From Interstate - Journal of International Affairs VOL. 2015/2016 NO. 2
The Internet as a Slippery Object of State Security: The Problem of Physical Border Insensitivity, Anonymity and Global Interconnectedness
IN THIS ARTICLE
Cybersecurity is presented in the growing literature on the subject as an essentially "slippery" object for state security.1 The Internet puts a lot of stress on the conventional conception of state security as the insurance of the state's survival in the international realm. In addition, cybersecurity supposedly leads to a reconfiguration of state security which must be apprehended through new paradigms. In this article we establish a typology of the main arguments found in cybersecurity discourses that emphasize fundamental differences between cybersecurity and more conventional factors of state security in international relations. This will be complemented by discussing the effects of these discourses on the sovereignty-focused framework through which state security has been traditionally conceived. Moreover, we will point to some potential consequences of these paradigmatic mutations on the national/international security nexus.
We identify three important factors underlying the "slippery" character of the Internet as an object of state security: the problem of physical border insensitivity, anonymity and global interconnectedness. These three categories constitute the core issues which systematically come up in descriptions of particular cyber-threats. They form the central thread behind a seemingly fragmented enumeration of threat narratives, ranging from cyber-terrorism, cyber-hacktivism, cyber-criminality and so on.
I: The Problem of Physical Border Insensitivity
The insensitivity of Internet flows to physical frontiers undermines a whole tradition of border-based state security, i.e. what Foucault calls the "state of territoriality"; the aim of which is to keep enemies at distance out of the ring-fenced sovereign territory.2 The Internet erodes the relevance and protective value of physical borders and distance. It allows for an aggressor to carry out attacks which undermine state sovereignty without ever being present on the attacked nation's territory. The standard example is the 2010 Stuxnet attack on an Iranian nuclear power plant. The attacker was able to deliver a serious blow to Iran's sovereignty by weakening its ability to be energetically self-sufficient and, in case the uranium treated in the plant was indeed destined for military purposes, by impairing its military capacity for territorial defense from a distance.
Moreover, a growing consensus seems to be emerging among cybersecurity experts and government agencies on the limited protective effect of reproducing the traditional border logic on cyberspace to protect key networks such as military or governmental information systems. A 2008 report on the state of cybersecurity R&D published by the French Central Direction for the Security of Information Systems points out that the delimitation of "protection perimeters" through the use of technical tools such as filters or firewalls seems to be less and less effective to prevent cyber-attacks.3 This is due to the great diversity of "hidden channels" available for an attacker to reach his target and to the "semantic richness of authorized flux" which makes it difficult to filter out the bad from the good.4
Rather than reproducing a logic of security aimed at keeping threats at a distance, the report advocates the re-enforcement of network resilience as well as the development of cyber-profiling measures designed to compare the degree of difference between particular flux and a model of "normal" flux behavior.5 Thus, cybersecurity tends to invert traditional state security mechanisms in the realm of international relations. Openness, i.e. acknowledging the irrelevance of territory emerges as the norm, while bordering, at least in its traditional sense of drawing out fixed lines between an outside and an inside, becomes the exception.
II: The Problem of Anonymity
The problem of anonymity on the Internet undermines another great foundation of state security: the division between friends and enemies in the international system. Enemies can be defined as such because malevolent acts or intentions can be, rightly or not, attributed to them. The Internet replaces attribution with speculation. Of all the cyber-attacks usually described in the literature, the 2007 cyber-attacks against Estonia, the 2010 Stuxnet attack or the 2013 attacks against various American newspapers, not one was linked with a 100 % certainty to any specific state or even any particular actor.
