This is a book that deserves to get much more attention in this country. Cyber-Security and Threat Politics: US efforts to secure the information age by Myriam Dunn Cavelty provides a valuable historical and analytical perspective on the debate over cyber-security in the U.S. Whereas the American discourse is dominated by techno-centric approaches that are maddeningly innocent of politics and institutions, Cavelty links the cyber debate to securitization theory in political science.
In this approach, what matters is how the threat is defined, how and when did a particular understanding of the threat gain acceptance and prominence, who promoted it, and what are its implications for policy and actions? Cavelty traces cyber-security discourses back to the mid-1980s. She shows how various factions in the professional community involved in national security compete over the definition and interpretation of threats, as an extension of their bureaucratic turf wars. At some point, one of these threat frames emerges as dominant: i.e., its diagnosis and prescriptive recommendations achieve acceptance by security professionals and top-level decision makers.
After recounting the early efforts to analyze and respond to the threats and vulnerabilities associated with computers and networks, Cavelty claims that the “threat frame” solidified and reached its contemporary state during the second Clinton administration. The 1997 report of the President’s Commission on Critical Infrastructure Protection (PCCIP) articulated a vision of a vulnerable information infrastructure that could be brought down by terrorists or foreign enemies and/or used to threaten energy and financial systems. The identification of the enemy in this threat frame was vague and anecdotal – it included mainly terrorists both domestic and foreign, initially, but also other nation-states. This threat frame recognized that the infrastructure was mostly privately owned and operated, and thus required a public-private partnership to respond rather than a standard military retailiation. According to Cavelty, “the PCCIP threat frame successfully amalgamated a number of issues that had been floating around in the security debate, such as terrorism, critical infrastructures, asymmetric vulnerabilities, and cyber-threats.”
Cavelty offers some important insights about the political, legal and economic implications of this definition of the threat. She alludes to the fact that what is designated as a “critical infrastructure” cannot easily be bounded and has a tendency to expand uncontrollably. She notes that “the introduction of numerous non-state enemies as threat subjects dissolves the distinction between internal and external threats. The threatened system was broadened from government networks and computers to the entire society.” She concludes: “Thus, the prevailing threat frame is very vague, both in terms of what or who is seen as the threat, and of what or who is being seen as threatened.” This has implications for policy and institutions. “Due to their very diffuse nature, these threats defy traditional security institutions and make it difficult to rely on a counterstrategy based on retaliation. Further, because the ownership, operation and supply of the critical systems are largely in the hands of the private sector, the distinction between the private and public spheres of action is dissolved.” (p. 132) Unstated but tacit in this analysis is an interesting and rather scary polarity: either the internet and our information infrastructure become militarized, ICTs are regulated as if they were weapons, and we live in a 24/7 national security state; or unspecified innovations take place in the institutionalized production of security. As she puts it, “Cyber-threat politics take place in a security environment that is [now] governed by the notion of risk management rather than traditional security practices, and the strategies and policies pursued to secure the information space change the role of government in providing security; providing security inside a society is not the same as on the outside…” (p. 140) “…the tasks of the ‘agents of security’ have changed, as those traditionally concerned with security inside the state are increasingly involved in issues of ‘international’ security and vice versa.” (p. 141)
As a grimly amusing side story, the book describes how, prior to the 9/11 attacks, cyber incidents start to be regarded as literally as potentially threatening and destructive as nuclear war. So seduced were the national security professionals by the cyber-threat that they were surprised that the big terrorist attack on the US in September 2001 came from airplanes and not from the Internet (p. 103). One national security official, Marcus Sachs, is quoted as saying “we were very shocked in the federal government that the [9/11] attack didn’t come from cyberspace.” According to Cavelty, Bush admin policy toward cybersecurity is not fundamentally different from Clinton’s. If anything, cyber-threats were de-emphasized relative to physical security during the Bush terms.
One weakness of this book (one that the author cannot really be blamed for) is its lack of currency. It seems as if the research behind this book ended in mid-2007 at the latest. Since then, the level of prominence afforded cybersecurity has skyrocketed. It would be interesting to know whether Cavelty thinks the cyber security issue has been re-framed or modified in significant ways in the post-Estonia/Georgia, Obama Administration world. Of great interest in this regard is the blue-ribbon Commission on Cybersecurity behind the Center for Strategic and International Studies (CSIS) report for the 44th Presidency and the direct pipeline that seems to exist between the CSIS recommendations, the Rockefeller-Snowe law and the Obama speech on cybersecurity. For those of us watching the melding of national security and cybersecurity over the past few years, it sure feels as if a major reframing has taken place and that the issue is far more prominent than it was in the Bush years. Indeed, much of the current activity has is premised on the belief that the Bush administration’s 2003 strategy to secure cyberspace was somehow inadequate and too “laissez faire”. On the other hand, however, it is not clear whether any substantive differences exist in either the diagnostic or prognostic threat frames at work. We still hear vague and not well grounded discussions of how unspecified terrorist groups or nation states might use the information infrastructures to cripple society by disabling “critical infrastructures.” A blurred line between civilian and military threats and infrastructures is still a major feature of this understanding of the way to respond to threats.