Conflict in Cyber Space: Theoretical, Strategic and Legal Perspectives, Karsten Friis and
Jens Ringsmose eds., London: Routledge, 2016.
From Cyber Threats to Cyber Risks
Karsten Friis and Erik Reichborn-Kjennerud
Norwegian Institute of International Affairs (NUPI)
Introduction
While issues relating to cyber security have been on the security policy agenda for several
decades, it is only recently that cyberspace has moved to the top of the national and
international security agendas. As a result, discourses on cyber security have increasingly
become dominated by militarised language and links between cyberspace and strategic
threats. The use of metaphors of war and nuclear deterrence, talk of a new Cyber Cold War,
and drawing analogies to catastrophic events such as Pearl Harbor and 9/11 are all examples
of this (Kerry 2013; Bumiller and Shanker 2012; Lynn 2010). The debates surrounding cyber
security reflect our growing dependency on cyberspace and the willingness of states and non-state actors to exploit it for political, economic, military or other gain. This also means that cyber
security is not merely a technical problem, but one that has ramifications throughout society.
In addition, states, organisations and corporations have established various cyber security
institutions to deal with the myriad of challenges stemming from increased dependency on
cyber and the inherent vulnerabilities of cyberspace.
This has led a number of scholars to examine whether cyberspace has been securitized; i.e.
lifted out of the realm of regular politics and treated as an emergency, thus legitimising
extraordinary countermeasures (Buzan et al. 1998). Although they find many cases of
attempted securitization, such as the hyperbolic language mentioned above, these have had
limited resonance and have rarely resulted in extraordinary countermeasures. At the same
time, numerous high profile cyber attacks and empirical evidence show that cyber security is
of growing importance and is being practiced on a daily basis by security professionals in
various locations at the national level throughout industries and commercial entities, and by
individuals. In other words, cyber security has become vital to modern societies, despite not
having been securitised. Why is cyber security produced despite the lack of successful securitization? In
order to overcome the apparent limitations of securitization theory, this chapter proposes an
alternative analytical model, based on risk theory, in order to analyse the ongoing practice and
production of cyber security.
The aim of this chapter is to contribute to the discussion on how to theorise about and how to
study cyber security. We will argue that in order to develop sound theories on cyber security,
we need to move from the traditional threat-based logic of an actor's ability to realise its
harmful intent to a focus on cyber security that takes cyberspace as its starting point. This
calls for a focus on the material aspects of cyberspace and the ongoing practice of cyber
security, and not only the social process of defining something as a security problem, often
associated with elite discourses. In addition, taking cyberspace as the starting point means that
we need to acknowledge our societal dependency on cyberspace and the subsequent
vulnerabilities. Cyber security will then shift away from a threat-based logic to a risk security
logic. While threat-based security deals with the direct causes of harm, risk security centres
on the conditions of possibility or constitutive causes of harm. This opens up a different logic
which calls for long-term precautionary governance rather than exceptional short-term
measures. Thus risk not only broadens, but transforms security, as different measures are
introduced to deal with potential, hypothetical and less than existential dangers. Given the
vulnerable nature of cyberspace and everyday cyber security challenges, measures to deal
with cyber security are always in a state of flux.
Situating cyber security within the risk security logic, we follow Olaf Corry's theory of
'riskification' (Corry 2012) and argue that cyberspace has become riskified, but not
securitized. This approach also enables us to better incorporate the nature of cyberspace, the
material dimension, than traditionally permitted by securitization theory. In addition, it allows
the incorporation of the everyday practices of cyber security into the analysis. Riskification
theory thus has the potential to provide us with a better understanding and more accurate
picture of cyber security.
The first section will discuss how the socio-political processes for securitizing cyber have
been theorised thus far. The next section will briefly introduce risk theory, before we apply
Corry's riskification model to cyber security. We will conclude with ethical reflections on the
implications of applying risk theory to cyber security.
Theorising Cyber Security Policies: Securitization
According to Myriam Dunn Cavelty, 'political science literature on cyber-security (…)
remains policy-oriented and does not communicate with more general international relations
theory' (Cavelty 2013). The exception, she asserts, is 'a limited number of scholars have used
frameworks derived from Securitization Theory' (Cavelty 2012; Choucri 2012)1.
This predominantly constructivist approach to security rejects the notion that there is
something like objective (in)security and focuses on the social process of defining something
as security. It is never a priori given what and who represent a threat, to what or whom, and
what to eventually do with it. In our case, where we seek to analyse the various interpretations
of vulnerabilities, perceptions of dangers, the responses, policies and other attempts at
creating cyber security, this theoretical approach is a good starting point.
The Copenhagen School of security studies argues that security 'is the move that takes politics
beyond the established rules of the game and frames the issue either as a special kind of
politics or above politics' (Buzan et al. 1998, 23). Securitization theory defines a spectrum of
possible policies, ranging from non-politicised (the state does not deal with it and it is not an
issue of public debate) through politicised (the issue forms part of public policy, requiring
government decisions) to securitized (an issue is presented as an existential threat, requiring
emergency measures and justifying actions outside the normal bounds of political procedure).
Based on a social constructivist epistemology, securitization theory thus places
emphasis on the social construction of threats and the responses to these threats. Less
emphasis is placed on the 'nature' of the threat (such as number of warheads), as this in any
case needs to be interpreted and represented by human beings in a social setting (Hansen
2011)2.
The basic pillars of the Copenhagen School are the securitizing actor(s) conducting a 'speech
act', a referent object that is regarded as being under existential threat, and an audience
responding to and (if the securitization is successful) accepting the securitization. The result
of successful securitization is shared recognition that extraordinary countermeasures are
necessary and legitimate in order to counter the threat. However, if the audience does not
accept that the referent object is under an existential threat, the securitizing move will fail.
