74
Cyber Threats and National Security: Real vs. Perceived Threats By: Vaidotas Piekus Word Count: 14572 A dissertation submitted in partial fulfilment of the requirements for the Degree of Masters of Arts in International Political Economy

Cyber Threats and National Security:Real vs. Perceived Threats

Embed Size (px)

DESCRIPTION

Masters dissertation on the cyber threats to national security. The central argument of the dissertation is that this exaggeration of cyber threats, as a specific type of rhetoric that has been used for the securitization of cyber security, had actually led to more insecurity. In other words, the way security experts and government officials have chosen to frame cyber security issues has created more insecurity on the national as well as on the international level. The main question of the dissertation, therefore, is this: What are the implications of the gap between “actual” and “perceived” cyber threats to national security and how does this gap influence the understanding of the cyber security concept?

Citation preview

Page 1: Cyber Threats and National Security:Real vs. Perceived Threats

Cyber Threats and National Security:

Real vs. Perceived Threats

By: Vaidotas Piekus

Word Count: 14572

A dissertation submitted in partial fulfilment of the requirements for the

Degree of Masters of Arts in International Political Economy

Department of Politics

University of Sheffield

September 2012

Page 2: Cyber Threats and National Security:Real vs. Perceived Threats

Contents

Introduction............................................................................................................................3

Literature review....................................................................................................................5

1. Cyber threats to national security....................................................................................7

1.1 The securitization of the cyber threats.........................................................................8

1.2 Economic sector.......................................................................................................11

1.3 Political sector..........................................................................................................13

1.4 Military Sector..........................................................................................................18

2. Rhetoric of the cyber security debate............................................................................24

2.1. The gap between perception and reality....................................................................24

2.2 Exaggerated language of the cyber threats.................................................................26

2.3 Mismatch between perception and reality of cyber threats - reasons and implications......................................................................................................................................... 28

2.4 Implications for the cyber security concept................................................................31

Conclusion........................................................................................................................... 35

Bibliography........................................................................................................................ 37

2

Page 3: Cyber Threats and National Security:Real vs. Perceived Threats

Introduction

The end of Cold War caused a lot of changes in the security field. During the Cold

War era, the concept of security was framed within the threatening actions of aggressive

states. States were the main referent objects in international relations and the debates about

stability and security of the global world. This simplistic understanding of what has to be

secured and from whom changed with the collapse of Soviet Union. Suddenly the biggest

threat for many years disappeared and the gap was quickly filled with a variety of “new”

threats that were moved onto the political security agendas of most countries (Cavelty,

2007a: 16).

The US being the sole global superpower meant that the framing of the security

debate came (and still does) from researchers, government officials and security experts

who were primarily concerned about the threats to the US national security. The main

concern was that of “asymmetric warfare” where the hostile actor would deal the crippling

blow to a “vulnerable spot” of the state and this way would avoid direct military

confrontation. The fear of “asymmetric warfare” became prominent after the 9/11 terrorist

attacks, where the US was attacked avoiding the direct military confrontation. Vulnerable

targets are usually described as critical infrastructure (CI). For example, sectors of

information and communications, financial services, energy and utilities, transport and

distribution (Halpin, 2006: 35). The appeal of these sectors as potential targets is

undeniable, no modern state would be able to function properly without a smooth

performance of these infrastructures. Moreover, following the rapid technological

innovations in the 1990s these sectors became dependent on the computer networks having

to ensure reliable and continuous operation (Cavelty, 2007: 16). This way the concept of

cyber security became a big part of the security debate very quickly. Alongside

environmental, societal and human security, it became the popular topic not only among the

security experts and academics but also among the policy makers.

This work is set out to analyse the concept of cyber security and the current

discourse which is used to frame the threats that are coming from this particular sector.

From the moment cyber threats were recognized as significant and worthy of consideration

the discussion was accompanied by some exceptionally strong statements. As early as 1993

RAND researchers John Arquilla and David Ronfeldt announced that “Cyberwar is

Coming!” (Arquilla and Ronfeldt, 1993). This dread language has not stopped to this day.

In 2010 Mike McConnell (former director of National Security Agency of the US and

Director of National Intelligence) stated that “The United States is fighting a cyber-war 3

Page 4: Cyber Threats and National Security:Real vs. Perceived Threats

today, and we are losing” (McConnel, 2010). However, despite this kind of language, we

are in neither a cyber war, nor were there any cataclysmic cyber incidents with cascading

effects throughout the world. This led many academics and security experts to believe that

cyber threats are over-exaggerated.

The central argument of the dissertation is that this exaggeration of cyber threats, as

a specific type of rhetoric that has been used for the securitization of cyber security, had

actually led to more insecurity. In other words, the way security experts and government

officials have chosen to frame cyber security issues has created more insecurity on the

national as well as on the international level. The main question of the dissertation,

therefore, is this: What are the implications of the gap between “actual” and “perceived”

cyber threats to national security and how does this gap influence the understanding of the

cyber security concept?

The securitization path of cyber threats taken by the US has led to the militarization

of the cyber space and, while it will be shown that some threats and cyber incidents require

full attention of the military, it can be argued that these threats should be dealt by ordinary

means. This dissertation sets out to demonstrate how the process of the cyber threat

securitization has created a gap between the real threats that come from cyber sector and

threats are perceived to be real by military, security experts and the public. And more

importantly, how this situation affects national security of the state and overall global

stability. To explore this phenomenon the work will be divided as follows.

The first part will be dedicated to a brief summary of the relevant work in the field

of cyber security. The current state of cyber security debate will be explained and some

existing gaps in the academic literature on this subject will be presented.

The second section will frame the concept of national security in terms of cyber

threats. Also in this section the securitization of the cyber sector will be analysed. Starting

with the 1990s, the process of securitization will be explained through the institutional and

policy developments in the US, with particular importance being given on the way the

securitizing actors chose to frame the threats. Threats being framed in a specific way, have

led the whole sector and the understanding of the cyber security to be shaped according to

the interests of military and security experts. This caused the gap between the perceived

threats and the real threats to occur, this section only briefly address this disparity as the

final section will be dedicated to exploring this phenomenon. After the explanation of the

securitization, the section will examine the main referent actors and referent objects that are

relevant when talking about the cyber security and will divide, using Buzan’s framework,

threats to military, economic and political sectors. The section will show the impact that 4

Page 5: Cyber Threats and National Security:Real vs. Perceived Threats

different cases of cyber threats have to these three sectors. The main objective is to show to

what extent and exactly how cyber threats threaten the livelihood of the state.

The final section will address the already mentioned gap between the real threats

and the perceived ones. Taking evidence from the second section about the different cases

of cyber incidents and vulnerabilities of states, the comparison will be made with the

rhetoric that security experts and government officials are using. Underpinning reasons why

there is a disparity between the two and what is the connection between the perception and

reality will be the focus of this section.

The concluding paragraph will focus on the case for the desecuritization of cyber

security, in other words, taking cyber threats from the extraordinary politics and making

them, again, part of the daily politics routine and ordinary security debate.

Literature review

Cyber threats have been on the lips of politicians and security experts from the mid-

1990s. President George W. Bush said in 2003 that “securing cyberspace is an

extraordinarily difficult strategic challenge” (Bush, 2003) and President Barack Obama

assured that “cyberspace is real” and so are the risks that come with it (Obama, 2009).

Security experts seem to agree as CIO (a panel of experts) warned lawmakers about “the

looming threat of a cyber attack emanating from Iran” (Corbin, 2012). However, the

research on this topic within the Security Studies field is rather limited. The majority of

work has been done on the technical aspects of the cyberspace, discussing matters such as

cyber power and how it can be used in international relations. Also very common are

specific and technical detail-oriented books and articles that only describe the threats but

suggest nothing about how it affects the broader understanding of security. The

acknowledgment of cyber realm began with the Robert Keohane and Joseph Nye article

Power and Interdependence in the Information Age (1998) where they explored the ever

changing conditions of international relations and understanding information as a form of

power. After the 2007 cyber attacks against Estonia cyber security topic once again rose in

popularity. Such books as Lech Janczewski and Andrew Colarik Cyber Warfare and Cyber

Terrorism (2008), Edward Halpin Cyberwar, Netwar and the Revolution in Military Affairs

(2006) emphasised the new changes to military weaponry and new challenges for the states

to adapt to technology evolution. Significant attention was given to the critical

5

Page 6: Cyber Threats and National Security:Real vs. Perceived Threats

infrastructure protection and the threats that arise from vulnerable computer networks

necessary for the smooth operation of infrastructures as electricity, logistics, water supply,

communications, etc. (Brown, et al., 2006; Cavelty, 2007). According to Myriam Cavelty,

this focus on technical aspects of cyber security exists mostly because the concept itself

“does not fit well into established categories, neither conceptually nor theoretically and it

sits between various intersecting security discourses and disciplines” (Cavelty, 2012: 2).

This is understandable as cyberspace was mainly defined by the technology experts and the

knowledge was, and to some degree still is, tightly maintained within that circle. Academics

do not like to dive into the conditions that are defined by technical understanding which

they do not possess.

Regardless of that being true, it was shown that cyber security as a concept can still

be approached without a deep understanding of the technical side, as cyber weaponry and

cyber power is best understood as just another form of power. It is simply a tool, a means,

while quite unique, still persisting to play the same role as traditional sources of state power

as well as causes for its insecurity. Works that acknowledged the significant difference of

cyber security from other types of “securities” include Martin Libicki’s (2009) report

Cyberdeterrence and Cyberwar, where he emphasises the unique qualities of cyberspace

and argues that the same rules do not apply to this sector, especially when thinking about

the deterrence and war fighting. One of the most influential researchers in cyber security

sector is Cavelty who wrote a number of articles and books closely looking at the level of

threats that arise from the cyber sector, she argues that the actual possibility of all-out cyber

war is no more possible than conventional war and that many cyber doom scenarios to

national security are exaggerated (works like Cyber-security 2012, Power and Security in

the Information Age 2007b illustrate this point).

The whole cyberspace research is divided among techno-oriented security analysts

who are interested in vulnerabilities and practical countermeasures and those academics

who try to put the word “cyber” to different nouns such as “power”, “warfare”, “terrorism”,

“deterrence”, etc., and see what new tools this approach can give to the states to achieve

their international (and national) aims. However, there is a clear gap in an attempt to explain

the consequences of putting the cyber security concept on top of the states’ national security

concerns. Especially, questioning the impact it has on the understanding of cyber threats

and the degree the framing of the threat can have on perceptions of how “real” the threat is.

There is an important gap in answering these questions in the recent cyber security

literature. Lene Hansen and Helen Nissenbaum (2009) in their article Digital Disaster,

Cyber Security, and the Copenhagen School, come close to fulfilling this task. They used 6

Page 7: Cyber Threats and National Security:Real vs. Perceived Threats

the Copenhagen School’s securitization framework to put cyber security among the other,

successfully securitized, sectors such as economic, political, military and environmental.

They provided first steps in understanding what cyber security might entail in terms of

International Relations, questioning the referent object and actors in this sector. They briefly

presented the way in which the cyber sector was securitized and argued that the cyber

discourse can usually be described as hypersecuritization (the term used by Barry Buzan in

American exceptionalism, unipolarity and September 11 (2005)), where the securitizing

actors perceive the threats to be more than they usually are. There have been attempts to

link cyber security with national sovereignty and national security (Hare, 2009; Hare,

2010). However, those works do not attempt to explain the impact of the cyber discourse,

the way it was framed and the effects it has on the national security.

