the strategy of exposing. They disclose what happened to third parties, acknowledging publicly that they have been attacked (“we have been attacked”). In all of our cases, state officials issued brief statements admitting that there was an intrusion and providing general details about it. The degree of exposure was dependent on the degree of publicity the intrusion received. For instance, immediately after the Saudi 2015 intrusion, the Spokesperson of the Saudi Ministry of Foreign Affairs, Osama Bin Ahmed Nuqli, only stated that the MFA computer was hacked (Saudi Arabia MFA, 2015a). About a month later, when Saudi documents were leaked, Nuqli issued a new statement connecting the leaked documents to the earlier cyber intrusion (Saudi Arabia MFA, 2015b).

Second, in addition to exposing the intrusion, states can engage in the strategy of condemning (“they are bullies”), which is the process of signaling disapproval of what happened, delegitimizing it, and casting the other side in a bad light. Our findings demonstrate that states often use negative and derogatory labels to describe the cyber intrusion or its initiators, such as crime/criminals, terrorism, enemies of the state, illegitimate actions, and shameful acts. This strategy was used by all states as well and was among the first ones to be used.

Third, states can also ascribe the intrusion to a particular actor, a strategy known as attributing (“this is who did it”). The vast literature on attribution highlights the technical, political, and social aspects related to attribution. While attribution can help states “name and shame” the initiator and address public demands for answers, there are also some incentives to eschew attribution, such as maintaining secrecy or strategic calculations (Borghard & Lonergan, Citation2019; Egloff, Citation2020b, Citation2020a; Rid & Buchanan, Citation2015).

Overall, accusing strategies seek to shift audience perceptions regarding responsibility—rather than focusing on the failure of the targeted state, these strategies seek to attribute responsibility to a malevolent actor. A second possible goal is norm-setting or norm-reinforcing. By denigrating the intrusion (and/or the initiator) the targeted state reproduces what is appropriate behavior in international politics (Egloff, Citation2020b; Egloff & Smeets, Citation2021). That said, harsh accusing strategies could potentially increase the risk of escalation (Egloff, Citation2020b).

Rhetorical strategies in practice

In addition to identifying the variety of strategies employed by the Gulf States following a public cyber intrusion, we can move on to offer some general insights regarding the practical use of these strategies. We find that the various strategies were used differently across our cases ().

Table 2. Distribution of strategies per intrusion.

On the one hand, we find that exposing the intrusion, condemning it, and normalizing it were commonly used in all of our cases. Similarly, the rhetorical strategies of reasserting control following the intrusion and bolstering the image of the targeted state also appeared in all cases. This suggests that the Gulf countries are indeed sensitive to their image following a cyber intrusion and indicates that these strategies might serve as “building blocks” of image management rhetoric. It could also suggest that there is a common repertoire of rhetorical strategies commonly used in the region (or internationally) following a failure event. On the other hand, we find that hack-and-leak and hack-and-fake intrusions involve additional strategies that do not appear in other intrusions. Specifically, the strategies of debunking (“this is a lie”) and correcting (“let me tell you what really happened”) are uniquely used when private information is leaked or fake information is disseminated. This finding is also supported in the Saudi case, where the strategy of debunking primarily appeared after the Saudi Cables were released. It seems that this strategy is more useful when the fabricated information is already outed by others, and the victim states use it to minimize the reputational damage in the fastest way possible—by claiming it is a lie. Further, the strategy of minimizing was used in most cases except the Bahraini one. This can be explained by the fact that there was no visible damage in the Bahraini intrusion.

When appeared, the strategy of attribution emerged relatively little in government discourse. Interestingly, only in the Qatari and Bahraini cases, there was a clear public attribution directed at the UAE and Iran, respectively. However, in both cases, such attribution came only after an American source had already attributed the intrusion. It is plausible that Bahrain and Qatar preferred to “pass the buck,” allowing the hegemon to publicly attribute the intrusion, minimizing the risk of escalation and retaliation. These findings resonate with recent works that claim that attribution is a political decision as well as a technical one. The rhetorical strategy of attribution did not appear in any of Saudi Arabia’s intrusions. This behavior might be explained by the Saudi’s inclination not to risk escalation or compel the perpetrator to respond if attribution is publicly made. Since Saudi Arabia and Iran are in constant rivalry and share inspiration as regional powers, choosing the option of a public attribution strategy might have greater escalation risks compared to the cases of Qatar and Bahrain.

In terms of sequencing, we did not find a particular order in the appearance of rhetorical strategies. As can be seen in the supplementary file, early responses were relatively short and mainly included the strategies of exposing coupled with minimizing and normalizing.