Shared acceptance of the existence of the threat, as well as of its gravity (i.e. that it is critical
to the survival of the referent object) is crucial in order to understand the dynamics of
securitization theory. If these conditions are missing – i.e. if the audience does not recognise
the threat or regards it as less imminent or grave than the securitizing actor does – the securitization
attempt will fail. In the case of cyber, one can therefore imagine a process where authoritative
voices (cyber security experts, government officials, etc.) call out and warn about the new
dependencies and vulnerabilities following the digitisation of, for instance, critical
infrastructure or information. The audience, for instance the US Congress, the President and
the US public, is being convinced, which may subsequently lead to the establishment of new
institutions, laws and resources to counter this threat. Through the Copenhagen framework,
each step in such a process may be scrutinised more closely – and critically. As there is no
a priori link between the resources spent and the 'objective' nature of the threat, securitization
theory gives us an insight into inter alia governmental decision-making and resource
allocation.
Securitization – Or Not?
Johan Eriksson made the first attempt to elaborate on this conceptualisation of cyber security
in 2001. His approach is 'threat politics' which is 'how and why some threat images but not
others end up on the political agenda' (Eriksson 2001, 211). By combining securitization
theory with framing and agenda-setting theories, he argues that cyber and IT became
securitized in Sweden after the Cold War. He shows that the 'military-bureaucratic security
establishment' embarked upon the 'new threats' at the end of the Cold War, and framed them
in terms of 'information warfare' and 'information operations'. By doing so they seized 'a
dominant position in the securitization of IT' (Eriksson 2001, 215). Largely inspired by the
USA, Swedish security experts framed and talked about the problem in the same way as in the
USA. However, the policy responses were very different. Eriksson points to 'bureaucratic turf
battles' taking place among the governmental agencies responsible for managing IT security.
He also asserts that the 'securitisation of IT is sometimes far too exaggerated. All computer
problems, bugs, data diddling, spamming and break-in attempts are hardly existential threats
to a sovereign state' (Eriksson 2001, 218).
Eriksson's main approach is framing theory; he therefore elaborates less on the securitization
dimension. For instance, he does not specify what the referent object is (network vulnerability
or the sovereign state?), and does not explain in depth what extraordinary measures were put
in place to protect the referent object. It seems clear from his analysis that the military-bureaucratic establishment – as securitizing actors – attempted to securitise cyber security.
However, it is less convincing that the audience (Swedish government and society) accepted
this, and that extraordinary measures were put in place. The mentioned bureaucratic turf
battles indicate a classic civil service response to new inter-sectoral challenges. Had the stakes
been higher, time of the essence, and valuable institutions under an existential threat, the
government most likely would have taken action and imposed solutions. The lack of such
urgency indicates that securitization actually failed in Sweden.
This is also how Bendrath, Eriksson and Giacomello describe cyber security in the USA
during the Clinton years: much talk about cyber terrorism, but limited de facto responses
(Bendrath et al. 2007). 'There was not much panic politics that moved beyond democratic
procedures…The US government did talk the talk of securitization but they did not really walk
the walk – not yet' (Bendrath et al. 2007, 67). However, Bendrath et al. argue that cyber
security was properly securitized during the Bush years. This was done particularly in the
wake of the 9/11 attacks, when specific immediate cyber security measures were
implemented. The Patriot Act and other legislation criminalised certain computer activity, the
President appointed a Special Advisor on Cybersecurity, and the Office of Cybersecurity and
Communications was established. One may nevertheless ask whether this represents proper
securitization of cyber. The measures taken were arguably limited compared to other sectors
(such as airport security), and there was no indication of existential damage to critical
infrastructure or other valuable referent objects. Most importantly, however, this was hardly a
securitization of cyberspace itself, but rather a dimension of the general securitization linked
to the 'War on Terror' that followed the 9/11 attacks. The referent object here was thus the US
state and society, not cyberspace as such. Irrespective of their views on this particular period,
the authors recognise that securitization theory does not cover the 'less panicky ways'
(Bendrath et al. 2007, 79) in which cyber threats are often framed. Instead, they argue that
what they label the 'threat politics approach' is more appropriate to the study of cyber security.
This approach largely builds on frame theory which 'may, but do not necessarily, include an
identification of existential threat and a legitimisation of extraordinary measures' (Bendrath
et al. 2007, 80).
'Threat politics' is also Myriam Dunn Cavelty's approach, where she combines securitization
theory with frame analysis and agenda-setting theory (Cavelty 2008). She tells 'the story of
how and why cyber-threats came to be considered one of the quintessential security threats
of modern times in the United States' (Cavelty 2008, 1). She states that the framing of the
problem has remained largely stable since the mid-1990s: critical infrastructure protection
(CIP), including the digital information security dimension, has been the focal point of US
cyber security measures for the past two decades. The focus on CIP primarily emerged in the
wake of the 1995 Oklahoma City bombing; a focus not even altered by the 9/11 attacks
(Cavelty 2008)3. As cyber is predominantly a civilian and largely privately-owned domain,
traditional state security approaches have been of limited relevance. As a result, Dunn Cavelty
concludes that what has taken place in the USA is 'failed securitization'. Although CIP is
regarded as national security, 'no exceptional measures are envisaged that would traditionally
fall under the purview of the national security apparatus' (Cavelty 2008, 132-133). Policies
are neither taken out of 'normal bounds' nor are 'exceptional measures' implemented. Instead
she argues that we are witnessing a new logic of security where technical security merges
with national security. Hence, security policy cannot be restricted to 'policy for extraordinary
circumstances' (Cavelty 2008). In short, her empirical research reveals shortcomings of
securitization theory when applied to cyber security.