This work will try to fill this particular gap in Security Studies. Firstly, using the

Copenhagen School’s theoretical framework of securitization, the process of how cyber

threats were securitized will be analysed. Using examples of governmental policies and

institutional developments (mainly in the US) the chronological order of movements

towards successful cyber sector securitization will be presented. A special attention will be

given to the rhetoric and the way the threats were framed by the securitizing actors. Having

this basic understanding of the securitization of the cyber sector it will be easier to go to the

next section where in depth analysis of the ways how cyber threats cause the insecurity for

the state will be given.

7

Page 8: Cyber Threats and National Security:Real vs. Perceived Threats

1. Cyber threats to national security

Security in the broadest possible sense is freedom from threat, objectively and

subjectively (Weaver, 1995). When the concern is national security, primary focus is the

survival of the basic political unit - a sovereign state. According to Ullman (1983: 133) a

threat to national security is an action that (1) threatens drastically and rapidly degrade the

quality of life for the inhabitants of a state, or (2) threatens significantly to narrow the range

of policy choices available to the government of the state. The focus of the work being

cyber threats to national security, the concern is only of those cyber threats that threaten to

seriously impede upon the state’s livelihood. There are many threats coming from the cyber

realm to variety of units (individuals, societies, states), but if the primary concern is national

security, those threats must be selected carefully and analysed only in the capacity to which

(using Ullman’s definition) they threaten to seriously limit the state’s policy options or

when they drastically degrade the quality of life for the population of the state. Using

Buzan’s division of security sectors, cyber threats will be divided into three categories -

economic, political and military. Each category will be addressed separately, looking at

what impact the threats that come from cyberspace has on that sector, and, ultimately, to

what extent it can be considered a matter of national security. According to Buzan (1991:

141), whether or not a threat is a national security issue, depends not only on determining

what type of threat it is but also how the recipient state perceives it and the intensity with

which the threat operates. Keeping in mind this argument, this chapter will only deal with

one side of the coin and analyse the types of threats and their impact on 3 sectors which are

paramount to the livelihood of the state. The second chapter will be addressing the question

of perception of the threat as well as military and security experts’ impact on the

understanding of security in general and cyber security in particular. However, before

analysing the actual examples of cyber threats it is necessary to point out how the

securitization of cyber threats occurred. Understanding of the cyber sector securitization

will allow not only a better understanding where does cyber security concept come from but

also will help with the analysis of the threats to national security.

1.1 The securitization of the cyber threats

The Copenhagen School is one of the major forces responsible for widening the

definition of security. Generally they divide security into 5 separate categories: military, 8

Page 9: Cyber Threats and National Security:Real vs. Perceived Threats

economic, societal, political and environmental. While all these categories are

interconnected, their dynamics, however, are determined by “securitizing actors” and

“referent objects” (Buzan, Wæver and Wilde, 1998: 36). Actors are those who securitize

issues by declaring something (a referent object) to be existentially threatened. Referent

objects can be various: states (military security), national sovereignty, or an ideology

(political security), national economies (economic security), collective identities (societal

security), species or habitats (environmental security) (Emmers, 2009: 137). Securitization

can be seen as a more extreme version of politicization, that is moving an issue from the

political spectrum (the issue is part of public policy, requiring government decision) to a

security category (the issue is presented as an existential threat, requiring emergency

measures and justifying actions outside the normal bounds of political procedure) (Buzan,

Wæver and Wilde, 1998: 23). The process of securitization is usually fairly simple. The

securitizing actor (usually the government) declares that there exists an existential threat

and that it does require extraordinary measures. This way, security itself is a self-referential

practice, because it does not matter if the issue indeed is a real existential threat or it is just

presented as such (Buzan, Wæver and Wilde, 1998: 24). However, according to

Copenhagen School, a mere declaration of the existential threat by a securitizing actor is not

enough. The issue is securitized only if and when the audience accepts it as such. There is

no clear definition what this audience must be, but usually it refers to a broader, significant

community such as media, public or experts. The securitizing actors initiate the process by a

speech act, where they utter the word “security”. They frame the threat as existential one

which requires emergency actions and if a significant audience accepts it as such, then the

process of securitization is successful (Buzan, Wæver and Wilde, 1998: 26).

From this explanation it is clear that the Copenhagen School holds security as a

wholly constructive concept. It is very dependent on the political context and the actors who

are involved in this process. Different political context in different country would lead to a

different understanding of what is security. They maintain that there is no use in looking for

a “real security” outside of the world of politics. “It is more relevant to grasp the processes

and dynamics of securitization, because if one knows who can “do” security on what issue

and under what conditions, it will sometimes be possible to manoeuvre the interaction

among actors and thereby curb security dilemmas” (Buzan, Wæver and Wilde, 1998: 31).

Security is socially constructed and determined by actors and is very subjective in that

regard. This approach is very useful in the analysis of the public policy developments and

the rhetoric of security experts, especially when the matter is cyber security where the

“actual level” of threats is not easily measured. Using the Copenhagen approach we can 9

Page 10: Cyber Threats and National Security:Real vs. Perceived Threats

assume that there might be different reasons for why cyber security was framed in a

particular way.

It can be argued that at this moment cyber security has been successfully securitized.

And it has been so for a while. The first step towards successful securitization was the

institutional development of President Clinton’s administration. In 1996 the Commission on

Critical Infrastructure Protection was established. A year later the commission conducted a

report called Critical Foundations: Protecting America’s Infrastructures. The report raised

awareness of the critical infrastructure protection and new type of vulnerabilities - cyber

vulnerabilities. While the report did not claim to find any basis for an immediate cyber

disaster or attack, the language used suggested that if no action will be taken, there might be

dire consequences: “...we are convinced that our vulnerabilities are increasing steadily” and

“We should attend to our critical foundations before we are confronted with a crisis, not

after. Waiting for disaster would prove as expensive as it would be irresponsible.” (CFPAI,

1997: 10). The next step was taken by president Bush’s Administration with the

establishment of The United States Computer Emergency Readiness Team (US-CERT) and

the formulation of The National Strategy to Secure Cyberspace in 2003. The executive

summary of the strategy referred, once again, to the vulnerabilities that arise from the

dependence on computer technologies in managing state’s critical infrastructure. The

strategy admits the lack of serious cyber incident but warns the readers that they can't be too

“sanguine” as “there have been instances where organized attackers have exploited

vulnerabilities that may be indicative of more destructive capabilities.” (NSSC, 2003: 8). In

2007 Estonia was hit by numerous cyber attacks that brought down the websites of its

banks, governmental agencies, media as well as Parliamentary and Presidential institutions.

This three week long cyber attack was caused by the removal of the Soviet war memorial

and the immediate suspects behind cyber attacks were the Russians. No direct proof was

found that the Russian government was in anyway involved in the incident, but the media

was using a very powerful language to describe a primitive cyber attack: BBC News -

“Estonia hit by 'Moscow cyber war'” (BBC, 2007) and The Guardian - “Russia accused of

unleashing cyberwar to disable Estonia” (Traynor, 2007). The New York Times called the

situation “the first war in cyberspace” (Landler and Markoff, 2007). Alongside the media,

Mikhel Tammet, at the time, a chairman of Estonia's cyber-defence co-ordination

committee, called it “a kind of terrorism” (Blomfield, 2007). The rhetoric used throughout

and after this incident will be analysed in the subsequent chapters, but suffice it to say that

the attention given by government officials, media and public, lead to the establishment of

NATO Cooperative Cyber Defence Centre of Excellence in Estonia in 2008. Finally, in 10

Page 11: Cyber Threats and National Security:Real vs. Perceived Threats

2009, Obama administration released Cyberspace Policy Review, a document that sets out

for the US to lead the world towards more secure cyberspace (Cyberspace Policy Review,

2009). The main message is that while the US government must take the leadership, for the

secure cyberspace to be a reality there must be close partnership among private and public

sectors as well as globally, among nations. With the establishment of the US Cyber

Command in 2009 it can be clearly said that the cyber security is firmly established in the

public policy debate and the institutional securitization steps that were taken begs the

question what are the consequences of this securitization to the understanding of cyber

security and national security in general. Before answering these questions, it is paramount

to analyse cyber threats to national security that are coming through economic, political and

military sectors. This analysis will make it possible to compare the actual cyber threat levels

and the perception of them.

1.2 Economic sector

Most of the economic damage that cyber threats can cause comes from two main

sources - malware and cyber-espionage. Malware is short for malicious software, it is a

program which is designed to disrupt or deny operation, also gain unauthorized access to

system resources and gather information. Examples include, but are not limited to, worms,

viruses, Trojan horses, bugs, etc. (Nash, 2005: 10). In 2007, a study carried out by

Computer Economics calculated (including labour costs to analyse, repair and cleanse

infected systems, loss of user productivity, loss of revenue due to loss or degraded

performance of system, and other costs directly incurred as the result of a malware attack)

that total annual worldwide economic damages from malware exceeded $13 billion

(Computer Economics, 2007). This rapid proliferation of the cyber crime caused the rise of

the security software market, which last year was worth $16.5 billion (Gartner, 2011). There

is nothing specifically unique about cyber crime. It is effectively the same criminal

activities only utilising new conditions and tools. The majority cases of cybercrime and

cyber related fraud targets individuals. They are the easiest targets for identity thefts,

stealing personal banking information or other valuable and easily accessible data. While

the numbers of such crime caused damage remains high (it is estimated that losses in 2007

were about $61 million (Herley and Florencio, 2008: 9)) it is mainly relevant in terms of

individual security. This is a serious matter when talking about the precautions of using

computers but it is hardly a matter of national security. This issue does not directly threaten

11

Page 12: Cyber Threats and National Security:Real vs. Perceived Threats

the livelihood of the state but rather causes inconvenience for individuals, but as, for

example, car thefts is a serious problem to individuals and to local levels, by no means it is

a problem on a national level, threatening to degrade the quality of life in a very rapid and

systematic fashion. For this reason economic damage caused by cyber threats to individuals

should not be considered an integral part of cyber threats to national security debate.

Large scale cyber espionage is aimed at industrial and state targets and therefore is

different in that respect. Economic damage of cyber espionage might not exceed the damage

done to individuals (at least by sheer numbers) but the nature of these attacks deems a

different place for it in the security debate. Because targets are states and/or big companies,

cyber espionage may be considered a national security issue as it is a direct threat to the

state’s economy rather than an indirect threat through the economic losses for individuals.

At the beginning of 1980s, the dawn of cyber crime, there were couple of prominent

hacking incidents that showed the level of threat caused by relying on computer networks

for safe-keeping of the information. Starting from 1982, when the so-called “414s break -

in” incident happened, where six teenagers from Milwaukee gained access to high-profile

computer systems in the US (Cavelty, 2012: 10), there were many more incidents like these,

different in scale and motives. Recently, there was an increase in cyber espionage incidents

that are believed to be originating from China. The properties and the consequences,

including the estimated damage, of these incidents are worth looking into. In 2005, FBI

report (Posner, 2010: 1) draw attention to a series of cyber attacks, named “Titan Rain”,

which were conducted starting from 2003 and aimed at various United States computer

systems. Some data was stolen from such subjects as NASA’s Mars Reconnaissance Orbiter

and Air Force flight planning software as well as US government systems and defence

contractors (Sommer and Brown, 2011: 57). It was hard to attribute these attacks to anyone

in particular but some speculations suggested that the perpetrators were based in China

(Thornburg, 2005). Another instance of similar, large-scale cyber attack was conducted in

2009. Named “Operation Aurora”, this incident consisted of numerous attacks on high tech,

security and defense contractor companies. It was first uncovered by Google in their official

blog post (Google Official Blog, 2010), where the company claimed to be a victim of

“highly sophisticated” cyber attack. The primary aim for the attack was Chinese human

rights activists’ email accounts. It was reported that many other companies were victims,

including Adobe, Juniper Networks, Rackspace, Yahoo, Symantec and many more.

