Cyber Threats and National Security: Real vs.

Perceived Threats
By: Vaidotas Piekus

Word Count: 14572

A dissertation submitted in partial fulfilment of the requirements for the Degree of Masters of Arts in International Political Economy Department of Politics University of Sheffield September 2012

Contents
Contents.............................................................................................................. 2 Introduction......................................................................................................... 3 Literature review................................................................................................. 5 1.Cyber threats to national security....................................................................8 1.1 The securitization of the cyber threats......................................................8 1.2 Economic sector..................................................................................... 11 1.3 Political sector........................................................................................ 14 1.4 Military Sector........................................................................................ 19 2.Rhetoric of the cyber security debate.............................................................24 2.1. The gap between perception and reality.................................................24 2.2 Exaggerated language of the cyber threats.............................................26 2.3 Mismatch between perception and reality of cyber threats - reasons and implications.................................................................................................... 28 2.4 Implications for the cyber security concept..............................................31 Conclusion......................................................................................................... 35 Bibliography....................................................................................................... 37

Introduction
The end of Cold War caused a lot of changes in the security field. During the Cold War era, the concept of security was framed within the threatening actions of aggressive states. States were the main referent objects in international relations and the debates about stability and security of the global world. This simplistic understanding of what has to be secured and from whom changed with the collapse of Soviet Union. Suddenly the biggest threat for many years disappeared and the gap was quickly filled with a variety of new threats that were moved onto the political security agendas of most countries (Cavelty, 2007a: 16). The US being the sole global superpower meant that the framing of the security debate came (and still does) from researchers, government officials and security experts who were primarily concerned about the threats to the US national security. The main concern was that of asymmetric warfare where the hostile actor would deal the crippling blow to a vulnerable spot of the state and this way would avoid direct military confrontation. The fear of asymmetric warfare became prominent after the 9/11 terrorist attacks, where the US was attacked avoiding the direct military confrontation. Vulnerable targets are usually described as critical infrastructure (CI). For example, sectors of information and communications, financial services, energy and utilities, transport and distribution (Halpin, 2006: 35). The appeal of these sectors as potential targets is undeniable, no modern state would be able to function properly without a smooth performance of these infrastructures. Moreover, following the rapid technological innovations in the 1990s these sectors became dependent on the computer networks having to ensure reliable and continuous operation (Cavelty, 2007: 16). This way the concept of cyber security became a big part of the security debate very quickly. Alongside environmental, societal and human security, it became the popular topic not only among the security experts and academics but also among the policy makers. This work is set out to analyse the concept of cyber security and the current discourse which is used to frame the threats that are coming from this particular sector. From the moment cyber threats were recognized as significant and worthy of consideration the discussion was accompanied by some exceptionally strong statements. As early as 1993 RAND researchers John Arquilla and David Ronfeldt announced that Cyberwar is
3

Coming! (Arquilla and Ronfeldt, 1993). This dread language has not stopped to this day. In 2010 Mike McConnell (former director of National Security Agency of the US and Director of National Intelligence) stated that The United States is fighting a cyber-war today, and we are losing (McConnel, 2010). However, despite this kind of language, we are in neither a cyber war, nor were there any cataclysmic cyber incidents with cascading effects throughout the world. This led many academics and security experts to believe that cyber threats are over-exaggerated. The central argument of the dissertation is that this exaggeration of cyber threats, as a specific type of rhetoric that has been used for the securitization of cyber security, had actually led to more insecurity. In other words, the way security experts and government officials have chosen to frame cyber security issues has created more insecurity on the national as well as on the international level. The main question of the dissertation, therefore, is this: What are the implications of the gap between actual and perceived cyber threats to national security and how does this gap influence the understanding of the cyber security concept? The securitization path of cyber threats taken by the US has led to the militarization of the cyber space and, while it will be shown that some threats and cyber incidents require full attention of the military, it can be argued that these threats should be dealt by ordinary means. This dissertation sets out to demonstrate how the process of the cyber threat securitization has created a gap between the real threats that come from cyber sector and threats are perceived to be real by military, security experts and the public. And more importantly, how this situation affects national security of the state and overall global stability. To explore this phenomenon the work will be divided as follows. The first part will be dedicated to a brief summary of the relevant work in the field of cyber security. The current state of cyber security debate will be explained and some existing gaps in the academic literature on this subject will be presented. The second section will frame the concept of national security in terms of cyber threats. Also in this section the securitization of the cyber sector will be analysed. Starting with the 1990s, the process of securitization will be explained through the institutional and policy developments in the US, with particular importance being given on the way the securitizing actors chose to frame the threats. Threats being framed in a specific way, have led the whole sector and the understanding of the cyber security to be shaped according to the interests of military and security experts. This caused the gap between the perceived threats and the real threats to occur, this section only briefly address this disparity as the final section will be dedicated to exploring this phenomenon. After the explanation of the
4

securitization, the section will examine the main referent actors and referent objects that are relevant when talking about the cyber security and will divide, using Buzans framework, threats to military, economic and political sectors. The section will show the impact that different cases of cyber threats have to these three sectors. The main objective is to show to what extent and exactly how cyber threats threaten the livelihood of the state. The final section will address the already mentioned gap between the real threats and the perceived ones. Taking evidence from the second section about the different cases of cyber incidents and vulnerabilities of states, the comparison will be made with the rhetoric that security experts and government officials are using. Underpinning reasons why there is a disparity between the two and what is the connection between the perception and reality will be the focus of this section. The concluding paragraph will focus on the case for the desecuritization of cyber security, in other words, taking cyber threats from the extraordinary politics and making them, again, part of the daily politics routine and ordinary security debate.

Literature review
Cyber threats have been on the lips of politicians and security experts from the mid1990s. President George W. Bush said in 2003 that securing cyberspace is an extraordinarily difficult strategic challenge (Bush, 2003) and President Barack Obama assured that cyberspace is real and so are the risks that come with it (Obama, 2009). Security experts seem to agree as CIO (a panel of experts) warned lawmakers about the looming threat of a cyber attack emanating from Iran (Corbin, 2012). However, the research on this topic within the Security Studies field is rather limited. The majority of work has been done on the technical aspects of the cyberspace, discussing matters such as cyber power and how it can be used in international relations. Also very common are specific and technical detail-oriented books and articles that only describe the threats but suggest nothing about how it affects the broader understanding of security. The acknowledgment of cyber realm began with the Robert Keohane and Joseph Nye article Power and Interdependence in the Information Age (1998) where they explored the ever changing conditions of international relations and understanding information as a form of power. After the 2007 cyber attacks against Estonia cyber security topic once again rose in popularity. Such books as Lech Janczewski and Andrew Colarik Cyber Warfare and Cyber
5

Terrorism (2008), Edward Halpin Cyberwar, Netwar and the Revolution in Military Affairs (2006) emphasised the new changes to military weaponry and new challenges for the states to adapt to technology evolution. Significant attention was given to the critical infrastructure protection and the threats that arise from vulnerable computer networks necessary for the smooth operation of infrastructures as electricity, logistics, water supply, communications, etc. (Brown, et al., 2006; Cavelty, 2007). According to Myriam Cavelty, this focus on technical aspects of cyber security exists mostly because the concept itself does not fit well into established categories, neither conceptually nor theoretically and it sits between various intersecting security discourses and disciplines (Cavelty, 2012: 2). This is understandable as cyberspace was mainly defined by the technology experts and the knowledge was, and to some degree still is, tightly maintained within that circle. Academics do not like to dive into the conditions that are defined by technical understanding which they do not possess. Regardless of that being true, it was shown that cyber security as a concept can still be approached without a deep understanding of the technical side, as cyber weaponry and cyber power is best understood as just another form of power. It is simply a tool, a means, while quite unique, still persisting to play the same role as traditional sources of state power as well as causes for its insecurity. Works that acknowledged the significant difference of cyber security from other types of securities include Martin Libickis (2009) report Cyberdeterrence and Cyberwar, where he emphasises the unique qualities of cyberspace and argues that the same rules do not apply to this sector, especially when thinking about the deterrence and war fighting. One of the most influential researchers in cyber security sector is Cavelty who wrote a number of articles and books closely looking at the level of threats that arise from the cyber sector, she argues that the actual possibility of all-out cyber war is no more possible than conventional war and that many cyber doom scenarios to national security are exaggerated (works like Cyber-security 2012, Power and Security in the Information Age 2007b illustrate this point). The whole cyberspace research is divided among techno-oriented security analysts who are interested in vulnerabilities and practical countermeasures and those academics who try to put the word cyber to different nouns such as power, warfare, terrorism, deterrence, etc., and see what new tools this approach can give to the states to achieve their international (and national) aims. However, there is a clear gap in an attempt to explain the consequences of putting the cyber security concept on top of the states national security concerns. Especially, questioning the impact it has on the understanding of cyber threats and the degree the framing of the threat can have on perceptions of how real the threat is.
6

There is an important gap in answering these questions in the recent cyber security literature. Lene Hansen and Helen Nissenbaum (2009) in their article Digital Disaster, Cyber Security, and the Copenhagen School, come close to fulfilling this task. They used the Copenhagen Schools securitization framework to put cyber security among the other, successfully securitized, sectors such as economic, political, military and environmental. They provided first steps in understanding what cyber security might entail in terms of International Relations, questioning the referent object and actors in this sector. They briefly presented the way in which the cyber sector was securitized and argued that the cyber discourse can usually be described as hypersecuritization (the term used by Barry Buzan in American exceptionalism, unipolarity and September 11 (2005)), where the securitizing actors perceive the threats to be more than they usually are. There have been attempts to link cyber security with national sovereignty and national security (Hare, 2009; Hare, 2010). However, those works do not attempt to explain the impact of the cyber discourse, the way it was framed and the effects it has on the national security. This work will try to fill this particular gap in Security Studies. Firstly, using the Copenhagen Schools theoretical framework of securitization, the process of how cyber threats were securitized will be analysed. Using examples of governmental policies and institutional developments (mainly in the US) the chronological order of movements towards successful cyber sector securitization will be presented. A special attention will be given to the rhetoric and the way the threats were framed by the securitizing actors. Having this basic understanding of the securitization of the cyber sector it will be easier to go to the next section where in depth analysis of the ways how cyber threats cause the insecurity for the state will be given.