As the spectrum of potential threats is vast and fundamentally uncertain, and the list of
potential malicious actors is so broad, it becomes challenging to identify key terms like
'existential threat'. Which referent object is under threat? In relation to CIP, it may be national
key functions, but as Dunn Cavelty shows, this does not mobilise 'extraordinary measures'. It
is more a matter of day-to-day routine management. From an analytical perspective, it is
thus difficult to say when a policy is extraordinary and when it is normal.
Lene Hansen and Helen Nissenbaum also attempt to resolve these challenges by expanding on
the Copenhagen School (Hansen and Nissenbaum 2009). They seek to link securitization
theory to cyber security by combining constellations of referent objects, such as 'networks'
and 'humans'. This allows a broader and inter-sectoral discursive analysis of the securitization
process. They also introduce new 'grammars' into the Copenhagen framework, like
'technification', which highlights the role of ICT security professionals in defining the dangers
and in responding to them. The important role of experts and the everyday practices in the
production of security have also been highlighted in other contexts, where it is argued that
security analysis should not be limited to elite discourses. Such a focus is vital to furthering
our understanding of how security measures emerge bottom-up through an ongoing process of
technocratic normalisation by security professionals (Bigo 2002; Balzacq 2010).
In contrast to Dunn Cavelty, and in line with Bendrath et al., Hansen and Nissenbaum claim
that cyber security has been successfully securitized in the USA, and list the various new
institutions and strategies that have emerged since the mid-1990s as evidence of this.
Again one must ask what is 'extraordinary' and what is 'normal', and the diverging conclusions
regarding the USA illustrate that securitization theory is unclear on this. All agree that there
have been several attempts to securitize cyber, but it is unclear whether the audience has
accepted them, if the referent object(s) were considered to be under existential threat, and if
the measures taken were exceptional or not. As Dunn Cavelty puts it: 'it remains largely
unclear which audience has to accept what argument, to what degree, and for how long'
(Cavelty 2008).
Hansen and Nissenbaum's main case is the cyber attacks on Estonia in 2007, when Estonian
officials went far to securitize the event. However, the inability to prove that it had been
orchestrated by Russia and the lack of significant damage to the Estonian society resulted in
the general failure of this securitization attempt as well. NATO, the EU and the USA did not
recognise them as an attack on Estonian sovereignty, which could have triggered NATO's
Article 5. The attacks had several effects, such as contributing to 'cross-fertilisation' of cyber
and terrorism, highlighting politically-motivated hacking, etc., which is illuminated by
Hansen and Nissenbaum's theoretical framework, and the politically important establishment
of NATO's Cooperative Cyber Defence Centre of Excellence in Tallinn. However, the core of
securitization theory, to demonstrate how issues are lifted out of regular politics and into a
higher order politics – legitimising extraordinary responses, was not applicable in this case.
The Limits of Securitization Theory
All of the contributions discussed above have found it necessary to expand upon or twist
securitization theory in order to make it fit cyber security. The cases of attempted
securitization are found mainly through hyperbolic statements, but they have had limited
resonance in various national and international audiences. Securitization has therefore failed.
This begs the question: if securitization theory has limited value even for cases like Estonia, is
it a useful theoretical lens for the analysis of cyber security? Given the unlikelihood that cyber
attacks will cause massive death and physical destruction, can securitization ever be expected
to be successful? Will it remain in the sphere of day-to-day management, rather than in the
realm of urgent extraordinary means?
Lowering the bar for defining securitization, as in Bendrath et al. and Hansen and
Nissenbaum, is hardly a solution. The establishment of new institutions in the USA is not
enough to qualify as securitization. In our view, the term securitization should be restricted to
the extreme cases when there are sudden shifts in policy, urgent responses and heated debates.
The theory is highly applicable to, for instance, the outbreak of civil wars, as it helps provide
an understanding of why neighbours suddenly turn on each other. However, it is less
applicable to the less dramatic non-kinetic discourses on cyber security.
Another shortcoming in securitization theory is its relation to the material dimension of
security. Claudia Aradau has argued that securitization theory has largely ignored the role of
objects or 'things' – due to its association with the linguistic and social constructivist turn in
IR. Material factors have often been relegated to the outside realm, as simply facilitating
conditions for securitization (missiles, tanks, etc.) or as remnants of mainstream positivism.
She asserts that as objects have the capacity to both enable and constrain effects on what can
be said and done to secure them, it is important to understand the relation between matter and
meaning. Matter should not simply be understood as an end product of discourse, as the effect
of performative speech acts, but should be regarded as an active factor in material-discursive
processes. In this sense, it can also be seen as facilitating conditions for speech acts (Aradau
2010). Securitization theory thus has limited value in terms of illuminating how changes in
the nature of cyberspace (as discussed in the Introduction) impact on security discourses and
practices. Without attention to the material aspects of cyberspace, a proper analysis of the
production of cyber security is hindered.
Furthermore, the nature of cyberspace means that most of the day-to-day workings of cyber
security are reactive, in the sense that the security professionals are always reacting (if they
themselves are not engaged in offensive cyber operations) to new software and malware
installed in the systems, patching known vulnerabilities and creating new anti-malware
software4. This is a dynamic practice, where cyber security is constantly being co-produced
by new malware and new practices to counter this malware, both constrained and enabled by
the technical logic of cyberspace. The nature of cyberspace – and cyber security – is therefore
ongoing and dynamic, and is being dealt with on a daily basis. The material or technical
dimension is crucial in cyber security, but the kind of responses and countermeasures chosen
are not given. Cyber security is not just a technical problem, but a practice that is co-produced
by material-discursive processes.