According to some cyber and national security experts this was China’s espionage program

aimed at getting high-tech information as well as politically sensitive information for its

own purposes (Cha and Nakashima, 2010). At the same year, in 2009, Information Warfare 12

Page 13: Cyber Threats and National Security:Real vs. Perceived Threats

Monitor uncovered a massive web of cyber-spying operation named “Ghostnet”. According

to the report, the security was breached and the computer networks were compromised in

103 countries consisting of 1295 computers. Among the infected computers there were 30%

of high value targets, including ministries of foreign affairs of Iran, Indonesia, Philippines,

also embassies of India, South Korea, Indonesia, Thailand, Taiwan, some other countries as

well as news organizations and computer in NATO headquarters (Information Warfare

Monitor, 2009: 5). The researches that uncovered this wide web of cyber espionage said that

in addition to these targets various Dalai Lama’s Tibetan exile centres were among the

primary targets (Landler and Markoff, 2009). This and the fact that the technology behind

the Ghostnet was highly sophisticated led many to believe that Chinese government must

have been responsible for the support behind this incentive. However, like with the majority

of cyber crime, there can be no certainty behind the attribution as it is very easy to remain

anonymous in the cyberspace.

This brief overview of cyber related incidents that caused economic damage

showcases many problems when trying to determine to what extent these types of incidents

is a serious threat to national security. Firstly, it is hard to tell what the actual cost of large-

scale cyber espionage was. Neither states nor private companies want to reveal how much

classified and sensitive information were stolen and what impact it had. It can only be

assumed that if there was a lot of data that were taken from private defense contractors,

NASA or US Air Force computers, it was most likely valuable and have caused substantial

economic damage. Additionally, these types of disruptions do not directly threaten national

security in the most basic sense. Neither they cause significant limitations to the policy

choices for the government, nor do they threaten the livelihood of the state’s population.

The consensus is that cyber espionage has the potential to cause such financial loss that it

may also impact on the security of nation states both militarily and economically (Sommer

and Brown, 2011: 33). Economic sector occupies a peculiar position in state’s power. There

is a strong link between economic and military capability, and if economic capability, being

the crucial foundation on which the relative status of state’s power rests, declines, so does

the military capability and, subsequently, state power (Buzan, 1991: 127). In that regard

economic safety is a subject of national security, but the threats to economic sector must be

extraordinary, causing serious systematic shock and disruptions with the cascading effects.

Only in such instance, it could be a matter of national security. However, the scale of past

cyber incidents did not meet these requirements.

13

Page 14: Cyber Threats and National Security:Real vs. Perceived Threats

1.3 Political sector

According to Buzan, political threats are aimed at the organizational stability of the

state. The nature of the political threat is likened to that of a military one, because the state

is essentially a political entity, so political threats may be feared as much as military ones

(Buzan, 1991: 119). However, the purpose of the attack that threatens political sector is

different. It “may range from pressuring the government on a particular policy, through

overthrowing the government, to fomenting secessionism, and disrupting the political fabric

of the state so as to weaken it prior to military attack.” (Buzan, 1991: 118-119). When

assessing the cyber threats that aim at the political sector we must look at the properties of

the threat and only then decide to what extent it can be a matter of national security. Firstly,

it is important to pinpoint the motive of the attack/incident. Sometimes it can be hard to

distinguish what is the aim of a specific cyber incident, but the ones that have political

properties should be easy to spot. Usually the perpetrators clearly state their aims and goals

of what they are trying to achieve. The motive should be political - aimed at political regime

itself or the specific policy of that regime. Secondly, cyber attack should threaten

“organizational stability of the state”. In other words, the attack should target political

regime itself and/or its ability to make policy decisions. These two requirements should be

fulfilled if the attack is deemed to be a threat to national security that comes from political

sector.

Cyber attacks with a political motive are usually described as hacktivism. It is the

fusion of two words - hacking and activism. It refers to politically motivated attacks on

publicly accessible Web pages/resources or email servers (Dacey and Hite, 2003: 7).

Hacktivism is basically the use of hacker techniques (particularly web-defacement and

distributed denial of service attacks (DDoS)) to publicise an ideological cause rather than

for crime (Sommer and Brown, 2011: 31). Like cyber criminals are the same criminals only

using cyberspace for their illegal activity, hacktivists are essentially activists that have gone

electronic. They utilise virtual powers to mould offline life (Jordan and Taylor, 2004: 1).

There is a long history of hacktivism examples with varying degrees of success and

impact. Earliest example dates back to 1989, when the group called Worms Against Nuclear

Killers penetrated the United States Department of Energy and NASA machines. This anti-

nuclear group of hackers defaced website’s login pages to their own, proclaiming the

message - “You talk of times of peace for all, and then prepare for war” (Assange, 2006). A

significant example of similar attack can be found in 1997, when Portuguese hacking group

UrBaN Ka0s hacked the website of Indonesian military and government. The websites were 14

Page 15: Cyber Threats and National Security:Real vs. Perceived Threats

changed to express the criticism towards Indonesian government and the situation in East

Timor (Ludlow, 2010: 26). In 1998, arguably the same group launched attacks on

Indonesian government websites with the message “Free East Timor” (Harmon, 1998).

Hacktivist groups with the comedic names such as Electronic Disturbance Theater, the Cult

of the Dead Cow and the Hong Kong Blondes have used hacktivism tools to help and

support the Zapatista rebellion in Mexico, protest nuclear testing at India’s Bhabba Atomic

Research Center as well as protest anti-democratic crackdowns in China (Manion and

Goodrum, 2000: 14). All these incidents showcase a couple of points. Firstly, attacks were

clearly of a political nature, in most cases intending to oppose particular government and its

policy. Secondly, the attacks did not intend to cause economic damage but to send a

political message. It was a symbolic act. Part of the reason for it was that, at that time,

hacktivists’ tools were capable of defacing websites but it was technologically hard to make

a stronger impact. Therefore, these examples of hacktivism can only be considered as a part

of political activism and not a national security issue. They are symbolic acts that have a

clear political message, but by no means they caused a serious disruption for government’s

ability to make the policy decisions or threatened political regime’s livelihood. Hence, they

only fulfil the first requirement of the two that are necessarily to consider an issue being a

threat to national security. More than 20 years have passed after the first hacktivism

incident and today this type of activism is rising in popularity. Today’s hacktivism

incentives are bigger in scale and bigger in impact it creates.

Recently, hacker collectives such as “Anonymous” and “Lulzsec” as well as

WikiLeaks organisation spurred new life into the debates about hacktivism, cyberterrorism

and freedom of information. Anonymous is an interesting case of internet activism. It

mainly operates on the premise that information should be free and opposes various power

structures (big corporations, states, international organisations) which attempt to limit,

censor or by any means tame the content in the cyber space.

Anonymous activity began in 2009 and ever since then they have made many

attacks on various targets. M. D. Cavelty describes it as “behaving deliberately hedonistic”

and says that they “creatively play with anonymity in a time obsessed with control and

surveillance and humiliate high-visibility targets by DDoS attacks, break-ins and release of

sensitive information” (Cavelty, 2012: 12). There are 3 notable cyber incidents which are

attributed to ‘Anonymous’. In 2008 they launched Project Chanology, aimed at Church of

Scientology. Protesting against the removal of Tom Cruise video from YouTube, which was

done upon the church’s request, the group launched wide-scale attack on Scientology 15

Page 16: Cyber Threats and National Security:Real vs. Perceived Threats

websites, also flooding their offices with blank faxes and prank calls, using any measure

possible to disrupt their operations. In addition to that in about 100 cities worldwide about

7000 people took part in protests against Scientology in Australia, Europe, Canada and the

US (Moncada, 2008).

The second major incentive called Operation Payback started in 2010. The targets

this time were a major pro-copyright and anti-piracy corporations (e.g. Motion Picture

Association of America) law firms and individuals. Launching mainly the same DDoS

attacks they managed to shut down certain websites for up to 30 hours (TorrentFreak,

2010). Basically, using the same idea of the freedom of information and freedom from any

kind of censorship, the group sent a strong message that anyone who opposes this idea

might provoke cyber hostility. This motive was clearly evident during the scandal when the

US diplomatic cables were leaked through WikiLeaks organisation. “Anonymous” were

supporting the leaks and when the major financial organisations (PayPal, BankAmerica,

PostFinance, MasterCard, Visa), that were feeling the pressure from the US government,

stopped providing the services to WikiLeaks (this way creating many financial problems for

the organisation which main income was coming from the internet donations), they reacted

immediately by shutting down websites of those organisations for a limited amount of time

(Pauli, 2010). Both “operations” were very disruptive and possibly highly economically

damaging. They were similar to the first examples of hacktivism in the sense that they too

had a political/ideological message attached to them (this time being the freedom from

censorship and control in the cyber space). However, they were way bigger in scale and

caused much more disruption through economic loss and limitations to various

organisations. Precisely because the targets of the attacks were independent organizations, it

can be said that these type of threats belong more to individual than to national security

discourse.

The most recent attacks conducted by this group are much more dispersed and not

carrying a clear political message. Self-named Operation AntiSec aims at hacking into a

wide variety of companies and mocking their cyber security measures. Companies such as

Sony, Disney, NBC Universal, AT&T were attacked, and a lot of information were made

public including sensitive data about products and clients (Greenberg, 2011). The group was

also active during the Arab Spring that started in 2010, they were in charge of attacks on

Egypt’s, Libya’s and Tunisia’s government websites (Wagenseil, 2011), sending a message

that they are in favour of liberation movements. The diverse nature of the attacks shows that

the group itself is not a centralised, authoritative organisation with the clear set of rules and

motives. It can be described as decentralised, disperse and chaotic organisation of 16

Page 17: Cyber Threats and National Security:Real vs. Perceived Threats

individuals who oppose any incentive towards control and concentration of power. They

enjoy and celebrate the freedom cyberspace creates and the anonymity it provides. This

group’s activities poses a threat to many actors, however the threat is mainly of economic

nature. The ramifications that this type of activism creates for the understanding of security

and cyber security in particular will be explored after the brief analysis of the biggest

information leak scandal - Cablegate.

The US diplomatic cable leak began in 2010. A non-profit organisation WikiLeaks

published classified cables obtained from US State Department. The organisation obtained

classified documents from the US Army soldier Bradley Manning who downloaded them

without authorisation. The amount of information of the published cables is immense. There

are over 250 000 cables, involving international affairs from 274 embassies dating from

1966 to 2011 (Shane and Lehren, 2010: 2). This makes Cablegate the largest release of

classified material in the world. The content that was published stirred the news companies,

public and governments all around the world. The consequences included not only charges

against Bradley Manning but also against Julian Assange, the founder of WikiLeaks, who

decided to publish all material including sensitive information about informants working in

Afghanistan and Iraq, possibly putting their lives at risk. The data that was made public not

only put many people in danger but revealed how countries exchange correspondence and

what kind of language they use. It may have contributed to Arab Spring, creating instability

for the governments by revealing the corruption and spending details of the leaders, for

example, leaked documents revealed that in Tunisia the first lady had huge profits from

public schools which may have exacerbated public dislike of the government (Dickinson,

2011). Cablegate scandal is a matter of security on many levels. The leaked cables put many

individuals in danger, not only releasing their financial information but also, in the case of

informants, putting their lives in danger. Private correspondence between individuals was

made public and the “secret” nature of diplomatic relations was made available for the

general population. This information leak is a threat to both, individual and the state

security. However, it cannot be called solely a matter of cyber security because internet and

cyber tools acted only as a medium to transfer the information and make it public. The

information was not obtained by the outsider, a hacker, but rather from the insider, a US

Army soldier. This means that the scandal itself is matter of individual as well as state’s

national security, but it cannot be considered a threat coming from the cyber space.

