The initial thinking behind my new book Constructing cybersecurity: Power, expertise and the internet security industry began just short of a decade ago. The more I read about cybersecurity the more I found myself becoming interested in an overarching homogeneity in how it was understood and conveyed. Cybersecurity is a more recent addition to the security vernacular, but it was striking how quickly it had become assimilated within the discourse and agenda of national security. As Dunn Cavelty writes, there nothing ‘natural or given’ about this link and it had to be, ‘forged, argued, and accepted in the political process’ (2013: 105). Constructing cybersecurity considers this process and places a specific focus on the impact of one aspect of the internet security industry.
The part of the industry I focused on is made up of companies like Symantec and McAfee that are probably best known for their antivirus products. These had not previously been the focus of research but my primary motivation for studying them was to do with the nature of cybersecurity and the special status of the knowledge contained within their publications. Lene Hansen and Helen Nissenbaum (2009: 1157) speak of cybersecurity as a “technified” field that is, ‘reliant upon expert, technical knowledge for its resolution’. Consequently, these speakers can operate as ‘security professionals’ with the ‘last word over the truth concerning the evaluation of the future dangers and the construction of categories of danger and desirability’ (Bigo, 2012: 205). Given these qualities, the book is interested in how industry expert knowledge has impacted upon the construction of cybersecurity and it proceeds within the constructivist tradition arguing that this expert discourse does not merely reflect reality but is constitutive of it.
In the book I consider how cyber-threats and “cyberspace” itself have been constructed. My investigations into the latter revealed a space which has been portrayed as fraught with inherent weakness; a space built and navigated by humans and therefore not free from human error. Errors, oversights and “bugs” in design all present vulnerabilities that can be exploited by nefarious actors, just as can carelessness, ignorance or naivety on the part of the user. The metaphorical language of infection and pandemic that has been a focus of other research (Betz and Stevens, 2013; Wolff, 2014) conveys a tangible sense of danger as does reference to cyberspace as a dangerous wilderness where unprepared users are ‘easy prey for hackers and virus creators’ (Kaspersky Labs, 2002). There is a Rumsfeldian style uncertainty at work here too with known knowns, known unknowns and unknown unknowns. Nevertheless, amidst the uncertainty of the who, when and where, there is a high degree of confidence in the continued threat.
Cyber-threats themselves are said to be increasing in number, scale, complexity and destructiveness. The prevalence of militaristic metaphors helps convey this destructiveness and frames cyber-threats as the bombs and bullets we are more familiar with (Steuter and Wills, 2009). They encourage us to understand acts and individuals within specific frames of reference, for example, as cyber-warfare, cyber-terrorism, cybersoldiers or cybermercenaries. Military historical metaphors such as “cyber-9/11” or “cyber-Pearl Harbour” communicate the potential fallout of catastrophic ‘nightmare scenarios’ such as nationwide power-outages. Given that such ‘nightmare scenarios’ are (thankfully) yet to materialise, a great effort is also made to reinforce the credibility of threats, drawing attention to high-profile cyber-events and encouraging readers to avoid viewing things through the lens of science-fiction.
In exploring how cybersecurity was constructed within this discourse I found tactics, tropes and techniques that were both familiar and novel. However, the overarching impression was not of a radically different version of cybersecurity; the expert knowledge I surveyed did not diverge significantly from the ‘dominant threat frame’ (Dunn Cavelty, 2008). This was still security of cyberspace, communicated using the familiar language of national security. The reproduction of this dominant construction across an expert site of discourse such as this tells us something about its broader sedimentation. However, I think we can go further in considering the reasons why this is occurring within this corner of the industry as well as the wider effects it is having.
Firstly, and most straightforwardly, private industry’s raison d’être is symbiotically linked to the continued existence and credibility of these threats, as private companies each compete in the marketplace for similar clients and must generate profit if they wish to survive or grow. Drawing on traditional and familiar understandings of security allows for the unambiguous communication of cybersecurity to a diverse but often layperson audience.
Secondly, in adopting the dominant threat frame, these companies have strengthened their relationships with public sector professionals of security and politics and formed communities of mutual recognition (Bigo, 2012: 74-75) with mutual benefit for both parties. In my research I provide numerous examples of these companies working closely with government. For example, to provide strategic guidance or to make up the membership of high-ranking committees. So, speaking the language of cyber (national) security not only has a straightforward material benefit for the industry but it also brings these two ‘sources’ (private sector and government) together with formidable delimiting effects upon how cybersecurity is understood. It helps to render cyber (national) security “common sense” while foreclosing other possibilities. Now singing from the same hymn sheet as government, private industry finds itself closer to lucrative government contracts as well as the levers of political power with the policy steering and agenda setting benefits this brings.
