Cyber Threats and National Security:
Real vs. Perceived Threats
By: Vaidotas Piekus
Word Count: 14572
A dissertation submitted in partial fulfilment of the requirements for the
Degree of Masters of Arts in International Political Economy
Department of Politics
University of Sheffield
September 2012
Contents
Introduction............................................................................................................................3
Literature review....................................................................................................................5
1. Cyber threats to national security....................................................................................7
1.1 The securitization of the cyber threats.........................................................................8
1.2 Economic sector.......................................................................................................11
1.3 Political sector..........................................................................................................13
1.4 Military Sector..........................................................................................................18
2. Rhetoric of the cyber security debate............................................................................24
2.1. The gap between perception and reality....................................................................24
2.2 Exaggerated language of the cyber threats.................................................................26
2.3 Mismatch between perception and reality of cyber threats - reasons and implications......................................................................................................................................... 28
2.4 Implications for the cyber security concept................................................................31
Conclusion........................................................................................................................... 35
Bibliography........................................................................................................................ 37
2
Introduction
The end of Cold War caused a lot of changes in the security field. During the Cold
War era, the concept of security was framed within the threatening actions of aggressive
states. States were the main referent objects in international relations and the debates about
stability and security of the global world. This simplistic understanding of what has to be
secured and from whom changed with the collapse of Soviet Union. Suddenly the biggest
threat for many years disappeared and the gap was quickly filled with a variety of “new”
threats that were moved onto the political security agendas of most countries (Cavelty,
2007a: 16).
The US being the sole global superpower meant that the framing of the security
debate came (and still does) from researchers, government officials and security experts
who were primarily concerned about the threats to the US national security. The main
concern was that of “asymmetric warfare” where the hostile actor would deal the crippling
blow to a “vulnerable spot” of the state and this way would avoid direct military
confrontation. The fear of “asymmetric warfare” became prominent after the 9/11 terrorist
attacks, where the US was attacked avoiding the direct military confrontation. Vulnerable
targets are usually described as critical infrastructure (CI). For example, sectors of
information and communications, financial services, energy and utilities, transport and
distribution (Halpin, 2006: 35). The appeal of these sectors as potential targets is
undeniable, no modern state would be able to function properly without a smooth
performance of these infrastructures. Moreover, following the rapid technological
innovations in the 1990s these sectors became dependent on the computer networks having
to ensure reliable and continuous operation (Cavelty, 2007: 16). This way the concept of
cyber security became a big part of the security debate very quickly. Alongside
environmental, societal and human security, it became the popular topic not only among the
security experts and academics but also among the policy makers.
This work is set out to analyse the concept of cyber security and the current
discourse which is used to frame the threats that are coming from this particular sector.
From the moment cyber threats were recognized as significant and worthy of consideration
the discussion was accompanied by some exceptionally strong statements. As early as 1993
RAND researchers John Arquilla and David Ronfeldt announced that “Cyberwar is
Coming!” (Arquilla and Ronfeldt, 1993). This dread language has not stopped to this day.
In 2010 Mike McConnell (former director of National Security Agency of the US and
Director of National Intelligence) stated that “The United States is fighting a cyber-war 3
today, and we are losing” (McConnel, 2010). However, despite this kind of language, we
are in neither a cyber war, nor were there any cataclysmic cyber incidents with cascading
effects throughout the world. This led many academics and security experts to believe that
cyber threats are over-exaggerated.
The central argument of the dissertation is that this exaggeration of cyber threats, as
a specific type of rhetoric that has been used for the securitization of cyber security, had
actually led to more insecurity. In other words, the way security experts and government
officials have chosen to frame cyber security issues has created more insecurity on the
national as well as on the international level. The main question of the dissertation,
therefore, is this: What are the implications of the gap between “actual” and “perceived”
cyber threats to national security and how does this gap influence the understanding of the
cyber security concept?
The securitization path of cyber threats taken by the US has led to the militarization
of the cyber space and, while it will be shown that some threats and cyber incidents require
full attention of the military, it can be argued that these threats should be dealt by ordinary
means. This dissertation sets out to demonstrate how the process of the cyber threat
securitization has created a gap between the real threats that come from cyber sector and
threats are perceived to be real by military, security experts and the public. And more
importantly, how this situation affects national security of the state and overall global
stability. To explore this phenomenon the work will be divided as follows.
The first part will be dedicated to a brief summary of the relevant work in the field
of cyber security. The current state of cyber security debate will be explained and some
existing gaps in the academic literature on this subject will be presented.
The second section will frame the concept of national security in terms of cyber
threats. Also in this section the securitization of the cyber sector will be analysed. Starting
with the 1990s, the process of securitization will be explained through the institutional and
policy developments in the US, with particular importance being given on the way the
securitizing actors chose to frame the threats. Threats being framed in a specific way, have
led the whole sector and the understanding of the cyber security to be shaped according to
the interests of military and security experts. This caused the gap between the perceived
threats and the real threats to occur, this section only briefly address this disparity as the
final section will be dedicated to exploring this phenomenon. After the explanation of the
securitization, the section will examine the main referent actors and referent objects that are
relevant when talking about the cyber security and will divide, using Buzan’s framework,
threats to military, economic and political sectors. The section will show the impact that 4
different cases of cyber threats have to these three sectors. The main objective is to show to
what extent and exactly how cyber threats threaten the livelihood of the state.
The final section will address the already mentioned gap between the real threats
and the perceived ones. Taking evidence from the second section about the different cases
of cyber incidents and vulnerabilities of states, the comparison will be made with the
rhetoric that security experts and government officials are using. Underpinning reasons why
there is a disparity between the two and what is the connection between the perception and
reality will be the focus of this section.
The concluding paragraph will focus on the case for the desecuritization of cyber
security, in other words, taking cyber threats from the extraordinary politics and making
them, again, part of the daily politics routine and ordinary security debate.
Literature review
Cyber threats have been on the lips of politicians and security experts from the mid-
1990s. President George W. Bush said in 2003 that “securing cyberspace is an
extraordinarily difficult strategic challenge” (Bush, 2003) and President Barack Obama
assured that “cyberspace is real” and so are the risks that come with it (Obama, 2009).
Security experts seem to agree as CIO (a panel of experts) warned lawmakers about “the
looming threat of a cyber attack emanating from Iran” (Corbin, 2012). However, the
research on this topic within the Security Studies field is rather limited. The majority of
work has been done on the technical aspects of the cyberspace, discussing matters such as
cyber power and how it can be used in international relations. Also very common are
specific and technical detail-oriented books and articles that only describe the threats but
suggest nothing about how it affects the broader understanding of security. The
acknowledgment of cyber realm began with the Robert Keohane and Joseph Nye article
Power and Interdependence in the Information Age (1998) where they explored the ever
changing conditions of international relations and understanding information as a form of
power. After the 2007 cyber attacks against Estonia cyber security topic once again rose in
popularity. Such books as Lech Janczewski and Andrew Colarik Cyber Warfare and Cyber
Terrorism (2008), Edward Halpin Cyberwar, Netwar and the Revolution in Military Affairs
(2006) emphasised the new changes to military weaponry and new challenges for the states
to adapt to technology evolution. Significant attention was given to the critical
5
infrastructure protection and the threats that arise from vulnerable computer networks
necessary for the smooth operation of infrastructures as electricity, logistics, water supply,
communications, etc. (Brown, et al., 2006; Cavelty, 2007). According to Myriam Cavelty,
this focus on technical aspects of cyber security exists mostly because the concept itself
“does not fit well into established categories, neither conceptually nor theoretically and it
sits between various intersecting security discourses and disciplines” (Cavelty, 2012: 2).
This is understandable as cyberspace was mainly defined by the technology experts and the
knowledge was, and to some degree still is, tightly maintained within that circle. Academics
do not like to dive into the conditions that are defined by technical understanding which
they do not possess.
Regardless of that being true, it was shown that cyber security as a concept can still
be approached without a deep understanding of the technical side, as cyber weaponry and
cyber power is best understood as just another form of power. It is simply a tool, a means,
while quite unique, still persisting to play the same role as traditional sources of state power
as well as causes for its insecurity. Works that acknowledged the significant difference of
cyber security from other types of “securities” include Martin Libicki’s (2009) report
Cyberdeterrence and Cyberwar, where he emphasises the unique qualities of cyberspace
and argues that the same rules do not apply to this sector, especially when thinking about
the deterrence and war fighting. One of the most influential researchers in cyber security
sector is Cavelty who wrote a number of articles and books closely looking at the level of
threats that arise from the cyber sector, she argues that the actual possibility of all-out cyber
war is no more possible than conventional war and that many cyber doom scenarios to
national security are exaggerated (works like Cyber-security 2012, Power and Security in
the Information Age 2007b illustrate this point).
The whole cyberspace research is divided among techno-oriented security analysts
who are interested in vulnerabilities and practical countermeasures and those academics
who try to put the word “cyber” to different nouns such as “power”, “warfare”, “terrorism”,
“deterrence”, etc., and see what new tools this approach can give to the states to achieve
their international (and national) aims. However, there is a clear gap in an attempt to explain
the consequences of putting the cyber security concept on top of the states’ national security
concerns. Especially, questioning the impact it has on the understanding of cyber threats
and the degree the framing of the threat can have on perceptions of how “real” the threat is.
There is an important gap in answering these questions in the recent cyber security
literature. Lene Hansen and Helen Nissenbaum (2009) in their article Digital Disaster,
Cyber Security, and the Copenhagen School, come close to fulfilling this task. They used 6
the Copenhagen School’s securitization framework to put cyber security among the other,
successfully securitized, sectors such as economic, political, military and environmental.
They provided first steps in understanding what cyber security might entail in terms of
International Relations, questioning the referent object and actors in this sector. They briefly
presented the way in which the cyber sector was securitized and argued that the cyber
discourse can usually be described as hypersecuritization (the term used by Barry Buzan in
American exceptionalism, unipolarity and September 11 (2005)), where the securitizing
actors perceive the threats to be more than they usually are. There have been attempts to
link cyber security with national sovereignty and national security (Hare, 2009; Hare,
2010). However, those works do not attempt to explain the impact of the cyber discourse,
the way it was framed and the effects it has on the national security.
This work will try to fill this particular gap in Security Studies. Firstly, using the
Copenhagen School’s theoretical framework of securitization, the process of how cyber
threats were securitized will be analysed. Using examples of governmental policies and
institutional developments (mainly in the US) the chronological order of movements
towards successful cyber sector securitization will be presented. A special attention will be
given to the rhetoric and the way the threats were framed by the securitizing actors. Having
this basic understanding of the securitization of the cyber sector it will be easier to go to the
next section where in depth analysis of the ways how cyber threats cause the insecurity for
the state will be given.