Keith Alexander, the general in charge of the US Cyber Command and the director

of the National Security Agency hold that hacker-activist group Anonymous is a threat to

national security. He claims that “the hacking group Anonymous could have the ability 17

Page 18: Cyber Threats and National Security:Real vs. Perceived Threats

within the next year or two to bring about a limited power outage through a cyberattack”

(Benkler, 2012). How realistic is this statement is hard to assess. So far the group showed

interest in obtaining secret information, website defacement and making targeted websites

inaccessible for a short period of time in order to transmit their rebellious message. So far,

hacktivism has proven to be sporadic by nature and not systematic or persistent. According

to Sommer and Brown “to reach the level of a global shock hacktivist activity would need

to be extremely well researched and persistent and to be carried out by activists who had no

care for the consequences” (Sommer and Brown, 2011: 32). Nonetheless, the potential of

the threat is there, the blockade against financial institutions showed that there is a

possibility of a prolonged inability for public and private sector to use internet financial

services. This indirectly can threaten political stability of the country because if government

cannot secure its financial sector in the long term the stability of political regime might be

threatened. The speculative nature of these threats cannot deem hacktivism to be an

immediate threat to national security. However, WikiLeaks example is different. Its

properties have a nature of cyber-espionage rather than hacktivism and falls within the

discourse of broader national security concept. In other words, the leak was made possible

by security problems in the US Army’s computer networks and was done by internal

source. Internet acted only as a catalyst, enabling the rapid spread of the classified

documents but nothing more. Internal security of such computer networks should always be

a priority, primarily in terms of military security rather than political security sector. To

conclude, while Cablegate leak was definitely a blow to stability and security of the

international diplomatic affairs, and by extension to national security of many countries, this

falls within the broader discourse of internal security which should be day-to-day routine

practice and not to be clumped up with the other cyber incidents.

Politicians and security experts who use hacktivism as an example to move cyber

security policies higher on the agenda should be careful not to overstate the threat levels. It

has the potential to be a national security issue, but so far, there is no proof of such scale

incidents. Examples showcase that hacktivism does not seriously threaten to reduce the

possible government options to make decisions nor does it seriously diminish the quality of

the people of the state. It is definitely a matter of individual security, mainly in the sense of

economic security, and where it goes beyond that point, it should be taken care by internal

computer security measures, but by no means, invoking national security rhetoric.

18

Page 19: Cyber Threats and National Security:Real vs. Perceived Threats

1.4 Military Sector

Security of the state is very often likened to the military security. When national

security is mentioned, the first thing we imagine is military threat and the direct use of

force. It is because Security Studies started with the conception of the military threats being

central in the whole national security debate. Even now, when the definition of security is as

wide as it is, military threats occupy a distinct and prominent role in security debate. It is

because military action can pose a threat to all the components of the state. According to

Buzan, military actions not only “strike at the very essence of the state’s basic protective

functions, but also threaten damage deep down through the layers of social and individual

interest superstructures” (Buzan, 1991: 117). Military threats can also be direct or indirect

with varying levels of impact, ranging from directed at particular state’s external interests to

invasions and assaults on the very existence of the populace (Buzan, 1991: 118).

Cyber threats can come through military sector in many ways. Nonetheless, Buzan’s

requirement that military threats always involve the use of force is not suited for

cyberspace. It is because any cyber threat that is active and does not come from the passive

inherent network vulnerabilities is, in the strictest sense, use of force. Be it a breach of

security with the motives of hacktivism, economical gain or purely curiosity, it is all use of

force. However, it should not mean that these types of incidents belong to military sector

and therefore by extension require military solutions. When we look at cyber threats coming

from military section we are mainly concerned with the conflicts that involve states as units,

conflicts that are purely cyber in nature (cyberwar) and conflicts that are conventional but

come with the cyber dimension. As of yet, there are no examples of all-out cyberwar, and

the evidence suggests that it is highly unlikely. However there have been a few conflicts

that come with the cyber dimension to them. Notable examples include: 1991 Gulf War,

2007 Iraq, 2007 Estonia and 2008 Georgia.

The 1991 Gulf War was a notable step in the US military discourse. This was the

conflict were the potential of information warfare was realised and utilized and emphasis

was placed on the reliance on information and not only on physical force. Winning

information warfare became essential for success. Since then information revolution played

a significant role in the US military affairs (Arquilla and Ronfeldt, 1993: 1). Information

technology gave an edge to the US military operations through the communication

satellites, intelligence gathering, command and control, also extensive use of Iraqi civil

mobile networks and media management were core aspects of this type of warfare

(Hutchinson, 2006: 213). Kosovo War in 1999 proved to be another example of a conflict 19

Page 20: Cyber Threats and National Security:Real vs. Perceived Threats

that had information warfare or cyber dimension to it. It is believed that cyber-based tools

used by the US helped to distort the images Serbian air defense systems were receiving.

Additionally, after the war ended there were hackers actively attacking Kosovo web pages

(Arquilla, 2003). Both of these conflicts included cyber tools in their regular conventional

military arsenal and clearly showed the advantages that domination in cyber realm can

provide. It has shown that the reliance on internet and computer networks may be a double

edged sword, providing efficient communication but creating vulnerabilities at the same

time.

The disadvantages of relying upon internet and computer networks manifested in its

full potential during the cyber attacks conducted towards Estonia in 2007. When

government of Estonia decided to remove World War II bronze statue representing a Soviet

soldier to a different place - a three week long cyber attack began. Primary targets were the

websites of Estonian parliament, banks, ministries, newspapers and broadcasters (Cavelty,

2012:14). Estonian government reacted very seriously to this attack. Estonian foreign

minister Urmas Paet accused Russia of direct involvement of the attack (Bright, 2007).

There were statements made by officials who suggested that these cyber attacks should be

likened to the “real” attacks and therefore would fall under the NATO Article V (Anderson,

2007). Despite the dramatic language, there was no conclusive evidence that Russia was

conducting this attack, most likely it has been a group of hackers sympathising with those

who were opposed to the removal of the monument. In this sense it is an example of

hacktivism, and therefore it falls within the political sector rather than military one.

Nonetheless, this incident showed that sustained blockade of services that are available on

cyberspace (banking, government information, and news portals) is possible. NATO reacted

swiftly to this incident and in 2008 created Cooperative Cyber Defence Centre of

Excellence in Estonia.

Cyber attack against numerous Georgian websites in 2008 is a similar example of

“cyber-ed” conflict. Five day long armed conflict between Georgia and Russia began on the

7th of August 2008. The breakout of the military conflict was synced with well-coordinated

cyber attacks aiming at Georgian government and media websites. The report conducted by

the US Cyber Consequences Unit concludes that the main objective of these cyber attacks

was to support Russian invasion of Georgia (U.S. Cyber Consequences Unit, 2009: 6). Also

while the attacks against Georgian targets were carried out by civilians, those civilians were

tipped off about the timing of the Russian military operations and they had an advance

notice of Russian military intentions (U.S. Cyber Consequences Unit, 2009: 2-3). This

cyber conflict was similar to that in Estonia because most likely Russian government were 20

Page 21: Cyber Threats and National Security:Real vs. Perceived Threats

not directly responsible for conducting the attacks but they used hacker groups for their own

purposes, tipping them off about the attack or encouraging them to jam the “enemy’s”

websites. This suggests that future conflicts will most likely have a cyber dimension to

them. Additionally, the attribution problem will allow states to hide behind the internet

anonymity and fully utilise the potential that cyberspace gives to aid conventional conflicts.

Nonetheless, examples of Estonia and Georgia do not suggest that cyber conflicts will

replace conventional conflicts any time soon. Most likely cyber tools will fulfil the

supplementing role as an additional tool to the variety of conventional use of force options

available. Looking closely at the results and damage of these incidents it can be concluded

that the impact was minimal. Three week and five day internet blockade of government

websites, news outlets and other services cannot be called a cascading threat that would

greatly impede upon governments choices to make policy decisions. It is a symbolic attack

rather than an actual utilisation of hard power as there is no physical damage done. If these

incidents can be regarded as a state’s intentional use of cyber weapons, those weapons

appeared to be limited to minor inconveniences, symbolic messages and temporary

economic disruptions.

The understanding of what cyber weapons can do changed dramatically in 2010 with

the discovery of Stuxnet computer worm. This type of malware is distinctly different from

ordinary malware discussed earlier. The only similarity is that it is also self-replicate and is

designed to spread rapidly. However, the properties and its aim is different. Firstly, it is a

much more complex programme than any other virus in the world. Symantec, one of the

leading computer security companies, described Stuxnet as requiring extraordinary

sophistication, thought and planning (Murchu, 2010). Security experts think that it might

have taken many months if not years to design it (Zetter, 2010). This initially led many

experts and analysts to believe (which later was essentially confirmed) that the creation of

this virus was conducted with nation-state backing and support (Kaspersky, 2010). The

second big difference is that this malware aims precisely at industrial control systems,

which are in charge of variety of industries such as electrical, water, oil, gas and date

operations. The aim was to penetrate the specific system and take control of it. It was not

aimed to conduct espionage or monitoring tasks as the majority of malwares are. It was

aimed at Windows systems that had Siemens Supervisory Control And Data Acquisition

systems. So it is a very specific target. It was revealed that the majority of infected

computers are located in Iran and the target was Iran’s main nuclear enrichment facilities

(Shearer, 2010). The worm spread through infected USB drives and may have damaged 21

Page 22: Cyber Threats and National Security:Real vs. Perceived Threats

about 1,000 centrifuges in the Fuel Enrichment Plant in Natanz. It successfully, but

temporarily, set back Iran’s fuel enrichment progress in Natanz (Albright, Brannan and

Walrond, 2010: 7). It was a deliberate and precise attack in order to disrupt and cause

physical damage to Iran’s nuclear ambitions.

Precisely because of what the target was and the complexity of the virus, media and

experts speculated that it may have been the work of United States and Israel. This

suspicion was later confirmed in the New York Times article by David Sanger. The article

revealed that Stuxnet virus was developed following incentive started by Bush

administration and called Operation Olympic Games. It included covert attacks against

Iranian nuclear industry and the main weapon of it was development and initiation of

Stuxnet (Sanger, 2012). The report argues that collaboration with Israeli intelligence unit

was driven by two conditions. Firstly, Israel had very advanced technical expertise and

particularly deep knowledge of the Natanz nuclear facility. Secondly, it was a good way to

deter Israel from thinking about pre-emptive strike against the Iranian nuclear facilities, as

that would create immense crisis situation and instability in the region (Sanger, 2012). The

article goes into detail how the initial planning and actual execution of the operation took

place, but these details are not that important. What is paramount is to understand that first

time in the history a cyber tool/weapon was used to do more than disrupt, deface or create

mild and temporary inconvenience. This weapon was used because alternative conventional

strikes were not the best option, however, it managed to create an actual physical

destruction of the crucial nuclear power plant. In many ways it was a success, however, due

to a mistake in programming code, Stuxnet spread to other computers outside Iran. This not

only revealed what are the capabilities of states in terms of cyber weaponry, but allowed to

dissect and analyse the program itself, so that replicas could be made by anyone willing and

having resources to do so. Because of that, the damage was not only to Iran’s nuclear plans

but also to the U.S.’s credibility in cyberspace, it is believed that it may encourage other

countries to increase their offensive cyberspace capabilities in response (Messmer, 2012).

Cyber threats that come through military sector can be divided in two categories.