1. Cyber threats to national security

Security in the broadest possible sense is freedom from threat, objectively and subjectively (Weaver, 1995). When the concern is national security, primary focus is the survival of the basic political unit - a sovereign state. According to Ullman (1983: 133) a threat to national security is an action that (1) threatens drastically and rapidly degrade the quality of life for the inhabitants of a state, or (2) threatens significantly to narrow the range of policy choices available to the government of the state. The focus of the work being cyber threats to national security, the concern is only of those cyber threats that threaten to seriously impede upon the states livelihood. There are many threats coming from the cyber realm to variety of units (individuals, societies, states), but if the primary concern is national security, those threats must be selected carefully and analysed only in the capacity to which (using Ullmans definition) they threaten to seriously limit the states policy options or when they drastically degrade the quality of life for the population of the state. Using Buzans division of security sectors, cyber threats will be divided into three categories economic, political and military. Each category will be addressed separately, looking at what impact the threats that come from cyberspace has on that sector, and, ultimately, to what extent it can be considered a matter of national security. According to Buzan (1991: 141), whether or not a threat is a national security issue, depends not only on determining what type of threat it is but also how the recipient state perceives it and the intensity with which the threat operates. Keeping in mind this argument, this chapter will only deal with one side of the coin and analyse the types of threats and their impact on 3 sectors which are paramount to the livelihood of the state. The second chapter will be addressing the question of perception of the threat as well as military and security experts impact on the understanding of security in general and cyber security in particular. However, before analysing the actual examples of cyber threats it is necessary to point out how the securitization of cyber threats occurred. Understanding of the cyber sector securitization will allow not only a better understanding where does cyber security concept come from but also will help with the analysis of the threats to national security.

1.1 The securitization of the cyber threats

8

The Copenhagen School is one of the major forces responsible for widening the definition of security. Generally they divide security into 5 separate categories: military, economic, societal, political and environmental. While all these categories are interconnected, their dynamics, however, are determined by securitizing actors and referent objects (Buzan, Wver and Wilde, 1998: 36). Actors are those who securitize issues by declaring something (a referent object) to be existentially threatened. Referent objects can be various: states (military security), national sovereignty, or an ideology (political security), national economies (economic security), collective identities (societal security), species or habitats (environmental security) (Emmers, 2009: 137). Securitization can be seen as a more extreme version of politicization, that is moving an issue from the political spectrum (the issue is part of public policy, requiring government decision) to a security category (the issue is presented as an existential threat, requiring emergency measures and justifying actions outside the normal bounds of political procedure) (Buzan, Wver and Wilde, 1998: 23). The process of securitization is usually fairly simple. The securitizing actor (usually the government) declares that there exists an existential threat and that it does require extraordinary measures. This way, security itself is a self-referential practice, because it does not matter if the issue indeed is a real existential threat or it is just presented as such (Buzan, Wver and Wilde, 1998: 24). However, according to Copenhagen School, a mere declaration of the existential threat by a securitizing actor is not enough. The issue is securitized only if and when the audience accepts it as such. There is no clear definition what this audience must be, but usually it refers to a broader, significant community such as media, public or experts. The securitizing actors initiate the process by a speech act, where they utter the word security. They frame the threat as existential one which requires emergency actions and if a significant audience accepts it as such, then the process of securitization is successful (Buzan, Wver and Wilde, 1998: 26). From this explanation it is clear that the Copenhagen School holds security as a wholly constructive concept. It is very dependent on the political context and the actors who are involved in this process. Different political context in different country would lead to a different understanding of what is security. They maintain that there is no use in looking for a real security outside of the world of politics. It is more relevant to grasp the processes and dynamics of securitization, because if one knows who can do security on what issue and under what conditions, it will sometimes be possible to manoeuvre the interaction among actors and thereby curb security dilemmas (Buzan, Wver and Wilde, 1998: 31). Security is socially constructed and determined by actors and is very subjective in that regard. This approach is very useful in the analysis of the public policy developments and
9

the rhetoric of security experts, especially when the matter is cyber security where the actual level of threats is not easily measured. Using the Copenhagen approach we can assume that there might be different reasons for why cyber security was framed in a particular way. It can be argued that at this moment cyber security has been successfully securitized. And it has been so for a while. The first step towards successful securitization was the institutional development of President Clintons administration. In 1996 the Commission on Critical Infrastructure Protection was established. A year later the commission conducted a report called Critical Foundations: Protecting Americas Infrastructures. The report raised awareness of the critical infrastructure protection and new type of vulnerabilities - cyber vulnerabilities. While the report did not claim to find any basis for an immediate cyber disaster or attack, the language used suggested that if no action will be taken, there might be dire consequences: ...we are convinced that our vulnerabilities are increasing steadily and We should attend to our critical foundations before we are confronted with a crisis, not after. Waiting for disaster would prove as expensive as it would be irresponsible. (CFPAI, 1997: 10). The next step was taken by president Bushs Administration with the establishment of The United States Computer Emergency Readiness Team (US-CERT) and the formulation of The National Strategy to Secure Cyberspace in 2003. The executive summary of the strategy referred, once again, to the vulnerabilities that arise from the dependence on computer technologies in managing states critical infrastructure. The strategy admits the lack of serious cyber incident but warns the readers that they can't be too sanguine as there have been instances where organized attackers have exploited vulnerabilities that may be indicative of more destructive capabilities. (NSSC, 2003: 8). In 2007 Estonia was hit by numerous cyber attacks that brought down the websites of its banks, governmental agencies, media as well as Parliamentary and Presidential institutions. This three week long cyber attack was caused by the removal of the Soviet war memorial and the immediate suspects behind cyber attacks were the Russians. No direct proof was found that the Russian government was in anyway involved in the incident, but the media was using a very powerful language to describe a primitive cyber attack: BBC News Estonia hit by 'Moscow cyber war' (BBC, 2007) and The Guardian - Russia accused of unleashing cyberwar to disable Estonia (Traynor, 2007). The New York Times called the situation the first war in cyberspace (Landler and Markoff, 2007). Alongside the media, Mikhel Tammet, at the time, a chairman of Estonia's cyber-defence co-ordination committee, called it a kind of terrorism (Blomfield, 2007). The rhetoric used throughout and after this incident will be analysed in the subsequent chapters, but suffice it to say that
10

the attention given by government officials, media and public, lead to the establishment of NATO Cooperative Cyber Defence Centre of Excellence in Estonia in 2008. Finally, in 2009, Obama administration released Cyberspace Policy Review, a document that sets out for the US to lead the world towards more secure cyberspace (Cyberspace Policy Review, 2009). The main message is that while the US government must take the leadership, for the secure cyberspace to be a reality there must be close partnership among private and public sectors as well as globally, among nations. With the establishment of the US Cyber Command in 2009 it can be clearly said that the cyber security is firmly established in the public policy debate and the institutional securitization steps that were taken begs the question what are the consequences of this securitization to the understanding of cyber security and national security in general. Before answering these questions, it is paramount to analyse cyber threats to national security that are coming through economic, political and military sectors. This analysis will make it possible to compare the actual cyber threat levels and the perception of them.

1.2 Economic sector

Most of the economic damage that cyber threats can cause comes from two main sources - malware and cyber-espionage. Malware is short for malicious software, it is a program which is designed to disrupt or deny operation, also gain unauthorized access to system resources and gather information. Examples include, but are not limited to, worms, viruses, Trojan horses, bugs, etc. (Nash, 2005: 10). In 2007, a study carried out by Computer Economics calculated (including labour costs to analyse, repair and cleanse infected systems, loss of user productivity, loss of revenue due to loss or degraded performance of system, and other costs directly incurred as the result of a malware attack) that total annual worldwide economic damages from malware exceeded $13 billion (Computer Economics, 2007). This rapid proliferation of the cyber crime caused the rise of the security software market, which last year was worth $16.5 billion (Gartner, 2011). There is nothing specifically unique about cyber crime. It is effectively the same criminal activities only utilising new conditions and tools. The majority cases of cybercrime and cyber related fraud targets individuals. They are the easiest targets for identity thefts, stealing personal banking information or other valuable and easily accessible data. While the numbers of such crime caused damage remains high (it is estimated that losses in 2007 were about $61 million (Herley and Florencio, 2008: 9)) it is mainly relevant in terms of
11

individual security. This is a serious matter when talking about the precautions of using computers but it is hardly a matter of national security. This issue does not directly threaten the livelihood of the state but rather causes inconvenience for individuals, but as, for example, car thefts is a serious problem to individuals and to local levels, by no means it is a problem on a national level, threatening to degrade the quality of life in a very rapid and systematic fashion. For this reason economic damage caused by cyber threats to individuals should not be considered an integral part of cyber threats to national security debate. Large scale cyber espionage is aimed at industrial and state targets and therefore is different in that respect. Economic damage of cyber espionage might not exceed the damage done to individuals (at least by sheer numbers) but the nature of these attacks deems a different place for it in the security debate. Because targets are states and/or big companies, cyber espionage may be considered a national security issue as it is a direct threat to the states economy rather than an indirect threat through the economic losses for individuals. At the beginning of 1980s, the dawn of cyber crime, there were couple of prominent hacking incidents that showed the level of threat caused by relying on computer networks for safe-keeping of the information. Starting from 1982, when the so-called 414s break in incident happened, where six teenagers from Milwaukee gained access to high-profile computer systems in the US (Cavelty, 2012: 10), there were many more incidents like these, different in scale and motives. Recently, there was an increase in cyber espionage incidents that are believed to be originating from China. The properties and the consequences, including the estimated damage, of these incidents are worth looking into. In 2005, FBI report (Posner, 2010: 1) draw attention to a series of cyber attacks, named Titan Rain, which were conducted starting from 2003 and aimed at various United States computer systems. Some data was stolen from such subjects as NASAs Mars Reconnaissance Orbiter and Air Force flight planning software as well as US government systems and defence contractors (Sommer and Brown, 2011: 57). It was hard to attribute these attacks to anyone in particular but some speculations suggested that the perpetrators were based in China (Thornburg, 2005). Another instance of similar, large-scale cyber attack was conducted in 2009. Named Operation Aurora, this incident consisted of numerous attacks on high tech, security and defense contractor companies. It was first uncovered by Google in their official blog post (Google Official Blog, 2010), where the company claimed to be a victim of highly sophisticated cyber attack. The primary aim for the attack was Chinese human rights activists email accounts. It was reported that many other companies were victims, including Adobe, Juniper Networks, Rackspace, Yahoo, Symantec and many more. According to some cyber and national security experts this was Chinas espionage program
12

