The Web (In)Security of MENA Civil Society and Media

Alexei Abrahams, Harvard University[i]

Civil society and news media across the Middle East and North Africa (MENA), whether coordinating protests or subverting state-sanctioned discourse, increasingly rely upon digital communications to reach their audiences.[ii] The majority of these communications, however, travel over infrastructure controlled by the same state and corporate authorities that civil society seeks to challenge. A growing body of scholarly evidence worldwide confirms that authorities exploit their ‘man-in-the-middle’ positions to interfere with civil society’s communications.[iii] Prominently, investigations by watchdog organizations like Citizen Lab or Amnesty International have proven that states hack the digital devices of activists and human rights defenders to surveil and repress them.[iv] Within the Middle East, for example, there have been confirmed cases of digital surveillance of human rights defenders in the UAE, Saudi Arabia, Egypt, and Morocco.[v]

Are civil society and media in the MENA taking precautions to secure themselves against cyber attack? This question may seem natural to ask, but it has rarely been pursued by scholars. For a start, political scientists typically view security as a matter over which the state (the ‘monopolist of violence’) has chief prerogative, in which case the relevant question is not ‘what is civil society doing to protect itself from attack?’ but rather ‘what is the state doing to protect civil society from attack?’[vi] This question, of course, breaks down in situations where the state is itself the primary perpetrator of attacks against civil society. Indeed, in the MENA region, civil society is (correctly) viewed as a challenge to authoritarian control and is therefore routinely surveilled and repressed by the state, with digital surveillance and repression being merely the latest category of abuse. Shifting gears, one might turn to Western powers further up the international order to pressure the governments of Egypt, Saudi Arabia, or Israel, among others, to respect international law and human rights, or to restrict the export of cybersurveillance technologies to countries with a poor record in this regard. 
Indeed, this legal or rights-based approach is the starting premise of the work of organizations like Amnesty International, Human Rights Watch, or Access Now, and is implicit in several essays published in this collection.[vii] Such an approach, however, must contend with the awkward fact that Western powers, far from living up to their professed values enshrined in human rights and international law, have a long-running history of arming, funding, and otherwise legitimizing abusive regimes across the MENA region.[viii] In the absence of a clear moral and legal directive from Western governments, cybersecurity consultants to MENA regimes draw ethical boundaries according to their own professional or personal judgment.[ix] But such idiosyncratic efforts do not and cannot amount to a hard guarantee of security for civil society from digital authoritarianism. Instead, civil society is left with no choice but to look to its own defenses. In this sense, then, we ask what civil society in the MENA is doing to protect itself from cyberattack.

So far, data and analysis have been scarce. Among cybersecurity professionals there is a profitable preoccupation with state and corporate security, and a concomitant neglect of civil society’s security.[x] Cybersecurity itself, moreover, has tended to be conceptualized as security for the state from decentralized actors — not the other way around.[xi] The past two decades, however, have witnessed a “moral maneuver” to recast cybersecurity according to a more human-centric paradigm, where civil society’s security from state-level cyber intrusion is a tentatively legitimate object of inquiry.[xii] Even so, researchers have thus far tended to favor threat reporting over security assessment, leaving us with some sense of attack capabilities but only piecemeal knowledge of defensive readiness. The handful of studies that do inquire about civil society’s cybersecurity tend to ignore the MENA region, focus on individuals and ignore organizations, and ignore web security.[xiii] It is time that scholars of cyber politics in the Middle East begin to address these data gaps.

In this essay, I draw attention to an ongoing effort to collect and analyze data on the web security of civil society organizations (CSOs) and news media. While the literature has thus far dwelt primarily on the cybersecurity of individual activists and journalists, these individuals typically belong to CSOs, including charities, sustainable development NGOs, human rights NGOs, professional syndicates, labor unions, news agencies, and so on. Indeed, the coalescing of individuals around CSOs is an important part of the maturation process of social movements to convert ephemeral ‘mobilization’ into sustained ‘organization’. CSOs increasingly maintain their own computer networks that both members and the broader community may regularly connect to and trust. Most saliently, CSOs (especially news agencies) increasingly run their own websites, hosted on web servers. These websites may often be the first and primary point of contact between a CSO and its community or audience. As social media platforms like Twitter and Facebook increasingly comply with local authorities to suppress civil society’s speech,[xiv] independently managed websites are a natural fallback. All of this highlights the importance of knowing whether CSO web infrastructure is secure against cyber attack.

Web scanning

For researchers, an advantage to studying CSO web security is that websites are (by design) easy to find and can be scanned remotely. By contrast, individuals’ devices are harder to enumerate, may require greater ethical precautions (possibly including obtaining consent from the individual), and may necessitate in-person assessments (see Marczak and Paxson 2017). In ongoing work, I and a coauthor script a custom web scanning tool to remotely gather web security information from CSO websites.[xv] The tool, while by no means constituting a formal security assessment, yields a variety of data highly relevant to measuring a website’s security posture and, by extension, the security of the organization.

For a start, we check whether CSOs offer or insist on encrypted web sessions via the HTTPS protocol. Failure to encrypt implies that a visitor’s session can be read in plaintext, and tampered with, by state authorities with man-in-the-middle (MITM) positions at any intermediate ‘hop’ between the visitor’s device and the web server.

Websites can also be overwhelmed with malicious traffic in distributed denial of service (DDoS) attacks. We scan sites to see if they have implemented caching mechanisms to frustrate such attacks.

Most websites today are not built from scratch, but rather draw upon third-party templates or frameworks such as WordPress, Drupal, and Joomla. As security vulnerabilities are detected, content management system (CMS) companies issue updates, but a CSO may fail to stay abreast of these updates. We fingerprint the website’s CMS and check if it is up-to-date.

Even if the website software is up-to-date, the underlying web server’s software may not be. We augment our website scan with readouts from Shodan to see if web servers are running software with publicly known vulnerabilities.

Finally, we identify the country where the web server is geolocated. If the CSO’s state adversary has physical access to the server, then its security may be compromised.
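The checks listed in this section, sketched as an added Python example (not the authors' scanning tool, whose code the essay does not show): it classifies recorded HTTP and HTTPS responses rather than fetching anything. The Probe records, the *.example sites, the "latest version" table and the redirect-based definition of "force HTTPS" are constructed assumptions; DDoS detection covers only Cloudflare's response headers, and the Shodan and geolocation lookups are left out.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Probe:
    """One recorded response. status=None means the connection failed."""
    status: Optional[int]
    headers: dict = field(default_factory=dict)
    body: str = ""

# Assumes the name attribute precedes content, as in default CMS templates.
GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']([^"\']+)["\']', re.I)

def header(probe, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in probe.headers.items():
        if key.lower() == name.lower():
            return value
    return None

def fingerprint_cms(body):
    """Return (cms, version); version is None when the tag omits a dotted version."""
    match = GENERATOR_RE.search(body)
    if not match:
        return None, None
    content = match.group(1)
    cms = next((n for n in ("WordPress", "Drupal", "Joomla")
                if n.lower() in content.lower()), None)
    version = re.search(r"\d+(?:\.\d+)+", content)
    return cms, version.group(0) if cms and version else None

def as_tuple(version):
    return tuple(int(part) for part in version.split("."))

def assess(http, https, latest):
    """Classify one site from its plain-HTTP and HTTPS probe results."""
    allows = https.status is not None and 200 <= https.status < 400
    location = (header(http, "Location") or "").lower()
    forces = (allows and http.status in (301, 302, 307, 308)
              and location.startswith("https://"))
    page = https if allows else http
    cms, version = fingerprint_cms(page.body)
    up_to_date = None  # stays None when the version cannot be identified
    if version and cms in latest:
        up_to_date = as_tuple(version) >= as_tuple(latest[cms])
    return {
        "allow_https": allows,
        "force_https": forces,
        # Browsers ignore HSTS sent over plain HTTP, so only HTTPS counts.
        "hsts": allows and header(https, "Strict-Transport-Security") is not None,
        "x_frame_options": header(page, "X-Frame-Options") is not None,
        "csp": header(page, "Content-Security-Policy") is not None,
        "cloudflare": ((header(page, "Server") or "").lower() == "cloudflare"
                       or header(page, "CF-RAY") is not None),
        "cms_up_to_date": up_to_date,
    }

def summarize(results):
    """Per-metric (count, denominator); None values leave the denominator."""
    summary = {}
    for key in results[0]:
        known = [r[key] for r in results if r[key] is not None]
        summary[key] = (sum(known), len(known))
    return summary

# Constructed sample data: three fictional sites and an assumed "latest" table.
LATEST = {"WordPress": "5.7.2"}
WP = '<meta name="generator" content="WordPress {}" />'
JOOMLA = '<meta name="generator" content="Joomla! - Open Source Content Management" />'
SITES = {
    "a.example": (Probe(301, {"Location": "https://a.example/"}),
                  Probe(200, {"Server": "cloudflare", "CF-RAY": "constructed",
                              "Strict-Transport-Security": "max-age=31536000",
                              "X-Frame-Options": "DENY",
                              "Content-Security-Policy": "default-src 'self'"},
                        WP.format("5.7.2"))),
    "b.example": (Probe(200, {}, WP.format("4.9.8")),
                  Probe(200, {}, WP.format("4.9.8"))),
    "c.example": (Probe(200, {"Strict-Transport-Security": "max-age=31536000"},
                        JOOMLA),
                  Probe(None)),
}
RESULTS = [assess(http, https, LATEST) for http, https in SITES.values()]

if __name__ == "__main__":
    for metric, (count, total) in summarize(RESULTS).items():
        print(f"{metric:16s} {count}/{total}")
```

Sites whose CMS version cannot be read drop out of that metric's denominator, which is why the CMS row in a table of such results has a smaller denominator than the other rows.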

Results

Palestine

As a proof of concept, Abrahams and Anonymous (2021) scan Palestinian civil society, non-Palestinian CSOs openly allied with the Boycott, Divestment, and Sanctions (BDS) movement, and a benchmark sample of Israeli think tanks and news agencies. In view of its contentious political history with Israel, Israel’s status as a world-renowned cyber threat actor, and Israel’s ‘man-in-the-middle’ position on internet traffic in the West Bank, Palestinian civil society arguably constitutes something of a paradigmatic case for thinking about the cybersecurity of civil society. The results of their scan are reprinted below in Table 1. 

Table 1: Comparing security of Palestinian, BDS, and Israeli websites

Civil society websites (news agencies, think tanks, CSOs)

Metric                      Palestinian       BDS             Israeli
Allow https sessions        68.0% (155/228)   74.0% (54/73)   74.4% (64/86)
Force https sessions        41.7% (95/228)    54.8% (40/73)   54.7% (47/86)
Up-to-date CMS*             33.7% (28/83)     27.5% (11/40)   52.2% (12/23)
X-Frame-Options             13.2% (30/228)    5.5% (4/73)     8.1% (7/86)
Strict-Transport-Security   5.7% (13/228)     19.2% (14/73)   5.8% (5/86)
Content-Security-Policy     1.3% (3/228)      1.4% (1/73)     7.0% (6/86)
DDoS protection**           0.4% (1/228)      9.6% (7/73)     17.4% (15/86)
No high/critical CVEs***    77.2% (176/228)   78.1% (57/73)   81.2% (70/86)

*For technical reasons, the CMS version for each website could not always be identified.

**Detection was limited to the use of Cloudflare, Google Cloud or Deflect for DDoS protection, three solutions offered for free to civil society but that do not together constitute an exhaustive list of DDoS mitigations.

***This number is calculated by querying the Shodan API (https://shodan.io).

Insecurity of Palestinian CSO web infrastructure

The first column of Table 1 summarizes cybersecurity statistics for a sample of 228 Palestinian CSOs. In absolute terms, the security of these organizations leaves a lot to be desired. Roughly a third of Palestinian CSO websites disallow encrypted sessions, only four in ten insist on them, and less than 6% enforce strict transport security. These lapses invite state authorities to monitor and modify visitor sessions, possibly even delivering malicious payloads. Fully two thirds of CSO websites are running outdated versions of WordPress (45), Joomla (5), and Drupal (5). Likewise, the underlying servers of 52 (22.8%) websites have at least one vulnerability rated ‘high’ or ‘critical’. Using outdated software is dangerous since software updates often patch publicly disclosed security vulnerabilities that can otherwise be exploited by attackers.

What explains these security lapses? The answer can neither be straightforwardly technical nor financial. For example, many Palestinian CSOs use plaintext HTTP, but the secure protocol HTTPS has existed for over two decades, and upgrading is a free and fairly seamless process.[xvi] Similarly, DDoS protection through Cloudflare, Google Cloud, and Deflect is offered free of charge to civil society organizations. By definition, outdated web server and website software can be updated, typically for free. Nor can one claim that Palestinian organizations are unaware of these solutions; indeed, many Palestinian organizations have implemented them even as many have not.

Could it be that these security lapses are peculiar to life under military occupation, or to some other idiosyncratic challenge faced by Palestinian civil society? To shed light on this, Abrahams and Anonymous (2021) scanned 86 Israeli think tanks and news agencies. Column 2 of Table 1 lists the results. While Israeli CSO websites do appear to perform better on most security metrics, in absolute terms they are quite insecure, too. To take just one example, 74.4% of Israeli websites allow encrypted web traffic, which is only marginally higher than Palestinian CSOs (68.0%).

Finally, one might argue that Palestinian CSOs neglect their web security because they enjoy a ‘security by obscurity’ insofar as they remain disengaged from politically contentious action.[xvii] Indeed, scholars have argued that Palestinian civil society has become de-politicized and co-opted to a neoliberal development agenda since the start of the Oslo period, implying that they are an unlikely target of Israeli cyber surveillance.[xviii]

To evaluate this possibility, Abrahams and Anonymous (2021) looked beyond their sample of Palestinian CSOs to consider organizations belonging to the Boycott, Divestment, and Sanctions (BDS) movement. The BDS movement is undoubtedly contentious, and has drawn all manner of hostility, including cyberattacks in recent years.[xix] They scan 73 non-Palestinian organizations publicly affiliated with the BDS movement. The results, listed in Column 3, suggest their web infrastructure appears to be no more prepared for attack than ‘ordinary’ Palestinian CSOs. Indeed, over five years since the BDS movement’s main website suffered a DDoS attack,[xx] they find that just 9.6% of BDS-affiliated organizations have availed themselves of DDoS protection. Only a quarter of BDS-affiliated organizations run websites with up-to-date software. And the websites for one in five organizations are hosted on web servers running out-of-date software for which high/critical vulnerabilities are publicly known. The decision to openly engage in contentious political action, it would seem, does not prompt these organizations to adopt a higher degree of security vigilance.

Media websites across the MENA region

One potential explanation for the insecurity of CSO websites is that they may have been launched perfunctorily to please donors and are largely irrelevant to the day-to-day operations of these organizations. While this may hold true for many CSOs, the argument does not easily extend to news media. Media websites are often the first and primary point of contact between a news agency and its audiences. And since journalists are themselves often the targets of surveillance, it stands to reason that news organizations – as central points of contact within media networks – would likewise be targeted.

I therefore widened the aperture of the scan to news media sites across the region. I obtained a list of news websites from MediaCloud’s geographic collections for each of 20 MENA countries, then pointed the web scanning tool at them. At this preliminary stage, I am not yet able to disaggregate between state-aligned versus independent news organizations, nor do I yet give greater weight to more popular sites. With those caveats in mind, Table 2 lists the web security statistics averaged across the twenty MENA countries scanned, while Figures 1 and 2 depict cross-country comparisons for two metrics (HTTPS availability and web server vulnerabilities).

Figure 1: Percentage of media websites per country offering HTTPS

Figure 2: Percentage of media web servers per country running software with a ‘high’ or ‘critical’ vulnerability (CVSS of 7.0 or above)

 

Table 2: Web security of media sites across the MENA

Metric                      Average across all MENA countries
Allow https sessions        80.0%
Force https sessions        58.5%
Up-to-date CMS*             50.6%
X-Frame-Options             10.2%
Strict-Transport-Security   8.2%
Content-Security-Policy     3.5%
DDoS protection**           34.4%
No high/critical CVEs***    86.2%

*For technical reasons, the CMS version for each website could not always be identified.

**We only detected the use of Cloudflare, Google Cloud or Deflect for DDoS protection, three solutions offered for free to civil society but that do not together constitute an exhaustive list of DDoS mitigations.

***This number is calculated by querying the Shodan API (https://shodan.io).

Overall, despite the importance of websites for news media organizations, the results in Table 2 suggest that while they do exhibit better web security than the CSOs, they still leave a lot to be desired. Averaged across countries, 80% of media sites in the MENA enable HTTPS. While Kuwaiti media sites score the worst on this metric (66.7%), Saudi Arabia’s media sites exhibit the highest rates of encryption (92.9%) and also force encryption at the highest rate regionally (85.7%). Saudi Arabian media also lead the region with the lowest rates of web server vulnerabilities — none of their media web servers exhibits high or critical vulnerabilities. On the other end of the spectrum, 31.6% of Tunisian media sites have high or critical web server vulnerabilities. Across the region, one in three media sites enjoys DDoS protection, with Egyptian media the best protected (74.3%).

The cross-country variation in these data invites further investigation. Saudi Arabia’s high scores may reflect its investments in internet technologies more generally, while Egypt’s status as a digital hub within the region may have something to do with its higher rates of DDoS protection.[xxi] As the region’s only nascent democracy, Tunisia’s vulnerable media web servers are troubling, and suggest there may not be a straightforward relationship between governance type and media security. Further investigation will be required to unpack each of these differences, but these data constitute a jumping-off point.

Conclusion

In the wake of the Arab Spring, citizens across the MENA region continue to demand accountable governance and challenge state and corporate authority. Within this conflict, civil society and media are a crucial mesolayer between citizens and the state, helping citizens to stay informed and collectivized. These vital roles of civil society and media make them a target of co-option and repression by the state. As digital communications have gained importance for civil society and media, states have stepped up cyber surveillance and interference. Despairing of intercession from Western powers, civil society and media in the region must look to their own defenses.

How are civil society and media prepared to meet these cyber threats? In this essay, I drew attention to an ongoing effort to scan the web infrastructure of civil society and media organizations. Worrisomely, the scans reveal widespread and potentially compromising insecurities. On the other hand, in all cases technical solutions exist and can generally be implemented easily and at minimal cost. Positively, then, and in contrast to the gloomy forecasts surrounding the rise of digital authoritarianism in the region, it would appear that there is much that civil society and media in the region can do unilaterally to protect themselves.

At the same time, scholars of cyber politics can do more to fill the data and analytical lacuna around this topic. The web scan results surface some puzzling similarities and differences between countries and sectors and invite further research. Moreover, the persistence of these insecurities defies straightforward technical, financial, or contextual explanations, and ought to prompt deeper investigation, likely including interviews of the organizations themselves. For comparative perspective, the aperture of these scans should be widened to include different sectors of society (civil society, media, private sector, government) to clarify the full range and depth of the situation. On the other hand, web-facing infrastructure is only one ‘attack surface’ among many. Further efforts along the lines of Marczak and Paxson (2017) to assess the security of individuals’ devices and unpack individuals’ decision making would be invaluable. The cybersecurity of civil society and media is a topic of emerging importance to the region, and scholars have both an opportunity and a responsibility to get involved.

 

[i] Postdoctoral fellow, Technology & Social Change Project, Shorenstein Center, Harvard University, alexei_abrahams@hks.harvard.edu

[ii] Larry Diamond, & Marc F. Plattner (Eds.), Liberation technology: Social media and the struggle for democracy (Baltimore: Johns Hopkins University Press, 2012). Philip N. Howard and Muzammil M. Hussain, Democracy’s fourth wave?: digital media and the Arab Spring (Oxford: Oxford University Press, 2013). Manuel Castells, Networks of outrage and hope: Social movements in the Internet age (Cambridge: Polity, 2012).

[iii] Marc O. Jones, Digital Authoritarianism in the Middle East (forthcoming, London: Hurst, 2021). Margaret E. Roberts, Censored: distraction and diversion inside China’s Great Firewall (Princeton, NJ: Princeton University Press, 2018). Nils B. Weidmann and Espen G. Rød, The Internet and political protest in autocracies (Oxford, UK: Oxford University Press, 2019).

[iv] Amnesty International, “Click and Bait: Vietnamese Human Rights Defenders Targeted with Spyware Attacks” (2021), available from: https://www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks. John Scott-Railton, Bill Marczak, Siena Anstis, Bahr AbduRazzak, Masashi Crete-Nishihata, and Ron Deibert, “Reckless VII: Wife of Journalist Slain in Cartel-Linked Killing Targeted with NSO Group’s Spyware” (2019), available from: https://citizenlab.ca/2019/03/nso-spyware-slain-journalists-wife

[v] Bill Marczak and John Scott-Railton, “The million dollar dissident: NSO group’s iPhone zero-days used against a UAE human rights defender”, The Citizen Lab (2016). Bill Marczak, John Scott-Railton, Adam Senft, Bahr AbduRazzak, and Ron Deibert, “The Kingdom Came to Canada – How Saudi-Linked Digital Espionage Reached Canadian Soil” (2018), available from: https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil. John Scott-Railton, Bill Marczak, Ramy Raoff, and Etienne Maynier, “Nile Phish – Large-Scale Phishing Campaign Targeting Egyptian Civil Society” (2017), available from: https://citizenlab.ca/2017/02/nilephish-report. Amnesty International, “Moroccan Journalist Targeted with Network Injection Attacks using NSO Group’s Tools” (2020), available from: https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools. Amnesty International, “German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed” (2020), available from: https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed.

[vi] Alexei Abrahams and Brandon Merrell, “Monopolies of Violence? How Insurgent Threats Can Motivate Accountable Governance,” 2021.

[vii] Ahmed Shaheed and Benjamin Greenacre, “Binary Threat: How Governments’ Cyber Laws and Practice Undermine Human Rights in the MENA Region”, POMEPS Studies (2021). Mohamad Najem and Afef Abroughi, “Follow the Money for Better Digital Rights in the Arab region”, POMEPS Studies (2021).

[viii] Among myriad books and articles, see for example Amaney Jamal, Of empires and citizens: pro-American democracy or no democracy at all? Princeton University Press, 2012. Jason Brownlee, Democracy prevention: The politics of the US-Egyptian alliance. Cambridge University Press, 2012. Sean L. Yom, From resilience to revolution: How foreign interventions destabilize the Middle East. Columbia University Press, 2015.

[ix] James Shires, “The implementation of digital surveillance infrastructures in the Gulf”, POMEPS Studies (2021).

[x] Lennart Maschmeyer, Ron Deibert, and Jon Lindsay, “A tale of two cybers – how threat reporting by cybersecurity firms systematically underrepresents threats to civil society”, Journal of Information Technology & Politics, Vol 18 (2020).

[xi] James Shires, The politics of cybersecurity in the Middle East (forthcoming, London: Hurst, 2021).

[xii] Ibid.

[xiii] Two studies of civil society cybersecurity in the MENA region are Bora Ataman and Barış Çoban, “Counter-surveillance and alternative new media in Turkey”, Information, Communication & Society 21, no. 7 (2018): 1014-1029; and Bill Marczak and Vern Paxson, “Social Engineering Attacks on Government Opponents: Target Perspectives”, Proceedings on Privacy Enhancing Technologies, 2 (2017), 172-185. One study that focuses on organizations is Nikita Samarin, Alisa Frik, Sean Brooks, Coye Cheshire, and Serge Egelman, “Conducting Privacy-Sensitive Surveys: A Case Study of Civil Society Organizations”, arXiv preprint arXiv:2003.08580 (2020).

[xiv] Mona El Swah and Mahsa Alimardani. “Digital Apartheid: #SaveSheikhJarrah and Arabic Content Moderation”. POMEPS Studies, 2021. Systematic Efforts to Silence Palestinian Content On Social Media. https://7amleh.org/2020/06/07/systematic-efforts-to-silence-palestinian-content-on-social-media

[xv] Alexei Abrahams and Anonymous, “Measuring the (in)security of Palestinian civil society web infrastructure”, 2021.

[xvi] https://letsencrypt.org/

[xvii] Susan E. McGregor, Elizabeth A. Watkins, “‘Security by Obscurity’: Journalists’ Mental Models of Information Security”, ISOJ Vol 6:1 (2016).

[xviii] Mona Atia and Catherine E. Herrold, “Governing through patronage: The rise of NGOs and the fall of civil society in Palestine and Morocco”, VOLUNTAS: International Journal of Voluntary and Nonprofit Organizations, 29(5), 1044-1054 (2018). Tariq Dana, “The structural transformation of Palestinian civil society: Key paradigm shifts”, Middle East Critique, 24(2), 191-210 (2015). Benoit Challand, Palestinian civil society: Foreign donors and the power to promote and exclude, (New York, NY: Routledge, 2008). Amaney Jamal, Barriers to democracy: The other side of social capital in Palestine and the Arab world, (Princeton, NJ: Princeton University Press, 2009).

[xix] Nathan Brown and Daniel Nerenberg, “Palestine in Flux: From Search for State to Search for Tactics,” Carnegie Endowment for International Peace (2016). Available from https://carnegieendowment.org/2016/01/19/palestine-in-flux-from-search-for-state-to-search-for-tactics-pub-62486. eQualitie, “Deflect Labs Report #2 : Botnet Attack Analysis of Deflect Protected Website bdsmovement.net”, (2016) available from: https://equalit.ie/en/deflect-labs-report-2

[xx] eQualitie (2016)

[xxi] See Shires (2021) and Jones (2021) for background.