Race matters in cybersecurity
“I met with people who ran government organisations, and they refused to talk because I’m not White.”
This quote is from a British-Bangladeshi cybersecurity expert working in the Gulf, recalling how his South Asian ethnicity meant his professional counterparts did not take him as seriously as his White colleagues. There is a worldwide shortage of cybersecurity experts amid growing global demand. What is less clear is who counts as a cybersecurity expert – whose advice is listened to and who gets to be in the room when decisions are made.
Expertise and race in the Gulf
In a recent article, we used interviews to identify a pattern of such racialised experiences in the cybersecurity field. We argue that race significantly influences the content and boundaries of cybersecurity expertise. Race contributes to what we call “hierarchies of rationality” (whose knowledge and decisions are considered sensible or rational) and “hierarchies of authority” (whose opinions are listened to and whose decisions are followed). In short, race matters in cybersecurity.
Data supporting this argument comes from interviews with cybersecurity professionals in the Arab Gulf states (Bahrain, Oman, Qatar, Saudi Arabia, and the United Arab Emirates). Our interviewees identified three distinct racialised identities: White Euro-American experts, ‘native’ Gulf clients and managers (ie, Gulf nationals – although this is, in turn, a contested category), and South Asian contractors. These are culturally created stereotypes rather than ‘natural, biological’ divisions – not least because, as the opening quotation shows, individual experts do not fit neatly into these categories.
In the Gulf, racialised hierarchies of rationality and authority contribute to cyber insecurity in two main ways. First, they influence the overall digital economy of which cybersecurity is an essential part. One of our interviewees noted that Gulf states are often seen as perpetual outsourcers, unable or unwilling to develop their own technologies or companies. This perception means that external companies see these countries as “a big ATM machine … they come for money, not for research”. On the flip side, another interviewee reported that international companies complain of technological ‘fetishisation’, where regional clients “just go for the latest shiny gadget, the latest shiny thing that looks impressive”. In this way, racial stereotypes reinforce the idea that Gulf Arab professionals are incapable of identifying the best security solutions for themselves and that only certain European or US suppliers are acceptable (or even willing) to provide it. This environment leads to suboptimal cybersecurity outcomes through unbalanced and often unhelpful trade and investment.
Second, racialised hierarchies influence specific cybersecurity decisions. Some interviewees said that “there is a lot of saving face by lots of people in key roles … they have no trust [in] their board because of their nationality”. Cybersecurity analysts and managers, especially of South Asian ethnicities, are wary of sharing information about cybersecurity threats, internally or with other organisations, because “if an incident happens, the stakes are high, and you could be kicked out of the country”. Although these are dynamics that can be found worldwide — especially around poor information sharing, which is a cybersecurity issue replicated in the United States, Europe, and beyond — these interviewees perceived the situation to be worse in the Gulf due to the racialised nature of this hierarchy.
Contextualising racial hierarchies
Racialised hierarchies depend entirely on context: they do not function in the same way in all regions (and, of course, there are differences between and within countries). In the Gulf, two aspects of the political and cultural context are key.
First, the Gulf states are heavy investors in military hardware, especially from Europe and the United States. Analysts often observe a tension between the procurement of advanced military equipment by Gulf nations from their European and American allies, and a perceived inability to use it effectively. One study attributed this to “patterns of behaviour derived from the dominant Arab culture,” which possesses “traits of centralization of authority, passivity, conformity, deference to authority, shame avoidance, manipulation of information, disdain for technical work, and atomization of knowledge.” Underpinning this quote and the hierarchies above is a concept known as “military Orientalism”, which leads to a binary distinction between the rational and knowledgeable Euro-American White expert and the (Gulf) Arab client, seen as culturally passive, conformist, and lacking imagination.
The other notorious form of hierarchy in the Gulf is that between expatriate or migrant workers and ‘native’ Gulf citizens, exemplified in the “kafala” system of employment guarantees. The kafala system is rooted in British colonial practices and economically links the Gulf to the Indian subcontinent. It imposes “racial hierarchies of difference” that support “strategies of commodification and exploitation of labour within global capitalist systems”. Here the Gulf citizen is at the top, Asian and African migrants are at the bottom, and Euro-Americans are relatively privileged. The kafala context underpins the racialised lack of trust and personal insecurity among cybersecurity professionals.
What can we do to address these racial stereotypes? From a technical perspective, cybersecurity certifications and standards go some way to levelling the playing field. However, their frequent framing in terms of cybersecurity ‘maturity’ – hierarchal progression towards a particular state – is problematic on a deeper level. Studies in other fields have shown that even neutral, contemporary technological concepts like maturity import racialised meanings rooted in colonial dynamics and perpetuate or exacerbate global inequalities, for example, by generating paternalistic and context-insensitive guidance for ‘immature’ audiences. To make headway, cybersecurity standards need to reflect the full plurality of the communities that use digital technologies. Similarly, greater locally contextualised and produced cybersecurity education would counter often unhelpful global comparisons to particular ‘advanced’ states.
We can also look to work tackling similar stereotypes, like gender. The ‘gender gap’ in cybersecurity is well-known: the field suffers from low levels of women’s participation in cybersecurity governance, a privileging of largely masculinised technical expertise, and differences in personal attitudes toward cybersecurity based on gender. Treating social and identity aspects of cybersecurity together (in the jargon, ‘intersectionally’) is a promising avenue for reducing discrimination on multiple fronts. For example, countering mis- and dis-information efforts should focus on the additional harms experienced by Black women on social media, known as ‘misogynoir’. Similarly, commercial spyware regulation must take into account its use to target LGBTQIA+ groups, in interpersonal gendered disputes, and to suppress union activities.
More generally, we advocate for a decolonial approach to cybersecurity that ensures knowledge is created and shaped by affected communities and therefore materially serves the many rather than just the few. Decolonial cybersecurity, like its close fellows in technology and Artificial Intelligence (AI), means developing expertise and technology that reflects the lived experiences and meaning-makings of a plurality of cultures. This means as a field we must ensure equal, critical engagement with culturally diverse knowledge systems and practices. There is precedent for this: for example, the Indigenous AI project aims to develop AI based on the needs and knowledge systems of Indigenous peoples. Similar moves in cybersecurity to engage with the diverse global stock of knowledges will not only greatly expand our understanding of cybersecurity, but also foster research that addresses the particular security needs of a plurality of communities.