The difficulties that this absence of attribution causes for security actors have been widely covered in the existing cybersecurity literature.6 Therefore, we choose a different angle to look at the conflict between anonymity on the Internet and state security in the realm of international relations. While traditionalist and realist literature on security tends to see the sphere of international relations as autonomous and separated from domestic security, certain critical accounts of security practices have studied the use of international security issues to legitimize internal security dynamics and social control.7 Thus, referring to the international order, to a sphere of potentially inimical forces, has been at the core of the provision of "ontological security" by the modern state.8
Ontological security refers to how security practices generate a certain type of political and social order.9 Hence, the modern state has progressively displaced traditional hierarchies such as the church by mediating between the daily life of its citizens and their anguish of violent death.10 To put it simply, until the end of the Cold War, hostile states incarnated the main figure of the enemy and internal subversive movements or suspicious social groups were very often framed as agents of foreign powers. States can be easily denounced and/or constructed as inimical by the state and recognized as such by the population. The state can thereby assume the role of protector against its designated enemies and generate an impression of certainty among national citizens.11
The absence of certainty concerning the nature of malevolent actors on the Internet puts stress on the national state's function of generating "ontological security". We argue that the diverging assessments of the successful/ unsuccessful outcomes of cyber-threat securitizations show the uncertainty prevalent among academics and cybersecurity practitioners as to whether the alleged danger of cyber-threats is as easily understood by the general public as the "great danger" of the Soviet-Union during the Cold War, "roguestates" in the 1990s and 2000s or even "terrorists" today.12
The militarization of cybersecurity currently taking place in the US, i.e. the tendency to regard cyber-attacks as potential acts of war, combined with the use of historically pregnant war metaphors such as "cyber-Pearl Harbor", can be interpreted as an attempt to make cybersecurity more intelligible to public opinion by framing it through the familiar friend/enemy distinction which still constitutes a core paradigm of international relations and its mainstream interpretations. However, the plain fact that no cyber-attack until this day has caused as much damage as any act of physical warfare makes us cast doubt on the US' capacity to render credible its cyber-war/ "real war" comparison. The absence of violent death in cybersecurity matters appears to have left the general public indifferent to the "great menace" of cyberthreats.
III: The Problem of Interconnectedness and its Impact on the State as a Primary Referent-Object of Security in International Relations
Whereas anonymity poses the question of who the enemy is or what the threats are, another problem for state security posed by cybersecurity discourses is designating the actual referent-object of cybersecurity. Hence, it appears that due to the global interconnectedness of networks which transcends the distinction between national/international as well as public/private spheres, the state can hardly be isolated as a separate referentobject of security anymore. Although one has to be wary of technologicaldeterministic views which isolate "global interconnectedness" as a selfgoverning force which unilaterally changes (inter)national security configurations, the massive extension of the Internet does constitute a major condition of possibility of contemporary security mutations.13
Not only do states heavily rely on private networks but "vital infrastructures" also depend on the latter. This state of interconnectedness is used to feed a rhetoric of "cascading effects" of cyber-threats and attacks; a rhetoric that now tends to replace the traditional state-centered notion of security.14 Hansen and Nissenbaum conclude their analysis of cybersecurity discourses by pointing out that: "academic and policy discourse articulates in sum a wide array of threats to government, business, individuals, and society as a whole perpetuated by hackers, criminals, terrorists, commercial organizations, and nations that adopt cyber strategies for financial, ideological, political, or military gain".15 This new trend in state-security discourses has four major consequences for international relations.
Firstly, the mutual dependency of states and societies on global computer networks legitimizes and accelerates a de-differentiation between security realms: between cyber-terrorism and cyber-crime, between cyber-war and cyber-(h)ac(k)tivism, between the police and the military field. This generates fundamental uncertainty among states as to the best way of dealing with cybersecurity. The projection of traditional and often aggressive
national and military vocabularies on cybersecurity by the US can be interpreted as a potential solution to this problem. However, we argue that such a framing of cybersecurity does not necessarily indicate the dominant direction cybersecurity will take in the coming years but should rather be regarded as one type of discourse competing with others emanating from different actors.16 For example, the International Telecommunications Union emphasizes the need for greater transnational cooperation in terms of cybersecurity generated by global interconnectedness.17
Secondly, rather than undermining the realist association between sovereignty and security, cybersecurity reconfigures it. Indeed, the language of sovereignty is still very strong in cybersecurity discourses and has actually been reinforced with the recrudescence of alleged state-based cyberattacks in the last few years. The 2013 French White Paper on Defense (FWPD) clearly illustrates this: "The capacity to (...) protect ourselves against cyber attacks (...) has become an element of national sovereignty".18 However, sovereignty cannot be understood anymore as a mere attribute of the state which is somehow spatially "contained" in an envelope of physical borders.
Instead, a new post-territorial notion of sovereignty which "is more ambiguously located than in traditional national-military security" emerges from cybersecurity discourses.19 This enhanced notion of sovereignty articulates national security together with the need to protect national economic interests allegedly menaced by cyber-threats as well as with the necessity to preserve the competitiveness of national companies which provide the infrastructure and tools of cybersecurity. Although sovereignty has always been used to legitimize the advancement of the economic interests of national ruling classes at the international level, the language of sovereignty and economics were formally two separate semantic spheres. Thus, the reference to global interconnectedness seems to be a powerful discursive move to bridge the two narrative fields.