7
1. Cyber threats to national security
Security in the broadest possible sense is freedom from threat, objectively and
subjectively (Weaver, 1995). When the concern is national security, primary focus is the
survival of the basic political unit - a sovereign state. According to Ullman (1983: 133) a
threat to national security is an action that (1) threatens drastically and rapidly degrade the
quality of life for the inhabitants of a state, or (2) threatens significantly to narrow the range
of policy choices available to the government of the state. The focus of the work being
cyber threats to national security, the concern is only of those cyber threats that threaten to
seriously impede upon the state’s livelihood. There are many threats coming from the cyber
realm to variety of units (individuals, societies, states), but if the primary concern is national
security, those threats must be selected carefully and analysed only in the capacity to which
(using Ullman’s definition) they threaten to seriously limit the state’s policy options or
when they drastically degrade the quality of life for the population of the state. Using
Buzan’s division of security sectors, cyber threats will be divided into three categories -
economic, political and military. Each category will be addressed separately, looking at
what impact the threats that come from cyberspace has on that sector, and, ultimately, to
what extent it can be considered a matter of national security. According to Buzan (1991:
141), whether or not a threat is a national security issue, depends not only on determining
what type of threat it is but also how the recipient state perceives it and the intensity with
which the threat operates. Keeping in mind this argument, this chapter will only deal with
one side of the coin and analyse the types of threats and their impact on 3 sectors which are
paramount to the livelihood of the state. The second chapter will be addressing the question
of perception of the threat as well as military and security experts’ impact on the
understanding of security in general and cyber security in particular. However, before
analysing the actual examples of cyber threats it is necessary to point out how the
securitization of cyber threats occurred. Understanding of the cyber sector securitization
will allow not only a better understanding where does cyber security concept come from but
also will help with the analysis of the threats to national security.
1.1 The securitization of the cyber threats
The Copenhagen School is one of the major forces responsible for widening the
definition of security. Generally they divide security into 5 separate categories: military, 8
economic, societal, political and environmental. While all these categories are
interconnected, their dynamics, however, are determined by “securitizing actors” and
“referent objects” (Buzan, Wæver and Wilde, 1998: 36). Actors are those who securitize
issues by declaring something (a referent object) to be existentially threatened. Referent
objects can be various: states (military security), national sovereignty, or an ideology
(political security), national economies (economic security), collective identities (societal
security), species or habitats (environmental security) (Emmers, 2009: 137). Securitization
can be seen as a more extreme version of politicization, that is moving an issue from the
political spectrum (the issue is part of public policy, requiring government decision) to a
security category (the issue is presented as an existential threat, requiring emergency
measures and justifying actions outside the normal bounds of political procedure) (Buzan,
Wæver and Wilde, 1998: 23). The process of securitization is usually fairly simple. The
securitizing actor (usually the government) declares that there exists an existential threat
and that it does require extraordinary measures. This way, security itself is a self-referential
practice, because it does not matter if the issue indeed is a real existential threat or it is just
presented as such (Buzan, Wæver and Wilde, 1998: 24). However, according to
Copenhagen School, a mere declaration of the existential threat by a securitizing actor is not
enough. The issue is securitized only if and when the audience accepts it as such. There is
no clear definition what this audience must be, but usually it refers to a broader, significant
community such as media, public or experts. The securitizing actors initiate the process by a
speech act, where they utter the word “security”. They frame the threat as existential one
which requires emergency actions and if a significant audience accepts it as such, then the
process of securitization is successful (Buzan, Wæver and Wilde, 1998: 26).
From this explanation it is clear that the Copenhagen School holds security as a
wholly constructive concept. It is very dependent on the political context and the actors who
are involved in this process. Different political context in different country would lead to a
different understanding of what is security. They maintain that there is no use in looking for
a “real security” outside of the world of politics. “It is more relevant to grasp the processes
and dynamics of securitization, because if one knows who can “do” security on what issue
and under what conditions, it will sometimes be possible to manoeuvre the interaction
among actors and thereby curb security dilemmas” (Buzan, Wæver and Wilde, 1998: 31).
Security is socially constructed and determined by actors and is very subjective in that
regard. This approach is very useful in the analysis of the public policy developments and
the rhetoric of security experts, especially when the matter is cyber security where the
“actual level” of threats is not easily measured. Using the Copenhagen approach we can 9
assume that there might be different reasons for why cyber security was framed in a
particular way.
It can be argued that at this moment cyber security has been successfully securitized.
And it has been so for a while. The first step towards successful securitization was the
institutional development of President Clinton’s administration. In 1996 the Commission on
Critical Infrastructure Protection was established. A year later the commission conducted a
report called Critical Foundations: Protecting America’s Infrastructures. The report raised
awareness of the critical infrastructure protection and new type of vulnerabilities - cyber
vulnerabilities. While the report did not claim to find any basis for an immediate cyber
disaster or attack, the language used suggested that if no action will be taken, there might be
dire consequences: “...we are convinced that our vulnerabilities are increasing steadily” and
“We should attend to our critical foundations before we are confronted with a crisis, not
after. Waiting for disaster would prove as expensive as it would be irresponsible.” (CFPAI,
1997: 10). The next step was taken by president Bush’s Administration with the
establishment of The United States Computer Emergency Readiness Team (US-CERT) and
the formulation of The National Strategy to Secure Cyberspace in 2003. The executive
summary of the strategy referred, once again, to the vulnerabilities that arise from the
dependence on computer technologies in managing state’s critical infrastructure. The
strategy admits the lack of serious cyber incident but warns the readers that they can't be too
“sanguine” as “there have been instances where organized attackers have exploited
vulnerabilities that may be indicative of more destructive capabilities.” (NSSC, 2003: 8). In
2007 Estonia was hit by numerous cyber attacks that brought down the websites of its
banks, governmental agencies, media as well as Parliamentary and Presidential institutions.
This three week long cyber attack was caused by the removal of the Soviet war memorial
and the immediate suspects behind cyber attacks were the Russians. No direct proof was
found that the Russian government was in anyway involved in the incident, but the media
was using a very powerful language to describe a primitive cyber attack: BBC News -
“Estonia hit by 'Moscow cyber war'” (BBC, 2007) and The Guardian - “Russia accused of
unleashing cyberwar to disable Estonia” (Traynor, 2007). The New York Times called the
situation “the first war in cyberspace” (Landler and Markoff, 2007). Alongside the media,
Mikhel Tammet, at the time, a chairman of Estonia's cyber-defence co-ordination
committee, called it “a kind of terrorism” (Blomfield, 2007). The rhetoric used throughout
and after this incident will be analysed in the subsequent chapters, but suffice it to say that
the attention given by government officials, media and public, lead to the establishment of
NATO Cooperative Cyber Defence Centre of Excellence in Estonia in 2008. Finally, in 10
2009, Obama administration released Cyberspace Policy Review, a document that sets out
for the US to lead the world towards more secure cyberspace (Cyberspace Policy Review,
2009). The main message is that while the US government must take the leadership, for the
secure cyberspace to be a reality there must be close partnership among private and public
sectors as well as globally, among nations. With the establishment of the US Cyber
Command in 2009 it can be clearly said that the cyber security is firmly established in the
public policy debate and the institutional securitization steps that were taken begs the
question what are the consequences of this securitization to the understanding of cyber
security and national security in general. Before answering these questions, it is paramount
to analyse cyber threats to national security that are coming through economic, political and
military sectors. This analysis will make it possible to compare the actual cyber threat levels
and the perception of them.
1.2 Economic sector
Most of the economic damage that cyber threats can cause comes from two main
sources - malware and cyber-espionage. Malware is short for malicious software, it is a
program which is designed to disrupt or deny operation, also gain unauthorized access to
system resources and gather information. Examples include, but are not limited to, worms,
viruses, Trojan horses, bugs, etc. (Nash, 2005: 10). In 2007, a study carried out by
Computer Economics calculated (including labour costs to analyse, repair and cleanse
infected systems, loss of user productivity, loss of revenue due to loss or degraded
performance of system, and other costs directly incurred as the result of a malware attack)
that total annual worldwide economic damages from malware exceeded $13 billion
(Computer Economics, 2007). This rapid proliferation of the cyber crime caused the rise of
the security software market, which last year was worth $16.5 billion (Gartner, 2011). There
is nothing specifically unique about cyber crime. It is effectively the same criminal
activities only utilising new conditions and tools. The majority cases of cybercrime and
cyber related fraud targets individuals. They are the easiest targets for identity thefts,
stealing personal banking information or other valuable and easily accessible data. While
the numbers of such crime caused damage remains high (it is estimated that losses in 2007
were about $61 million (Herley and Florencio, 2008: 9)) it is mainly relevant in terms of
individual security. This is a serious matter when talking about the precautions of using
computers but it is hardly a matter of national security. This issue does not directly threaten
11
the livelihood of the state but rather causes inconvenience for individuals, but as, for
example, car thefts is a serious problem to individuals and to local levels, by no means it is
a problem on a national level, threatening to degrade the quality of life in a very rapid and
systematic fashion. For this reason economic damage caused by cyber threats to individuals
should not be considered an integral part of cyber threats to national security debate.
Large scale cyber espionage is aimed at industrial and state targets and therefore is
different in that respect. Economic damage of cyber espionage might not exceed the damage
done to individuals (at least by sheer numbers) but the nature of these attacks deems a
different place for it in the security debate. Because targets are states and/or big companies,
cyber espionage may be considered a national security issue as it is a direct threat to the
state’s economy rather than an indirect threat through the economic losses for individuals.
At the beginning of 1980s, the dawn of cyber crime, there were couple of prominent
hacking incidents that showed the level of threat caused by relying on computer networks
for safe-keeping of the information. Starting from 1982, when the so-called “414s break -
in” incident happened, where six teenagers from Milwaukee gained access to high-profile
computer systems in the US (Cavelty, 2012: 10), there were many more incidents like these,
different in scale and motives. Recently, there was an increase in cyber espionage incidents
that are believed to be originating from China. The properties and the consequences,
including the estimated damage, of these incidents are worth looking into. In 2005, FBI
report (Posner, 2010: 1) draw attention to a series of cyber attacks, named “Titan Rain”,
which were conducted starting from 2003 and aimed at various United States computer
systems. Some data was stolen from such subjects as NASA’s Mars Reconnaissance Orbiter
and Air Force flight planning software as well as US government systems and defence
contractors (Sommer and Brown, 2011: 57). It was hard to attribute these attacks to anyone
in particular but some speculations suggested that the perpetrators were based in China
(Thornburg, 2005). Another instance of similar, large-scale cyber attack was conducted in
2009. Named “Operation Aurora”, this incident consisted of numerous attacks on high tech,
security and defense contractor companies. It was first uncovered by Google in their official
blog post (Google Official Blog, 2010), where the company claimed to be a victim of
“highly sophisticated” cyber attack. The primary aim for the attack was Chinese human
rights activists’ email accounts. It was reported that many other companies were victims,
including Adobe, Juniper Networks, Rackspace, Yahoo, Symantec and many more.
According to some cyber and national security experts this was China’s espionage program
aimed at getting high-tech information as well as politically sensitive information for its
own purposes (Cha and Nakashima, 2010). At the same year, in 2009, Information Warfare 12
Monitor uncovered a massive web of cyber-spying operation named “Ghostnet”. According
to the report, the security was breached and the computer networks were compromised in
103 countries consisting of 1295 computers. Among the infected computers there were 30%
of high value targets, including ministries of foreign affairs of Iran, Indonesia, Philippines,
also embassies of India, South Korea, Indonesia, Thailand, Taiwan, some other countries as
well as news organizations and computer in NATO headquarters (Information Warfare
Monitor, 2009: 5). The researches that uncovered this wide web of cyber espionage said that
in addition to these targets various Dalai Lama’s Tibetan exile centres were among the
primary targets (Landler and Markoff, 2009). This and the fact that the technology behind
the Ghostnet was highly sophisticated led many to believe that Chinese government must
have been responsible for the support behind this incentive. However, like with the majority
of cyber crime, there can be no certainty behind the attribution as it is very easy to remain
anonymous in the cyberspace.