Conclusions

When thinking about the public response of states to public cyber intrusions, existing literature primarily discusses the risks of retaliation or escalation (Healey & Jervis, Citation2020; Libicki, Citation2020; Valeriano et al., Citation2018) as well as attribution (Egloff, Citation2020b; Rid & Buchanan, Citation2015). However, as this article shows, states engage in multiple “face-saving” strategies to manage their image and legitimize their restraint. Attribution is only one rhetorical option out of many.

Our systematic discourse analysis of five cyber intrusions in Gulf states advances three findings. First, drawing partly on the conceptual language used by “image-repair” and crisis-communication theories, the article categorizes three broad “face-saving” strategies adopted by states following a public cyber intrusion: diminishing strategies, self-complimenting strategies, and accusing strategies. Second, the results suggest that different contextual factors shape the specific strategies used. In cyber intrusions that involve leaking or faking information, unique strategies of debunking or correcting were used. Third, regarding attribution, the cases involving Saudi Arabia—a regional power—did not include public attribution. In contrast, Bahrain and Qatar—smaller powers—did attribute the intrusions but did so only after such attribution was made by American media. These suggestive contextual factors might be used in future research on the rhetoric of cyber responses in other areas.

It is important to acknowledge that our findings are not exhaustive and do not include all possible strategies. For instance, our focus on public cyber intrusion means that the strategies of silence (not responding at all) or denial (claiming that nothing happened) were not really usable strategies. Further, theoretically, states also have the option of apologizing to their public for not preventing the intrusion. While apologizing might be considered appropriate in some contexts (Aldar et al., Citation2021; Lind, Citation2011; N. Löwenheim, Citation2009),Footnote10 it seems unlikely that a public apology by the targeted states would help mitigate any image-related costs. Instead, apologizing would probably be interpreted as an admission of failure and responsibility.

The discursive toolkit identified in this article is not necessarily unique to the Gulf countries. Israel, Albania, and the US—different from the Gulf countries and each other in their regime type—also employed similar strategies in response to cyber intrusions directed at them. For instance, after a cyber intrusion against Israel's water facilities in April 2020, Israeli officials employed the rhetorical strategies of minimizing and reasserting control, stating “[t]he attempted attack was dealt with by the Water Authority and National Cyber Directorate. It should be emphasized that there was no harm to the water supply and it operated, and continues to operate, without interruption” (TOI, Citation2020). Albania's response to the Iranian cyberattack against its governmental systems in September 2022 also involved minimizing and reasserting control. In a video message, the Albanian Prime Minister stated that “The said attack failed its purpose. Damages may be considered minimal compared to the goals of the aggressor. All systems came back fully operational and there was no irreversible wiping of data” (Republic of Albania, Citation2022). Both countries also used accusing strategies and attributed these intrusions to Iran.

In response to the data breach of the OPM in June 2015, The White House Press Secretary primarily employed the strategy of exposing and reasserting control, while avoiding attribution early on. It also used a normalizing strategy stating that “to say that our computer systems in the federal government are at risk is not news … all of the computer networks on which we interact on a daily basis—whether that’s at work, or when we’re checking our email, or purchasing an airline ticket—that there is risk associated with that” (The White House, Citation2015). In contrast, following the SolarWinds intrusion into United States government networks in December 2020 the White House added a new rhetorical strategy detailing the retaliatory measures taken against Russia (The White House, Citation2021)—a strategy that can be classified under “bolstering” attempts.

Additional research is required in order to delve more into the conditions that explain variations in the rhetorical repertoire of states—Under which conditions do states use silence compared to rhetoric in response to cyber intrusions? Under which conditions do states use some strategies and not others? And under which conditions do states engage in short, laconic messages compared to detailed press conferences or engaging videos? Possible factors could be related to the type of attack, the extent of the damage, the attack's degree of publicity, the suspected initiator, and the strategic culture of the specific state. Moreover, while this research does not examine the effectiveness of these rhetorical strategies, experimental social science can identify the micro-foundations that make some strategies more persuasive than others.

The rhetorical strategies presented here should not be seen as necessarily tied to the cyber context. For example, scholars on public relations have already examined the use of image-repair strategies by governments or individual leaders following health or environmental crises (Benoit & Henson, Citation2009; Chon & Kim, Citation2022; Zhang & Benoit, Citation2009). IR scholars can extend the framework suggested here to study how states deal with image-related damage caused by kinetic attacks. A quick look at how Israel discursively responded to incendiary kites fired from the Gaza Strip (causing forest and farmland fires in Israel) provides some preliminary suggestions.