aimed at getting high-tech information as well as politically sensitive information for its own purposes (Cha and Nakashima, 2010). At the same year, in 2009, Information Warfare Monitor uncovered a massive web of cyber-spying operation named Ghostnet. According to the report, the security was breached and the computer networks were compromised in 103 countries consisting of 1295 computers. Among the infected computers there were 30% of high value targets, including ministries of foreign affairs of Iran, Indonesia, Philippines, also embassies of India, South Korea, Indonesia, Thailand, Taiwan, some other countries as well as news organizations and computer in NATO headquarters (Information Warfare Monitor, 2009: 5). The researches that uncovered this wide web of cyber espionage said that in addition to these targets various Dalai Lamas Tibetan exile centres were among the primary targets (Landler and Markoff, 2009). This and the fact that the technology behind the Ghostnet was highly sophisticated led many to believe that Chinese government must have been responsible for the support behind this incentive. However, like with the majority of cyber crime, there can be no certainty behind the attribution as it is very easy to remain anonymous in the cyberspace. This brief overview of cyber related incidents that caused economic damage showcases many problems when trying to determine to what extent these types of incidents is a serious threat to national security. Firstly, it is hard to tell what the actual cost of largescale cyber espionage was. Neither states nor private companies want to reveal how much classified and sensitive information were stolen and what impact it had. It can only be assumed that if there was a lot of data that were taken from private defense contractors, NASA or US Air Force computers, it was most likely valuable and have caused substantial economic damage. Additionally, these types of disruptions do not directly threaten national security in the most basic sense. Neither they cause significant limitations to the policy choices for the government, nor do they threaten the livelihood of the states population. The consensus is that cyber espionage has the potential to cause such financial loss that it may also impact on the security of nation states both militarily and economically (Sommer and Brown, 2011: 33). Economic sector occupies a peculiar position in states power. There is a strong link between economic and military capability, and if economic capability, being the crucial foundation on which the relative status of states power rests, declines, so does the military capability and, subsequently, state power (Buzan, 1991: 127). In that regard economic safety is a subject of national security, but the threats to economic sector must be extraordinary, causing serious systematic shock and disruptions with the cascading effects. Only in such instance, it could be a matter of national security. However, the scale of past cyber incidents did not meet these requirements.
13

1.3 Political sector

According to Buzan, political threats are aimed at the organizational stability of the state. The nature of the political threat is likened to that of a military one, because the state is essentially a political entity, so political threats may be feared as much as military ones (Buzan, 1991: 119). However, the purpose of the attack that threatens political sector is different. It may range from pressuring the government on a particular policy, through overthrowing the government, to fomenting secessionism, and disrupting the political fabric of the state so as to weaken it prior to military attack. (Buzan, 1991: 118-119). When assessing the cyber threats that aim at the political sector we must look at the properties of the threat and only then decide to what extent it can be a matter of national security. Firstly, it is important to pinpoint the motive of the attack/incident. Sometimes it can be hard to distinguish what is the aim of a specific cyber incident, but the ones that have political properties should be easy to spot. Usually the perpetrators clearly state their aims and goals of what they are trying to achieve. The motive should be political - aimed at political regime itself or the specific policy of that regime. Secondly, cyber attack should threaten organizational stability of the state. In other words, the attack should target political regime itself and/or its ability to make policy decisions. These two requirements should be fulfilled if the attack is deemed to be a threat to national security that comes from political sector. Cyber attacks with a political motive are usually described as hacktivism. It is the fusion of two words - hacking and activism. It refers to politically motivated attacks on publicly accessible Web pages/resources or email servers (Dacey and Hite, 2003: 7). Hacktivism is basically the use of hacker techniques (particularly web-defacement and distributed denial of service attacks (DDoS)) to publicise an ideological cause rather than for crime (Sommer and Brown, 2011: 31). Like cyber criminals are the same criminals only using cyberspace for their illegal activity, hacktivists are essentially activists that have gone electronic. They utilise virtual powers to mould offline life (Jordan and Taylor, 2004: 1). There is a long history of hacktivism examples with varying degrees of success and impact. Earliest example dates back to 1989, when the group called Worms Against Nuclear Killers penetrated the United States Department of Energy and NASA machines. This antinuclear group of hackers defaced websites login pages to their own, proclaiming the message - You talk of times of peace for all, and then prepare for war (Assange, 2006). A
14

significant example of similar attack can be found in 1997, when Portuguese hacking group UrBaN Ka0s hacked the website of Indonesian military and government. The websites were changed to express the criticism towards Indonesian government and the situation in East Timor (Ludlow, 2010: 26). In 1998, arguably the same group launched attacks on Indonesian government websites with the message Free East Timor (Harmon, 1998). Hacktivist groups with the comedic names such as Electronic Disturbance Theater, the Cult of the Dead Cow and the Hong Kong Blondes have used hacktivism tools to help and support the Zapatista rebellion in Mexico, protest nuclear testing at Indias Bhabba Atomic Research Center as well as protest anti-democratic crackdowns in China (Manion and Goodrum, 2000: 14). All these incidents showcase a couple of points. Firstly, attacks were clearly of a political nature, in most cases intending to oppose particular government and its policy. Secondly, the attacks did not intend to cause economic damage but to send a political message. It was a symbolic act. Part of the reason for it was that, at that time, hacktivists tools were capable of defacing websites but it was technologically hard to make a stronger impact. Therefore, these examples of hacktivism can only be considered as a part of political activism and not a national security issue. They are symbolic acts that have a clear political message, but by no means they caused a serious disruption for governments ability to make the policy decisions or threatened political regimes livelihood. Hence, they only fulfil the first requirement of the two that are necessarily to consider an issue being a threat to national security. More than 20 years have passed after the first hacktivism incident and today this type of activism is rising in popularity. Todays hacktivism incentives are bigger in scale and bigger in impact it creates. Recently, hacker collectives such as Anonymous and Lulzsec as well as WikiLeaks organisation spurred new life into the debates about hacktivism, cyberterrorism and freedom of information. Anonymous is an interesting case of internet activism. It mainly operates on the premise that information should be free and opposes various power structures (big corporations, states, international organisations) which attempt to limit, censor or by any means tame the content in the cyber space. Anonymous activity began in 2009 and ever since then they have made many attacks on various targets. M. D. Cavelty describes it as behaving deliberately hedonistic and says that they creatively play with anonymity in a time obsessed with control and surveillance and humiliate high-visibility targets by DDoS attacks, break-ins and release of sensitive information (Cavelty, 2012: 12). There are 3 notable cyber incidents which are attributed to Anonymous. In 2008 they launched Project Chanology, aimed at Church of
15

Scientology. Protesting against the removal of Tom Cruise video from YouTube, which was done upon the churchs request, the group launched wide-scale attack on Scientology websites, also flooding their offices with blank faxes and prank calls, using any measure possible to disrupt their operations. In addition to that in about 100 cities worldwide about 7000 people took part in protests against Scientology in Australia, Europe, Canada and the US (Moncada, 2008). The second major incentive called Operation Payback started in 2010. The targets this time were a major pro-copyright and anti-piracy corporations (e.g. Motion Picture Association of America) law firms and individuals. Launching mainly the same DDoS attacks they managed to shut down certain websites for up to 30 hours (TorrentFreak, 2010). Basically, using the same idea of the freedom of information and freedom from any kind of censorship, the group sent a strong message that anyone who opposes this idea might provoke cyber hostility. This motive was clearly evident during the scandal when the US diplomatic cables were leaked through WikiLeaks organisation. Anonymous were supporting the leaks and when the major financial organisations (PayPal, BankAmerica, PostFinance, MasterCard, Visa), that were feeling the pressure from the US government, stopped providing the services to WikiLeaks (this way creating many financial problems for the organisation which main income was coming from the internet donations), they reacted immediately by shutting down websites of those organisations for a limited amount of time (Pauli, 2010). Both operations were very disruptive and possibly highly economically damaging. They were similar to the first examples of hacktivism in the sense that they too had a political/ideological message attached to them (this time being the freedom from censorship and control in the cyber space). However, they were way bigger in scale and caused much more disruption through economic loss and limitations to various organisations. Precisely because the targets of the attacks were independent organizations, it can be said that these type of threats belong more to individual than to national security discourse. The most recent attacks conducted by this group are much more dispersed and not carrying a clear political message. Self-named Operation AntiSec aims at hacking into a wide variety of companies and mocking their cyber security measures. Companies such as Sony, Disney, NBC Universal, AT&T were attacked, and a lot of information were made public including sensitive data about products and clients (Greenberg, 2011). The group was also active during the Arab Spring that started in 2010, they were in charge of attacks on Egypts, Libyas and Tunisias government websites (Wagenseil, 2011), sending a message that they are in favour of liberation movements. The diverse nature of the attacks shows that
16

the group itself is not a centralised, authoritative organisation with the clear set of rules and motives. It can be described as decentralised, disperse and chaotic organisation of individuals who oppose any incentive towards control and concentration of power. They enjoy and celebrate the freedom cyberspace creates and the anonymity it provides. This groups activities poses a threat to many actors, however the threat is mainly of economic nature. The ramifications that this type of activism creates for the understanding of security and cyber security in particular will be explored after the brief analysis of the biggest information leak scandal - Cablegate. The US diplomatic cable leak began in 2010. A non-profit organisation WikiLeaks published classified cables obtained from US State Department. The organisation obtained classified documents from the US Army soldier Bradley Manning who downloaded them without authorisation. The amount of information of the published cables is immense. There are over 250 000 cables, involving international affairs from 274 embassies dating from 1966 to 2011 (Shane and Lehren, 2010: 2). This makes Cablegate the largest release of classified material in the world. The content that was published stirred the news companies, public and governments all around the world. The consequences included not only charges against Bradley Manning but also against Julian Assange, the founder of WikiLeaks, who decided to publish all material including sensitive information about informants working in Afghanistan and Iraq, possibly putting their lives at risk. The data that was made public not only put many people in danger but revealed how countries exchange correspondence and what kind of language they use. It may have contributed to Arab Spring, creating instability for the governments by revealing the corruption and spending details of the leaders, for example, leaked documents revealed that in Tunisia the first lady had huge profits from public schools which may have exacerbated public dislike of the government (Dickinson, 2011). Cablegate scandal is a matter of security on many levels. The leaked cables put many individuals in danger, not only releasing their financial information but also, in the case of informants, putting their lives in danger. Private correspondence between individuals was made public and the secret nature of diplomatic relations was made available for the general population. This information leak is a threat to both, individual and the state security. However, it cannot be called solely a matter of cyber security because internet and cyber tools acted only as a medium to transfer the information and make it public. The information was not obtained by the outsider, a hacker, but rather from the insider, a US Army soldier. This means that the scandal itself is matter of individual as well as states national security, but it cannot be considered a threat coming from the cyber space.
17