This brief overview of cyber related incidents that caused economic damage
showcases many problems when trying to determine to what extent these types of incidents
is a serious threat to national security. Firstly, it is hard to tell what the actual cost of large-
scale cyber espionage was. Neither states nor private companies want to reveal how much
classified and sensitive information were stolen and what impact it had. It can only be
assumed that if there was a lot of data that were taken from private defense contractors,
NASA or US Air Force computers, it was most likely valuable and have caused substantial
economic damage. Additionally, these types of disruptions do not directly threaten national
security in the most basic sense. Neither they cause significant limitations to the policy
choices for the government, nor do they threaten the livelihood of the state’s population.
The consensus is that cyber espionage has the potential to cause such financial loss that it
may also impact on the security of nation states both militarily and economically (Sommer
and Brown, 2011: 33). Economic sector occupies a peculiar position in state’s power. There
is a strong link between economic and military capability, and if economic capability, being
the crucial foundation on which the relative status of state’s power rests, declines, so does
the military capability and, subsequently, state power (Buzan, 1991: 127). In that regard
economic safety is a subject of national security, but the threats to economic sector must be
extraordinary, causing serious systematic shock and disruptions with the cascading effects.
Only in such instance, it could be a matter of national security. However, the scale of past
cyber incidents did not meet these requirements.
13
1.3 Political sector
According to Buzan, political threats are aimed at the organizational stability of the
state. The nature of the political threat is likened to that of a military one, because the state
is essentially a political entity, so political threats may be feared as much as military ones
(Buzan, 1991: 119). However, the purpose of the attack that threatens political sector is
different. It “may range from pressuring the government on a particular policy, through
overthrowing the government, to fomenting secessionism, and disrupting the political fabric
of the state so as to weaken it prior to military attack.” (Buzan, 1991: 118-119). When
assessing the cyber threats that aim at the political sector we must look at the properties of
the threat and only then decide to what extent it can be a matter of national security. Firstly,
it is important to pinpoint the motive of the attack/incident. Sometimes it can be hard to
distinguish what is the aim of a specific cyber incident, but the ones that have political
properties should be easy to spot. Usually the perpetrators clearly state their aims and goals
of what they are trying to achieve. The motive should be political - aimed at political regime
itself or the specific policy of that regime. Secondly, cyber attack should threaten
“organizational stability of the state”. In other words, the attack should target political
regime itself and/or its ability to make policy decisions. These two requirements should be
fulfilled if the attack is deemed to be a threat to national security that comes from political
sector.
Cyber attacks with a political motive are usually described as hacktivism. It is the
fusion of two words - hacking and activism. It refers to politically motivated attacks on
publicly accessible Web pages/resources or email servers (Dacey and Hite, 2003: 7).
Hacktivism is basically the use of hacker techniques (particularly web-defacement and
distributed denial of service attacks (DDoS)) to publicise an ideological cause rather than
for crime (Sommer and Brown, 2011: 31). Like cyber criminals are the same criminals only
using cyberspace for their illegal activity, hacktivists are essentially activists that have gone
electronic. They utilise virtual powers to mould offline life (Jordan and Taylor, 2004: 1).
There is a long history of hacktivism examples with varying degrees of success and
impact. Earliest example dates back to 1989, when the group called Worms Against Nuclear
Killers penetrated the United States Department of Energy and NASA machines. This anti-
nuclear group of hackers defaced website’s login pages to their own, proclaiming the
message - “You talk of times of peace for all, and then prepare for war” (Assange, 2006). A
significant example of similar attack can be found in 1997, when Portuguese hacking group
UrBaN Ka0s hacked the website of Indonesian military and government. The websites were 14
changed to express the criticism towards Indonesian government and the situation in East
Timor (Ludlow, 2010: 26). In 1998, arguably the same group launched attacks on
Indonesian government websites with the message “Free East Timor” (Harmon, 1998).
Hacktivist groups with the comedic names such as Electronic Disturbance Theater, the Cult
of the Dead Cow and the Hong Kong Blondes have used hacktivism tools to help and
support the Zapatista rebellion in Mexico, protest nuclear testing at India’s Bhabba Atomic
Research Center as well as protest anti-democratic crackdowns in China (Manion and
Goodrum, 2000: 14). All these incidents showcase a couple of points. Firstly, attacks were
clearly of a political nature, in most cases intending to oppose particular government and its
policy. Secondly, the attacks did not intend to cause economic damage but to send a
political message. It was a symbolic act. Part of the reason for it was that, at that time,
hacktivists’ tools were capable of defacing websites but it was technologically hard to make
a stronger impact. Therefore, these examples of hacktivism can only be considered as a part
of political activism and not a national security issue. They are symbolic acts that have a
clear political message, but by no means they caused a serious disruption for government’s
ability to make the policy decisions or threatened political regime’s livelihood. Hence, they
only fulfil the first requirement of the two that are necessarily to consider an issue being a
threat to national security. More than 20 years have passed after the first hacktivism
incident and today this type of activism is rising in popularity. Today’s hacktivism
incentives are bigger in scale and bigger in impact it creates.
Recently, hacker collectives such as “Anonymous” and “Lulzsec” as well as
WikiLeaks organisation spurred new life into the debates about hacktivism, cyberterrorism
and freedom of information. Anonymous is an interesting case of internet activism. It
mainly operates on the premise that information should be free and opposes various power
structures (big corporations, states, international organisations) which attempt to limit,
censor or by any means tame the content in the cyber space.
Anonymous activity began in 2009 and ever since then they have made many
attacks on various targets. M. D. Cavelty describes it as “behaving deliberately hedonistic”
and says that they “creatively play with anonymity in a time obsessed with control and
surveillance and humiliate high-visibility targets by DDoS attacks, break-ins and release of
sensitive information” (Cavelty, 2012: 12). There are 3 notable cyber incidents which are
attributed to ‘Anonymous’. In 2008 they launched Project Chanology, aimed at Church of
Scientology. Protesting against the removal of Tom Cruise video from YouTube, which was
done upon the church’s request, the group launched wide-scale attack on Scientology 15
websites, also flooding their offices with blank faxes and prank calls, using any measure
possible to disrupt their operations. In addition to that in about 100 cities worldwide about
7000 people took part in protests against Scientology in Australia, Europe, Canada and the
US (Moncada, 2008).
The second major incentive called Operation Payback started in 2010. The targets
this time were a major pro-copyright and anti-piracy corporations (e.g. Motion Picture
Association of America) law firms and individuals. Launching mainly the same DDoS
attacks they managed to shut down certain websites for up to 30 hours (TorrentFreak,
2010). Basically, using the same idea of the freedom of information and freedom from any
kind of censorship, the group sent a strong message that anyone who opposes this idea
might provoke cyber hostility. This motive was clearly evident during the scandal when the
US diplomatic cables were leaked through WikiLeaks organisation. “Anonymous” were
supporting the leaks and when the major financial organisations (PayPal, BankAmerica,
PostFinance, MasterCard, Visa), that were feeling the pressure from the US government,
stopped providing the services to WikiLeaks (this way creating many financial problems for
the organisation which main income was coming from the internet donations), they reacted
immediately by shutting down websites of those organisations for a limited amount of time
(Pauli, 2010). Both “operations” were very disruptive and possibly highly economically
damaging. They were similar to the first examples of hacktivism in the sense that they too
had a political/ideological message attached to them (this time being the freedom from
censorship and control in the cyber space). However, they were way bigger in scale and
caused much more disruption through economic loss and limitations to various
organisations. Precisely because the targets of the attacks were independent organizations, it
can be said that these type of threats belong more to individual than to national security
discourse.
The most recent attacks conducted by this group are much more dispersed and not
carrying a clear political message. Self-named Operation AntiSec aims at hacking into a
wide variety of companies and mocking their cyber security measures. Companies such as
Sony, Disney, NBC Universal, AT&T were attacked, and a lot of information were made
public including sensitive data about products and clients (Greenberg, 2011). The group was
also active during the Arab Spring that started in 2010, they were in charge of attacks on
Egypt’s, Libya’s and Tunisia’s government websites (Wagenseil, 2011), sending a message
that they are in favour of liberation movements. The diverse nature of the attacks shows that
the group itself is not a centralised, authoritative organisation with the clear set of rules and
motives. It can be described as decentralised, disperse and chaotic organisation of 16
individuals who oppose any incentive towards control and concentration of power. They
enjoy and celebrate the freedom cyberspace creates and the anonymity it provides. This
group’s activities poses a threat to many actors, however the threat is mainly of economic
nature. The ramifications that this type of activism creates for the understanding of security
and cyber security in particular will be explored after the brief analysis of the biggest
information leak scandal - Cablegate.
The US diplomatic cable leak began in 2010. A non-profit organisation WikiLeaks
published classified cables obtained from US State Department. The organisation obtained
classified documents from the US Army soldier Bradley Manning who downloaded them
without authorisation. The amount of information of the published cables is immense. There
are over 250 000 cables, involving international affairs from 274 embassies dating from
1966 to 2011 (Shane and Lehren, 2010: 2). This makes Cablegate the largest release of
classified material in the world. The content that was published stirred the news companies,
public and governments all around the world. The consequences included not only charges
against Bradley Manning but also against Julian Assange, the founder of WikiLeaks, who
decided to publish all material including sensitive information about informants working in
Afghanistan and Iraq, possibly putting their lives at risk. The data that was made public not
only put many people in danger but revealed how countries exchange correspondence and
what kind of language they use. It may have contributed to Arab Spring, creating instability
for the governments by revealing the corruption and spending details of the leaders, for
example, leaked documents revealed that in Tunisia the first lady had huge profits from
public schools which may have exacerbated public dislike of the government (Dickinson,
2011). Cablegate scandal is a matter of security on many levels. The leaked cables put many
individuals in danger, not only releasing their financial information but also, in the case of
informants, putting their lives in danger. Private correspondence between individuals was
made public and the “secret” nature of diplomatic relations was made available for the
general population. This information leak is a threat to both, individual and the state
security. However, it cannot be called solely a matter of cyber security because internet and
cyber tools acted only as a medium to transfer the information and make it public. The
information was not obtained by the outsider, a hacker, but rather from the insider, a US
Army soldier. This means that the scandal itself is matter of individual as well as state’s
national security, but it cannot be considered a threat coming from the cyber space.
