Lawmakers are urging President Donald Trump to reconsider America’s relationship with Saudi Arabia following the Kingdom’s alleged role in the murder of a commentator, but the U.S. defense industry and the Saudi government have a tangled history on the topic of cybersecurity. Following a 2012 hack, the Middle Eastern country relied heavily on American and Western cybersecurity contractors, according to public records, former intelligence officials and experts.
Financial details of the relationship between the Saudi government and American cybersecurity contractors are not public. But the Department of Commerce has approved more than $166 million in sales of controlled information security equipment and software to Saudi Arabia from 2012 to 2017, according to an analysis by Fifth Domain of documents that detail approved exports from the Bureau of Industry and Security’s commerce control list. According to the Department of Commerce, the items are controlled because they relate to encryption capabilities that are tied to information security.
The analysis shows that 2016 was the largest year of approved information security equipment and software sales to Saudi Arabia, when the Department of Commerce signed off on nearly 50 million dollars in sales to the Kingdom. The list was obtained by Fifth Domain through a Freedom of Information Act request.
In addition, according to public statements of the Saudi government and American defense contractors, the Kingdom has relied on U.S. companies and individuals for improved cybersecurity. The American firms who have partnered with the Saudi government or public institutions make up a roster of high-profile U.S. cyber talent. The list includes IronNet Cybersecurity, led by Keith Alexander, former head of the National Security Agency and U.S. Cyber Command and some of the largest military contractors of the U.S. government, Raytheon, Booz Allen Hamilton, Northrop Grumman and Lockheed Martin.
Saudi Arabia is “no different than the rest of us. We are under constant attack, we are under constant threat. That is the world that we live in. Most of the countries we deal with over there, they are just trying to catch up,” John DeSimone, the vice president of cybersecurity and special missions at Raytheon told Fifth Domain in a Sept. 6 interview.
A spokeswoman for the Saudi embassy in Washington did not return requests for comment regarding how the country built its cybersecurity and intelligence capabilities.
Kingdom regrouped after crisis
In 2012, Saudi Arabia suffered one of the world’s largest digital attacks on critical infrastructure at the time when hackers targeted its national oil producer, Saudi Aramco. Roughly 30,000 computers were reportedly destroyed in the Shamoon event.
“Following the 2012 Saudi Aramco incident, the Saudi government started investing significant resources toward advancing its cybersecurity capabilities and implementing both domestic and international measures to address its cyber insecurity,” according to a 2017 report from the Potomac Institute for Policy Studies, a Virginia-based think-tank.
In the aftermath, the Kingdom partnered with American and Western cybersecurity firms to bolster its digital defenses.
In 2017, Raytheon signed a memorandum of understanding with Saudi Arabia to cooperated on defense projects that included defensive cybersecurity systems and platforms.
Saudi Arabia, UAE and other countries are “very similar to what you see in the (federal and civilian) space — cyber systems integration, really tying together the information they have, providing the tools to do analytics, hunt, threat — but all on the defensive side,” said DeSimone, of Raytheon.
Spokespeople for Raytheon did not respond to requests for details regarding the company’s relationship with Saudi Arabia.
Booz Allen Hamilton signed a partnership agreement with Saudi Arabia in March to boost the country’s cybersecurity workforce. A spokesman for Booz Allen Hamilton declined to answer questions from Fifth Domain regarding the extent of the contractor’s relationship with Saudi Arabia.
Western governments have contributed a significant amount of time and effort to support Saudi Arabia’s cybersecurity capacity building but have been disappointed with the results, an expert told Fifth Domain. The expert spoke on the condition of anonymity to preserve their relationship in the national security community. But Saudi Arabia’s approach to outsourcing its cybersecurity practices has struggled because security operations centers built by defense contractors have not been as effective as leaders wanted, and the country does not have the expertise to use the systems properly, the expert said.
Saudi College Is Hub of Partnership
According to the Saudi government’s public statements, American companies have signed partnerships with the Saudi-based Prince Mohammed bin Salman College of Cyber Security, Artificial Intelligence and Advanced Technologies.
In July, the college signed a partnership with IronNet Cybersecurity, a firm founded by Keith Alexander. The agreement included “an advisory team comprising senior officers who had held senior positions in the Cyber Command of the U.S. Department of Defense.”
It was not immediately clear the nature of the agreement between IronNet Cybersecurity and the Saudi university, but it included “educational programs,” according to the Saudi Press Agency. A media relations company representing IronNet said the company would not respond to Fifth Domain’s questions.
The college has also signed an agreement with American Chiron Technology Services, a Columbia, Maryland, firm that specializes in information operations, cyber training and cybersecurity. The exact nature of their agreement is not clear. A phone message for the company’s CEO was not returned.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.