Keith Alexander, the general in charge of the US Cyber Command and the director of the National Security Agency hold that hacker-activist group Anonymous is a threat to national security. He claims that the hacking group Anonymous could have the ability within the next year or two to bring about a limited power outage through a cyberattack (Benkler, 2012). How realistic is this statement is hard to assess. So far the group showed interest in obtaining secret information, website defacement and making targeted websites inaccessible for a short period of time in order to transmit their rebellious message. So far, hacktivism has proven to be sporadic by nature and not systematic or persistent. According to Sommer and Brown to reach the level of a global shock hacktivist activity would need to be extremely well researched and persistent and to be carried out by activists who had no care for the consequences (Sommer and Brown, 2011: 32). Nonetheless, the potential of the threat is there, the blockade against financial institutions showed that there is a possibility of a prolonged inability for public and private sector to use internet financial services. This indirectly can threaten political stability of the country because if government cannot secure its financial sector in the long term the stability of political regime might be threatened. The speculative nature of these threats cannot deem hacktivism to be an immediate threat to national security. However, WikiLeaks example is different. Its properties have a nature of cyber-espionage rather than hacktivism and falls within the discourse of broader national security concept. In other words, the leak was made possible by security problems in the US Armys computer networks and was done by internal source. Internet acted only as a catalyst, enabling the rapid spread of the classified documents but nothing more. Internal security of such computer networks should always be a priority, primarily in terms of military security rather than political security sector. To conclude, while Cablegate leak was definitely a blow to stability and security of the international diplomatic affairs, and by extension to national security of many countries, this falls within the broader discourse of internal security which should be day-to-day routine practice and not to be clumped up with the other cyber incidents. Politicians and security experts who use hacktivism as an example to move cyber security policies higher on the agenda should be careful not to overstate the threat levels. It has the potential to be a national security issue, but so far, there is no proof of such scale incidents. Examples showcase that hacktivism does not seriously threaten to reduce the possible government options to make decisions nor does it seriously diminish the quality of the people of the state. It is definitely a matter of individual security, mainly in the sense of economic security, and where it goes beyond that point, it should be taken care by internal computer security measures, but by no means, invoking national security rhetoric.
18

1.4 Military Sector

Security of the state is very often likened to the military security. When national security is mentioned, the first thing we imagine is military threat and the direct use of force. It is because Security Studies started with the conception of the military threats being central in the whole national security debate. Even now, when the definition of security is as wide as it is, military threats occupy a distinct and prominent role in security debate. It is because military action can pose a threat to all the components of the state. According to Buzan, military actions not only strike at the very essence of the states basic protective functions, but also threaten damage deep down through the layers of social and individual interest superstructures (Buzan, 1991: 117). Military threats can also be direct or indirect with varying levels of impact, ranging from directed at particular states external interests to invasions and assaults on the very existence of the populace (Buzan, 1991: 118). Cyber threats can come through military sector in many ways. Nonetheless, Buzans requirement that military threats always involve the use of force is not suited for cyberspace. It is because any cyber threat that is active and does not come from the passive inherent network vulnerabilities is, in the strictest sense, use of force. Be it a breach of security with the motives of hacktivism, economical gain or purely curiosity, it is all use of force. However, it should not mean that these types of incidents belong to military sector and therefore by extension require military solutions. When we look at cyber threats coming from military section we are mainly concerned with the conflicts that involve states as units, conflicts that are purely cyber in nature (cyberwar) and conflicts that are conventional but come with the cyber dimension. As of yet, there are no examples of all-out cyberwar, and the evidence suggests that it is highly unlikely. However there have been a few conflicts that come with the cyber dimension to them. Notable examples include: 1991 Gulf War, 2007 Iraq, 2007 Estonia and 2008 Georgia. The 1991 Gulf War was a notable step in the US military discourse. This was the conflict were the potential of information warfare was realised and utilized and emphasis was placed on the reliance on information and not only on physical force. Winning information warfare became essential for success. Since then information revolution played a significant role in the US military affairs (Arquilla and Ronfeldt, 1993: 1). Information technology gave an edge to the US military operations through the communication
19

satellites, intelligence gathering, command and control, also extensive use of Iraqi civil mobile networks and media management were core aspects of this type of warfare (Hutchinson, 2006: 213). Kosovo War in 1999 proved to be another example of a conflict that had information warfare or cyber dimension to it. It is believed that cyber-based tools used by the US helped to distort the images Serbian air defense systems were receiving. Additionally, after the war ended there were hackers actively attacking Kosovo web pages (Arquilla, 2003). Both of these conflicts included cyber tools in their regular conventional military arsenal and clearly showed the advantages that domination in cyber realm can provide. It has shown that the reliance on internet and computer networks may be a double edged sword, providing efficient communication but creating vulnerabilities at the same time. The disadvantages of relying upon internet and computer networks manifested in its full potential during the cyber attacks conducted towards Estonia in 2007. When government of Estonia decided to remove World War II bronze statue representing a Soviet soldier to a different place - a three week long cyber attack began. Primary targets were the websites of Estonian parliament, banks, ministries, newspapers and broadcasters (Cavelty, 2012:14). Estonian government reacted very seriously to this attack. Estonian foreign minister Urmas Paet accused Russia of direct involvement of the attack (Bright, 2007). There were statements made by officials who suggested that these cyber attacks should be likened to the real attacks and therefore would fall under the NATO Article V (Anderson, 2007). Despite the dramatic language, there was no conclusive evidence that Russia was conducting this attack, most likely it has been a group of hackers sympathising with those who were opposed to the removal of the monument. In this sense it is an example of hacktivism, and therefore it falls within the political sector rather than military one. Nonetheless, this incident showed that sustained blockade of services that are available on cyberspace (banking, government information, and news portals) is possible. NATO reacted swiftly to this incident and in 2008 created Cooperative Cyber Defence Centre of Excellence in Estonia. Cyber attack against numerous Georgian websites in 2008 is a similar example of cyber-ed conflict. Five day long armed conflict between Georgia and Russia began on the 7th of August 2008. The breakout of the military conflict was synced with well-coordinated cyber attacks aiming at Georgian government and media websites. The report conducted by the US Cyber Consequences Unit concludes that the main objective of these cyber attacks was to support Russian invasion of Georgia (U.S. Cyber Consequences Unit, 2009: 6). Also while the attacks against Georgian targets were carried out by civilians, those civilians were
20

tipped off about the timing of the Russian military operations and they had an advance notice of Russian military intentions (U.S. Cyber Consequences Unit, 2009: 2-3). This cyber conflict was similar to that in Estonia because most likely Russian government were not directly responsible for conducting the attacks but they used hacker groups for their own purposes, tipping them off about the attack or encouraging them to jam the enemys websites. This suggests that future conflicts will most likely have a cyber dimension to them. Additionally, the attribution problem will allow states to hide behind the internet anonymity and fully utilise the potential that cyberspace gives to aid conventional conflicts. Nonetheless, examples of Estonia and Georgia do not suggest that cyber conflicts will replace conventional conflicts any time soon. Most likely cyber tools will fulfil the supplementing role as an additional tool to the variety of conventional use of force options available. Looking closely at the results and damage of these incidents it can be concluded that the impact was minimal. Three week and five day internet blockade of government websites, news outlets and other services cannot be called a cascading threat that would greatly impede upon governments choices to make policy decisions. It is a symbolic attack rather than an actual utilisation of hard power as there is no physical damage done. If these incidents can be regarded as a states intentional use of cyber weapons, those weapons appeared to be limited to minor inconveniences, symbolic messages and temporary economic disruptions. The understanding of what cyber weapons can do changed dramatically in 2010 with the discovery of Stuxnet computer worm. This type of malware is distinctly different from ordinary malware discussed earlier. The only similarity is that it is also self-replicate and is designed to spread rapidly. However, the properties and its aim is different. Firstly, it is a much more complex programme than any other virus in the world. Symantec, one of the leading computer security companies, described Stuxnet as requiring extraordinary sophistication, thought and planning (Murchu, 2010). Security experts think that it might have taken many months if not years to design it (Zetter, 2010). This initially led many experts and analysts to believe (which later was essentially confirmed) that the creation of this virus was conducted with nation-state backing and support (Kaspersky, 2010). The second big difference is that this malware aims precisely at industrial control systems, which are in charge of variety of industries such as electrical, water, oil, gas and date operations. The aim was to penetrate the specific system and take control of it. It was not aimed to conduct espionage or monitoring tasks as the majority of malwares are. It was aimed at Windows systems that had Siemens Supervisory Control And Data Acquisition
21

systems. So it is a very specific target. It was revealed that the majority of infected computers are located in Iran and the target was Irans main nuclear enrichment facilities (Shearer, 2010). The worm spread through infected USB drives and may have damaged about 1,000 centrifuges in the Fuel Enrichment Plant in Natanz. It successfully, but temporarily, set back Irans fuel enrichment progress in Natanz (Albright, Brannan and Walrond, 2010: 7). It was a deliberate and precise attack in order to disrupt and cause physical damage to Irans nuclear ambitions. Precisely because of what the target was and the complexity of the virus, media and experts speculated that it may have been the work of United States and Israel. This suspicion was later confirmed in the New York Times article by David Sanger. The article revealed that Stuxnet virus was developed following incentive started by Bush administration and called Operation Olympic Games. It included covert attacks against Iranian nuclear industry and the main weapon of it was development and initiation of Stuxnet (Sanger, 2012). The report argues that collaboration with Israeli intelligence unit was driven by two conditions. Firstly, Israel had very advanced technical expertise and particularly deep knowledge of the Natanz nuclear facility. Secondly, it was a good way to deter Israel from thinking about pre-emptive strike against the Iranian nuclear facilities, as that would create immense crisis situation and instability in the region (Sanger, 2012). The article goes into detail how the initial planning and actual execution of the operation took place, but these details are not that important. What is paramount is to understand that first time in the history a cyber tool/weapon was used to do more than disrupt, deface or create mild and temporary inconvenience. This weapon was used because alternative conventional strikes were not the best option, however, it managed to create an actual physical destruction of the crucial nuclear power plant. In many ways it was a success, however, due to a mistake in programming code, Stuxnet spread to other computers outside Iran. This not only revealed what are the capabilities of states in terms of cyber weaponry, but allowed to dissect and analyse the program itself, so that replicas could be made by anyone willing and having resources to do so. Because of that, the damage was not only to Irans nuclear plans but also to the U.S.s credibility in cyberspace, it is believed that it may encourage other countries to increase their offensive cyberspace capabilities in response (Messmer, 2012). Cyber threats that come through military sector can be divided in two categories. There are the ones that pose a direct threat to national security and the ones that support conventional conflicts by exploiting cyberspace to create pressure, disrupt media or spread symbolic political messages. Conflicts of Gulf War, Iraq, Estonia and Georgia were of the
22

latter type, they had a cyber dimension to them. The opposing parties, utilised cyber space tools to supplement their foreign policy agenda. These examples suggest that in the future there might be more conflicts that will have a cyber dimension. However, cyber tools that were used proved to be limited in the impact it created. Short-term government websites disruptions are not, and should not be, a major national security issue. It can hardly be called a matter of state security, let alone invoke national security rhetoric. The response to these types of disruptions should primarily be done internally, improving the computer networks and making more robust systems that would hold-out against such attacks in the future. There are no grounds to use the words of war, warfare, cyber warriors or anything like that, which was done during the Estonian cyber conflict. These matters should be left to day-to-day politics, mainly to computer network and security experts who can make backup systems in case of similar disruptions occur again. Neither politicians, nor military should be involved in this. It is not a threat to national security in the strictest sense. Other type of cyber threat that comes through military sector is cyber weapons designed to cause physical damage. It is a cyber weapon that strikes directly the at physical infrastructure of the state and undermines the livelihood of state. Stuxnet is the sole example of existing cyber weapon but it shows that it is indeed possible to create and utilise a weapon that comes and operates within the cyberspace but damages physical realm instead of just virtual one. Because of that it requires a military response, be it by increasing cyber defences or reducing cyber vulnerabilities when it comes to industrial sector operations. This is clearly a threat that come through military sector and should be considered a matter of national security. Cyber weapon can be substituted for a conventional weapon and still do a physical damage to the designated target. It not only bypasses the conventional security measures but also international conventions and agreements. So far, cyber space is not under international supervision or any sort of weapon control treaties. The existence this type of cyber weapons should be acknowledged by military security experts as it is a threat to national security and international stability in general.

