
Export knowledge: cybersecurity, maturity, and ‘shiny toys’

James Shires (University of Oxford, Department of Politics and International Relations/Centre for Doctoral Training in Cyber Security)

Mini-abstract:
This article examines concepts of cybersecurity (im)maturity in the states of the Gulf Cooperation Council (GCC), drawing on interviews with cybersecurity professionals in the region. It distinguishes between two aspects of immaturity. First, tickbox immaturity is the implementation of standards in a ‘deficient’ manner, through surface-level implementation of prescriptions rather than a deeper attitude of proactive risk management. Second, blackbox immaturity is the reliance on technologies manufactured elsewhere, which are often “shiny toys”: high-level, sophisticated defence systems inappropriate to the real threats faced.

Abstract:
In International Relations (IR), the concept of maturity echoes earlier ideas such as civilization and development, which structured the global order in explicitly unequal ways as part of colonial and postcolonial relationships between the global centre – usually the ‘West’ – and its various peripheries. Despite these connotations of historic exploitation, a ‘vanilla’ version of maturity is common in international security practices, largely drawn from the discourse of international consultants, organizational theory, and the applied sciences. This article uses critical and postcolonial theory in IR and science and technology studies (STS) to investigate maturity, and argues that current concepts of maturity are vulnerable to similar critiques as those levelled against earlier universals.

This article uses the case study of cybersecurity in the states of the Gulf Cooperation Council (GCC): Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the UAE. It draws on 30 qualitative semi-structured interviews with cybersecurity professionals in these countries conducted in 2016 and 2017, as well as a range of other sources. It distinguishes between two aspects of immaturity, which I call ‘tickbox’ and ‘blackbox’. Tickbox immaturity is the implementation of standards in a ‘deficient’ manner, through surface-level implementation of prescriptions rather than a deeper attitude of proactive risk management. Blackbox immaturity is the reliance on technologies manufactured elsewhere, as part of outsourcing and maintenance contracts by external parties. Both aspects of maturity are identified by individuals in all three key subject positions in GCC cybersecurity: Western contractors, local managers, and expatriate employees. However, they locate the sources of tickbox immaturity differently: some point to essentialist notions of culture, and others to unequal power dynamics around immigration. Furthermore, I argue that blackbox immaturity is a result of commercial struggles by Western companies to define what counts as cybersecurity expertise. This creates an Orientalized view of cybersecurity in the region as being centred only on “shiny toys”: high-level, sophisticated defence systems which are often inappropriate for the real threats faced.

 

 