There are the ones that pose a direct threat to national security and the ones that support

conventional conflicts by exploiting cyberspace to create pressure, disrupt media or spread

symbolic political messages. Conflicts of Gulf War, Iraq, Estonia and Georgia were of the

latter type, they had a cyber dimension to them. The opposing parties, utilised cyber space

tools to supplement their foreign policy agenda. These examples suggest that in the future

there might be more conflicts that will have a cyber dimension. However, cyber tools that 22

Page 23: Cyber Threats and National Security:Real vs. Perceived Threats

were used proved to be limited in the impact it created. Short-term government websites

disruptions are not, and should not be, a major national security issue. It can hardly be

called a matter of state security, let alone invoke national security rhetoric. The response to

these types of disruptions should primarily be done internally, improving the computer

networks and making more robust systems that would hold-out against such attacks in the

future. There are no grounds to use the words of “war”, “warfare”, “cyber warriors” or

anything like that, which was done during the Estonian cyber conflict. These matters should

be left to day-to-day politics, mainly to computer network and security experts who can

make backup systems in case of similar disruptions occur again. Neither politicians, nor

military should be involved in this. It is not a threat to national security in the strictest sense.

Other type of cyber threat that comes through military sector is cyber weapons

designed to cause physical damage. It is a cyber weapon that strikes directly the at physical

infrastructure of the state and undermines the livelihood of state. Stuxnet is the sole

example of existing cyber weapon but it shows that it is indeed possible to create and utilise

a weapon that comes and operates within the cyberspace but damages physical realm

instead of just virtual one. Because of that it requires a military response, be it by increasing

cyber defences or reducing cyber vulnerabilities when it comes to industrial sector

operations. This is clearly a threat that come through military sector and should be

considered a matter of national security. Cyber weapon can be substituted for a

conventional weapon and still do a physical damage to the designated target. It not only

bypasses the conventional security measures but also international conventions and

agreements. So far, cyber space is not under international supervision or any sort of weapon

control treaties. The existence this type of cyber weapons should be acknowledged by

military security experts as it is a threat to national security and international stability in

general.

23

Page 24: Cyber Threats and National Security:Real vs. Perceived Threats

2. Rhetoric of the cyber security debate.

2.1. The gap between perception and reality

The first part of the dissertation showed to what extent cyber threats can be a

national security problem. The results can be interpreted depending on the definition of

security. The broader the understanding is, the more threats can be considered a matter of

security and a threat to the state livelihood. However, when assessing the risks presented by

cyber sector, it is important to use a rigid and narrow understanding of national security.

Mainly because it is a fairly new threat and concepts are not yet developed, so there is a lot

of misunderstanding and miscommunication about the cyber realm. It ranges from people

who assume that we are in a perpetual cyber war to the sceptics who say cyber threats

cannot be put in the same category as economic, political or military threats. This is a

problem because depending how you understand security, defines how you frame problems

and threats. That subsequently causes different solutions. If the threats are overblown and

exaggerated it may easily lead to calling for unwanted military solutions.

The estimation of the threats that come through three sectors (military, economic

and political) shows that very few instances would allow national security rhetoric to be

used. In other words, the majority of the threats that come from cyberspace do not directly

threaten national security. Threats that come through economic sector pose a threat mainly

to individuals but not directly to the states. Large scale cyber-espionage have the potential

to threaten national security by causing immense economic damage to the state or if the

state loses extremely sensitive (military or intelligence related) information. However, so

far there has been no such attack/incident. Political sector presents states with different

problems as politically motivated activists use cyber tools to convey their message through

disruption of websites, hacking and extracting information. The question here is if these

activities can cause political instability for regime or significantly limit government's policy

options. Wikileaks scandal was different from other examples of hacktivism. It may have

caused significant problems for some states as their private correspondence was made

public. It may also have endangered many lives of informants in Iraq and Afghanistan,

additionally, information about the military movements may have been leaked. In this

respect, it threatened states’ (mainly the US) foreign policy incentives and their national

security. However, it is important to note that the information was obtained from within the

US military, by a soldier, proving once again that usually the weakest security link is human

and not technology. Internet was the catalyst for that information to spread and gain

24

Page 25: Cyber Threats and National Security:Real vs. Perceived Threats

momentum; it was not a cyber threat per se. Interesting observations can be made by

looking at military sector. It is clear that present and future conflicts will also take place in

the cyber sector. This was shown in Estonia and Georgia cases. Also there is no solid proof

that currently there is an on-going cyber war. There are a lot of attacks and disruptions

coming towards nations but none of them cause serious damage. Exception can be made

about the cyber weapons capabilities to cause physical damage as shown by Stuxnet virus.

The implications of this will be assessed in the further chapters but it is clearly an example

how cyberspace can be used to damage physical infrastructure. This should be taken

seriously and according to the working definition of security in this work, this virus is (or

rather was for Iran) a threat to national security.

As mentioned earlier determining what are the actual types of threats is just one side

of the coin. To definitely say that something is a national security issue, we must also look

at how the recipient state perceives that threat. Using the Copenhagen School’s

securitization theory it is important to look at how threats are framed and what language is

used. Copenhagen School argues that security is a self-referential practice, mainly because

the issue becomes a security issue not necessarily because a real existential threat exists but

because the issue is presented as such (Buzan, Wæver and Wilde, 1998: 24). They pay

particular importance at what is called “a speech act” - a designation of an existential threat

by securitizing actors, those actors claim an issue to be an existential threat requiring

emergency action or special measures. And if it is accepted by a significant audience, the

issue becomes securitized (Buzan, Wæver and Wilde, 1998: 27). According to Arnold

Wolfers security can be approached both objectively (there is a real threat) and subjectively

(there is perceived threat) and that nothing ensures that these two approaches will line up

(Wolfers (1962) cited in Buzan, Wæver and Wilde, 1998: 30). The perception is particularly

important speaking about cyber security because, as mentioned previously, this is a new

field and any motions towards framing threats in a certain way leads not only to a different

solutions to problems but also to a different understanding of the problem itself. For this

reason it is important to look at the “speech acts” made by cyber sector securitization actors

- government officials as well as security experts in the U.S.

25

Page 26: Cyber Threats and National Security:Real vs. Perceived Threats

2.2 Exaggerated language of the cyber threats.

According to the Copenhagen School securitising actors can be anybody and

anyone. However, elites, especially political elites, have a distinct advantage in the

securitising process. Given that the understanding of cyber security requires certain amount

of technological knowledge, security experts should also be included in this category. There

has been a lot of talking about information warfare, cyber capabilities and vulnerabilities,

cyber war and cyberterrorism in general. Many individuals made statements about cyber

security; therefore it is easy to be at a loss when trying to determine who the main

securitizing actors were. It is important, however, to analyse the tone of the language used,

how the issues and problems arising from cyber realm were framed as well as what kind of

language was used to describe them.

Due to the fact that the focus of this paper is on the types and levels of cyber threats

in comparison to the perception of them, and eventually pointing out what kind of

implications does the disparity between real and perceived causes, only a brief account of

the most important actors in charge of the cyber security framing will be presented. It is fair

to say that the discourse of cyber security framing, at least in the US, is a wholly negative

exercise. The usual tone of the language is dark, threatening, intentionally worrying and

sometimes even menacing.

In the past couple of years cyber security problems have had a lot of attention from

the politicians and security experts. It can be said that this attention is only increasing in the

recent years. Obama’s administration was (and still is) particularly keen on keeping cyber

security a policy priority. In 2008 administration’s requested report of the CSIS

Commission Cybersecurity for the 44th Presidency, warned that “cyber security is now a

major national security problem for the United States”(CSIS Commission on Cybersecurity,

2008: 1). A year later in 2009, the White House released a Cyberspace Policy Review,

which said that “cyber security risks pose some of the most serious economic and national

security challenges of the 21st Century”(Cyberspace Policy Review, 2009: iii). Barack

Obama himself in 2009 speech on cyber threats said that “America’s economic prosperity in

the 21st century will depend on cybersecurity” (Obama, 2009). These statements focused

attention on a particular parts of cyber security. It can be said that it paved the way for the

future security implementations and raised the awareness of the possible security problems,

putting cyber security alongside “traditional” sectors (military, economic, political, and

environmental). However, other securitising actors used much stronger language to describe

cyber threats. Keith Alexander, the director of US National Security Agency and the 26

Page 27: Cyber Threats and National Security:Real vs. Perceived Threats

commander of US Cyber Command claimed earlier in 2010 that US networks are being

attacked by “hundreds of thousands of probes a day” and that the Pentagon was “alarmed by

the increase” of these attacks (Hodge, 2010). He also warned that previously discussed

hacktivist group “Anonymous” in the nearest future may have the ability to cause “a limited

power outage through a cyberattack” (Benkler, 2012). US Defence Secretary Leon Panetta

in 2011 said that “the next Pearl Harbour that we confront could very well be a cyberattack”

(Mulrine, 2011). Mike McConnell, former director of the National Intelligence, also does

not miss a chance to hype up the cyber security of the US. In 2011 he said that if the US

would be in cyberwar today, US would lose (McConnell, 2010). Richard Clarke, who

worked for the US government security related positions and now is a counter-terrorism

analyst, in his book Cyber War (2010) draws a very dark picture of what would happen if

US would be involved in a cyberwar - blackouts would hit cities, airplanes would fall from

the sky, banks lose all their data and satellites would spin out of their orbits (Kakutani,

2010). Michael Mullen, former Chairman of the Joint Chiefs of Staff and a retired US Navy

admiral stated that in regard to cyber security “we are being attacked today, from other

countries” (Shachtman, 2010). These people play a pivotal role in the framing of national

security in terms of cyber vulnerabilities. They are the leading securitising actors, because

of unique government positions they occupy or occupied at some point. For this they have

the most influence in shaping up security matters as well as most exposure in terms of

publicity through media.

Precisely because of the high importance of these individuals, we must look

carefully at what (and how) they are saying. First chapter of this dissertation looked into the

“reality” of the cyber threats. Albeit that is a very tricky task as what is a “real” threat is

definitely subjective, because different units perceive different threats to be more “real”

than the others, depending on the information they have and other contextual conditions.

Academics in favour of constructivist approach to security seem to believe that the

importance of the actual threat level is not that big, the study should be focused mainly on

actors and their interactions. Cavelty argues that there is no sound way to study the “actual”

level of cyber-risk. She says that “the focus of research necessarily shifts to contexts and

conditions that determine the process by which key actors subjectively arrive at a shared

understanding of how to conceptualize and ultimately respond to a security threat” (Cavelty,

2012: 24). However, the “actual” threat or the “real” threat still matters despite this point of

view. If the aim is the optimal governmental policy solutions, we must assess how real the

threat is and how that matches with the perception of the threat.

27

Page 28: Cyber Threats and National Security:Real vs. Perceived Threats

Comparing the first chapter with the presented rhetoric of securitising actors it can

be said that the reality and the rhetoric does not match. There is a clear gap between what is

perceived to be a cyber threat and what kind of threats actually exists. This is a problem

because the mismatch between perception and reality creates a situation where public and

media is misinformed about the threat levels. In this instance where disparity is very

negative (rhetoric is exaggerating the actual threat levels), it can create an overly insecure

feeling about the cyber space, where individuals will be imagining that using internet is a

constant danger and that identity theft, financial loss and other dangers are imminent. This

can seriously stall the spread of electronic literacy and computer technology progress. What

is more important, is that this gap causes a particular kind of unwanted policy solutions and

creates an international tension among states, subsequently leading to more insecurity. This

problem will be addressed after the evaluation of why this gap exists at all.

2.3 Mismatch between perception and reality of cyber threats - reasons and implications

The gap that exists between perception and reality of cyber threats is caused by three

main reasons - psychological, economic and political.

Psychological reasons cause people to misjudge their sense of security all the time.