Thirdly, cybersecurity generates new forms of international tensions which cannot be reduced to the traditional conflictual logics and security dilemmas which are usually associated with states' supposedly "eternal" quest for security.20 The adoption by a state of a particular type of cybersecurity grammars and practices can potentially contradict other cybersecurity objectives of the same state or other states. A major distinction can be made between types of cybersecurity narratives based on Deibert's differentiation between risks to cyberspace i.e. "risks to the physical realm of computer and communication technologies" and risks through cyberspace i.e. "risks that arise from cyberspace and are facilitated or generated by its technologies, but do not directly target the infrastructures per se".21 These two risks categories are related to a specific national/international dialectic. Thus, there seems to be a "robust international consensus, growing communities of practice, and an emerging normative regime around risks to cyberspace" taking the form, for instance, of the ITU's Global Cybersecurity Agenda framework which provides an inter-governmental platform to discuss cybersecurity issues.22
However, the monitoring, filtering of networks and censoring of content by certain states for various reasons, often pertaining to national security as in China's Golden Shield Program, can be potentially detrimental to the objective of a functioning and free-flowing global network put forward by cybersecurity, understood as security of the networks.23 Although Deibert's dichotomy constitutes a good starting point to understand the complex relationship between cybersecurity, the national and the international level and how cybersecurity differentiates itself from more conventional state security factors, we argue that it needs to be refined. Indeed, Deibert's dichotomy tends to presume a natural association between, on the one hand, technical aspects with the international level and, on the other hand, political considerations with the national level.
However, the seemingly "strictly" technical issue of defining threats to cyberspace can be just as political as threats from cyberspace and re-framed in the language of national sovereignty. This can happen for example when certain foreign-made technical devices essential for the proper functioning of networks such as routers are presented as national cybersecurity threats. In the French Senatorial Report on Cyber defense of July 18, 2012 the need for a European ban of Chinese fabricated routers was advocated because of the supposed presence of "back-doors" and spying tools. It called for their replacement by European-made equipment.24 Two conclusions on the state security/cybersecurity/ international relations nexus can be drawn from this example: 1) Global interconnectedness does not erode national state security considerations. Technology itself does not automatically generate a new "global" form of security. 2) Cybersecurity relocates national security issues in new domains and therefore requires state security to be viewed through other lenses than the perspective of war or other types of violent confrontations.
Finally, a fundamental paradigmatic change pertaining to the status of the state in international relations seems to be emerging from within cybersecurity discourses. Since the construction of the Westphalian order, state elites have always referred to the state as the primary referent-object of security in the realm of (western) international relations. The justification for the prioritization of state security has rested on the assumption that the state is the principal defender of the sovereign territory's integrity, the guarantor of "national unity" and the main protector of "societies" envisaged as "national communities". In this traditional paradigm, sub-fields of security such as the security of populations have tended to be considered as derivative of state security; as secondary issues.25 Cybersecurity tends to erode this hierarchisation of security. Indeed, if state security is increasingly dependent on the proper functioning of predominantly private networks and if global interconnectedness fogs the distinction between state and private security, then the security of networks itself become the ultimate referent object of security from which state security derives.
This development seems paradoxical because the Internet was built upon research conducted by the RAND Corporation and the United States Department of Defense Advanced Research Projects Agency (DARPA) in the 1960s which sought to make military communication systems more resilient in the face of a nuclear attack (i.e. to reinforce the state's independence and status as the primary unit of survival).26 As long as the Internet was restricted to exclusive military and academic circles, cybersecurity wasn't an issue in international relations. This changed with the massification of the Internet in the 1990s. Security shifts here from the defense of the state per se to the protection of flux circulation and networks. Although, as pointed out above, the Internet as such does not automatically engender transnational security dynamics, the objective of ensuring the circulation of information flow and sorting out between "good" and "bad" flux requires a full degree of transnational cooperation to be truly effective.27 Hence, a tension arises between the necessity to secure the networks of global capitalist flux circulation and an international order still composed of sovereign and potentially rival states defending their national bourgeoisies and which are still greatly influenced by "traditional" and realist-type security paradigms.Continued on Next Page »