Keith Alexander, the general in charge of the US Cyber Command and the director
of the National Security Agency hold that hacker-activist group Anonymous is a threat to
national security. He claims that “the hacking group Anonymous could have the ability 17
within the next year or two to bring about a limited power outage through a cyberattack”
(Benkler, 2012). How realistic is this statement is hard to assess. So far the group showed
interest in obtaining secret information, website defacement and making targeted websites
inaccessible for a short period of time in order to transmit their rebellious message. So far,
hacktivism has proven to be sporadic by nature and not systematic or persistent. According
to Sommer and Brown “to reach the level of a global shock hacktivist activity would need
to be extremely well researched and persistent and to be carried out by activists who had no
care for the consequences” (Sommer and Brown, 2011: 32). Nonetheless, the potential of
the threat is there, the blockade against financial institutions showed that there is a
possibility of a prolonged inability for public and private sector to use internet financial
services. This indirectly can threaten political stability of the country because if government
cannot secure its financial sector in the long term the stability of political regime might be
threatened. The speculative nature of these threats cannot deem hacktivism to be an
immediate threat to national security. However, WikiLeaks example is different. Its
properties have a nature of cyber-espionage rather than hacktivism and falls within the
discourse of broader national security concept. In other words, the leak was made possible
by security problems in the US Army’s computer networks and was done by internal
source. Internet acted only as a catalyst, enabling the rapid spread of the classified
documents but nothing more. Internal security of such computer networks should always be
a priority, primarily in terms of military security rather than political security sector. To
conclude, while Cablegate leak was definitely a blow to stability and security of the
international diplomatic affairs, and by extension to national security of many countries, this
falls within the broader discourse of internal security which should be day-to-day routine
practice and not to be clumped up with the other cyber incidents.
Politicians and security experts who use hacktivism as an example to move cyber
security policies higher on the agenda should be careful not to overstate the threat levels. It
has the potential to be a national security issue, but so far, there is no proof of such scale
incidents. Examples showcase that hacktivism does not seriously threaten to reduce the
possible government options to make decisions nor does it seriously diminish the quality of
the people of the state. It is definitely a matter of individual security, mainly in the sense of
economic security, and where it goes beyond that point, it should be taken care by internal
computer security measures, but by no means, invoking national security rhetoric.
18
1.4 Military Sector
Security of the state is very often likened to the military security. When national
security is mentioned, the first thing we imagine is military threat and the direct use of
force. It is because Security Studies started with the conception of the military threats being
central in the whole national security debate. Even now, when the definition of security is as
wide as it is, military threats occupy a distinct and prominent role in security debate. It is
because military action can pose a threat to all the components of the state. According to
Buzan, military actions not only “strike at the very essence of the state’s basic protective
functions, but also threaten damage deep down through the layers of social and individual
interest superstructures” (Buzan, 1991: 117). Military threats can also be direct or indirect
with varying levels of impact, ranging from directed at particular state’s external interests to
invasions and assaults on the very existence of the populace (Buzan, 1991: 118).
Cyber threats can come through military sector in many ways. Nonetheless, Buzan’s
requirement that military threats always involve the use of force is not suited for
cyberspace. It is because any cyber threat that is active and does not come from the passive
inherent network vulnerabilities is, in the strictest sense, use of force. Be it a breach of
security with the motives of hacktivism, economical gain or purely curiosity, it is all use of
force. However, it should not mean that these types of incidents belong to military sector
and therefore by extension require military solutions. When we look at cyber threats coming
from military section we are mainly concerned with the conflicts that involve states as units,
conflicts that are purely cyber in nature (cyberwar) and conflicts that are conventional but
come with the cyber dimension. As of yet, there are no examples of all-out cyberwar, and
the evidence suggests that it is highly unlikely. However there have been a few conflicts
that come with the cyber dimension to them. Notable examples include: 1991 Gulf War,
2007 Iraq, 2007 Estonia and 2008 Georgia.
The 1991 Gulf War was a notable step in the US military discourse. This was the
conflict were the potential of information warfare was realised and utilized and emphasis
was placed on the reliance on information and not only on physical force. Winning
information warfare became essential for success. Since then information revolution played
a significant role in the US military affairs (Arquilla and Ronfeldt, 1993: 1). Information
technology gave an edge to the US military operations through the communication
satellites, intelligence gathering, command and control, also extensive use of Iraqi civil
mobile networks and media management were core aspects of this type of warfare
(Hutchinson, 2006: 213). Kosovo War in 1999 proved to be another example of a conflict 19
that had information warfare or cyber dimension to it. It is believed that cyber-based tools
used by the US helped to distort the images Serbian air defense systems were receiving.
Additionally, after the war ended there were hackers actively attacking Kosovo web pages
(Arquilla, 2003). Both of these conflicts included cyber tools in their regular conventional
military arsenal and clearly showed the advantages that domination in cyber realm can
provide. It has shown that the reliance on internet and computer networks may be a double
edged sword, providing efficient communication but creating vulnerabilities at the same
time.
The disadvantages of relying upon internet and computer networks manifested in its
full potential during the cyber attacks conducted towards Estonia in 2007. When
government of Estonia decided to remove World War II bronze statue representing a Soviet
soldier to a different place - a three week long cyber attack began. Primary targets were the
websites of Estonian parliament, banks, ministries, newspapers and broadcasters (Cavelty,
2012:14). Estonian government reacted very seriously to this attack. Estonian foreign
minister Urmas Paet accused Russia of direct involvement of the attack (Bright, 2007).
There were statements made by officials who suggested that these cyber attacks should be
likened to the “real” attacks and therefore would fall under the NATO Article V (Anderson,
2007). Despite the dramatic language, there was no conclusive evidence that Russia was
conducting this attack, most likely it has been a group of hackers sympathising with those
who were opposed to the removal of the monument. In this sense it is an example of
hacktivism, and therefore it falls within the political sector rather than military one.
Nonetheless, this incident showed that sustained blockade of services that are available on
cyberspace (banking, government information, and news portals) is possible. NATO reacted
swiftly to this incident and in 2008 created Cooperative Cyber Defence Centre of
Excellence in Estonia.
Cyber attack against numerous Georgian websites in 2008 is a similar example of
“cyber-ed” conflict. Five day long armed conflict between Georgia and Russia began on the
7th of August 2008. The breakout of the military conflict was synced with well-coordinated
cyber attacks aiming at Georgian government and media websites. The report conducted by
the US Cyber Consequences Unit concludes that the main objective of these cyber attacks
was to support Russian invasion of Georgia (U.S. Cyber Consequences Unit, 2009: 6). Also
while the attacks against Georgian targets were carried out by civilians, those civilians were
tipped off about the timing of the Russian military operations and they had an advance
notice of Russian military intentions (U.S. Cyber Consequences Unit, 2009: 2-3). This
cyber conflict was similar to that in Estonia because most likely Russian government were 20
not directly responsible for conducting the attacks but they used hacker groups for their own
purposes, tipping them off about the attack or encouraging them to jam the “enemy’s”
websites. This suggests that future conflicts will most likely have a cyber dimension to
them. Additionally, the attribution problem will allow states to hide behind the internet
anonymity and fully utilise the potential that cyberspace gives to aid conventional conflicts.
Nonetheless, examples of Estonia and Georgia do not suggest that cyber conflicts will
replace conventional conflicts any time soon. Most likely cyber tools will fulfil the
supplementing role as an additional tool to the variety of conventional use of force options
available. Looking closely at the results and damage of these incidents it can be concluded
that the impact was minimal. Three week and five day internet blockade of government
websites, news outlets and other services cannot be called a cascading threat that would
greatly impede upon governments choices to make policy decisions. It is a symbolic attack
rather than an actual utilisation of hard power as there is no physical damage done. If these
incidents can be regarded as a state’s intentional use of cyber weapons, those weapons
appeared to be limited to minor inconveniences, symbolic messages and temporary
economic disruptions.
The understanding of what cyber weapons can do changed dramatically in 2010 with
the discovery of Stuxnet computer worm. This type of malware is distinctly different from
ordinary malware discussed earlier. The only similarity is that it is also self-replicate and is
designed to spread rapidly. However, the properties and its aim is different. Firstly, it is a
much more complex programme than any other virus in the world. Symantec, one of the
leading computer security companies, described Stuxnet as requiring extraordinary
sophistication, thought and planning (Murchu, 2010). Security experts think that it might
have taken many months if not years to design it (Zetter, 2010). This initially led many
experts and analysts to believe (which later was essentially confirmed) that the creation of
this virus was conducted with nation-state backing and support (Kaspersky, 2010). The
second big difference is that this malware aims precisely at industrial control systems,
which are in charge of variety of industries such as electrical, water, oil, gas and date
operations. The aim was to penetrate the specific system and take control of it. It was not
aimed to conduct espionage or monitoring tasks as the majority of malwares are. It was
aimed at Windows systems that had Siemens Supervisory Control And Data Acquisition
systems. So it is a very specific target. It was revealed that the majority of infected
computers are located in Iran and the target was Iran’s main nuclear enrichment facilities
(Shearer, 2010). The worm spread through infected USB drives and may have damaged 21
about 1,000 centrifuges in the Fuel Enrichment Plant in Natanz. It successfully, but
temporarily, set back Iran’s fuel enrichment progress in Natanz (Albright, Brannan and
Walrond, 2010: 7). It was a deliberate and precise attack in order to disrupt and cause
physical damage to Iran’s nuclear ambitions.
Precisely because of what the target was and the complexity of the virus, media and
experts speculated that it may have been the work of United States and Israel. This
suspicion was later confirmed in the New York Times article by David Sanger. The article
revealed that Stuxnet virus was developed following incentive started by Bush
administration and called Operation Olympic Games. It included covert attacks against
Iranian nuclear industry and the main weapon of it was development and initiation of
Stuxnet (Sanger, 2012). The report argues that collaboration with Israeli intelligence unit
was driven by two conditions. Firstly, Israel had very advanced technical expertise and
particularly deep knowledge of the Natanz nuclear facility. Secondly, it was a good way to
deter Israel from thinking about pre-emptive strike against the Iranian nuclear facilities, as
that would create immense crisis situation and instability in the region (Sanger, 2012). The
article goes into detail how the initial planning and actual execution of the operation took
place, but these details are not that important. What is paramount is to understand that first
time in the history a cyber tool/weapon was used to do more than disrupt, deface or create
mild and temporary inconvenience. This weapon was used because alternative conventional
strikes were not the best option, however, it managed to create an actual physical
destruction of the crucial nuclear power plant. In many ways it was a success, however, due
to a mistake in programming code, Stuxnet spread to other computers outside Iran. This not
only revealed what are the capabilities of states in terms of cyber weaponry, but allowed to
dissect and analyse the program itself, so that replicas could be made by anyone willing and
having resources to do so. Because of that, the damage was not only to Iran’s nuclear plans
but also to the U.S.’s credibility in cyberspace, it is believed that it may encourage other
countries to increase their offensive cyberspace capabilities in response (Messmer, 2012).
Cyber threats that come through military sector can be divided in two categories.
There are the ones that pose a direct threat to national security and the ones that support
conventional conflicts by exploiting cyberspace to create pressure, disrupt media or spread
symbolic political messages. Conflicts of Gulf War, Iraq, Estonia and Georgia were of the
latter type, they had a cyber dimension to them. The opposing parties, utilised cyber space
tools to supplement their foreign policy agenda. These examples suggest that in the future
there might be more conflicts that will have a cyber dimension. However, cyber tools that 22
were used proved to be limited in the impact it created. Short-term government websites
disruptions are not, and should not be, a major national security issue. It can hardly be
called a matter of state security, let alone invoke national security rhetoric. The response to
these types of disruptions should primarily be done internally, improving the computer
networks and making more robust systems that would hold-out against such attacks in the
future. There are no grounds to use the words of “war”, “warfare”, “cyber warriors” or
anything like that, which was done during the Estonian cyber conflict. These matters should
be left to day-to-day politics, mainly to computer network and security experts who can
make backup systems in case of similar disruptions occur again. Neither politicians, nor
military should be involved in this. It is not a threat to national security in the strictest sense.