Cognitive bias makes us perceive personified risks to be greater than anonymous, also

exaggerate spectacular and rare risks and downplay common risks (Schneier, 2011). This is

also true when talking about cyber security. Especially when people hear words as

“cyberterrorism” and “cyberwar” that psychologically causes a sense of fear. Terrorism

associates with the fear of random, violent victimisation and that blends with the distrust

and outright fear of computer technology (Weimann, 2004: 3). Technological fear is

especially relevant when it comes to cyber threats because the majority of media articles

and security experts use quite vague and strong language to describe these threats. Threats

seem to be coming out of nowhere, from some anonymous hacker groups who can strike

any time and cause unimaginable damage. This is caused by the lack of information on the

part of consumers and general population. It is problematic because if there is a big

disparity between the “feeling” of security and the reality of it, it is hard to make sensible

security estimations and that leads to a bad security policy decisions.

Economic reasons are quite straightforward. Combating cyber threats became a very

profitable business. According to Gartner Inc., worldwide security software revenue in total

28

Page 29: Cyber Threats and National Security:Real vs. Perceived Threats

was $17.7 billion in 2011 and increased by 7.5% from 2010 (Gartner, 2012). Additionally,

following 9/11 attacks, the US federal government requested $4.5 billion for infrastructure

security (Weimann, 2004: 3). Think tanks release reports that alarm public about cyber

realities, experts have testified about cyberterrorism dangers before Congress and private

companies have deployed security consultants to protect themselves. It cannot be said that

all these movements were based on groundless threat perception, however, the exaggeration

of the threats definitely moved the cyber security industry forward and gave jobs to a lot of

computer and network experts, analysts and professionals. It is in their best interest to keep

the threat levels as high as possible, without going totally overboard.

Finally, political reasons are a bit more ambiguous and not so clear cut. Politicians

very frequently use the tactic of “raising awareness” of some problem when they want a

certain legislation to pass. Media sometimes exacerbates the exaggerated rhetoric by

chasing a scary front-page title, such as - “Cyber-Attacks by Al Qaeda Feared, Terrorists at

Threshold of Using Internet as Tool of Bloodshed, Experts Say” (Gellman, 2002). This

might be a selective example but “dread” language from politicians usually increase when a

big legislative bill is about to get voted in Congress. This happened with Cybersecurity Act

of 2010, when the increased attention was given to cyber security in the media by the

senators who were trying to push through this bill. In the op-ed article senators Olympia

Snowe and Jay Rockefeller warn that attacks coming from cyber sector “have the potential

to disrupt or disable vital information networks, which would cause catastrophic economic

loss and social havoc” (Rockefeller and Snowe, 2010). Many experts agreed at the time that

this was clearly an artificial ramping up of the rhetoric in order to get the bill to pass. The

bill was controversial because it introduced the so-called “kill switch” - an ability for the

President to order limitation or complete shutdown of Internet traffic. Electronic Frontier

Foundation called this an “approach that favours dramatic over sober response (Granick,

2009). Recently, the same tactic was used by President Obama as he was trying to get

passed the Cybersecurity Act of 2012 in the Senate. He wrote an op-ed in Wall Street

Journal arguing that “cyber threat to our nation is one of the most serious economic and

national security challenges we face” and starting the article with the dread scenario of the

cyber attack simulation where trains derail and water treatment plants shut down” (Obama,

2012). Once again the updated version of Cybersecurity Act faced heavy criticism. Personal

privacy advocates claimed that the bill will seriously impede upon people’s ability to be

anonymous and private on Internet, forcing some Internet Service Providers to implement

blocking measures against privacy service providers such as VPN and TOR, also that the

bill will allow recording of “potential future crimes”, again, highly ambiguous and freely 29

Page 30: Cyber Threats and National Security:Real vs. Perceived Threats

interpreted statement (Wilson, 2012). Currently the bill is in limbo as it did not pass the

Senate vote, but Obama considers using the executive order to get it through regardless.

Looking at the reasons why the gap between the perceived cyber threats and the

actual cyber threats exists, it is safe to say that all three reasons - economic, political and

psychological, makes the case for educating the public about the cyber threats. If we would

have more information about what the actual threat levels are, it would be easier to assess

and recognise when the exaggeration happens and when the rhetoric is being used because

of the political motivation. The disparity between real and perceived not only causes

misinformation towards general public but also causes other implications in terms of policy

decisions, general security and international stability.

The level of states’ cyber capabilities (offensive and defensive) varies greatly, but it

is hard to assess the actual levels because most of the information is regarded as sensitive

and therefore is not accessible. Nonetheless, experts suggest that countries have been

ramping up their offensive and defensive capabilities.

Iran has been on the spotlight as a country that can and would use cyber tools to

retaliate if they would ever feel cornered. Iran is said to have a cyber capabilities to perform

an attack. In 2010 Iranian Islamic Revolution Guards Corps established their cyber warfare

division. It is believed that there are about 2400 personnel in the cyber division (Carr, 2012:

250). Iran’s officials seem to constantly warn the US and Western world of their “very

strong” defence capabilities (Ferran, 2011).

China is also developing a strong cyber command unit. Development of cyber

warfare capabilities has been one of the most important incentives in order to diminish the

disparity between the US and Chinese military capabilities. In 2011 China announced the

establishment of a “Blue Army” division, a cyber command unit (Carr, 2012: 257).

North Korea has been training hackers since mid-1980s and now has a very

powerful force of cyber warriors. Specialised college trains a hundred professional hackers

every year which are incorporated into military and being put under centralised command

(Jae, 2011). It is believed that Iran’s cyber warfare capabilities are on par with such

countries as South Korea, China and Russia, mainly because they put hackers under direct

command and therefore fully control the capacity of cyber tools, whereas other countries,

especially Russia and China, depend on separate hacker groups who are motivated by

ideology or money.

Russia alongside countries such as France, Germany, Israel, Canada, and Australia

are also in the process of increasing their cyber capabilities. Due to overall secrecy of these 30

Page 31: Cyber Threats and National Security:Real vs. Perceived Threats

types of military programs it is hard to rank countries and say that one is more advanced

than the other. Nonetheless, the trend is very apparent, a lot of states are ramping up their

offensive and defensive cyber security programs and there seems to be nothing to suggest

that this trend will decrease any time soon.

Exaggerated rhetoric by the US may have contributed to this “militarization” of

cyber sector because when the US uses such terms as “cyber war”, “cyber deterrence” and

“cyber response” it creates an international tension and an atmosphere of insecurity. That

might lead to the security-dilemma of the cyber space. If many countries are building cyber-

command units, little is known about their capabilities and this only encourages other

countries to “catch-up” and do the same. Uncertainty, secrecy and distrust seem to dominate

international cyber relations (Cavelty, 2012: 15). Not only the rhetoric may have

contributed to that but also actions by the US. Stuxnet virus has basically proven to be the

creation of the US and Israeli intelligence and it sent a clear signal to the other states about

what these two countries are capable of in terms of technological advancement. The fact

that the virus code leaked and got dissected by many computer experts did not make the

case any better. It allowed for not so advanced states to use the same code and attempt to try

and create their own cyber weapon. US sent a loud message that they are prepared to use

offensive cyber tools to achieve their foreign policy aims. Militarization of the cyber sector

is just one side of the problem. The gap between perceptions and reality also has a negative

effect on the cyber security concept itself..

2.4 Implications for the cyber security concept

A lot of problems related to the concept of cyber security come from its ambiguity.

As mentioned earlier, cyber security is not the concept that fits easily in the well-established

conceptual or theoretical Security Studies categories. To quote Hansen and Nissenbaum,

“cyber discourse moves seamlessly across distinctions normally deemed crucial to Security

Studies: between individual and collective security, between public authorities and private

institutions, and between economic and political-military security” (Hansen and

Nissenbaum, 2009: 1161). The problem is not that cyber security can be an issue for the

variety of units (individuals, states, societies), but that politicians, security experts and some

academics use the term “cyber security” to describe entirely different problems. Cyber

threats to individuals are vastly different from the threats to the states. The clarity of what is

31

Page 32: Cyber Threats and National Security:Real vs. Perceived Threats

meant by ‘cyber security’ must always be a priority when someone is making a speech or

writing a report on the national security. Given that the concept of cyber security is at its

early stage of development, a particular attention should be paid to avoid the confusion of

the terms. Otherwise, not only there will be a blurry academic discourse and analysis, it will

also lead to a bad policy decisions.

The second source of ambiguity comes from the properties of the cyber

securitization. The process of securitization always involves same two reflections – the

future and the past. To a degree all past securitizations utilized a projection of the future

(e.g. environmental change scenarios to illustrate the importance of taking environmental

security seriously), but, also, securitization always depends on the past as a reference that

underscores the gravity of the situation (Hansen and Nissenbaum, 2009: 1164). In the case

of nuclear war, Hiroshima and Nagasaki examples would be used to make an estimated

projection of what an all-out nuclear war would mean. The problem is that cyber threats do

not have the past “catastrophes” on which cyber security concept could be built. So far,

there has been no large-scale cyber incident with the cascading effects that would leave a

long lasting impact. Therefore, cyber sector securitization relied on the future projections of

the cyber catastrophes. This is understandable because for the issue to become a part of the

security debate and establish itself firmly in the broader context of security, some

exaggeration is helpful. However, it can be argued that what started with the intention of a

firmer securitization and “claiming” equal footing among the other security sectors, ended

up being over-exaggerated concept, susceptible to the case for hyper-securitization.

The ambiguity of the cyber sector lies at the very core of this dissertation main

argument about the existing gap between the perception of cyber threats and the actual

threat levels. Securitizing actors had no past examples to rely on when they started the

process of cyber threat securitization. Because of that, securitizing actors relied on the

future projections and possible “dread” scenarios. According to Ole Weaver, the use of the

security label does not necessarily imply that a problem is a security problem, but rather it is

a political choice, a decision for conceptualization in a special way (Weaver, 1995: 13). He

maintains that we should not judge the securitization act as “good” or “bad” by itself, but

we should look at the effects such political move creates (Weaver, 1995: 21). Applying this

thought process to the cyber security concept, it should not be said that the cyber

securitization, based on exaggerated projections of the future itself, is a bad move.

However, the effect it created is not a positive and, therefore, adjustments towards the

understanding of the cyber security concept should be made.

32

Page 33: Cyber Threats and National Security:Real vs. Perceived Threats

Besides the effects caused by the gap between the real cyber threats and the

perceived ones that were discussed earlier (possible militarization of the sector, overall

instability and distrust of the international cyber discourse) there are also negative effects on

the understanding of the cyber security concept itself. Effectively, what has happened with

the cyber security concept is due to the perceptions becoming the reality. This work showed

that there is a clear gap between the actual threat level and the perceptions, but the effects of

the securitization imply that either this gap is not visible to the other actors (or, using the

Copenhagen School’s terminology, the audience) or it is totally ignored. Securitizing actors

used a very powerful language to convince that cyber security should be a top priority and,

if unattended, can lead to the extraordinary and cataclysmic disasters. They did that for

various reasons but the most important point is that the audience was convinced of that

rhetoric. When it comes to general population, they lack the sufficient information about the

subject. The understanding of cyber threats requires at least basic technological knowledge

but the majority of people do not have that. When it comes to other states and people in

charge of formulating national security policies - it is different. They do not lack the

information, but they are enforced to take it seriously because of the unstable nature of

international relations and the security dilemma that arises from cyber sector. Existing cyber

weaponry and cyber actions being unregulated and unsupervised by any authority puts

major powers at a difficult strategic position. On one hand, they should clearly see that the

traditional sectors of the economy and the military security should take priority over cyber

security. On the other hand, they cannot take it lightly when the US high ranking officials

and generals state that they need to review their cyber policy because they are “losing the

cyber war”. No state wants to fall behind at the power game, and no state takes chances of

not putting a lot of resources in the development of cyber capabilities. This way, the

perception becomes the reality, when the US, being the leading superpower and the most

advanced country in terms of cyber capabilities, talk about the possibility of cyber disasters

and the need to focus on cyber security (usually this means an increased funding for the

development of defensive and offensive capabilities) this causes other countries to react.