23

2. Rhetoric of the cyber security debate.

2.1. The gap between perception and reality
The first part of the dissertation showed to what extent cyber threats can be a national security problem. The results can be interpreted depending on the definition of security. The broader the understanding is, the more threats can be considered a matter of security and a threat to the state livelihood. However, when assessing the risks presented by cyber sector, it is important to use a rigid and narrow understanding of national security. Mainly because it is a fairly new threat and concepts are not yet developed, so there is a lot of misunderstanding and miscommunication about the cyber realm. It ranges from people who assume that we are in a perpetual cyber war to the sceptics who say cyber threats cannot be put in the same category as economic, political or military threats. This is a problem because depending how you understand security, defines how you frame problems and threats. That subsequently causes different solutions. If the threats are overblown and exaggerated it may easily lead to calling for unwanted military solutions. The estimation of the threats that come through three sectors (military, economic and political) shows that very few instances would allow national security rhetoric to be used. In other words, the majority of the threats that come from cyberspace do not directly threaten national security. Threats that come through economic sector pose a threat mainly to individuals but not directly to the states. Large scale cyber-espionage have the potential to threaten national security by causing immense economic damage to the state or if the state loses extremely sensitive (military or intelligence related) information. However, so far there has been no such attack/incident. Political sector presents states with different problems as politically motivated activists use cyber tools to convey their message through disruption of websites, hacking and extracting information. The question here is if these activities can cause political instability for regime or significantly limit government's policy options. Wikileaks scandal was different from other examples of hacktivism. It may have caused significant problems for some states as their private correspondence was made public. It may also have endangered many lives of informants in Iraq and Afghanistan, additionally, information about the military movements may have been leaked. In this
24

respect, it threatened states (mainly the US) foreign policy incentives and their national security. However, it is important to note that the information was obtained from within the US military, by a soldier, proving once again that usually the weakest security link is human and not technology. Internet was the catalyst for that information to spread and gain momentum; it was not a cyber threat per se. Interesting observations can be made by looking at military sector. It is clear that present and future conflicts will also take place in the cyber sector. This was shown in Estonia and Georgia cases. Also there is no solid proof that currently there is an on-going cyber war. There are a lot of attacks and disruptions coming towards nations but none of them cause serious damage. Exception can be made about the cyber weapons capabilities to cause physical damage as shown by Stuxnet virus. The implications of this will be assessed in the further chapters but it is clearly an example how cyberspace can be used to damage physical infrastructure. This should be taken seriously and according to the working definition of security in this work, this virus is (or rather was for Iran) a threat to national security. As mentioned earlier determining what are the actual types of threats is just one side of the coin. To definitely say that something is a national security issue, we must also look at how the recipient state perceives that threat. Using the Copenhagen Schools securitization theory it is important to look at how threats are framed and what language is used. Copenhagen School argues that security is a self-referential practice, mainly because the issue becomes a security issue not necessarily because a real existential threat exists but because the issue is presented as such (Buzan, Wver and Wilde, 1998: 24). They pay particular importance at what is called a speech act - a designation of an existential threat by securitizing actors, those actors claim an issue to be an existential threat requiring emergency action or special measures. And if it is accepted by a significant audience, the issue becomes securitized (Buzan, Wver and Wilde, 1998: 27). According to Arnold Wolfers security can be approached both objectively (there is a real threat) and subjectively (there is perceived threat) and that nothing ensures that these two approaches will line up (Wolfers (1962) cited in Buzan, Wver and Wilde, 1998: 30). The perception is particularly important speaking about cyber security because, as mentioned previously, this is a new field and any motions towards framing threats in a certain way leads not only to a different solutions to problems but also to a different understanding of the problem itself. For this reason it is important to look at the speech acts made by cyber sector securitization actors - government officials as well as security experts in the U.S.

25

2.2 Exaggerated language of the cyber threats.

According to the Copenhagen School securitising actors can be anybody and anyone. However, elites, especially political elites, have a distinct advantage in the securitising process. Given that the understanding of cyber security requires certain amount of technological knowledge, security experts should also be included in this category. There has been a lot of talking about information warfare, cyber capabilities and vulnerabilities, cyber war and cyberterrorism in general. Many individuals made statements about cyber security; therefore it is easy to be at a loss when trying to determine who the main securitizing actors were. It is important, however, to analyse the tone of the language used, how the issues and problems arising from cyber realm were framed as well as what kind of language was used to describe them. Due to the fact that the focus of this paper is on the types and levels of cyber threats in comparison to the perception of them, and eventually pointing out what kind of implications does the disparity between real and perceived causes, only a brief account of the most important actors in charge of the cyber security framing will be presented. It is fair to say that the discourse of cyber security framing, at least in the US, is a wholly negative exercise. The usual tone of the language is dark, threatening, intentionally worrying and sometimes even menacing. In the past couple of years cyber security problems have had a lot of attention from the politicians and security experts. It can be said that this attention is only increasing in the recent years. Obamas administration was (and still is) particularly keen on keeping cyber security a policy priority. In 2008 administrations requested report of the CSIS Commission Cybersecurity for the 44th Presidency, warned that cyber security is now a major national security problem for the United States(CSIS Commission on Cybersecurity, 2008: 1). A year later in 2009, the White House released a Cyberspace Policy Review, which said that cyber security risks pose some of the most serious economic and national security challenges of the 21st Century(Cyberspace Policy Review, 2009: iii). Barack Obama himself in 2009 speech on cyber threats said that Americas economic prosperity in the 21st century will depend on cybersecurity (Obama, 2009). These statements focused attention on a particular parts of cyber security. It can be said that it paved the way for the
26

future security implementations and raised the awareness of the possible security problems, putting cyber security alongside traditional sectors (military, economic, political, and environmental). However, other securitising actors used much stronger language to describe cyber threats. Keith Alexander, the director of US National Security Agency and the commander of US Cyber Command claimed earlier in 2010 that US networks are being attacked by hundreds of thousands of probes a day and that the Pentagon was alarmed by the increase of these attacks (Hodge, 2010). He also warned that previously discussed hacktivist group Anonymous in the nearest future may have the ability to cause a limited power outage through a cyberattack (Benkler, 2012). US Defence Secretary Leon Panetta in 2011 said that the next Pearl Harbour that we confront could very well be a cyberattack (Mulrine, 2011). Mike McConnell, former director of the National Intelligence, also does not miss a chance to hype up the cyber security of the US. In 2011 he said that if the US would be in cyberwar today, US would lose (McConnell, 2010). Richard Clarke, who worked for the US government security related positions and now is a counter-terrorism analyst, in his book Cyber War (2010) draws a very dark picture of what would happen if US would be involved in a cyberwar - blackouts would hit cities, airplanes would fall from the sky, banks lose all their data and satellites would spin out of their orbits (Kakutani, 2010). Michael Mullen, former Chairman of the Joint Chiefs of Staff and a retired US Navy admiral stated that in regard to cyber security we are being attacked today, from other countries (Shachtman, 2010). These people play a pivotal role in the framing of national security in terms of cyber vulnerabilities. They are the leading securitising actors, because of unique government positions they occupy or occupied at some point. For this they have the most influence in shaping up security matters as well as most exposure in terms of publicity through media. Precisely because of the high importance of these individuals, we must look carefully at what (and how) they are saying. First chapter of this dissertation looked into the reality of the cyber threats. Albeit that is a very tricky task as what is a real threat is definitely subjective, because different units perceive different threats to be more real than the others, depending on the information they have and other contextual conditions. Academics in favour of constructivist approach to security seem to believe that the importance of the actual threat level is not that big, the study should be focused mainly on actors and their interactions. Cavelty argues that there is no sound way to study the actual level of cyber-risk. She says that the focus of research necessarily shifts to contexts and conditions that determine the process by which key actors subjectively arrive at a shared understanding of how to conceptualize and ultimately respond to a security threat (Cavelty,
27

2012: 24). However, the actual threat or the real threat still matters despite this point of view. If the aim is the optimal governmental policy solutions, we must assess how real the threat is and how that matches with the perception of the threat. Comparing the first chapter with the presented rhetoric of securitising actors it can be said that the reality and the rhetoric does not match. There is a clear gap between what is perceived to be a cyber threat and what kind of threats actually exists. This is a problem because the mismatch between perception and reality creates a situation where public and media is misinformed about the threat levels. In this instance where disparity is very negative (rhetoric is exaggerating the actual threat levels), it can create an overly insecure feeling about the cyber space, where individuals will be imagining that using internet is a constant danger and that identity theft, financial loss and other dangers are imminent. This can seriously stall the spread of electronic literacy and computer technology progress. What is more important, is that this gap causes a particular kind of unwanted policy solutions and creates an international tension among states, subsequently leading to more insecurity. This problem will be addressed after the evaluation of why this gap exists at all.