Other type of cyber threat that comes through military sector is cyber weapons
designed to cause physical damage. It is a cyber weapon that strikes directly the at physical
infrastructure of the state and undermines the livelihood of state. Stuxnet is the sole
example of existing cyber weapon but it shows that it is indeed possible to create and utilise
a weapon that comes and operates within the cyberspace but damages physical realm
instead of just virtual one. Because of that it requires a military response, be it by increasing
cyber defences or reducing cyber vulnerabilities when it comes to industrial sector
operations. This is clearly a threat that come through military sector and should be
considered a matter of national security. Cyber weapon can be substituted for a
conventional weapon and still do a physical damage to the designated target. It not only
bypasses the conventional security measures but also international conventions and
agreements. So far, cyber space is not under international supervision or any sort of weapon
control treaties. The existence this type of cyber weapons should be acknowledged by
military security experts as it is a threat to national security and international stability in
general.
23
2. Rhetoric of the cyber security debate.
2.1. The gap between perception and reality
The first part of the dissertation showed to what extent cyber threats can be a
national security problem. The results can be interpreted depending on the definition of
security. The broader the understanding is, the more threats can be considered a matter of
security and a threat to the state livelihood. However, when assessing the risks presented by
cyber sector, it is important to use a rigid and narrow understanding of national security.
Mainly because it is a fairly new threat and concepts are not yet developed, so there is a lot
of misunderstanding and miscommunication about the cyber realm. It ranges from people
who assume that we are in a perpetual cyber war to the sceptics who say cyber threats
cannot be put in the same category as economic, political or military threats. This is a
problem because depending how you understand security, defines how you frame problems
and threats. That subsequently causes different solutions. If the threats are overblown and
exaggerated it may easily lead to calling for unwanted military solutions.
The estimation of the threats that come through three sectors (military, economic
and political) shows that very few instances would allow national security rhetoric to be
used. In other words, the majority of the threats that come from cyberspace do not directly
threaten national security. Threats that come through economic sector pose a threat mainly
to individuals but not directly to the states. Large scale cyber-espionage have the potential
to threaten national security by causing immense economic damage to the state or if the
state loses extremely sensitive (military or intelligence related) information. However, so
far there has been no such attack/incident. Political sector presents states with different
problems as politically motivated activists use cyber tools to convey their message through
disruption of websites, hacking and extracting information. The question here is if these
activities can cause political instability for regime or significantly limit government's policy
options. Wikileaks scandal was different from other examples of hacktivism. It may have
caused significant problems for some states as their private correspondence was made
public. It may also have endangered many lives of informants in Iraq and Afghanistan,
additionally, information about the military movements may have been leaked. In this
respect, it threatened states’ (mainly the US) foreign policy incentives and their national
security. However, it is important to note that the information was obtained from within the
US military, by a soldier, proving once again that usually the weakest security link is human
and not technology. Internet was the catalyst for that information to spread and gain
24
momentum; it was not a cyber threat per se. Interesting observations can be made by
looking at military sector. It is clear that present and future conflicts will also take place in
the cyber sector. This was shown in Estonia and Georgia cases. Also there is no solid proof
that currently there is an on-going cyber war. There are a lot of attacks and disruptions
coming towards nations but none of them cause serious damage. Exception can be made
about the cyber weapons capabilities to cause physical damage as shown by Stuxnet virus.
The implications of this will be assessed in the further chapters but it is clearly an example
how cyberspace can be used to damage physical infrastructure. This should be taken
seriously and according to the working definition of security in this work, this virus is (or
rather was for Iran) a threat to national security.
As mentioned earlier determining what are the actual types of threats is just one side
of the coin. To definitely say that something is a national security issue, we must also look
at how the recipient state perceives that threat. Using the Copenhagen School’s
securitization theory it is important to look at how threats are framed and what language is
used. Copenhagen School argues that security is a self-referential practice, mainly because
the issue becomes a security issue not necessarily because a real existential threat exists but
because the issue is presented as such (Buzan, Wæver and Wilde, 1998: 24). They pay
particular importance at what is called “a speech act” - a designation of an existential threat
by securitizing actors, those actors claim an issue to be an existential threat requiring
emergency action or special measures. And if it is accepted by a significant audience, the
issue becomes securitized (Buzan, Wæver and Wilde, 1998: 27). According to Arnold
Wolfers security can be approached both objectively (there is a real threat) and subjectively
(there is perceived threat) and that nothing ensures that these two approaches will line up
(Wolfers (1962) cited in Buzan, Wæver and Wilde, 1998: 30). The perception is particularly
important speaking about cyber security because, as mentioned previously, this is a new
field and any motions towards framing threats in a certain way leads not only to a different
solutions to problems but also to a different understanding of the problem itself. For this
reason it is important to look at the “speech acts” made by cyber sector securitization actors
- government officials as well as security experts in the U.S.
25
2.2 Exaggerated language of the cyber threats.
According to the Copenhagen School securitising actors can be anybody and
anyone. However, elites, especially political elites, have a distinct advantage in the
securitising process. Given that the understanding of cyber security requires certain amount
of technological knowledge, security experts should also be included in this category. There
has been a lot of talking about information warfare, cyber capabilities and vulnerabilities,
cyber war and cyberterrorism in general. Many individuals made statements about cyber
security; therefore it is easy to be at a loss when trying to determine who the main
securitizing actors were. It is important, however, to analyse the tone of the language used,
how the issues and problems arising from cyber realm were framed as well as what kind of
language was used to describe them.
Due to the fact that the focus of this paper is on the types and levels of cyber threats
in comparison to the perception of them, and eventually pointing out what kind of
implications does the disparity between real and perceived causes, only a brief account of
the most important actors in charge of the cyber security framing will be presented. It is fair
to say that the discourse of cyber security framing, at least in the US, is a wholly negative
exercise. The usual tone of the language is dark, threatening, intentionally worrying and
sometimes even menacing.
In the past couple of years cyber security problems have had a lot of attention from
the politicians and security experts. It can be said that this attention is only increasing in the
recent years. Obama’s administration was (and still is) particularly keen on keeping cyber
security a policy priority. In 2008 administration’s requested report of the CSIS
Commission Cybersecurity for the 44th Presidency, warned that “cyber security is now a
major national security problem for the United States”(CSIS Commission on Cybersecurity,
2008: 1). A year later in 2009, the White House released a Cyberspace Policy Review,
which said that “cyber security risks pose some of the most serious economic and national
security challenges of the 21st Century”(Cyberspace Policy Review, 2009: iii). Barack
Obama himself in 2009 speech on cyber threats said that “America’s economic prosperity in
the 21st century will depend on cybersecurity” (Obama, 2009). These statements focused
attention on a particular parts of cyber security. It can be said that it paved the way for the
future security implementations and raised the awareness of the possible security problems,
putting cyber security alongside “traditional” sectors (military, economic, political, and
environmental). However, other securitising actors used much stronger language to describe
cyber threats. Keith Alexander, the director of US National Security Agency and the 26
commander of US Cyber Command claimed earlier in 2010 that US networks are being
attacked by “hundreds of thousands of probes a day” and that the Pentagon was “alarmed by
the increase” of these attacks (Hodge, 2010). He also warned that previously discussed
hacktivist group “Anonymous” in the nearest future may have the ability to cause “a limited
power outage through a cyberattack” (Benkler, 2012). US Defence Secretary Leon Panetta
in 2011 said that “the next Pearl Harbour that we confront could very well be a cyberattack”
(Mulrine, 2011). Mike McConnell, former director of the National Intelligence, also does
not miss a chance to hype up the cyber security of the US. In 2011 he said that if the US
would be in cyberwar today, US would lose (McConnell, 2010). Richard Clarke, who
worked for the US government security related positions and now is a counter-terrorism
analyst, in his book Cyber War (2010) draws a very dark picture of what would happen if
US would be involved in a cyberwar - blackouts would hit cities, airplanes would fall from
the sky, banks lose all their data and satellites would spin out of their orbits (Kakutani,
2010). Michael Mullen, former Chairman of the Joint Chiefs of Staff and a retired US Navy
admiral stated that in regard to cyber security “we are being attacked today, from other
countries” (Shachtman, 2010). These people play a pivotal role in the framing of national
security in terms of cyber vulnerabilities. They are the leading securitising actors, because
of unique government positions they occupy or occupied at some point. For this they have
the most influence in shaping up security matters as well as most exposure in terms of
publicity through media.
Precisely because of the high importance of these individuals, we must look
carefully at what (and how) they are saying. First chapter of this dissertation looked into the
“reality” of the cyber threats. Albeit that is a very tricky task as what is a “real” threat is
definitely subjective, because different units perceive different threats to be more “real”
than the others, depending on the information they have and other contextual conditions.
Academics in favour of constructivist approach to security seem to believe that the
importance of the actual threat level is not that big, the study should be focused mainly on
actors and their interactions. Cavelty argues that there is no sound way to study the “actual”
level of cyber-risk. She says that “the focus of research necessarily shifts to contexts and
conditions that determine the process by which key actors subjectively arrive at a shared
understanding of how to conceptualize and ultimately respond to a security threat” (Cavelty,
2012: 24). However, the “actual” threat or the “real” threat still matters despite this point of
view. If the aim is the optimal governmental policy solutions, we must assess how real the
threat is and how that matches with the perception of the threat.
27
Comparing the first chapter with the presented rhetoric of securitising actors it can
be said that the reality and the rhetoric does not match. There is a clear gap between what is
perceived to be a cyber threat and what kind of threats actually exists. This is a problem
because the mismatch between perception and reality creates a situation where public and
media is misinformed about the threat levels. In this instance where disparity is very
negative (rhetoric is exaggerating the actual threat levels), it can create an overly insecure
feeling about the cyber space, where individuals will be imagining that using internet is a
constant danger and that identity theft, financial loss and other dangers are imminent. This
can seriously stall the spread of electronic literacy and computer technology progress. What
is more important, is that this gap causes a particular kind of unwanted policy solutions and
creates an international tension among states, subsequently leading to more insecurity. This
problem will be addressed after the evaluation of why this gap exists at all.
2.3 Mismatch between perception and reality of cyber threats - reasons and implications
The gap that exists between perception and reality of cyber threats is caused by three
main reasons - psychological, economic and political.
Psychological reasons cause people to misjudge their sense of security all the time.
Cognitive bias makes us perceive personified risks to be greater than anonymous, also
exaggerate spectacular and rare risks and downplay common risks (Schneier, 2011). This is
also true when talking about cyber security. Especially when people hear words as
“cyberterrorism” and “cyberwar” that psychologically causes a sense of fear. Terrorism
associates with the fear of random, violent victimisation and that blends with the distrust
and outright fear of computer technology (Weimann, 2004: 3). Technological fear is
especially relevant when it comes to cyber threats because the majority of media articles
and security experts use quite vague and strong language to describe these threats. Threats
seem to be coming out of nowhere, from some anonymous hacker groups who can strike
any time and cause unimaginable damage. This is caused by the lack of information on the
part of consumers and general population. It is problematic because if there is a big
disparity between the “feeling” of security and the reality of it, it is hard to make sensible
security estimations and that leads to a bad security policy decisions.