Other states do not want to fall behind and they start developing those capabilities to the

best of their abilities. This situation forms a loop where the “dread” scenario articulated by

the US causes other states to increase their cyber capabilities making the initially unrealistic

scenario more probable. It appears that cyber sector, being a relatively new concept, suffers

from the classic problems of security dilemma.

After all, how ‘real’ the threat is depends on whether or not it is perceived to be real,

effectively blurring the two categories together. Cyber security suffers from it. The current 33

Page 34: Cyber Threats and National Security:Real vs. Perceived Threats

situation does not provide a clear definitions and boundaries of the cyber security concept.

If the government uses cyber security as a “catch-all” phrase to increase their ability to

control (which is the aim of any government, consolidating the power and governing more

effectively) that changes the understanding of the problem itself. Cyber security is more

relevant when talking about the individual security. It manifests itself as a threat to privacy

and the economic wellbeing of the populations. As showed in the first chapter of this work,

cyber threats rarely cause insecurity for the state if the rigid definition of national security is

used. However, the current understanding of cyber security implies that there is a looming

possibility of cyber catastrophe. There is a lack of evidence to support statements like this,

but if this tone of the rhetoric persists, the future ramifications of the cyber security will be

deemed to be limited to the military-economical security discourse, while, clearly, at the

moment the biggest issue is individual security and individuals’ need to feel safe in the

cyber space.

34

Page 35: Cyber Threats and National Security:Real vs. Perceived Threats

Conclusion

Cyber security concept hinges on the cyber disaster scenarios (Hansen and

Nissenbaum, 2009: 1164) and this is the main reason for the need to re-evaluate the cyber

security discourse. The main problem is that the reliance on the disaster scenarios and the

“dread” rhetoric do not match the actual threat levels that come from the cyber sector. There

is a gap between the perception and the reality which causes unwanted consequences for the

cyber security concept.

The first chapter of this work deals with the question to what extent cyber threats

can be a matter of national security. It can be said that only a limited amount of cyber

threats directly undermine national security, a notable exception being Stuxnet - the cyber

weapon developed by the US and Israel and used against Iran’s nuclear facilities. The vast

majority of the threats causes economic damage for the business and the loss of intellectual

property and, therefore, is a matter of individual security rather than state security. Because

of that, most of the time national security rhetoric should be used very sparingly, only when

talking about a particular cyber threats that may cause substantial physical damage for the

state. Nonetheless, the second chapter points out that there is a mismatch between the cyber

threat levels to national security and the way politicians, security experts and military

officials talk about it. This mismatch creates a gap and leads to the understanding that all

cyber threats should be considered in the context of national security. In practice, this means

invoking military solutions and increasing funding for various offensive and defensive

measures. That is not the optimal approach. When it comes to the cyber security, military

solutions should be used only for a limited amount of threats.

This is the main reason for the re-evaluation of the cyber discourse. Cyber security

is more relevant when talking about the rights of individuals. Economic security,

intellectual property and the rights to maintain privacy in the cyber realm are the issues that

can be easily undermined if the public discourse of cyber security is fixated on national

security and the constant warnings about the upcoming “cyber Pearl Harbours”.

The most sensible approach to this problem may be the movement towards the de-

securitization of the cyber discourse. The majority of the threats that come through cyber

sector are not the threats to national security. Those threats can be managed using standard

political system. In most cases day-to-day politics is more than sufficient to implement the

changes required for the increased security in the cyber space. There is no need to push the

35

Page 36: Cyber Threats and National Security:Real vs. Perceived Threats

matter further as it does not require emergency actions that are beyond standard political

procedures. Moving cyber security from “securitized” to “politized” category would be

beneficial to the understanding of the cyber security concept itself and would subsequently

lead to a better policy solutions. It does not mean that politicians should disregard cyber

threats that can undermine national security and only focus on those that are more relevant

to individuals; rather, it means that national security should be invoked only in limited

selection of cases. Securitizing actors should understand that the exaggerated rhetoric that

they use is not helpful for overall stability and security of the cyber sector.

36

Page 37: Cyber Threats and National Security:Real vs. Perceived Threats

Bibliography

Albright, D., Brannan, P. and Walrond, C. (2010) ‘Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?’, Institute for Science and International Security, Washington, DC, Available at: <http :// isis - online . org / uploads / isis - reports / documents / stuxnet _ FEP _22 Dec 2010. pdf > [Accessed on 6 September 2012].

Anderson, N. (2007) ‘Massive DDoS attacks targets Estonia; Russia accused’, Arstechnica.com, [online] Available at: <http :// arstechnica . com / security /2007/05/ massive - ddos - attacks - target - estonia - russia - accused / > [Accessed on 6 September 2012].

Arquilla, J. (2003) Interview in PBS Frontline, [online] Available at: <http :// www . pbs . org / wgbh / pages / frontline / shows / cyberwar / interviews / arquilla . html > [Accessed on 6 September 2012].

Arquilla, J. and Ronfeldt, D. (1993) ‘Cyberwar is Coming!’, in J. Arquilla and D. Ronfeldt (eds), In Athena’s Camp: Preparing for Conflict in the Information Age, RAND Corporation, pp. 23-60.

Assange, J. (2006) ‘The Curious Origins of Political Hacktivism’, Counter Punch, [online] Available at: <http :// www . counterpunch . org /2006/11/25/ the - curious - origins - of - political - hacktivism / > [Accessed on 6 September 2012].

BBC News, (2007) Estonia hit by “Moscow cyber war”, [online] Available at: <http :// news . bbc . co . uk /1/ hi / world / europe /6665145. stm > [Accessed on 12 July 2012].

Benkler, Y. (2012) ‘Hacks of Valor: Why Anonymous Is Not a Threat to National Security’, Foreign Affairs, April 4.

Blomfield, A. (2007) ‘Estonia Calls for Nato Cyber-terrorism strategy’, The Telegraph, [online] Available at: <http :// www . telegraph . co . uk / news / worldnews /1551963/ Estonia - calls - for - Nato - cyber - terrorism - strategy . html > [Accessed on 12 July 2012].

Bright, A. (2007) ‘Estonia accuses Russia of ‘cyberattack’’, The Christian Science Monitor, [online] Available at: <http :// www . csmonitor . com /2007/0517/ p 99 s 01- duts . html > [Accessed on 6 September 2012].

Brown, G. et al. (2006) ‘Defending critical infrastructure’, Interfaces, 36 (6): 530-544.Bruce Schneier: The Security Mirage (2010) [video] TED, [online] Available at: <http :// www . ted . com / talks / bruce _ schneier . html > [Accessed on 6 September 2012].

37

Page 38: Cyber Threats and National Security:Real vs. Perceived Threats

Bush, G. W. (2003) in The National Strategy to Secure Cyberspace, U. S. government via Department of Homeland Security.

Buzan, B. (1991), People, states and fear : an agenda for international security studies in the post-cold war era, Harlow: Pearson Educ.

Buzan, B. (2005) ‘American Exceptionalism, Unipolarity and September 11: Understanding the Behaviour of the Sole Superpower’, International Review, 38.

Buzan, B., Wæver, O. and Wilde, J. (1998) Security: a new framework for analysis, Boulder, Colo: Lynne Rienner Pub.

Carr, J. (2012) Inside Cyber Warfare, Sebastopol: O’Reilly Media.

Cavelty, M. D. (2007a) ‘Critical Information Infrastructure: Vulnerabilities, Threats and Responses’, UNIDIR Disarmament Forum, 7: 15-22.

Cavelty, M. D. (2012) ‘Cyber-security’, forthcoming in A. Collins (ed.) Contemporary Security Studies, Oxford University Press.

Cavelty, M. D., Mauer, V. and Hensel, S. (eds.) (2007b) Power and Security in the Information Age: Investigating the Role of State in Cyberspace, Aldershot: Ashgate.

Cha, A. and Nakashima, E. (2010) ‘Google China Cyberattack Part of Vast Espionage Campaign, Experts Say’, The Washington Post, [online] Available at: <http :// www . washingtonpost . com / wp - dyn / content / article /2010/01/13/ AR 2010011300359. ht ml ? sid = ST 2010011300360 > [Accessed on 6 September 2012].

Clarke, R. and Knake, R. (2010) Cyber War: The Next Threat to National Security and What to Do About It, New York: Ecco Press.

Herley, C. and Florencio, D. (2008), A Profitless Endeavor: Phishing as Tragedy of theCommons, New Security Paradigms Workshop, Redmond, WA: Association for Computing Machinery, Inc.

Computer Economics (2007) Annual Worldwide Economic Damages from Malware Exceed $13 Billion, [online] Available at: <http :// www . computereconomics . com / article . cfm ? id =1225 > [Accessed on 9 September 2012] .

Corbin, K. (2012) ‘Security Experts Warn of Cyber Threats From Iran’, CIO, [online] Available at:

38

Page 39: Cyber Threats and National Security:Real vs. Perceived Threats

<http :// www . cio . com / article /705173/ Security _ Experts _ Warn _ of _ Cyber _ Threats _ From _ Ira n _ > [Accessed on 12 July 2012].

CSIS Commision on Cybersecurity for the 44th Presidency, (2008) ‘Securing Cyberspace for the 44th Presidency’, Center for Strategic and International Studies, Washington, DC.

Dacey, R. and Hite, R. (2003) ‘Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues’, Testimony Before the Committee on Government Reform, House of Representatives, United States General Accounting Office, [online] Available at:<http :// www . gao . gov / new . items / d 03715 t . pdf > [Accessed on 6 September 2012].

Dickinson, E. (2011) ‘The First WikiLeaks Revolution?’, Foreign Policy, [online] Available at:<http :// wikileaks . foreignpolicy . com / posts /2011/01/13/ wikileaks _ and _ the _ tunisia _ protest s> [Accessed on 6 September 2012].

Emmers, R. (2009) ‘Securitization’, in Collins A. (ed.) Contemporary Security Studies, New York: Oxford University Press.

Ferran, L. (2011) ‘Iran to U.S., Israel: Bring On the Cyber War’, abcnews, [online] Available at: <http :// abcnews . go . com / Blotter / iran - us - israel - bring - cyber - war / story ? id =14255216#. UEz 1 beVmyZd > [Accessed on 3 September 2012].

Gartner press release (2011) Gartner Says Less Than Half of Security Software Market Belongs to Top Five Vendors, [online] Available at: <http :// www . gartner . com / it / page . jsp ? id =1752714 > [Accessed on 6 September 2012].

Gellman, B. (2002) ‘Cyber-Attacks by Al Qaeda Feared: Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say’, Washington Post.

Google Official Blog (2010), A New Approach to China, [online] Available at: <http :// googleblog . blogspot . co . uk /2010/01/ new - approach - to - china . html > [Accessed on 6 September 2012].

Granick, J. (2009) ‘Federal Authority Over the Internet? The Cybersecurity Act of 2009’, Electronic Frontier Foundation, [online] Available at: <https :// www . eff . org / deeplinks /2009/04/ cybersecurity - act > [Accessed on 3 September 2012].

39

Page 40: Cyber Threats and National Security:Real vs. Perceived Threats

Greenberg, A. (2011) ‘LulzSec Says Goodbye, Dumping NATO, AT&T, Gamer Data’, Forbes, [online] Available at:<http :// www . forbes . com / sites / andygreenberg /2011/06/25/ lulzsec - says - goodbye - dumping - nato - att - gamer - data / > [Accessed on 6 September 2012].

Hansen, L., Nissenbaum, H. (2009), ‘Digital Disaster, Cyber Security, and the Copenhagen School’, International Studies Quarterly, 53, 1155-1175.