2.3 Mismatch between perception and reality of cyber threats reasons and implications
The gap that exists between perception and reality of cyber threats is caused by three main reasons - psychological, economic and political. Psychological reasons cause people to misjudge their sense of security all the time. Cognitive bias makes us perceive personified risks to be greater than anonymous, also exaggerate spectacular and rare risks and downplay common risks (Schneier, 2011). This is also true when talking about cyber security. Especially when people hear words as cyberterrorism and cyberwar that psychologically causes a sense of fear. Terrorism associates with the fear of random, violent victimisation and that blends with the distrust and outright fear of computer technology (Weimann, 2004: 3). Technological fear is especially relevant when it comes to cyber threats because the majority of media articles and security experts use quite vague and strong language to describe these threats. Threats seem to be coming out of nowhere, from some anonymous hacker groups who can strike any time and cause unimaginable damage. This is caused by the lack of information on the part of consumers and general population. It is problematic because if there is a big

28

disparity between the feeling of security and the reality of it, it is hard to make sensible security estimations and that leads to a bad security policy decisions. Economic reasons are quite straightforward. Combating cyber threats became a very profitable business. According to Gartner Inc., worldwide security software revenue in total was $17.7 billion in 2011 and increased by 7.5% from 2010 (Gartner, 2012). Additionally, following 9/11 attacks, the US federal government requested $4.5 billion for infrastructure security (Weimann, 2004: 3). Think tanks release reports that alarm public about cyber realities, experts have testified about cyberterrorism dangers before Congress and private companies have deployed security consultants to protect themselves. It cannot be said that all these movements were based on groundless threat perception, however, the exaggeration of the threats definitely moved the cyber security industry forward and gave jobs to a lot of computer and network experts, analysts and professionals. It is in their best interest to keep the threat levels as high as possible, without going totally overboard. Finally, political reasons are a bit more ambiguous and not so clear cut. Politicians very frequently use the tactic of raising awareness of some problem when they want a certain legislation to pass. Media sometimes exacerbates the exaggerated rhetoric by chasing a scary front-page title, such as - Cyber-Attacks by Al Qaeda Feared, Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say (Gellman, 2002). This might be a selective example but dread language from politicians usually increase when a big legislative bill is about to get voted in Congress. This happened with Cybersecurity Act of 2010, when the increased attention was given to cyber security in the media by the senators who were trying to push through this bill. In the op-ed article senators Olympia Snowe and Jay Rockefeller warn that attacks coming from cyber sector have the potential to disrupt or disable vital information networks, which would cause catastrophic economic loss and social havoc (Rockefeller and Snowe, 2010). Many experts agreed at the time that this was clearly an artificial ramping up of the rhetoric in order to get the bill to pass. The bill was controversial because it introduced the so-called kill switch - an ability for the President to order limitation or complete shutdown of Internet traffic. Electronic Frontier Foundation called this an approach that favours dramatic over sober response (Granick, 2009). Recently, the same tactic was used by President Obama as he was trying to get passed the Cybersecurity Act of 2012 in the Senate. He wrote an op-ed in Wall Street Journal arguing that cyber threat to our nation is one of the most serious economic and national security challenges we face and starting the article with the dread scenario of the cyber attack simulation where trains derail and water treatment plants shut down (Obama, 2012). Once again the updated version of Cybersecurity Act faced heavy criticism. Personal
29

privacy advocates claimed that the bill will seriously impede upon peoples ability to be anonymous and private on Internet, forcing some Internet Service Providers to implement blocking measures against privacy service providers such as VPN and TOR, also that the bill will allow recording of potential future crimes, again, highly ambiguous and freely interpreted statement (Wilson, 2012). Currently the bill is in limbo as it did not pass the Senate vote, but Obama considers using the executive order to get it through regardless. Looking at the reasons why the gap between the perceived cyber threats and the actual cyber threats exists, it is safe to say that all three reasons - economic, political and psychological, makes the case for educating the public about the cyber threats. If we would have more information about what the actual threat levels are, it would be easier to assess and recognise when the exaggeration happens and when the rhetoric is being used because of the political motivation. The disparity between real and perceived not only causes misinformation towards general public but also causes other implications in terms of policy decisions, general security and international stability. The level of states cyber capabilities (offensive and defensive) varies greatly, but it is hard to assess the actual levels because most of the information is regarded as sensitive and therefore is not accessible. Nonetheless, experts suggest that countries have been ramping up their offensive and defensive capabilities. Iran has been on the spotlight as a country that can and would use cyber tools to retaliate if they would ever feel cornered. Iran is said to have a cyber capabilities to perform an attack. In 2010 Iranian Islamic Revolution Guards Corps established their cyber warfare division. It is believed that there are about 2400 personnel in the cyber division (Carr, 2012: 250). Irans officials seem to constantly warn the US and Western world of their very strong defence capabilities (Ferran, 2011). China is also developing a strong cyber command unit. Development of cyber warfare capabilities has been one of the most important incentives in order to diminish the disparity between the US and Chinese military capabilities. In 2011 China announced the establishment of a Blue Army division, a cyber command unit (Carr, 2012: 257). North Korea has been training hackers since mid-1980s and now has a very powerful force of cyber warriors. Specialised college trains a hundred professional hackers every year which are incorporated into military and being put under centralised command (Jae, 2011). It is believed that Irans cyber warfare capabilities are on par with such countries as South Korea, China and Russia, mainly because they put hackers under direct command and therefore fully control the capacity of cyber tools, whereas other countries,
30

especially Russia and China, depend on separate hacker groups who are motivated by ideology or money. Russia alongside countries such as France, Germany, Israel, Canada, and Australia are also in the process of increasing their cyber capabilities. Due to overall secrecy of these types of military programs it is hard to rank countries and say that one is more advanced than the other. Nonetheless, the trend is very apparent, a lot of states are ramping up their offensive and defensive cyber security programs and there seems to be nothing to suggest that this trend will decrease any time soon. Exaggerated rhetoric by the US may have contributed to this militarization of cyber sector because when the US uses such terms as cyber war, cyber deterrence and cyber response it creates an international tension and an atmosphere of insecurity. That might lead to the security-dilemma of the cyber space. If many countries are building cybercommand units, little is known about their capabilities and this only encourages other countries to catch-up and do the same. Uncertainty, secrecy and distrust seem to dominate international cyber relations (Cavelty, 2012: 15). Not only the rhetoric may have contributed to that but also actions by the US. Stuxnet virus has basically proven to be the creation of the US and Israeli intelligence and it sent a clear signal to the other states about what these two countries are capable of in terms of technological advancement. The fact that the virus code leaked and got dissected by many computer experts did not make the case any better. It allowed for not so advanced states to use the same code and attempt to try and create their own cyber weapon. US sent a loud message that they are prepared to use offensive cyber tools to achieve their foreign policy aims. Militarization of the cyber sector is just one side of the problem. The gap between perceptions and reality also has a negative effect on the cyber security concept itself..

2.4 Implications for the cyber security concept

A lot of problems related to the concept of cyber security come from its ambiguity. As mentioned earlier, cyber security is not the concept that fits easily in the well-established conceptual or theoretical Security Studies categories. To quote Hansen and Nissenbaum, cyber discourse moves seamlessly across distinctions normally deemed crucial to Security Studies: between individual and collective security, between public authorities and private institutions, and between economic and political-military security (Hansen and
31

Nissenbaum, 2009: 1161). The problem is not that cyber security can be an issue for the variety of units (individuals, states, societies), but that politicians, security experts and some academics use the term cyber security to describe entirely different problems. Cyber threats to individuals are vastly different from the threats to the states. The clarity of what is meant by cyber security must always be a priority when someone is making a speech or writing a report on the national security. Given that the concept of cyber security is at its early stage of development, a particular attention should be paid to avoid the confusion of the terms. Otherwise, not only there will be a blurry academic discourse and analysis, it will also lead to a bad policy decisions. The second source of ambiguity comes from the properties of the cyber securitization. The process of securitization always involves same two reflections the future and the past. To a degree all past securitizations utilized a projection of the future (e.g. environmental change scenarios to illustrate the importance of taking environmental security seriously), but, also, securitization always depends on the past as a reference that underscores the gravity of the situation (Hansen and Nissenbaum, 2009: 1164). In the case of nuclear war, Hiroshima and Nagasaki examples would be used to make an estimated projection of what an all-out nuclear war would mean. The problem is that cyber threats do not have the past catastrophes on which cyber security concept could be built. So far, there has been no large-scale cyber incident with the cascading effects that would leave a long lasting impact. Therefore, cyber sector securitization relied on the future projections of the cyber catastrophes. This is understandable because for the issue to become a part of the security debate and establish itself firmly in the broader context of security, some exaggeration is helpful. However, it can be argued that what started with the intention of a firmer securitization and claiming equal footing among the other security sectors, ended up being over-exaggerated concept, susceptible to the case for hyper-securitization. The ambiguity of the cyber sector lies at the very core of this dissertation main argument about the existing gap between the perception of cyber threats and the actual threat levels. Securitizing actors had no past examples to rely on when they started the process of cyber threat securitization. Because of that, securitizing actors relied on the future projections and possible dread scenarios. According to Ole Weaver, the use of the security label does not necessarily imply that a problem is a security problem, but rather it is a political choice, a decision for conceptualization in a special way (Weaver, 1995: 13). He maintains that we should not judge the securitization act as good or bad by itself, but we should look at the effects such political move creates (Weaver, 1995: 21). Applying this thought process to the cyber security concept, it should not be said that the cyber
32

securitization, based on exaggerated projections of the future itself, is a bad move. However, the effect it created is not a positive and, therefore, adjustments towards the understanding of the cyber security concept should be made. Besides the effects caused by the gap between the real cyber threats and the perceived ones that were discussed earlier (possible militarization of the sector, overall instability and distrust of the international cyber discourse) there are also negative effects on the understanding of the cyber security concept itself. Effectively, what has happened with the cyber security concept is due to the perceptions becoming the reality. This work showed that there is a clear gap between the actual threat level and the perceptions, but the effects of the securitization imply that either this gap is not visible to the other actors (or, using the Copenhagen Schools terminology, the audience) or it is totally ignored. Securitizing actors used a very powerful language to convince that cyber security should be a top priority and, if unattended, can lead to the extraordinary and cataclysmic disasters. They did that for various reasons but the most important point is that the audience was convinced of that rhetoric. When it comes to general population, they lack the sufficient information about the subject. The understanding of cyber threats requires at least basic technological knowledge but the majority of people do not have that. When it comes to other states and people in charge of formulating national security policies - it is different. They do not lack the information, but they are enforced to take it seriously because of the unstable nature of international relations and the security dilemma that arises from cyber sector. Existing cyber weaponry and cyber actions being unregulated and unsupervised by any authority puts major powers at a difficult strategic position. On one hand, they should clearly see that the traditional sectors of the economy and the military security should take priority over cyber security. On the other hand, they cannot take it lightly when the US high ranking officials and generals state that they need to review their cyber policy because they are losing the cyber war. No state wants to fall behind at the power game, and no state takes chances of not putting a lot of resources in the development of cyber capabilities. This way, the perception becomes the reality, when the US, being the leading superpower and the most advanced country in terms of cyber capabilities, talk about the possibility of cyber disasters and the need to focus on cyber security (usually this means an increased funding for the development of defensive and offensive capabilities) this causes other countries to react. Other states do not want to fall behind and they start developing those capabilities to the best of their abilities. This situation forms a loop where the dread scenario articulated by the US causes other states to increase their cyber capabilities making the initially unrealistic
33