Economic reasons are quite straightforward. Combating cyber threats became a very
profitable business. According to Gartner Inc., worldwide security software revenue in total
28
was $17.7 billion in 2011 and increased by 7.5% from 2010 (Gartner, 2012). Additionally,
following 9/11 attacks, the US federal government requested $4.5 billion for infrastructure
security (Weimann, 2004: 3). Think tanks release reports that alarm public about cyber
realities, experts have testified about cyberterrorism dangers before Congress and private
companies have deployed security consultants to protect themselves. It cannot be said that
all these movements were based on groundless threat perception, however, the exaggeration
of the threats definitely moved the cyber security industry forward and gave jobs to a lot of
computer and network experts, analysts and professionals. It is in their best interest to keep
the threat levels as high as possible, without going totally overboard.
Finally, political reasons are a bit more ambiguous and not so clear cut. Politicians
very frequently use the tactic of “raising awareness” of some problem when they want a
certain legislation to pass. Media sometimes exacerbates the exaggerated rhetoric by
chasing a scary front-page title, such as - “Cyber-Attacks by Al Qaeda Feared, Terrorists at
Threshold of Using Internet as Tool of Bloodshed, Experts Say” (Gellman, 2002). This
might be a selective example but “dread” language from politicians usually increase when a
big legislative bill is about to get voted in Congress. This happened with Cybersecurity Act
of 2010, when the increased attention was given to cyber security in the media by the
senators who were trying to push through this bill. In the op-ed article senators Olympia
Snowe and Jay Rockefeller warn that attacks coming from cyber sector “have the potential
to disrupt or disable vital information networks, which would cause catastrophic economic
loss and social havoc” (Rockefeller and Snowe, 2010). Many experts agreed at the time that
this was clearly an artificial ramping up of the rhetoric in order to get the bill to pass. The
bill was controversial because it introduced the so-called “kill switch” - an ability for the
President to order limitation or complete shutdown of Internet traffic. Electronic Frontier
Foundation called this an “approach that favours dramatic over sober response (Granick,
2009). Recently, the same tactic was used by President Obama as he was trying to get
passed the Cybersecurity Act of 2012 in the Senate. He wrote an op-ed in Wall Street
Journal arguing that “cyber threat to our nation is one of the most serious economic and
national security challenges we face” and starting the article with the dread scenario of the
cyber attack simulation where trains derail and water treatment plants shut down” (Obama,
2012). Once again the updated version of Cybersecurity Act faced heavy criticism. Personal
privacy advocates claimed that the bill will seriously impede upon people’s ability to be
anonymous and private on Internet, forcing some Internet Service Providers to implement
blocking measures against privacy service providers such as VPN and TOR, also that the
bill will allow recording of “potential future crimes”, again, highly ambiguous and freely 29
interpreted statement (Wilson, 2012). Currently the bill is in limbo as it did not pass the
Senate vote, but Obama considers using the executive order to get it through regardless.
Looking at the reasons why the gap between the perceived cyber threats and the
actual cyber threats exists, it is safe to say that all three reasons - economic, political and
psychological, makes the case for educating the public about the cyber threats. If we would
have more information about what the actual threat levels are, it would be easier to assess
and recognise when the exaggeration happens and when the rhetoric is being used because
of the political motivation. The disparity between real and perceived not only causes
misinformation towards general public but also causes other implications in terms of policy
decisions, general security and international stability.
The level of states’ cyber capabilities (offensive and defensive) varies greatly, but it
is hard to assess the actual levels because most of the information is regarded as sensitive
and therefore is not accessible. Nonetheless, experts suggest that countries have been
ramping up their offensive and defensive capabilities.
Iran has been on the spotlight as a country that can and would use cyber tools to
retaliate if they would ever feel cornered. Iran is said to have a cyber capabilities to perform
an attack. In 2010 Iranian Islamic Revolution Guards Corps established their cyber warfare
division. It is believed that there are about 2400 personnel in the cyber division (Carr, 2012:
250). Iran’s officials seem to constantly warn the US and Western world of their “very
strong” defence capabilities (Ferran, 2011).
China is also developing a strong cyber command unit. Development of cyber
warfare capabilities has been one of the most important incentives in order to diminish the
disparity between the US and Chinese military capabilities. In 2011 China announced the
establishment of a “Blue Army” division, a cyber command unit (Carr, 2012: 257).
North Korea has been training hackers since mid-1980s and now has a very
powerful force of cyber warriors. Specialised college trains a hundred professional hackers
every year which are incorporated into military and being put under centralised command
(Jae, 2011). It is believed that Iran’s cyber warfare capabilities are on par with such
countries as South Korea, China and Russia, mainly because they put hackers under direct
command and therefore fully control the capacity of cyber tools, whereas other countries,
especially Russia and China, depend on separate hacker groups who are motivated by
ideology or money.
Russia alongside countries such as France, Germany, Israel, Canada, and Australia
are also in the process of increasing their cyber capabilities. Due to overall secrecy of these 30
types of military programs it is hard to rank countries and say that one is more advanced
than the other. Nonetheless, the trend is very apparent, a lot of states are ramping up their
offensive and defensive cyber security programs and there seems to be nothing to suggest
that this trend will decrease any time soon.
Exaggerated rhetoric by the US may have contributed to this “militarization” of
cyber sector because when the US uses such terms as “cyber war”, “cyber deterrence” and
“cyber response” it creates an international tension and an atmosphere of insecurity. That
might lead to the security-dilemma of the cyber space. If many countries are building cyber-
command units, little is known about their capabilities and this only encourages other
countries to “catch-up” and do the same. Uncertainty, secrecy and distrust seem to dominate
international cyber relations (Cavelty, 2012: 15). Not only the rhetoric may have
contributed to that but also actions by the US. Stuxnet virus has basically proven to be the
creation of the US and Israeli intelligence and it sent a clear signal to the other states about
what these two countries are capable of in terms of technological advancement. The fact
that the virus code leaked and got dissected by many computer experts did not make the
case any better. It allowed for not so advanced states to use the same code and attempt to try
and create their own cyber weapon. US sent a loud message that they are prepared to use
offensive cyber tools to achieve their foreign policy aims. Militarization of the cyber sector
is just one side of the problem. The gap between perceptions and reality also has a negative
effect on the cyber security concept itself..
2.4 Implications for the cyber security concept
A lot of problems related to the concept of cyber security come from its ambiguity.
As mentioned earlier, cyber security is not the concept that fits easily in the well-established
conceptual or theoretical Security Studies categories. To quote Hansen and Nissenbaum,
“cyber discourse moves seamlessly across distinctions normally deemed crucial to Security
Studies: between individual and collective security, between public authorities and private
institutions, and between economic and political-military security” (Hansen and
Nissenbaum, 2009: 1161). The problem is not that cyber security can be an issue for the
variety of units (individuals, states, societies), but that politicians, security experts and some
academics use the term “cyber security” to describe entirely different problems. Cyber
threats to individuals are vastly different from the threats to the states. The clarity of what is
31
meant by ‘cyber security’ must always be a priority when someone is making a speech or
writing a report on the national security. Given that the concept of cyber security is at its
early stage of development, a particular attention should be paid to avoid the confusion of
the terms. Otherwise, not only there will be a blurry academic discourse and analysis, it will
also lead to a bad policy decisions.
The second source of ambiguity comes from the properties of the cyber
securitization. The process of securitization always involves same two reflections – the
future and the past. To a degree all past securitizations utilized a projection of the future
(e.g. environmental change scenarios to illustrate the importance of taking environmental
security seriously), but, also, securitization always depends on the past as a reference that
underscores the gravity of the situation (Hansen and Nissenbaum, 2009: 1164). In the case
of nuclear war, Hiroshima and Nagasaki examples would be used to make an estimated
projection of what an all-out nuclear war would mean. The problem is that cyber threats do
not have the past “catastrophes” on which cyber security concept could be built. So far,
there has been no large-scale cyber incident with the cascading effects that would leave a
long lasting impact. Therefore, cyber sector securitization relied on the future projections of
the cyber catastrophes. This is understandable because for the issue to become a part of the
security debate and establish itself firmly in the broader context of security, some
exaggeration is helpful. However, it can be argued that what started with the intention of a
firmer securitization and “claiming” equal footing among the other security sectors, ended
up being over-exaggerated concept, susceptible to the case for hyper-securitization.
The ambiguity of the cyber sector lies at the very core of this dissertation main
argument about the existing gap between the perception of cyber threats and the actual
threat levels. Securitizing actors had no past examples to rely on when they started the
process of cyber threat securitization. Because of that, securitizing actors relied on the
future projections and possible “dread” scenarios. According to Ole Weaver, the use of the
security label does not necessarily imply that a problem is a security problem, but rather it is
a political choice, a decision for conceptualization in a special way (Weaver, 1995: 13). He
maintains that we should not judge the securitization act as “good” or “bad” by itself, but
we should look at the effects such political move creates (Weaver, 1995: 21). Applying this
thought process to the cyber security concept, it should not be said that the cyber
securitization, based on exaggerated projections of the future itself, is a bad move.
However, the effect it created is not a positive and, therefore, adjustments towards the
understanding of the cyber security concept should be made.
32
Besides the effects caused by the gap between the real cyber threats and the
perceived ones that were discussed earlier (possible militarization of the sector, overall
instability and distrust of the international cyber discourse) there are also negative effects on
the understanding of the cyber security concept itself. Effectively, what has happened with
the cyber security concept is due to the perceptions becoming the reality. This work showed
that there is a clear gap between the actual threat level and the perceptions, but the effects of
the securitization imply that either this gap is not visible to the other actors (or, using the
Copenhagen School’s terminology, the audience) or it is totally ignored. Securitizing actors
used a very powerful language to convince that cyber security should be a top priority and,
if unattended, can lead to the extraordinary and cataclysmic disasters. They did that for
various reasons but the most important point is that the audience was convinced of that
rhetoric. When it comes to general population, they lack the sufficient information about the
subject. The understanding of cyber threats requires at least basic technological knowledge
but the majority of people do not have that. When it comes to other states and people in
charge of formulating national security policies - it is different. They do not lack the
information, but they are enforced to take it seriously because of the unstable nature of
international relations and the security dilemma that arises from cyber sector. Existing cyber
weaponry and cyber actions being unregulated and unsupervised by any authority puts
major powers at a difficult strategic position. On one hand, they should clearly see that the
traditional sectors of the economy and the military security should take priority over cyber
security. On the other hand, they cannot take it lightly when the US high ranking officials
and generals state that they need to review their cyber policy because they are “losing the
cyber war”. No state wants to fall behind at the power game, and no state takes chances of
not putting a lot of resources in the development of cyber capabilities. This way, the
perception becomes the reality, when the US, being the leading superpower and the most
advanced country in terms of cyber capabilities, talk about the possibility of cyber disasters
and the need to focus on cyber security (usually this means an increased funding for the
development of defensive and offensive capabilities) this causes other countries to react.