First, similar to the cyber context, accusation strategies also seem to appear in the Israeli response (labeling an intrusion as “terrorism” or an infringement of international law, identifying an actor, or condemning the act). Second, self-complimenting strategies also seem to appear in both contexts but in different ways. For instance, Israel’s Defense Minister used a bolstering strategy emphasizing that 400 out of 600 kites were intercepted (Hay, Citation2018). However, Israel’s rhetoric also pointed to its past reputation as a way to bolster its image as a deterring actor—“We will act and exact a heavy price. We’ve done it in the past. Remember that, because we will do it again now” (Ahronheim et al., Citation2020). This rhetorical move of referencing the past was not found in our cases. Third, diminishing strategies, while extensively appearing in our findings, do not seem to be rhetorically prevalent in the Israeli response. These suggestive ideas imply that there might be important normative and socio-political differences in the ways states are expected to manage their image in the cyber vs. the kinetic spheres.

In sum, this article shows that in addition to covert technical and political strategies to deal with cyber intrusion, states engage in performative public strategies to manage their image. Identifying the various strategies directs our attention to the agency of states—how targeted states perceive the context of the intrusion, interpret it, and narrate it. Diminishing the magnitude of a cyber intrusion, complimenting the successes of the Self, and accusing the adversary of bad behavior allows states to mitigate image-related costs in front of a domestic and international audience and perform their role as ontological security providers (Lupovici, Citation2023). “Face-saving” strategies are the bread and butter of international society—justifications, apologies, rejections, or acknowledgments—are some of the ways states resolve tensions, legitimize their behavior, and reinforce or contest norms. In the case of public cyber intrusions, these rhetorical strategies narrate the intrusion, justify the lack of retaliation, and potentially facilitate the de-securitization of the event.

Supplemental material

Supplemental Material

Download MS Excel (177.6 KB)

Acknowledgments

The authors thank Or Greif, Noya Peer, and Jason Silverman for valuable research assistance, and James Shires and Tarek Tutunji for commenting on previous drafts. Previous versions of this article were presented at the annual meeting of the International Studies Association—Northeast Region (2020) and the Joint Sessions of the European Consortium for Political Research (2022).

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This project is a part of the research group “Cyber Conflicts in the Middle East” supported by The Federmann Cyber Security Research Center, The Leonard Davis Institute for International Relations, and The Harry S. Truman Research Institute for the Advancement of Peace, all at the Hebrew University of Jerusalem.

Notes on contributors

Yehonatan Abramson

Yehonatan Abramson is a Senior Lecturer in the Department of International Relations at the Hebrew University of Jerusalem, Israel. His research interests include International Relations Theory, diaspora politics, and critical security studies. His work appeared in journals such as the European Journal of International Relations, International Studies Quarterly, Political Geography, the Journal of Ethnic and Migration Studies, and Social Studies of Science.

Gil Baram

Gil Baram is a post-doctoral research scholar at the Center for Long-Term Cybersecurity and the Berkeley Risk and Security Lab, University of California Berkeley. Her work interests include states decision-making during offensive cyber operations, intelligence and covert actions, and empirical cyber research. Her work appeared in journals such as the Journal of Global Security Studies, the Journal of Cyber Policy, and Israel Studies Review.

Notes

1 Hack-and-leak operations are defined as “an intrusion into specific digital systems and networks (hack) and an attempt to influence certain audiences through the public release of information obtained through that intrusion (leak).” Hack-and-fake operations are similarly defined but they involve the public fabrication of information. See Shires, 2019.

2 For the bigger question of whether cyber capabilities are escalatory, see Borghard & Lonergan, Citation2019; Healey & Jervis, Citation2020.

3 A similar point is made with regard to countries’ failure to deter (especially when these countries see themselves as deterring actors). Their inability to prevent a challenger damages their sense of Self (Fettweis, Citation2013; Lupovici, 2016b).

4 In contrast to shame, which is associated with “perceived deficiencies of one's core self,” embarrassment is associated with “deficiencies in one's presented self.” Thus, shame is a more enduring sense of negative self-evaluation, while embarrassment is tied to more transient, situation-specific failures and pratfalls” (Tangney et al., 1996, p. 1258; cf. Subotic & Zarakol, Citation2013). Humiliation is understood as “as an act of extreme disrespect that intends to deprive an actor of its status as an autonomous agent that counts” (Wolf, 2017, p. 494). It is a result of the actions of another (rather than a failure of the Self) (Lupovici, 2016b, p. 66).

5 The targeted states can also leak information to encourage external actors to reveal the intrusion.

6 In addition to rhetorical strategies, states also develop legal and institutional responses, see Shires, 2021b.

7 The datasets we use did not contain any cyber incidents involving the UAE that met our inclusion criteria—such as a range of years, a public response that can be examined in more detail, etc.

8 We specifically examined the dates in which cyber intrusions were revealed as well as key terms in Arabic, such as cyber, hacking, and electronic attack.

9 The impact of these strategies is beyond the scope of this article.

10 However, states can also refuse to apologize to protect their identity, see Zarakol, Citation2010.

References