scenario more probable. It appears that cyber sector, being a relatively new concept, suffers from the classic problems of security dilemma. After all, how real the threat is depends on whether or not it is perceived to be real, effectively blurring the two categories together. Cyber security suffers from it. The current situation does not provide a clear definitions and boundaries of the cyber security concept. If the government uses cyber security as a catch-all phrase to increase their ability to control (which is the aim of any government, consolidating the power and governing more effectively) that changes the understanding of the problem itself. Cyber security is more relevant when talking about the individual security. It manifests itself as a threat to privacy and the economic wellbeing of the populations. As showed in the first chapter of this work, cyber threats rarely cause insecurity for the state if the rigid definition of national security is used. However, the current understanding of cyber security implies that there is a looming possibility of cyber catastrophe. There is a lack of evidence to support statements like this, but if this tone of the rhetoric persists, the future ramifications of the cyber security will be deemed to be limited to the military-economical security discourse, while, clearly, at the moment the biggest issue is individual security and individuals need to feel safe in the cyber space.

34

Conclusion

Cyber security concept hinges on the cyber disaster scenarios (Hansen and Nissenbaum, 2009: 1164) and this is the main reason for the need to re-evaluate the cyber security discourse. The main problem is that the reliance on the disaster scenarios and the dread rhetoric do not match the actual threat levels that come from the cyber sector. There is a gap between the perception and the reality which causes unwanted consequences for the cyber security concept. The first chapter of this work deals with the question to what extent cyber threats can be a matter of national security. It can be said that only a limited amount of cyber threats directly undermine national security, a notable exception being Stuxnet - the cyber weapon developed by the US and Israel and used against Irans nuclear facilities. The vast majority of the threats causes economic damage for the business and the loss of intellectual property and, therefore, is a matter of individual security rather than state security. Because of that, most of the time national security rhetoric should be used very sparingly, only when talking about a particular cyber threats that may cause substantial physical damage for the state. Nonetheless, the second chapter points out that there is a mismatch between the cyber threat levels to national security and the way politicians, security experts and military officials talk about it. This mismatch creates a gap and leads to the understanding that all cyber threats should be considered in the context of national security. In practice, this means invoking military solutions and increasing funding for various offensive and defensive measures. That is not the optimal approach. When it comes to the cyber security, military solutions should be used only for a limited amount of threats. This is the main reason for the re-evaluation of the cyber discourse. Cyber security is more relevant when talking about the rights of individuals. Economic security, intellectual property and the rights to maintain privacy in the cyber realm are the issues that can be easily undermined if the public discourse of cyber security is fixated on national security and the constant warnings about the upcoming cyber Pearl Harbours. The most sensible approach to this problem may be the movement towards the desecuritization of the cyber discourse. The majority of the threats that come through cyber
35

sector are not the threats to national security. Those threats can be managed using standard political system. In most cases day-to-day politics is more than sufficient to implement the changes required for the increased security in the cyber space. There is no need to push the matter further as it does not require emergency actions that are beyond standard political procedures. Moving cyber security from securitized to politized category would be beneficial to the understanding of the cyber security concept itself and would subsequently lead to a better policy solutions. It does not mean that politicians should disregard cyber threats that can undermine national security and only focus on those that are more relevant to individuals; rather, it means that national security should be invoked only in limited selection of cases. Securitizing actors should understand that the exaggerated rhetoric that they use is not helpful for overall stability and security of the cyber sector.

36

Bibliography
Albright, D., Brannan, P. and Walrond, C. (2010) Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?, Institute for Science and International Security, Washington, DC, Available at: <http://isis-online.org/uploads/isis-reports/documents/stuxnet_FEP_22Dec2010.pdf> [Accessed on 6 September 2012]. Anderson, N. (2007) Massive DDoS attacks targets Estonia; Russia accused, Arstechnica.com, [online] Available at: <http://arstechnica.com/security/2007/05/massiveddos-attacks-target-estonia-russia-accused/> [Accessed on 6 September 2012]. Arquilla, J. (2003) Interview in PBS Frontline, [online] Available at: <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/arquilla.html> [Accessed on 6 September 2012]. Arquilla, J. and Ronfeldt, D. (1993) Cyberwar is Coming!, in J. Arquilla and D. Ronfeldt (eds), In Athenas Camp: Preparing for Conflict in the Information Age, RAND Corporation, pp. 23-60. Assange, J. (2006) The Curious Origins of Political Hacktivism, Counter Punch, [online] Available at: <http://www.counterpunch.org/2006/11/25/the-curious-origins-of-politicalhacktivism/> [Accessed on 6 September 2012]. BBC News, (2007) Estonia hit by Moscow cyber war, [online] Available at: <http://news.bbc.co.uk/1/hi/world/europe/6665145.stm> [Accessed on 12 July 2012]. Benkler, Y. (2012) Hacks of Valor: Why Anonymous Is Not a Threat to National Security, Foreign Affairs, April 4. Blomfield, A. (2007) Estonia Calls for Nato Cyber-terrorism strategy, The Telegraph, [online] Available at: <http://www.telegraph.co.uk/news/worldnews/1551963/Estonia-callsfor-Nato-cyber-terrorism-strategy.html> [Accessed on 12 July 2012]. Bright, A. (2007) Estonia accuses Russia of cyberattack, The Christian Science Monitor, [online] Available at: <http://www.csmonitor.com/2007/0517/p99s01-duts.html> [Accessed on 6 September 2012]. Brown, G. et al. (2006) Defending critical infrastructure, Interfaces, 36 (6): 530-544. Bruce Schneier: The Security Mirage (2010) [video] TED, [online] Available at: <http://www.ted.com/talks/bruce_schneier.html> [Accessed on 6 September 2012].
37

Bush, G. W. (2003) in The National Strategy to Secure Cyberspace, U. S. government via Department of Homeland Security. Buzan, B. (1991), People, states and fear : an agenda for international security studies in the post-cold war era, Harlow: Pearson Educ. Buzan, B. (2005) American Exceptionalism, Unipolarity and September 11: Understanding the Behaviour of the Sole Superpower, International Review, 38. Buzan, B., Wver, O. and Wilde, J. (1998) Security: a new framework for analysis, Boulder, Colo: Lynne Rienner Pub. Carr, J. (2012) Inside Cyber Warfare, Sebastopol: OReilly Media. Cavelty, M. D. (2007a) Critical Information Infrastructure: Vulnerabilities, Threats and Responses, UNIDIR Disarmament Forum, 7: 15-22. Cavelty, M. D. (2012) Cyber-security, forthcoming in A. Collins (ed.) Contemporary Security Studies, Oxford University Press. Cavelty, M. D., Mauer, V. and Hensel, S. (eds.) (2007b) Power and Security in the Information Age: Investigating the Role of State in Cyberspace, Aldershot: Ashgate. Cha, A. and Nakashima, E. (2010) Google China Cyberattack Part of Vast Espionage Campaign, Experts Say, The Washington Post, [online] Available at: <http://www.washingtonpost.com/wpdyn/content/article/2010/01/13/AR2010011300359.html?sid=ST2010011300360> [Accessed on 6 September 2012]. Clarke, R. and Knake, R. (2010) Cyber War: The Next Threat to National Security and What to Do About It, New York: Ecco Press. Herley, C. and Florencio, D. (2008), A Profitless Endeavor: Phishing as Tragedy of the Commons, New Security Paradigms Workshop, Redmond, WA: Association for Computing Machinery, Inc. Computer Economics (2007) Annual Worldwide Economic Damages from Malware Exceed $13 Billion, [online] Available at: <http://www.computereconomics.com/article.cfm? id=1225> [Accessed on 9 September 2012] . Corbin, K. (2012) Security Experts Warn of Cyber Threats From Iran, CIO, [online] Available at: <http://www.cio.com/article/705173/Security_Experts_Warn_of_Cyber_Threats_From_Ira n_> [Accessed on 12 July 2012].
38

CSIS Commision on Cybersecurity for the 44th Presidency, (2008) Securing Cyberspace for the 44th Presidency, Center for Strategic and International Studies, Washington, DC. Dacey, R. and Hite, R. (2003) Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues, Testimony Before the Committee on Government Reform, House of Representatives, United States General Accounting Office, [online] Available at:<http://www.gao.gov/new.items/d03715t.pdf> [Accessed on 6 September 2012]. Dickinson, E. (2011) The First WikiLeaks Revolution?, Foreign Policy, [online] Available at:<http://wikileaks.foreignpolicy.com/posts/2011/01/13/wikileaks_and_the_tunisia_protest s> [Accessed on 6 September 2012]. Emmers, R. (2009) Securitization, in Collins A. (ed.) Contemporary Security Studies, New York: Oxford University Press. Ferran, L. (2011) Iran to U.S., Israel: Bring On the Cyber War, abcnews, [online] Available at: <http://abcnews.go.com/Blotter/iran-us-israel-bring-cyber-war/story? id=14255216#.UEz1beVmyZd> [Accessed on 3 September 2012]. Gartner press release (2011) Gartner Says Less Than Half of Security Software Market Belongs to Top Five Vendors, [online] Available at: <http://www.gartner.com/it/page.jsp? id=1752714> [Accessed on 6 September 2012]. Gellman, B. (2002) Cyber-Attacks by Al Qaeda Feared: Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say, Washington Post. Google Official Blog (2010), A New Approach to China, [online] Available at: <http://googleblog.blogspot.co.uk/2010/01/new-approach-to-china.html> [Accessed on 6 September 2012]. Granick, J. (2009) Federal Authority Over the Internet? The Cybersecurity Act of 2009, Electronic Frontier Foundation, [online] Available at: <https://www.eff.org/deeplinks/2009/04/cybersecurity-act> [Accessed on 3 September 2012]. Greenberg, A. (2011) LulzSec Says Goodbye, Dumping NATO, AT&T, Gamer Data, Forbes, [online] Available at:<http://www.forbes.com/sites/andygreenberg/2011/06/25/lulzsec-says-goodbyedumping-nato-att-gamer-data/> [Accessed on 6 September 2012]. Hansen, L., Nissenbaum, H. (2009), Digital Disaster, Cyber Security, and the Copenhagen School, International Studies Quarterly, 53, 1155-1175.
39