Other states do not want to fall behind and they start developing those capabilities to the
best of their abilities. This situation forms a loop where the “dread” scenario articulated by
the US causes other states to increase their cyber capabilities making the initially unrealistic
scenario more probable. It appears that cyber sector, being a relatively new concept, suffers
from the classic problems of security dilemma.
After all, how ‘real’ the threat is depends on whether or not it is perceived to be real,
effectively blurring the two categories together. Cyber security suffers from it. The current 33
situation does not provide a clear definitions and boundaries of the cyber security concept.
If the government uses cyber security as a “catch-all” phrase to increase their ability to
control (which is the aim of any government, consolidating the power and governing more
effectively) that changes the understanding of the problem itself. Cyber security is more
relevant when talking about the individual security. It manifests itself as a threat to privacy
and the economic wellbeing of the populations. As showed in the first chapter of this work,
cyber threats rarely cause insecurity for the state if the rigid definition of national security is
used. However, the current understanding of cyber security implies that there is a looming
possibility of cyber catastrophe. There is a lack of evidence to support statements like this,
but if this tone of the rhetoric persists, the future ramifications of the cyber security will be
deemed to be limited to the military-economical security discourse, while, clearly, at the
moment the biggest issue is individual security and individuals’ need to feel safe in the
cyber space.
34
Conclusion
Cyber security concept hinges on the cyber disaster scenarios (Hansen and
Nissenbaum, 2009: 1164) and this is the main reason for the need to re-evaluate the cyber
security discourse. The main problem is that the reliance on the disaster scenarios and the
“dread” rhetoric do not match the actual threat levels that come from the cyber sector. There
is a gap between the perception and the reality which causes unwanted consequences for the
cyber security concept.
The first chapter of this work deals with the question to what extent cyber threats
can be a matter of national security. It can be said that only a limited amount of cyber
threats directly undermine national security, a notable exception being Stuxnet - the cyber
weapon developed by the US and Israel and used against Iran’s nuclear facilities. The vast
majority of the threats causes economic damage for the business and the loss of intellectual
property and, therefore, is a matter of individual security rather than state security. Because
of that, most of the time national security rhetoric should be used very sparingly, only when
talking about a particular cyber threats that may cause substantial physical damage for the
state. Nonetheless, the second chapter points out that there is a mismatch between the cyber
threat levels to national security and the way politicians, security experts and military
officials talk about it. This mismatch creates a gap and leads to the understanding that all
cyber threats should be considered in the context of national security. In practice, this means
invoking military solutions and increasing funding for various offensive and defensive
measures. That is not the optimal approach. When it comes to the cyber security, military
solutions should be used only for a limited amount of threats.
This is the main reason for the re-evaluation of the cyber discourse. Cyber security
is more relevant when talking about the rights of individuals. Economic security,
intellectual property and the rights to maintain privacy in the cyber realm are the issues that
can be easily undermined if the public discourse of cyber security is fixated on national
security and the constant warnings about the upcoming “cyber Pearl Harbours”.
The most sensible approach to this problem may be the movement towards the de-
securitization of the cyber discourse. The majority of the threats that come through cyber
sector are not the threats to national security. Those threats can be managed using standard
political system. In most cases day-to-day politics is more than sufficient to implement the
changes required for the increased security in the cyber space. There is no need to push the
35
matter further as it does not require emergency actions that are beyond standard political
procedures. Moving cyber security from “securitized” to “politized” category would be
beneficial to the understanding of the cyber security concept itself and would subsequently
lead to a better policy solutions. It does not mean that politicians should disregard cyber
threats that can undermine national security and only focus on those that are more relevant
to individuals; rather, it means that national security should be invoked only in limited
selection of cases. Securitizing actors should understand that the exaggerated rhetoric that
they use is not helpful for overall stability and security of the cyber sector.
36
Bibliography
Albright, D., Brannan, P. and Walrond, C. (2010) ‘Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?’, Institute for Science and International Security, Washington, DC, Available at: <http :// isis - online . org / uploads / isis - reports / documents / stuxnet _ FEP _22 Dec 2010. pdf > [Accessed on 6 September 2012].
Anderson, N. (2007) ‘Massive DDoS attacks targets Estonia; Russia accused’, Arstechnica.com, [online] Available at: <http :// arstechnica . com / security /2007/05/ massive - ddos - attacks - target - estonia - russia - accused / > [Accessed on 6 September 2012].
Arquilla, J. (2003) Interview in PBS Frontline, [online] Available at: <http :// www . pbs . org / wgbh / pages / frontline / shows / cyberwar / interviews / arquilla . html > [Accessed on 6 September 2012].
Arquilla, J. and Ronfeldt, D. (1993) ‘Cyberwar is Coming!’, in J. Arquilla and D. Ronfeldt (eds), In Athena’s Camp: Preparing for Conflict in the Information Age, RAND Corporation, pp. 23-60.
Assange, J. (2006) ‘The Curious Origins of Political Hacktivism’, Counter Punch, [online] Available at: <http :// www . counterpunch . org /2006/11/25/ the - curious - origins - of - political - hacktivism / > [Accessed on 6 September 2012].
BBC News, (2007) Estonia hit by “Moscow cyber war”, [online] Available at: <http :// news . bbc . co . uk /1/ hi / world / europe /6665145. stm > [Accessed on 12 July 2012].
Benkler, Y. (2012) ‘Hacks of Valor: Why Anonymous Is Not a Threat to National Security’, Foreign Affairs, April 4.
Blomfield, A. (2007) ‘Estonia Calls for Nato Cyber-terrorism strategy’, The Telegraph, [online] Available at: <http :// www . telegraph . co . uk / news / worldnews /1551963/ Estonia - calls - for - Nato - cyber - terrorism - strategy . html > [Accessed on 12 July 2012].
Bright, A. (2007) ‘Estonia accuses Russia of ‘cyberattack’’, The Christian Science Monitor, [online] Available at: <http :// www . csmonitor . com /2007/0517/ p 99 s 01- duts . html > [Accessed on 6 September 2012].
Brown, G. et al. (2006) ‘Defending critical infrastructure’, Interfaces, 36 (6): 530-544.Bruce Schneier: The Security Mirage (2010) [video] TED, [online] Available at: <http :// www . ted . com / talks / bruce _ schneier . html > [Accessed on 6 September 2012].
37
Bush, G. W. (2003) in The National Strategy to Secure Cyberspace, U. S. government via Department of Homeland Security.
Buzan, B. (1991), People, states and fear : an agenda for international security studies in the post-cold war era, Harlow: Pearson Educ.
Buzan, B. (2005) ‘American Exceptionalism, Unipolarity and September 11: Understanding the Behaviour of the Sole Superpower’, International Review, 38.
Buzan, B., Wæver, O. and Wilde, J. (1998) Security: a new framework for analysis, Boulder, Colo: Lynne Rienner Pub.
Carr, J. (2012) Inside Cyber Warfare, Sebastopol: O’Reilly Media.
Cavelty, M. D. (2007a) ‘Critical Information Infrastructure: Vulnerabilities, Threats and Responses’, UNIDIR Disarmament Forum, 7: 15-22.
Cavelty, M. D. (2012) ‘Cyber-security’, forthcoming in A. Collins (ed.) Contemporary Security Studies, Oxford University Press.
Cavelty, M. D., Mauer, V. and Hensel, S. (eds.) (2007b) Power and Security in the Information Age: Investigating the Role of State in Cyberspace, Aldershot: Ashgate.
Cha, A. and Nakashima, E. (2010) ‘Google China Cyberattack Part of Vast Espionage Campaign, Experts Say’, The Washington Post, [online] Available at: <http :// www . washingtonpost . com / wp - dyn / content / article /2010/01/13/ AR 2010011300359. ht ml ? sid = ST 2010011300360 > [Accessed on 6 September 2012].
Clarke, R. and Knake, R. (2010) Cyber War: The Next Threat to National Security and What to Do About It, New York: Ecco Press.
Herley, C. and Florencio, D. (2008), A Profitless Endeavor: Phishing as Tragedy of theCommons, New Security Paradigms Workshop, Redmond, WA: Association for Computing Machinery, Inc.
Computer Economics (2007) Annual Worldwide Economic Damages from Malware Exceed $13 Billion, [online] Available at: <http :// www . computereconomics . com / article . cfm ? id =1225 > [Accessed on 9 September 2012] .
Corbin, K. (2012) ‘Security Experts Warn of Cyber Threats From Iran’, CIO, [online] Available at:
38
<http :// www . cio . com / article /705173/ Security _ Experts _ Warn _ of _ Cyber _ Threats _ From _ Ira n _ > [Accessed on 12 July 2012].
CSIS Commision on Cybersecurity for the 44th Presidency, (2008) ‘Securing Cyberspace for the 44th Presidency’, Center for Strategic and International Studies, Washington, DC.
Dacey, R. and Hite, R. (2003) ‘Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues’, Testimony Before the Committee on Government Reform, House of Representatives, United States General Accounting Office, [online] Available at:<http :// www . gao . gov / new . items / d 03715 t . pdf > [Accessed on 6 September 2012].
Dickinson, E. (2011) ‘The First WikiLeaks Revolution?’, Foreign Policy, [online] Available at:<http :// wikileaks . foreignpolicy . com / posts /2011/01/13/ wikileaks _ and _ the _ tunisia _ protest s> [Accessed on 6 September 2012].
Emmers, R. (2009) ‘Securitization’, in Collins A. (ed.) Contemporary Security Studies, New York: Oxford University Press.
Ferran, L. (2011) ‘Iran to U.S., Israel: Bring On the Cyber War’, abcnews, [online] Available at: <http :// abcnews . go . com / Blotter / iran - us - israel - bring - cyber - war / story ? id =14255216#. UEz 1 beVmyZd > [Accessed on 3 September 2012].
Gartner press release (2011) Gartner Says Less Than Half of Security Software Market Belongs to Top Five Vendors, [online] Available at: <http :// www . gartner . com / it / page . jsp ? id =1752714 > [Accessed on 6 September 2012].
Gellman, B. (2002) ‘Cyber-Attacks by Al Qaeda Feared: Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say’, Washington Post.
Google Official Blog (2010), A New Approach to China, [online] Available at: <http :// googleblog . blogspot . co . uk /2010/01/ new - approach - to - china . html > [Accessed on 6 September 2012].
Granick, J. (2009) ‘Federal Authority Over the Internet? The Cybersecurity Act of 2009’, Electronic Frontier Foundation, [online] Available at: <https :// www . eff . org / deeplinks /2009/04/ cybersecurity - act > [Accessed on 3 September 2012].
39
Greenberg, A. (2011) ‘LulzSec Says Goodbye, Dumping NATO, AT&T, Gamer Data’, Forbes, [online] Available at:<http :// www . forbes . com / sites / andygreenberg /2011/06/25/ lulzsec - says - goodbye - dumping - nato - att - gamer - data / > [Accessed on 6 September 2012].
Hansen, L., Nissenbaum, H. (2009), ‘Digital Disaster, Cyber Security, and the Copenhagen School’, International Studies Quarterly, 53, 1155-1175.
Hare, F. (2009) ‘Borders in Cyberspace: Can Sovereignty Adapt to the Challenges of Cyber Security?’ in Czosseck, C., Geers, K. (eds.) The Virtual Battlefield: Perspectives on Cyber Warfare, IOS Press.
