Race matters in cybersecurity

How racial hierarchies impact the digital security field in the Gulf
This image was created with the assistance of Midjourney

“I met with people who ran government organisations, and they refused to talk because I’m not White.”

This quote is from a British-Bangladeshi cybersecurity expert working in the Gulf, recalling how his South Asian ethnicity meant his professional counterparts did not take him as seriously as his White colleagues. There is a worldwide shortage of cybersecurity experts amid growing global demand. What is less clear is who counts as a cybersecurity expert – whose advice is listened to and who gets to be in the room when decisions are made.

Expertise and race in the Gulf

In a recent article, we used interviews to identify a pattern of such racialised experiences in the cybersecurity field. We argue that race significantly influences the content and boundaries of cybersecurity expertise. Race contributes to what we call “hierarchies of rationality” (whose knowledge and decisions are considered sensible or rational) and “hierarchies of authority” (whose opinions are listened to and whose decisions are followed). In short, race matters in cybersecurity.

Data supporting this argument comes from interviews with cybersecurity professionals in the Arab Gulf states (Bahrain, Oman, Qatar, Saudi Arabia, and the United Arab Emirates). Our interviewees identified three distinct racialised identities: White Euro-American experts, ‘native’ Gulf clients and managers (ie, Gulf nationals – although this is, in turn, a contested category), and South Asian contractors. These are culturally created stereotypes rather than ‘natural, biological’ divisions – not least because, as the opening quotation shows, individual experts do not fit neatly into these categories.

In the Gulf, racialised hierarchies of rationality and authority contribute to cyber insecurity in two main ways. First, they influence the overall digital economy of which cybersecurity is an essential part. One of our interviewees noted that Gulf states are often seen as perpetual outsourcers, unable or unwilling to develop their own technologies or companies. This perception means that external companies see these countries as “a big ATM machine … they come for money, not for research”. On the flip side, another interviewee reported that international companies complain of technological ‘fetishisation’, where regional clients “just go for the latest shiny gadget, the latest shiny thing that looks impressive”. In this way, racial stereotypes reinforce the idea that Gulf Arab professionals are incapable of identifying the best security solutions for themselves and that only certain European or US suppliers are acceptable (or even willing) to provide them. This environment leads to suboptimal cybersecurity outcomes through unbalanced and often unhelpful trade and investment.

Second, racialised hierarchies influence specific cybersecurity decisions. Some interviewees said that “there is a lot of saving face by lots of people in key roles … they have no trust [in] their board because of their nationality”. Cybersecurity analysts and managers, especially of South Asian ethnicities, are wary of sharing information about cybersecurity threats, internally or with other organisations, because “if an incident happens, the stakes are high, and you could be kicked out of the country”. Although these are dynamics that can be found worldwide — especially around poor information sharing, which is a cybersecurity issue replicated in the United States, Europe, and beyond — these interviewees perceived the situation to be worse in the Gulf due to the racialised nature of this hierarchy.

Contextualising racial hierarchies

Racialised hierarchies depend entirely on context: they do not function in the same way in all regions (and, of course, there are differences between and within countries). In the Gulf, two aspects of the political and cultural context are key.

First, the Gulf states are heavy investors in military hardware, especially from Europe and the United States. Analysts often observe a tension between the procurement of advanced military equipment by Gulf nations from their European and American allies, and a perceived inability to use it effectively. One study attributed this to “patterns of behaviour derived from the dominant Arab culture,” which possesses “traits of centralization of authority, passivity, conformity, deference to authority, shame avoidance, manipulation of information, disdain for technical work, and atomization of knowledge.” Underpinning this quote and the hierarchies above is a concept known as “military Orientalism”, which leads to a binary distinction between the rational and knowledgeable Euro-American White expert and the (Gulf) Arab client, seen as culturally passive, conformist, and lacking imagination.

The other notorious form of hierarchy in the Gulf is that between expatriate or migrant workers and ‘native’ Gulf citizens, exemplified in the “kafala” system of employment guarantees. The kafala system is rooted in British colonial practices and economically links the Gulf to the Indian subcontinent. It imposes “racial hierarchies of difference” that support “strategies of commodification and exploitation of labour within global capitalist systems”. Here the Gulf citizen is at the top, Asian and African migrants are at the bottom, and Euro-Americans are relatively privileged. The kafala context underpins the racialised lack of trust and personal insecurity among cybersecurity professionals.

Moving forward?

What can we do to address these racial stereotypes? From a technical perspective, cybersecurity certifications and standards go some way to levelling the playing field. However, their frequent framing in terms of cybersecurity ‘maturity’ – hierarchal progression towards a particular state – is problematic on a deeper level. Studies in other fields have shown that even neutral, contemporary technological concepts like maturity import racialised meanings rooted in colonial dynamics and perpetuate or exacerbate global inequalities, for example, by generating paternalistic and context-insensitive guidance for ‘immature’ audiences. To make headway, cybersecurity standards need to reflect the full plurality of the communities that use digital technologies. Similarly, greater locally contextualised and produced cybersecurity education would counter often unhelpful global comparisons to particular ‘advanced’ states.

We can also look to work tackling similar stereotypes, like gender. The ‘gender gap’ in cybersecurity is well-known: the field suffers from low levels of women’s participation in cybersecurity governance, a privileging of largely masculinised technical expertise, and differences in personal attitudes toward cybersecurity based on gender. Treating social and identity aspects of cybersecurity together (in the jargon, ‘intersectionally’) is a promising avenue for reducing discrimination on multiple fronts. For example, countering mis- and dis-information efforts should focus on the additional harms experienced by Black women on social media, known as ‘misogynoir’. Similarly, commercial spyware regulation must take into account its use to target LGBTQIA+ groups, in interpersonal gendered disputes, and to suppress union activities.

More generally, we advocate for a decolonial approach to cybersecurity that ensures knowledge is created and shaped by affected communities and therefore materially serves the many rather than just the few. Decolonial cybersecurity, like its close fellows in technology and Artificial Intelligence (AI), means developing expertise and technology that reflects the lived experiences and meaning-makings of a plurality of cultures. This means as a field we must ensure equal, critical engagement with culturally diverse knowledge systems and practices. There is precedent for this: for example, the Indigenous AI project aims to develop AI based on the needs and knowledge systems of Indigenous peoples. Similar moves in cybersecurity to engage with the diverse global stock of knowledges will not only greatly expand our understanding of cybersecurity, but also foster research that addresses the particular security needs of a plurality of communities.