Hare, F. (2009) Borders in Cyberspace: Can Sovereignty Adapt to the Challenges of Cyber Security? in Czosseck, C., Geers, K. (eds.) The Virtual Battlefield: Perspectives on Cyber Warfare, IOS Press. Hare, F. (2010) The cyber threat to national security: why cant we agree? in Czosseck, C., Podins, K. (eds.) Conference on Cyber Conflict. Proceedings 2010, Tallinn, Estonia: CCD COE Publications. Harmon, A. (1998) Hacktivists of All Persuasions Take Their Struggle to the Web, The New York Times, [online] Available at: <http://www.nytimes.com/library/tech/98/10/biztech/articles/31hack.html> [Accessed on 6 September 2012]. Hodge, N. (2010) Pentagon Networks Targeted by Hundreds of Thousands of Probes (Whatever That Means), Wired.com, [online] Available at: <http://www.wired.com/dangerroom/2010/04/pentagon-networks-targeted-by-hundreds-ofthousands-of-probes/> [Accessed on 6 September 2012]. Hutchinson, W. (2006) Information Warfare and Deception, Information Science, 9: 213223. Information Warfare Monitor (2009) Tracking Ghostnet : Investigating a Cyber Espionage Network, [online] Available at: <http://www.scribd.com/doc/13731776/Tracking-GhostNetInvestigating-a-Cyber-Espionage-Network> [Accessed on 6 September 2012]. Jae, M. (2011) North Koreas Powerful Cyber Warfare Capabilities, DailyNK, [online] Available at: <http://www.dailynk.com/english/read.php?cataId=nk00400&num=7647.> [Accessed on 3 September 2012]. Janczewski, L. and Colarik, A. (2008) Cyber Warfare and Cyber Terrorism, Hershey, New York: Information Science Reference. Jordan, T. and Taylor, P. (2004) Hacktivism and Cyberwars: Rebels with a Cause?, New York: Routledge Publishing. Kakutani, M. (2010) The Attack Coming From Bytes, Not Bombs, The New York Times, [online] Available at: <http://www.nytimes.com/2010/04/27/books/27book.html? pagewanted=all> [Accessed on 6 September 2012]. Kaspersky Lab (2010) Kaspersky Lab Provides Its Insights on Stuxnet Worm, Available at: <http://www.kaspersky.com/about/news/virus/2010/Kaspersky_Lab_provides_its_insights_ on_Stuxnet_worm> [Accessed on 6 September 2012]. Keohane, R. and Nye, J. (1998) Power and Interdependence in the Information Age, Foreign Affairs, 5 (77): 81-94.
40

Landler, M. and Markoff, J. (2007) In Estonia, What May Be the First War in Cyberspace, The New York Times, [online] Available at: <http://www.nytimes.com/2007/05/28/business/worldbusiness/28ihtcyberwar.4.5901141.html?pagewanted=all> [Accessed on 12 July 2012]. Libicki, M. (2009) Cyberdeterrence and Cyberwar, RAND Corporation. Ludlow, P. (2010) WikiLeaks and Hacktivist Culture, The Nation, pp. 25-26. Manion, M. and Goodrum, A. (2000) Terrorism or Civil Disobedience: Toward a Hacktivist Ethic, Computers and Society, 30 (2): 14-19. McConnel, M. (2010) Mike McConnel on How to Win the Cyber-war Were Losing, The Washington Post, [online] Available at: <http://www.washingtonpost.com/wpdyn/content/article/2010/02/25/AR2010022502493_pf.html> [Accessed on 12 July 2012] Messmer, E. (2012) Stuxnet cyberattack by US a 'destabilizing and dangerous' course of action, security expert Bruce Schneier says, Networkworld, [online] Available at: <http://www.networkworld.com/news/2012/061812-schneier-260303.html> [Accessed on 6 September 2012]. Moncada, C. (2008) Organizers Tout Scientology Protest, Plan Another, The Suncoast News, [online] Available at: <http://www2.suncoastnews.com/news/news/2008/feb/12/organizers-tout-scientologyprotest-plan-another-ar-371484/> [Accessed on 6 September 2012]. Mulrine, A. (2011) CIA chief Leon Panetta: The Next Pearl Harbor Could Be a Cyberattack, The Christian Science Monitor, [online] Available at: <http://www.csmonitor.com/USA/Military/2011/0609/CIA-chief-Leon-Panetta-The-nextPearl-Harbor-could-be-a-cyberattack> [Accessed on 6 September 2012]. Murchu, L. (2010) Stuxnet Using Three Additional Zero-Day Vulnerabilities, Symantec Official Blog, [online] Available at: <http://www.symantec.com/connect/blogs/stuxnetusing-three-additional-zero-day-vulnerabilities> [Accessed on 6 September 2012]. Nash, T. (2005) An Undirected Attack Against Critical Infrastructure: A Case Study for Improving Your Control System Security, US-CERT Control Systems Security Center, Lawrence Livermore National Laboratory, [online] Available at: <http://www.uscert.gov/control_systems/pdf/undirected_attack0905.pdf> [Accessed on 9 September 2012]. Obama, B. (2009) Remarks by the President on Securing Our Nations Cyber Infrastructure, The White House, Office of the Press Secretary. Available at: <http://www.whitehouse.gov/video/President-Obama-on-Cybersecurity#transcript> [Accessed on 12 July 2012].
41

Obama, B. (2012) Taking the Cyberattack Threat Seriously, The Wall Street Journal, [online] Available at: <http://online.wsj.com/article/SB10000872396390444330904577535492693044650.html> [Accessed on 3 September 2012]. Pauli, D. (2010) PayPal Suffers DoS for Spurning Wikileaks , ZDNET, [online] Available at: <http://www.zdnet.com/paypal-suffers-dos-for-spurning-wikileaks-1339307771/> [Accessed on 6 September 2012]. Posner, G. (2010) Chinas Secret Cyberterrorism, The Daily Beast, [online] Available at: <http://www.thedailybeast.com/articles/2010/01/13/chinas-secret-cyber-terrorism.html> [Accessed on 9 September 2012]. Presidents Commission on Critical Infrastructure Protection (1997) Critical Foundations: Protecting Americas Infrastructures, Washington, DC. Rockefeller, J. and O. Snowe (2010) Now Is the Time to Prepare for Cyberwar, The Wall Street Journal, [online] Available at:<http://online.wsj.com/article/SB10001424052702303960604575157703702712526.html > [Accessed on 3 September 2012]. Sanger, D. (2012) Obama Order Sped Up Wave of Cyberattacks Against Iran, The New York Times, [online] Available at: <http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-ofcyberattacks-against-iran.html?pagewanted=all> [Accessed on 6 September 2012]. Shachtman, N. (2010) Top Officer Fears Cyberwar, Hearts Karzai, Tweets With Help, Wired.com, [online] Available at: <http://www.wired.com/dangerroom/2010/04/top-officerfears-cyberwar-hearts-karzai-tweets-with-help/> [Accessed on 6 September 2012]. Shane, S. and Lehren, A. (2010) Leaked Cables Offer Raw Look at U.S. Dimplomacy, The New York Times, [online] Available at: <http://www.nytimes.com/2010/11/29/world/29cables.html?_r=3&bl> [Accessed on 6 September 2012]. Shearer, J. (2010) W32. Stuxnet, Symantec.com, [online] Available at: <http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99> [Accessed on 6 September 2012]. Siroli, G. P. (2006) Strategic Information Warfare: An Introduction, in E. Halpin, P. Trevorrow, D. Webb, S. Wright (eds.), Cyberwar, Netwar and the Revolution in Military Affairs, Houndmills: Palgrave Macmillan, pp. 32-48.

42

Sommer, P. and Brown, I. (2011) Reducing Systemic Cybersecurity Risk, Organisation for Economic Cooperation and Development, [online] Available at: <http://ssrn.com/abstract=1743384> [Accessed on 6 September 2012]. The National Strategy to Secure Cyberspace (2003), Washington, DC, Available at: <http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf> [Accessed on 12 July 2012]. The White House, (2009) Cyberspace Policy Review: Assuring a Trusting and Resilient Information and Communications Infrastructure, Washington, DC, Available at: <http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf> [Accessed on 9 September 2012]. Thornburgh, N. (2005) Inside the Chinese Hack Attack, Time, [online] Available at: <http://www.time.com/time/nation/article/0,8599,1098371,00.html> [Accessed on 6 September 2012]. TorrentFreak (2010) 4chan DDoS Takes Down MPAA and Anti-Piracy Websites, [online] Available at:<http://torrentfreak.com/4chan-ddos-takes-down-mpaa-and-anti-piracywebsites-100918/> [Accessed on 6 September 2012]. Traynor, I. (2007) Russia Accused of Unleashing Cyberwar to Disable Estonia, The Guardian, [online] Available at: <http://www.guardian.co.uk/world/2007/may/17/topstories3.russia> [Accessed on 12 July 2012]. Ullman, R. (1983), Redefining Security, International Security, 8 (1): 129-53. United States Cyber Consequences Unit (2009) Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008, Available at: <http://www.registan.net/wpcontent/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf> [Accessed on 6 September 2012]. Wver, O. (1995), Securitization and Desecuritization, in Lipschutz R. (ed.) On Security, New York: Columbia University Press. Wagenseil, P. (2011) Anonymous hacktivists attack Egyptian websites, NBCNEWS.COM, [online] Available at:<http://www.msnbc.msn.com/id/41280813/ns/technology_and_sciencesecurity/t/anonymous-hacktivists-attack-egyptian-websites/#.UBl1Ip1lSZc> [Accessed on 6 September 2012]. Weimann, G. (2004) Cyberterrorism: How Real Is the Threat?, United States Institute Of Peace, Washington, DC, Available at: <http://www.usip.org/publications/cyberterrorismhow-real-threat> [Accessed on 6 September 2012].
43

Wilson, D. (2012) Obama Mulling Executive Order to Get Cybersecurity Act of 2012 Passed?, ZeroPaid, [online] Available at: <http://www.zeropaid.com/news/101960/obamamulling-executive-order-get-cybersecurity-act-2012-passed/> [Accessed on 3 September 2012]. Wolfers, A. (1962) National Security as an Ambiguous Symbol, Discord and Collaboration. Essays on International Politics, John Hopkins University Press: Baltimore, pp. 147-165. Zetter, K. (2010) Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target, Wired.com, [online] Available at: <http://www.wired.com/threatlevel/2010/09/stuxnet/> [Accessed on 6 September 2012].

44