To address these shortcomings without dismissing securitization theory altogether, we
propose a framework that systematically differentiates between securitization 'proper' and
other, less dramatic but still serious, security challenges, and which also allows the analysis of the
material aspects of cyberspace and the practices of cyber security experts. To do this, we need
to distinguish between threats and risks. Threats and risks are both perceptions and
representations of certain dangers but, as we see it, only the former can be securitised. Threats
are representations of danger that imply an agent with intent and capabilities. The focus is
thus outwards, towards the danger, and responses typically include deterrence, defence and
offense. Risk, on the other hand, has a different logic associated with it. Framing something as
risk produces security practices that are about probabilities, prevention, future scenarios and
management, as opposed to deterring adversaries or defending against or defeating
identifiable and calculable threats.
What is Risk?
Risk analysis and management of risk have been applied to almost every facet of human
endeavour, from finance and fishing to epidemiology, ecology, war and welfare. In the
rationalist tradition, risk analysis is an instrument that is used to enhance decision-making by
estimating future danger in terms of risk. It is premised on the belief that risks can be
classified and quantified, and thereby used to predict possible futures to be managed. In recent years,
however, scholars from different theoretical backgrounds and political inclinations have
begun to explore the concept of risk more critically.
One can broadly lump security studies scholars within the field of risk into two camps: those
who follow the work of Ulrich Beck and his risk society thesis and those who follow Michel
Foucault and his work on governmentality (Rasmussen 2006; Coker 2002; Heng 2006; Ewald
1986; Dean 1999; Aradau and Munster 2007). The 'Beckians' start off with Beck's idea of the
risk society, a theory that describes the macro-structural changes happening in the West as the
bipolar world is fading away and we are 'moving from a world of enemies to one of dangers
and risks' (Beck 1999, 3). Dangers are now conceptualised as risks in terms of their
'probabilities and magnitude of consequences' (Heng 2006), making risks much more open to
subjective interpretations than threats. In Beck's definition, risks are seen as both 'real'
and 'socially constructed', but this interpretation hinges on a distinction between risk and
danger. He argues that risk arises through assessments of future dangers and becomes 'real'
when one sees the possibility of acting to prevent or mitigate the potential effects of danger in
the future. Thus, risks only occur when one locates a danger, assesses it and then decides
whether to act on it. 'Risks concern the possibility of future occurrences and developments;
they make present a state of the world that does not (yet) exist. Risks are always future events
that may occur' (Beck 2009, 9). Risk is thus linked to interpretation and decision, while
dangers are seen as 'existing'.
The risk security writers that largely take Foucauldian governmentality as their starting point
view risk as a tool used by certain actors (primarily governments) to expand neo-liberal
control mechanisms – rather than an inherent condition of the world. Risk, in this view, is a
mode of governmentality that implies the expansion of regulatory regimes. It is a particular
rationality of government that works to legitimise actions of power vis-à-vis the population.
Such analyses of risk are interested in exposing 'how the world and existing problematizations
are made into risks [and] what effects this form of ordering entails upon populations' (Aradau
and Munster 2007, 97). As such, they move away from the Beckian critique of the attempts of
security elites and policymakers to control uncertainty. Instead they focus critically on control
regimes that seek to govern populations through strategies portraying the future as
computable, calculable and manageable.
We see that the two risk 'schools' reach different conclusions as to how risks are generated
and how they are dealt with. Nevertheless, they agree that security is increasingly being
framed in the language of risk and that there has been a cognitive shift in how we think about
security. In addition, risk security writers agree that risk both transforms and broadens the
logic of security. They are worried, albeit for different reasons, about how the logic of risk
drives an expanding security agenda in which the precautionary principle and pre-emption
have become guiding principles in an ever-increasing 'routinisation' of security. In essence,
they argue that risk has become the new security, and that the changing practices and meaning
of security are thus best understood through a risk framework. We will therefore next discuss
how we can apply risk theorisation to cyber security, while retaining the social construction
elements of the Copenhagen School.
Riskification
Fortunately someone has already made such a marriage, albeit in a different sector (field) than
cyber. Olaf Corry's term 'riskification' captures the idea of a 'social process of constructing
something politically in terms of risks' (Corry 2012, 238). The term builds on the
securitization framework, but can be placed between securitization and politicisation. It is not
about existential threats, but less dramatic security challenges. Corry stresses the difference
between threats and risk, as discussed above. He does this by particularly highlighting how
risk focuses on future scenarios and policies aimed at preventing them from materialising. From
this perspective, risk tends to depersonalise danger, as it does not require an enemy to do the
threatening. As risks are considered a more or less permanent feature of modern societies,
they cannot be eradicated, only managed, he claims. As a result, 'risk security measures will
tend to be permanent features of society' (Corry 2012, 245).
Securitization theory is unable to capture security policies related to risks, as risks are neither
existential nor call for radically exceptional policy responses. Corry's riskification concept
helps mitigate this weakness, as it remains within the same basic parameters of securitization
theory. It still requires someone to advocate security measures to be put in place, a valued
referent object to protect, and an audience that accepts the need for new security measures.
A shared starting point is the constructivist epistemology position on dangers. According to
Corry, nothing is inherently a threat or a risk as 'different dangers can be constructed in terms
of either risk or threat at different times' (Corry 2012, 246). To understand the difference
between threat security policies and risk security policies, one can therefore not define the
former as graver or more dangerous than the latter. Rather, Corry argues that risk security can
be distinguished from threat security by three features:
First, it implies a different kind of causality. Risk makes us think of the 'constitutive causes of
harm', rather than the direct causes of harm (as in threats) (Corry 2012). Riskification relates
to the factors that make a danger possible, such as vulnerability of societies, weak
international regimes and the existence of weapons. In contrast, the threat and securitization
of, for instance, terror is 'connected to particular agents believed to exist and have malicious
intent and capability to commit acts of terror' (Corry 2012). This is a more direct causation of
harm than a risk, and produces a different logic for action. Furthermore, Corry argues,
'(t)hinking in terms of constitutive causes draws attention to background factors and
structures (material or discursive) that make certain actions or events possible' (Corry 2012).