Hare, F. (2009) ‘Borders in Cyberspace: Can Sovereignty Adapt to the Challenges of Cyber Security?’ in Czosseck, C., Geers, K. (eds.) The Virtual Battlefield: Perspectives on Cyber Warfare, IOS Press.

Hare, F. (2010) ‘The cyber threat to national security: why can’t we agree?’ in Czosseck, C., Podins, K. (eds.) Conference on Cyber Conflict. Proceedings 2010, Tallinn, Estonia: CCD COE Publications.

Harmon, A. (1998) ‘“Hacktivists “ of All Persuasions Take Their Struggle to the Web’, The New York Times, [online] Available at: <http :// www . nytimes . com / library / tech /98/10/ biztech / articles /31 hack . html > [Accessed on 6 September 2012].

Hodge, N. (2010) ‘Pentagon Networks Targeted by ‘Hundreds of Thousands’ of Probes (Whatever That Means)’, Wired.com, [online] Available at: <http :// www . wired . com / dangerroom /2010/04/ pentagon - networks - targeted - by - hundreds - of - thousands - of - probes / > [Accessed on 6 September 2012].

Hutchinson, W. (2006) ‘Information Warfare and Deception’, Information Science, 9: 213-223.

Information Warfare Monitor (2009) Tracking Ghostnet : Investigating a Cyber Espionage Network, [online] Available at: <http :// www . scribd . com / doc /13731776/ Tracking - GhostNet - Investigating - a - Cyber - Espionage - Network > [Accessed on 6 September 2012].

Jae, M. (2011) ‘North Korea’s Powerful Cyber Warfare Capabilities’, DailyNK, [online] Available at: <http :// www . dailynk . com / english / read . php ? cataId = nk 00400& num =7647. > [Accessed on 3 September 2012].

Janczewski, L. and Colarik, A. (2008) Cyber Warfare and Cyber Terrorism, Hershey, New York: Information Science Reference.

40

Page 41: Cyber Threats and National Security:Real vs. Perceived Threats

Jordan, T. and Taylor, P. (2004) Hacktivism and Cyberwars: Rebels with a Cause?, New York: Routledge Publishing.

Kakutani, M. (2010) ‘The Attack Coming From Bytes, Not Bombs’, The New York Times, [online] Available at: <http :// www . nytimes . com /2010/04/27/ books /27 book . html ? pagewanted = all > [Accessed on 6 September 2012].Kaspersky Lab (2010) Kaspersky Lab Provides Its Insights on Stuxnet Worm, Available at: <http :// www . kaspersky . com / about / news / virus /2010/ Kaspersky _ Lab _ provides _ its _ insights _ on _ Stuxnet _ worm > [Accessed on 6 September 2012].

Keohane, R. and Nye, J. (1998) ‘Power and Interdependence in the Information Age’, Foreign Affairs, 5 (77): 81-94.

Landler, M. and Markoff, J. (2007) ‘In Estonia, What May Be the First War in Cyberspace’, The New York Times, [online] Available at: <http :// www . nytimes . com /2007/05/28/ business / worldbusiness /28 iht - cyberwar .4.5901141. html ? pagewanted = all > [Accessed on 12 July 2012].

Libicki, M. (2009) Cyberdeterrence and Cyberwar, RAND Corporation.

Ludlow, P. (2010) ‘WikiLeaks and Hacktivist Culture’, The Nation, pp. 25-26.

Manion, M. and Goodrum, A. (2000) ‘Terrorism or Civil Disobedience: Toward a Hacktivist Ethic’, Computers and Society, 30 (2): 14-19.

McConnel, M. (2010) ‘Mike McConnel on How to Win the Cyber-war We’re Losing’, The Washington Post, [online] Available at: <http :// www . washingtonpost . com / wp - dyn / content / article /2010/02/25/ AR 2010022502493_ pf . html > [Accessed on 12 July 2012]

Messmer, E. (2012) ‘Stuxnet cyberattack by US a 'destabilizing and dangerous' course of action, security expert Bruce Schneier says’, Networkworld, [online] Available at: <http :// www . networkworld . com / news /2012/061812- schneier -260303. html > [Accessed on 6 September 2012].

Moncada, C. (2008) ‘Organizers Tout Scientology Protest, Plan Another’, The Suncoast News, [online] Available at: <http :// www 2. suncoastnews . com / news / news /2008/ feb /12/ organizers - tout - scientology - protest - plan - another - ar -371484/ > [Accessed on 6 September 2012].

Mulrine, A. (2011) ‘CIA chief Leon Panetta: The Next Pearl Harbor Could Be a Cyberattack’, The Christian Science Monitor, [online] Available at:

41

Page 42: Cyber Threats and National Security:Real vs. Perceived Threats

<http :// www . csmonitor . com / USA / Military /2011/0609/ CIA - chief - Leon - Panetta - The - next - Pearl - Harbor - could - be - a - cyberattack > [Accessed on 6 September 2012].

Murchu, L. (2010) ‘Stuxnet Using Three Additional Zero-Day Vulnerabilities’, Symantec Official Blog, [online] Available at: <http :// www . symantec . com / connect / blogs / stuxnet - using - three - additional - zero - day - vulnerabilities > [Accessed on 6 September 2012].

Nash, T. (2005) ‘An Undirected Attack Against Critical Infrastructure: A Case Study for Improving Your Control System Security’, US-CERT Control Systems Security Center, Lawrence Livermore National Laboratory, [online] Available at: <http :// www . us - cert . gov / control _ systems / pdf / undirected _ attack 0905. pdf > [Accessed on 9 September 2012].

Obama, B. (2009) ‘Remarks by the President on Securing Our Nation’s Cyber Infrastructure’’, The White House, Office of the Press Secretary. Available at: <http :// www . whitehouse . gov / video / President - Obama - on - Cybersecurity # transcript > [Accessed on 12 July 2012].

Obama, B. (2012) ‘Taking the Cyberattack Threat Seriously’, The Wall Street Journal, [online] Available at: <http :// online . wsj . com / article / SB 10000872396390444330904577535492693044650. html > [Accessed on 3 September 2012].

Pauli, D. (2010) ‘PayPal Suffers DoS for Spurning Wikileaks’, ZDNET, [online] Available at: <http :// www . zdnet . com / paypal - suffers - dos - for - spurning - wikileaks -1339307771/ > [Accessed on 6 September 2012].

Posner, G. (2010) ‘China’s Secret Cyberterrorism’, The Daily Beast, [online] Available at: <http :// www . thedailybeast . com / articles /2010/01/13/ chinas - secret - cyber - terrorism . html > [Accessed on 9 September 2012].

President’s Commission on Critical Infrastructure Protection (1997) Critical Foundations: Protecting America’s Infrastructures, Washington, DC.

Rockefeller, J. and O. Snowe (2010) ‘Now Is the Time to Prepare for Cyberwar’, The Wall Street Journal, [online] Available at:<http :// online . wsj . com / article / SB 10001424052702303960604575157703702712526. html > [Accessed on 3 September 2012].

Sanger, D. (2012) ‘Obama Order Sped Up Wave of Cyberattacks Against Iran’, The New York Times, [online] Available at:

42

Page 43: Cyber Threats and National Security:Real vs. Perceived Threats

<http :// www . nytimes . com /2012/06/01/ world / middleeast / obama - ordered - wave - of - cyberattacks - against - iran . html ? pagewanted = all > [Accessed on 6 September 2012].

Shachtman, N. (2010) ‘Top Officer Fears Cyberwar, Hearts Karzai, Tweets With Help’, Wired.com, [online] Available at: <http :// www . wired . com / dangerroom /2010/04/ top - officer - fears - cyberwar - hearts - karzai - tweets - with - help / > [Accessed on 6 September 2012].

Shane, S. and Lehren, A. (2010) ‘Leaked Cables Offer Raw Look at U.S. Dimplomacy’, The New York Times, [online] Available at:<http :// www . nytimes . com /2010/11/29/ world /29 cables . html ?_ r =3& bl > [Accessed on 6 September 2012].

Shearer, J. (2010) ‘W32. Stuxnet’, Symantec.com, [online] Available at: <http :// www . symantec . com / security _ response / writeup . jsp ? docid =2010-071400-3123-99 > [Accessed on 6 September 2012].

Siroli, G. P. (2006) ‘Strategic Information Warfare: An Introduction’, in E. Halpin, P. Trevorrow, D. Webb, S. Wright (eds.), Cyberwar, Netwar and the Revolution in Military Affairs, Houndmills: Palgrave Macmillan, pp. 32-48.

Sommer, P. and Brown, I. (2011) ‘Reducing Systemic Cybersecurity Risk’, Organisation for Economic Cooperation and Development, [online] Available at: <http :// ssrn . com / abstract =1743384> [Accessed on 6 September 2012].

The National Strategy to Secure Cyberspace (2003), Washington, DC, Available at: <http :// www . us - cert . gov / reading _ room / cyberspace _ strategy . pdf > [Accessed on 12 July 2012].

The White House, (2009) Cyberspace Policy Review: Assuring a Trusting and Resilient Information and Communications Infrastructure, Washington, DC, Available at: <http :// www . whitehouse . gov / assets / documents / Cyberspace _ Policy _ Review _ final . pdf > [Accessed on 9 September 2012].

Thornburgh, N. (2005) ‘Inside the Chinese Hack Attack’, Time, [online] Available at: <http :// www . time . com / time / nation / article /0,8599,1098371,00. html > [Accessed on 6 September 2012].

TorrentFreak (2010) ‘4chan DDoS Takes Down MPAA and Anti-Piracy Websites’, [online] Available at:<http :// torrentfreak . com /4 chan - ddos - takes - down - mpaa - and - anti - piracy - websites -100918/ > [Accessed on 6 September 2012].

43

Page 44: Cyber Threats and National Security:Real vs. Perceived Threats

Traynor, I. (2007) ‘Russia Accused of Unleashing Cyberwar to Disable Estonia’, The Guardian, [online] Available at: <http :// www . guardian . co . uk / world /2007/ may /17/ topstories 3. russia > [Accessed on 12 July 2012].

Ullman, R. (1983), ‘Redefining Security’, International Security, 8 (1): 129-53.

United States Cyber Consequences Unit (2009) ‘Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008’, Available at: <http :// www . registan . net / wp - content / uploads /2009/08/ US - CCU - Georgia - Cyber - Campaign - Overview . pdf > [Accessed on 6 September 2012].

Wæver, O. (1995), ‘Securitization and Desecuritization’, in Lipschutz R. (ed.) On Security, New York: Columbia University Press.

Wagenseil, P. (2011) ‘Anonymous ‘hacktivists’ attack Egyptian websites’, NBCNEWS.COM, [online] Available at:<http :// www . msnbc . msn . com / id /41280813/ ns / technology _ and _ science - security / t / anonymous - hacktivists - attack - egyptian - websites /#. UBl 1 Ip 1 lSZc > [Accessed on 6 September 2012].

Weimann, G. (2004) ‘Cyberterrorism: How Real Is the Threat?’, United States Institute Of Peace, Washington, DC, Available at: <http :// www . usip . org / publications / cyberterrorism - how - real - threat > [Accessed on 6 September 2012].

Wilson, D. (2012) ‘Obama Mulling Executive Order to Get Cybersecurity Act of 2012 Passed?’, ZeroPaid, [online] Available at: <http :// www . zeropaid . com / news /101960/ obama - mulling - executive - order - get - cybersecurity - act -2012- passed / > [Accessed on 3 September 2012].

Wolfers, A. (1962) ‘National Security as an Ambiguous Symbol’, Discord and Collaboration. Essays on International Politics, John Hopkins University Press: Baltimore, pp. 147-165.

Zetter, K. (2010) ‘Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target’, Wired.com, [online] Available at: <http :// www . wired . com / threatlevel /2010/09/ stuxnet / > [Accessed on 6 September 2012].

44