Hare, F. (2010) ‘The cyber threat to national security: why can’t we agree?’ in Czosseck, C., Podins, K. (eds.) Conference on Cyber Conflict. Proceedings 2010, Tallinn, Estonia: CCD COE Publications.
Harmon, A. (1998) ‘“Hacktivists “ of All Persuasions Take Their Struggle to the Web’, The New York Times, [online] Available at: <http :// www . nytimes . com / library / tech /98/10/ biztech / articles /31 hack . html > [Accessed on 6 September 2012].
Hodge, N. (2010) ‘Pentagon Networks Targeted by ‘Hundreds of Thousands’ of Probes (Whatever That Means)’, Wired.com, [online] Available at: <http :// www . wired . com / dangerroom /2010/04/ pentagon - networks - targeted - by - hundreds - of - thousands - of - probes / > [Accessed on 6 September 2012].
Hutchinson, W. (2006) ‘Information Warfare and Deception’, Information Science, 9: 213-223.
Information Warfare Monitor (2009) Tracking Ghostnet : Investigating a Cyber Espionage Network, [online] Available at: <http :// www . scribd . com / doc /13731776/ Tracking - GhostNet - Investigating - a - Cyber - Espionage - Network > [Accessed on 6 September 2012].
Jae, M. (2011) ‘North Korea’s Powerful Cyber Warfare Capabilities’, DailyNK, [online] Available at: <http :// www . dailynk . com / english / read . php ? cataId = nk 00400& num =7647. > [Accessed on 3 September 2012].
Janczewski, L. and Colarik, A. (2008) Cyber Warfare and Cyber Terrorism, Hershey, New York: Information Science Reference.
40
Jordan, T. and Taylor, P. (2004) Hacktivism and Cyberwars: Rebels with a Cause?, New York: Routledge Publishing.
Kakutani, M. (2010) ‘The Attack Coming From Bytes, Not Bombs’, The New York Times, [online] Available at: <http :// www . nytimes . com /2010/04/27/ books /27 book . html ? pagewanted = all > [Accessed on 6 September 2012].Kaspersky Lab (2010) Kaspersky Lab Provides Its Insights on Stuxnet Worm, Available at: <http :// www . kaspersky . com / about / news / virus /2010/ Kaspersky _ Lab _ provides _ its _ insights _ on _ Stuxnet _ worm > [Accessed on 6 September 2012].
Keohane, R. and Nye, J. (1998) ‘Power and Interdependence in the Information Age’, Foreign Affairs, 5 (77): 81-94.
Landler, M. and Markoff, J. (2007) ‘In Estonia, What May Be the First War in Cyberspace’, The New York Times, [online] Available at: <http :// www . nytimes . com /2007/05/28/ business / worldbusiness /28 iht - cyberwar .4.5901141. html ? pagewanted = all > [Accessed on 12 July 2012].
Libicki, M. (2009) Cyberdeterrence and Cyberwar, RAND Corporation.
Ludlow, P. (2010) ‘WikiLeaks and Hacktivist Culture’, The Nation, pp. 25-26.
Manion, M. and Goodrum, A. (2000) ‘Terrorism or Civil Disobedience: Toward a Hacktivist Ethic’, Computers and Society, 30 (2): 14-19.
McConnel, M. (2010) ‘Mike McConnel on How to Win the Cyber-war We’re Losing’, The Washington Post, [online] Available at: <http :// www . washingtonpost . com / wp - dyn / content / article /2010/02/25/ AR 2010022502493_ pf . html > [Accessed on 12 July 2012]
Messmer, E. (2012) ‘Stuxnet cyberattack by US a 'destabilizing and dangerous' course of action, security expert Bruce Schneier says’, Networkworld, [online] Available at: <http :// www . networkworld . com / news /2012/061812- schneier -260303. html > [Accessed on 6 September 2012].
Moncada, C. (2008) ‘Organizers Tout Scientology Protest, Plan Another’, The Suncoast News, [online] Available at: <http :// www 2. suncoastnews . com / news / news /2008/ feb /12/ organizers - tout - scientology - protest - plan - another - ar -371484/ > [Accessed on 6 September 2012].
Mulrine, A. (2011) ‘CIA chief Leon Panetta: The Next Pearl Harbor Could Be a Cyberattack’, The Christian Science Monitor, [online] Available at:
41
<http :// www . csmonitor . com / USA / Military /2011/0609/ CIA - chief - Leon - Panetta - The - next - Pearl - Harbor - could - be - a - cyberattack > [Accessed on 6 September 2012].
Murchu, L. (2010) ‘Stuxnet Using Three Additional Zero-Day Vulnerabilities’, Symantec Official Blog, [online] Available at: <http :// www . symantec . com / connect / blogs / stuxnet - using - three - additional - zero - day - vulnerabilities > [Accessed on 6 September 2012].
Nash, T. (2005) ‘An Undirected Attack Against Critical Infrastructure: A Case Study for Improving Your Control System Security’, US-CERT Control Systems Security Center, Lawrence Livermore National Laboratory, [online] Available at: <http :// www . us - cert . gov / control _ systems / pdf / undirected _ attack 0905. pdf > [Accessed on 9 September 2012].
Obama, B. (2009) ‘Remarks by the President on Securing Our Nation’s Cyber Infrastructure’’, The White House, Office of the Press Secretary. Available at: <http :// www . whitehouse . gov / video / President - Obama - on - Cybersecurity # transcript > [Accessed on 12 July 2012].
Obama, B. (2012) ‘Taking the Cyberattack Threat Seriously’, The Wall Street Journal, [online] Available at: <http :// online . wsj . com / article / SB 10000872396390444330904577535492693044650. html > [Accessed on 3 September 2012].
Pauli, D. (2010) ‘PayPal Suffers DoS for Spurning Wikileaks’, ZDNET, [online] Available at: <http :// www . zdnet . com / paypal - suffers - dos - for - spurning - wikileaks -1339307771/ > [Accessed on 6 September 2012].
Posner, G. (2010) ‘China’s Secret Cyberterrorism’, The Daily Beast, [online] Available at: <http :// www . thedailybeast . com / articles /2010/01/13/ chinas - secret - cyber - terrorism . html > [Accessed on 9 September 2012].
President’s Commission on Critical Infrastructure Protection (1997) Critical Foundations: Protecting America’s Infrastructures, Washington, DC.
Rockefeller, J. and O. Snowe (2010) ‘Now Is the Time to Prepare for Cyberwar’, The Wall Street Journal, [online] Available at:<http :// online . wsj . com / article / SB 10001424052702303960604575157703702712526. html > [Accessed on 3 September 2012].
Sanger, D. (2012) ‘Obama Order Sped Up Wave of Cyberattacks Against Iran’, The New York Times, [online] Available at:
42
<http :// www . nytimes . com /2012/06/01/ world / middleeast / obama - ordered - wave - of - cyberattacks - against - iran . html ? pagewanted = all > [Accessed on 6 September 2012].
Shachtman, N. (2010) ‘Top Officer Fears Cyberwar, Hearts Karzai, Tweets With Help’, Wired.com, [online] Available at: <http :// www . wired . com / dangerroom /2010/04/ top - officer - fears - cyberwar - hearts - karzai - tweets - with - help / > [Accessed on 6 September 2012].
Shane, S. and Lehren, A. (2010) ‘Leaked Cables Offer Raw Look at U.S. Dimplomacy’, The New York Times, [online] Available at:<http :// www . nytimes . com /2010/11/29/ world /29 cables . html ?_ r =3& bl > [Accessed on 6 September 2012].
Shearer, J. (2010) ‘W32. Stuxnet’, Symantec.com, [online] Available at: <http :// www . symantec . com / security _ response / writeup . jsp ? docid =2010-071400-3123-99 > [Accessed on 6 September 2012].
Siroli, G. P. (2006) ‘Strategic Information Warfare: An Introduction’, in E. Halpin, P. Trevorrow, D. Webb, S. Wright (eds.), Cyberwar, Netwar and the Revolution in Military Affairs, Houndmills: Palgrave Macmillan, pp. 32-48.
Sommer, P. and Brown, I. (2011) ‘Reducing Systemic Cybersecurity Risk’, Organisation for Economic Cooperation and Development, [online] Available at: <http :// ssrn . com / abstract =1743384> [Accessed on 6 September 2012].
The National Strategy to Secure Cyberspace (2003), Washington, DC, Available at: <http :// www . us - cert . gov / reading _ room / cyberspace _ strategy . pdf > [Accessed on 12 July 2012].
The White House, (2009) Cyberspace Policy Review: Assuring a Trusting and Resilient Information and Communications Infrastructure, Washington, DC, Available at: <http :// www . whitehouse . gov / assets / documents / Cyberspace _ Policy _ Review _ final . pdf > [Accessed on 9 September 2012].
Thornburgh, N. (2005) ‘Inside the Chinese Hack Attack’, Time, [online] Available at: <http :// www . time . com / time / nation / article /0,8599,1098371,00. html > [Accessed on 6 September 2012].
TorrentFreak (2010) ‘4chan DDoS Takes Down MPAA and Anti-Piracy Websites’, [online] Available at:<http :// torrentfreak . com /4 chan - ddos - takes - down - mpaa - and - anti - piracy - websites -100918/ > [Accessed on 6 September 2012].
43
Traynor, I. (2007) ‘Russia Accused of Unleashing Cyberwar to Disable Estonia’, The Guardian, [online] Available at: <http :// www . guardian . co . uk / world /2007/ may /17/ topstories 3. russia > [Accessed on 12 July 2012].
Ullman, R. (1983), ‘Redefining Security’, International Security, 8 (1): 129-53.
United States Cyber Consequences Unit (2009) ‘Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008’, Available at: <http :// www . registan . net / wp - content / uploads /2009/08/ US - CCU - Georgia - Cyber - Campaign - Overview . pdf > [Accessed on 6 September 2012].
Wæver, O. (1995), ‘Securitization and Desecuritization’, in Lipschutz R. (ed.) On Security, New York: Columbia University Press.
Wagenseil, P. (2011) ‘Anonymous ‘hacktivists’ attack Egyptian websites’, NBCNEWS.COM, [online] Available at:<http :// www . msnbc . msn . com / id /41280813/ ns / technology _ and _ science - security / t / anonymous - hacktivists - attack - egyptian - websites /#. UBl 1 Ip 1 lSZc > [Accessed on 6 September 2012].
Weimann, G. (2004) ‘Cyberterrorism: How Real Is the Threat?’, United States Institute Of Peace, Washington, DC, Available at: <http :// www . usip . org / publications / cyberterrorism - how - real - threat > [Accessed on 6 September 2012].
Wilson, D. (2012) ‘Obama Mulling Executive Order to Get Cybersecurity Act of 2012 Passed?’, ZeroPaid, [online] Available at: <http :// www . zeropaid . com / news /101960/ obama - mulling - executive - order - get - cybersecurity - act -2012- passed / > [Accessed on 3 September 2012].
Wolfers, A. (1962) ‘National Security as an Ambiguous Symbol’, Discord and Collaboration. Essays on International Politics, John Hopkins University Press: Baltimore, pp. 147-165.
Zetter, K. (2010) ‘Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target’, Wired.com, [online] Available at: <http :// www . wired . com / threatlevel /2010/09/ stuxnet / > [Accessed on 6 September 2012].
44