The focus on constitutive background factors thus allows for the inclusion of material factors –
such as malware – into the analysis.
Second, there is a change of locus of security action: 'whereas securitization involves a plan
of action to defend a valued referent object against a threat, riskification implies a plan of
action to govern the conditions of possibility of harm' (Corry 2012, 247). Threats cannot be
governed, only defended against. The attention is therefore outward, while a risk policy looks
inward. 'Security thus has to take on modus operandi other than defence' (Corry 2014). It is
not about deterrence, defence or fighting, but about understanding dependencies and
vulnerabilities, precaution and governance. It is about reducing the chances of possible future
harm through preventive policies, resilience and international governance.
Third, while securitization calls for immediate and short-term responses through extraordinary
measures, riskification promotes long-term thinking, investment in governance capabilities,
investment in precautionary measures and resilience. In contrast to securitization, it may open
debates and increase transparency in the discourse on security (Corry 2012, 248).
To sum up, riskification is not characterised by an existential threat to a valued referent object
leading to exceptional measures against external and ungovernable threatening others. Rather,
it posits risks (understood as conditions of possible harm) to a referent object. This thus
leads to 'programmes for permanent changes aimed at reducing vulnerability and
boosting governance-capacity of the valued referent object itself' (Corry 2012).
Riskification of Cyber
Armed forces worldwide are generally constrained to protecting their own information and
communications technology (ICT) systems. The main responsibility for securing cyberspace, on
the other hand, lies with civilian and commercial agencies. This means that cyber security is
mostly dealt with on a day-to-day basis by cyber security professionals in civilian and
commercial organisations rather than military 'cyber warriors'. In contrast to securitization
theory, riskification may be a relevant tool for the analysis of these less dramatic responses
and the everyday production of cyber security. This includes preparations to sustain larger
attacks, while keeping the door open for escalation and securitization under particular
circumstances. In the following, we take Corry's three characteristics of riskification (constitutive
causality, governance, and the long-term perspective) and see how they apply to cyber
security.
Constitutive Causality
Cyber danger is better depicted as a constitutive rather than a direct cause of harm. The risk of
cyber attacks cannot be reduced to malicious actors' intent and capabilities alone. This is
partly due to the problem of attribution in cyberspace (Singer and Friedman 2014) and as such
it is the dependencies, vulnerabilities and resilience of own systems that largely define the
probability and consequences of an attack. In other words, it is the 'background factors' that
make action possible that define the dangers, not actors' intent and capabilities alone.
Furthermore, in most cases cyber attacks are not regarded as an immediate threat, but an
ongoing risk and a potential scenario. Risks occur through assessments of future dangers and
efforts to prevent or mitigate these.
Of course, cyber attacks may occur as spillovers from political conflicts and tensions in other
regions, such as Estonia in 2007 and Georgia in 2008 (O’Connell 2012) or the much-publicised cyber conflict between China and the USA (Lindsay et al. 2015). If a state is in the
midst of such a crisis or war, the problem of attribution in cyberspace is less of a mystery. In
these cases, urgency is more of a concern, and securitization is a better way to characterise the
processes taking place. In these cases, cyber security is simply a sub-set of a larger political
conflict, not a security sector in and of itself.
However, the dangers stemming from a cyber attack in peacetime are better depicted as risks.
It should be noted, however, that ongoing cyber operations blur the line between peace and
conflict. Security policies focus on our societal dependencies and the vulnerable nature of
cyberspace, and aim to reduce the negative implications of a potential future attack
(resilience). An analysis of today's cyber security policies would need to capture the entire
spectrum of these constitutive causes of harm; the interpretation and representation of the
risks, the proposed countermeasures among various public, corporate and private actors, the
international efforts and the networks between all these actors.
Thinking in terms of constitutive causes allows us to also draw attention to cyberspace itself,
to the digital materiality of malware, and to the vulnerabilities in our own systems. A would-be riskifying actor would need to point to the evolution of cyberspace; new dependencies and
vulnerabilities and the constantly changing syntactic level. The evolution of the technical or
material aspects of cyberspace is thus an integral part of any risk assessment. This does not
mean that there is no room for interpretation or social and political factors, but that the
dynamic nature of cyberspace requires an ongoing rephrasing and reassessment of the risks at
hand. In other words, there is no material determinism, but an 'active' material dimension
which constantly plays into – and constitutes – the social dimension. Taken together, these
factors constitute the risk of a cyber attack.
Governance
Riskification is about governing, not preventing, the possibility of harm. The focus on cyber
security is more internal (vulnerability focus) than external (friend-enemy focus), as the locus
and nature of the threat is unknown. Resilience of one's own systems is therefore key, as there
are limits to what firewalls and anti-virus systems can do to protect them. Most attention is
given to precautionary measures, such as patching holes in the systems, updating software,
encryption and improving back-ups (Harrop and Matteson 2013-14). Cyber defence
organisations, such as computer emergency readiness teams (CERT), obviously also monitor
the cyber system as a whole and look for patterns and early indicators of attacks. However, as
most severe cyber attacks usually exploit unknown vulnerabilities in a system, so-called zero-day attacks (Andress and Winterfeld 2011), setting up a defence makes little sense, as they are
by definition unknown. Cyber security experts therefore never know exactly what to look for,
but once malware is identified, countermeasures are put in place. Malware is therefore often
labelled a single-shot gun – it can only be used once. As a result, cyber security is always
reactive [5] and an attack is usually only discovered long after it has been launched.