Finally, for the state, cybersecurity presents challenges to its traditional role as security guarantor and threatens to create a ‘sovereignty gap’ (Kello, 2017). In an effort to ensure that these ‘real space sovereigns’ (Lessig, 1999) maintain their ‘regulatory power’ over virtual space as they do with ‘real space’ (Coles-Kemp, Ashenden and O’Hara, 2018, p. 47), these relationships help to consolidate cybersecurity around a more familiar notion of national security and cast cyberspace as analogous with land, sea and air. So while the state cedes some of its monopoly on speaking and doing security by acknowledging the role of private sector expertise and capability (something it has been increasingly doing as security has become further privatised), it is also able to subsume this new source within the predefined assemblage of security, mobilising this expertise as capital in its securitising moves.
With cybersecurity viewed as synonymous with national security, governments can prioritise ‘technico-managerial’ approaches (Leander, 2005: 824) that focus on the protection of infrastructure and that legitimise the accumulation of data for enhanced techniques of surveillance. Such solutions are as narrow as the understanding of cybersecurity itself and ‘mainly benefits a few already powerful entities…[with]…no, or even negative effects for the rest’ (Dunn Cavelty, 2014: 707).
Foucault wrote that power, ‘produces reality; it produces domains of objects and rituals of truth’ (Foucault, 1977: 194). Most importantly power produces knowledge; knowledge is always the product of power and power always the function of knowledge. The production and consolidation of this knowledge and the material consequences and security practices that flow from it are a manifestation of power that have been, ‘manufactured and circulated by an institutional matrix, involving the state, politicians, security experts and the media’ (Mythen and Walklate, 2006: 389). My book argues that the result has been to maintain an (in)security status quo, extend a strategy of neoliberal governance and foreclose a more radical reimagining of what meaningful “cybersecurity” might be.
By Andrew Whiting
Andrew Whiting is a Senior Lecturer in Security Studies at Birmingham City University
Constructing cybersecurity: Power, expertise and the internet security industry by Andrew Whiting is available to buy now.
Betz, D. J. and Stevens, T. (2013) ‘Analogical reasoning and cyber security’, Security Dialogue, 44(2), pp. 147-164.
Bigo, D. (2012) Globalisation and security. In: Edwin Amenta, Kate Nash and Alan Scott A (eds.) The Wiley-Blackwell Companion to Political Sociology. Chichester: Blackwell Publishing, pp. 204-213.
Coles-Kemp, L., Ashenden, D. and O’Hara, K. (2018) ‘Why Should I? Cybersecurity, the Security of the State and the Insecurity of the Citizen’, Politics and Governance, 6(2), pp. 41-48.
Dunn Cavelty, M. (2008) Cyber-security and threat politics: US efforts to secure the information age. London: Routledge.
Dunn Cavelty, M. (2013) ‘From cyber-bombs to political fallout: Threat representations with an impact in the cyber-security discourse, International Studies Review, 15(1), pp. 105-122.
Dunn Cavelty, M. (2014) ‘Breaking the cyber-security dilemma: Aligning security needs and removing vulnerabilities’, Science and Engineering Ethics, 20(3), pp. 701–715.
Foucault, M. (1977) Discipline and punish: The birth of the prison. Translated from French by Alan Sheridan. London: Penguin Books.
Hansen, L. and Nissenbaum, H. (2009) ‘Digital disaster, cyber security, and the Copenhagen School’, International Studies Quarterly, 53(4), pp.1155-1175.
Kaspersky Labs (2002) Kaspersky goes east. [online] Kaspersky Labs. Available at https://www.kaspersky.com/about/press-releases/2002_kaspersky-goes-east [Accessed 23/06/2020]
Kello, L. (2017) The virtual weapon and international order. London: Yale University Press.
Leander, A. (2005) ‘The power to construct international security: On the significance of Private Military Companies, Millennium, 33(3), pp. 803-826.
Mythen, G. and Walklate, S. (2006) ‘Criminology and terrorism: Which thesis? Risk society or governmentality’, British Journal of Criminology, 46(3), pp. 379-398.
Steuter, E. and Wills, D. (2009) At war with metaphor: Media, propaganda, and racism in the War on Terror. Plymouth: Lexington Books.
Wolff, J. (2014) ‘Cybersecurity as Metaphor: Policy and Defense Implications of Computer Security Metaphors’ (March 31, 2014). TPRC Conference Paper, available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2418638 [Accessed 23/06/2020]