Furthermore, cyber security professionals are busy on a day-to-day basis, revealing and
managing the myriads of small and large attacks. They do not wait passively for an enemy to
intrude, but actively scan the horizon for dangers to manage. This is cyber security practice at
its core.
The focus on internal management makes the technical cyber security professionals the focal
points of cyber security. This bottom-up and technically-heavy nature of cyber security also
reinforces the point that this is management, not defence. In this respect, the inter-sectoral
nature of cyber risks makes it necessary to look at governance broadly, from industry to
civilian governance to the military. There is little use in mobilising only one sector, one
agency or institution to manage cyber risks of scale. Technical cooperation and shared
situational awareness are necessary in order to succeed in both the day-to-day risk
management and in the event of larger attacks.
The nature of cyber makes international CERT collaboration necessary. This allows the teams
to assist each other in the event of an attack and build shared situational awareness. The
numerous international efforts to improve internet governance and management indicate that
cyber security is being dealt with actively on the international level, although the
effectiveness can be debated. There are several government and inter-governmental initiatives
in the UN, the ITU [6], the OSCE [7] and in trade organisations. There are also 'I*star'
organisations which deal with critical internet resources, protocols, etc., like ICANN [8]. Finally,
there are multi-stakeholder initiatives, where governments, the private sector and non-governmental actors meet, such as the Internet Governance Forum, and similar conferences
(Kleinwächter 2013). These international efforts aim to reduce vulnerabilities in the system
and share information, but also to generate confidence-building measures between countries
with political differences or conflicting views on how to regulate the internet. All of these
national and international governance initiatives focus on governing risk, not preventing it.
The Long-term Perspective
Cyber security cannot be confined to the military security sector alone, which is true of much
of the traditional security discourse. In particular, the private sector, telecommunications and
internet providers are critical in terms of security. The myriad of actors involved in cyber
security complicates the matter, as they often have diverging interests and different political
aims. As such, cyber security efforts are often aimed at 'soft' measures like 'awareness
building', 'information sharing', 'confidence building' and 'best practices' such as encryption,
cyber hygiene, etc. in order to manage the various challenges associated with the inter-sectoral cyberspace. These are long-term investments and precautionary measures aimed at
reducing vulnerabilities and thereby risk, not defending against an attack. Because urgency is
less of a factor in risk than in securitization, riskification allows for contemplation, debate and
numerous online discussions about the various risks at hand. It is long-term security building,
not driven by urgency or panic, although much of the discourse around cyber security is
precisely this.
Efforts to enhance cyber security are more transparent and openly debated than most
traditional security fields. It is the technical nature that keeps much of the discourse
'encrypted' for outsiders, rather than deliberate attempts to keep the processes secret.
Obviously, detailed information about CERTs' and intelligence services' methodologies, or
private companies' cyber security strategies are kept secret, but the overarching discussions of
principle and strategy are open and transparent. The important role of the private corporate
sector and civil society like 'white hat hackers' in cyber security also enhances transparency.
The latter spend their days trying to worm their way into clients' computer systems to see how
vulnerable they are to cyber-criminals, spies and other nefarious 'black hats' [9].
Edward Snowden's revelations about the NSA's cyber security programmes may arguably
counter this argumentation. The secret cyber conflict taking place between the NSA and its
Chinese counterpart is far from transparent and open. There is little doubt that intelligence
services and numerous other global actors in cyberspace operate with a high degree of
secrecy. Nonetheless, this tug of war also takes the form of open debates about risks. It was
for instance a private US security company, Mandiant, which revealed the location of a
Chinese cyber operation's headquarters in Shanghai in 2013 [10]. Furthermore, the most famous
cyber attack to date, the Stuxnet worm, became publicly known, despite initially being a
highly secret computer network attack (CNA). This demonstrates that even the most
sophisticated and secret malware cannot be contained for ever – and eventually will leak out
to the public (Lindsay 2013).
By introducing riskification and Corry's three features as an analytical category between
politicisation and securitization, we have opened the way for a more nuanced understanding of how
states and societies respond to cyber security, domestically and internationally. This allows
the necessary breadth in scope in terms of domains and actors, and the decoupling of the
analysis from the binary logic inherent in threat politics. By doing so, we move away from a
focus on enemy actors and capabilities, and the corresponding terminology of deterrence,
defence, urgency, immediacy, and direct causes of harm, and turn to probabilities, future
scenarios, management and governance. We thus move from an outward look at the world
'out there' to a more inward focus on internal dependencies, vulnerabilities, responses and
resilience. Most importantly, riskification allows an analysis of the material aspects as well as
the crucial role of the day-to-day cyber security professional in the provision of cyber
security. Finally, the move from threats to risk also facilitates a more critical approach
towards the hyperbolic attempts to securitize cyber.
However, a focus on risk also means attention to vulnerabilities. This can have positive and
negative effects. One could argue that looking at vulnerabilities instead of at external actors
can result in an unhealthy focus on worst-case catastrophes – which again may lead to
increased militarisation of cyberspace (Cavelty 2012). On the other hand, such a focus may
lead to an effort to reduce vulnerabilities, thus minimising certain risks, such as systemic
failures and cyber crime. In addition, a focus on vulnerabilities rather than actors may have
the benefit of cyber security not becoming a self-fulfilling prophecy of a new Cyber Cold
War. We will conclude this chapter with further ethical considerations regarding the impact of
our theoretical approach.
Conclusion
The inherent normative approach of the Copenhagen School is that securitization may often
not be a good thing: 'security should be seen as negative, as a failure to deal with issues as
normal politics' (Buzan et al. 1998). De-securitization, in other words a return to normal
politics with less dramatic features, is therefore often seen as desirable. This particularly
applies to sectors like human security or environmental security, where state-centric and
militarised solutions may exacerbate rather than reduce tensions (Hansen 2012). As we argued
at the outset of this chapter, the same can be said about cyber security. Attempts at
securitization have placed part of the cyber debate, particularly in the USA, in the military
logic of friend and foe, deterrence and war. This may also have 'legitimised' some of the
intrusive privacy practices of the NSA, as revealed by Edward Snowden.
However, Corry warns that de-securitization may also have negative effects. In the case of
climate change, it could lead to 'de-riskification', thus 'removing climate change away from
this precautionary logic and into "normal" politics of distribution of goods and bads' (Corry
2012, 255). This is where climate sceptics would like to see the debate; in other words as
entirely decoupled from security and heightened political attention. For others, climate change
is something that requires particular attention and preparedness, as it is on a higher policy
level than day-to-day politics.
In the cyber domain, few voices seek to reject the risks altogether, but the normative
imperative of talking in terms of risk rather than threats de-escalates the discourse. If that
were to fail, cyber security would become a domain totally dominated by security and
intelligence agencies, technical experts and not least the booming 'cyber-security military-industrial complex' that simultaneously cries wolf and offers solutions (Deibert 2013).
Riskification is thus an analytical tool that can be applied in order to empirically capture cyber
security efforts, the representation of the danger and the policies formulated to address it, as
well as a way to conduct critical analysis aimed at unmasking securitization efforts in this
field. Empirical analysis will most likely find that the riskification in certain places and at
certain times begins to resemble securitization. As with climate change, such securitization of
cyber can be criticised while offering an alternative security frame, so that a return to normal
politics no longer is the only option.
Nonetheless, following a Foucauldian approach to risk, one may argue that risk policies are as
dangerous to the freedom of society as securitization and militarisation, since the former
represent a more creeping and gradual change to the security and control measures of neoliberal regimes of power that call for a permanent process with no end. The slow processes
normalise security policies that would arguably have met resistance had they been put in place
abruptly. From this perspective, replacing securitization with riskification may not be a
positive move if the valued referent object is a free and transparent cyberspace.
Applying riskification analytically therefore does not need to automatically correspond to
advocating riskification of cyber security politically. That is a value judgement. Riskification
as an analytical tool can be applied without taking a normative stance on these matters, but it
can also be applied as a platform for critical judgements of current policies.
As we see it, applying riskification to the study of cyber security has important benefits. It
allows analysts to capture processes that may be at the boundary between risk and threat,
perhaps not existential, but still grave. It further allows escalation and de-escalation within the
same basic analytical parameters, and can also be combined with some of the proposed 'new
grammars' of the Copenhagen School discussed here, such as 'technification'. Importantly, it
allows for a deeper understanding of the intended and unintended material aspects of, and the
role of cyber security professionals in, the production of cyber security. Furthermore, riskification
does not preclude the continued use of other theoretical tools like 'frame analysis' and 'agenda
setting-theory'. It helps us escape the hyperbolic language of threats and dangers while
remaining seriously committed to recognising and understanding the risks and vulnerabilities
of our networked societies. It may also serve as a normative platform for the defence of
internet freedom against the growing pressure from the intelligence services and the
surveillance industry towards increased control and surveillance. With a less dramatic
representation of the cyber dangers, legitimate countermeasures will most likely be less
intrusive and omnipotent.
References
Andress, Jason and Steve Winterfeld. 2011. Cyber Warfare: Techniques, Tactics and Tools
for Security Practitioners. Waltham, MA: Syngress Elsevier.
Aradau, Claudia. 2010. “Security That Matters: Critical Infrastructure and Objects of
Protection.” Security Dialogue 41 (5): 491‒514.
Aradau, Claudia and Rens van Munster. 2007. “Governing Terrorism through Risk: Taking
Precautions, (Un)Knowing the Future.” European Journal of International Relations 13 (1)
(March): 89‒115.
Balzacq, Thierry, Tugba Basara, Didier Bigo, Emmanuel-Pierre Guittet and Christian Olsson.
2010. “Security Practices.” In International Studies Encyclopedia Online, edited by Robert A.
Denemark, 1‒30. New York: Blackwell.
Beck, Ulrich. 2009. World at Risk. 2nd edition. Cambridge: Polity.
Beck, Ulrich. 1999. World Risk Society. Malden, MA: Polity Press.
Bendrath, Ralph, Johan Eriksson and Giampiero Giacomello. 2007. “Cyberterrorism to
Cyberwar, Back and Forth: How the United States Securitized Cyberspace.” In International
Relations and Security in the Digital Age, edited by Johan Eriksson and Giampiero
Giacomello, 57‒82. London: Routledge.
Bigo, Didier. 2002. “Security and Immigration: Toward a Critique of Governmentality of
Unease.” Alternatives 27 (1): 62‒92.
Bumiller, Elisabeth and Thom Shanker. 2012. “Panetta Warns of Dire Threat of Cyberattack
on U.S.” New York Times. http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?pagewanted=all&_r=0.
Buzan, Barry, Jaap de Wilde and Ole Wæver. 1998. Security: A New Framework for Analysis.
Boulder, Colorado: Lynne Rienner.
Cavelty, Myriam Dunn. 2008. Cyber-Security and Threat Politics: US Efforts to Secure the
Information Age. London: Routledge.
———. 2012. The Militarisation of Cyberspace: Why Less May Be Better. 4th International
Conference on Cyber Conflict, edited by C. Czosseck, R. Ottis and K. Ziolkowski: 141-53.
Tallinn: NATO CCD COE Publications.
———. 2013. “From Cyber-Bombs to Political Fallout: Threat Representations with an
Impact in the Cyber-Security Discourse.” International Studies Review 15 (1): 105‒22.
Choucri, Nazli. 2012. Cyberpolitics in International Relations. Cambridge, Mass.: MIT Press.
Coker, Christopher. 2002. “Globalisation and Insecurity in the Twenty-First Century: NATO
and the Management of Risk.” Adelphi Papers 345. New York: Routledge.
———. 2009. War in an Age of Risk. Cambridge: Polity.
Corry, Olaf. 2012. “Securitisation and 'Riskification': Second-Order Security and the Politics
of Climate Change.” Millennium-Journal of International Studies 40 (2): 235‒58.
———. 2014. “From Defence to Resilience: Environmental Security Beyond Neo-Liberalism.” International Political Sociology 8 (3): 256‒47.
Dean, Mitchell. 1999. Governmentality: Power and Rule in Modern Society. London,
Thousand Oaks, Calif.: Sage Publications.
Deibert, Ronald. 2013. Black Code: Surveillance, Privacy, and the Dark Side of the Internet.
Expanded edition. Toronto: McClelland & Stewart.
Eriksson, Johan. 2001. “Cyberplagues, IT, and Security: Threat Politics in the Information
Age.” Journal of Contingencies and Crisis Management 9 (4): 211‒22.
Ewald, François. 1986. L'État providence [The Welfare State]. Paris: Editions Grasset.
Hansen, Lene. 2011. “The Politics of Securitization and the Muhammad Cartoon Crisis: A
Post-Structuralist Perspective.” Security Dialogue 42 (4-5): 357‒69.
———. 2012. “Reconstructing Desecuritisation: The Normative-Political in the Copenhagen
School and Directions for How to Apply It.” Review of International Studies 38 (03): 525‒46.
Hansen, Lene and Helen Nissenbaum. 2009. “Digital Disaster, Cyber Security, and the
Copenhagen School.” International Studies Quarterly 53 (4): 1155‒75.
Harrop, Wayne and Ashely Matteson. 2013-14. “Cyber Resilience: A Review of Critical
National Infrastructure and Cyber Security Protection Measures Applied in the UK and USA.”
Journal of Business Continuity & Emergency Planning 7 (2): 149‒62.
Heng, Yee-Kuang. 2006. “War as Risk Management: Strategy and Conflict in an Age of
Globalised Risks.” Contemporary Security Studies. London; New York: Routledge.
Kerry, John. 2013. “Foreign Hackers Are '21st Century Nuclear Weapons'.” Huffington Post.
http://www.huffingtonpost.com/2013/01/24/john-kerry-hackers_n_2544534.html.
Kleinwächter, Wolfgang. 2013. “Internet Governance Outlook 2014: Good News, Bad News,
No News?” CircleID.
http://www.circleid.com/posts/20131231_internet_governance_outlook_2014_good_news_bad_news_no_news/.
Lindsay, Jon R. 2013. “Stuxnet and the Limits of Cyberwarfare.” Security Studies 22 (3):
365–404.
Lindsay, Jon R., Tai Ming Cheung and Derek S. Reveron. 2015. China and Cybersecurity:
Espionage, Strategy and Politics in the Digital Domain. New York, NY: Oxford University
Press.
Lynn III, William J. 2010. “Defending a New Domain: The Pentagon's Cyberstrategy.”
Foreign Affairs 89 (5).
O'Connell, Mary Ellen. 2012. “Cyber Security without Cyber War.” Journal of Conflict &
Security Law 17 (2): 187–209.
Rasmussen, Mikkel Vedby. 2006. The Risk Society at War: Terror, Technology and Strategy
in the Twenty-First Century. Cambridge; New York: Cambridge University Press.
Singer, P. W. and Allan Friedman. 2014. Cybersecurity and Cyberwar: What Everyone Needs
to Know. New York: Oxford University Press.
Notes
[1] This claim can be challenged, as other theories also have been applied. Nazli Choucri, Cyberpolitics in
International Relations (Cambridge, Mass.: MIT Press, 2012), is but one example of a comprehensive theorising
of cyber security in international relations which is not based on the Copenhagen framework.
[2] The 'nature of threats' in the Copenhagen School is widely debated. See for instance Lene Hansen for an
overview of the discussion: Lene Hansen. 2011. "The Politics of Securitization and the Muhammad Cartoon
Crisis: A Post-Structuralist Perspective," Security Dialogue 42 (4-5).
[3] However, 9/11 resulted in a return to identifying 'terrorists' as the main cyber perpetrators – as opposed to
'states' in the early Bush administration.
[4] However, vulnerabilities that have not been exploited previously, so-called zero-day vulnerabilities, are
sometimes kept as secrets by governments and sold by various entities on the black market rather than patched.
See e.g. http://www.wired.com/2014/11/what-is-a-zero-day/.
[5] It should be noted that offensive computer network operations (CNO) are also part of cyber security in order to
bolster emergency preparedness and in some cases prevent attacks from occurring.
[6] International Telecommunication Union, http://www.itu.int/en/ITU-D/Cybersecurity/Pages/default.aspx.
[7] Organization for Security and Cooperation in Europe, http://www.osce.org/cio/126475.
[8] The Internet Corporation for Assigned Names and Numbers, https://www.icann.org/.
[9] 'White hats to the rescue', The Economist, February 22, 2014, available at:
http://www.economist.com/news/business/21596984-law-abiding-hackers-are-helping-businesses-fight-bad-guys-white-hats-rescue.
[10] See http://intelreport.mandiant.com/.