
Cyber-Terror Looming Threat or Phantom Menace?

The Framing of the US Cyber-Threat Debate


Myriam Dunn Cavelty

ABSTRACT. For some years, experts and government officials have warned of cyber-terrorism as a looming threat to national security. However, if we define cyber-terror as an attack or series of attacks that is carried out by terrorists, that instills fear by effects that are destructive or disruptive, and that has a political, religious, or ideological motivation, then none of the disruptive cyber-incidents of the last years qualify as examples of cyber-terrorism. So why has this fear been so persistent? Instead of trying to answer how long cyber-terror is likely to remain a fictional scenario, this paper analyzes the US cyber-terror discourse from a constructivist security studies angle: It looks at how cyber-threats in general, and cyber-terror in particular are framed, and speculates on characteristics that are responsible for the rapid and considerable political impact of the widespread conceptualization of aspects of information technology as a security problem in the 1990s.
doi:10.1300/J516v04n01_03 [Article copies available for a fee from The Haworth Document Delivery Service: 1-800-HAWORTH. E-mail address: <docdelivery@haworthpress.com> Website: <http://www.HaworthPress.com> © 2007 by The Haworth Press. All rights reserved.]

KEYWORDS. Cyber-terrorism, security studies, threat framing, information infrastructure

Myriam Dunn Cavelty, PhD, is Head of the New Risks Research Unit, Center for Security Studies (CSS), ETH Zurich, Switzerland; Coordinator of the Crisis and Risk Network (CRN), a Swiss-Swedish Internet and workshop initiative for international dialog on national-level security risks and vulnerabilities; and Lecturer at the University of Zurich and the Swiss Federal Institute of Technology. Dr. Dunn Cavelty holds a degree in political science, modern history, and international law from the University of Zurich. Address correspondence to: Myriam Dunn Cavelty, Center for Security Studies (CSS), ETH Zurich, WEC, Weinbergstrasse 11, CH-8092 Zurich, Switzerland (E-mail: dunn@sipo.gess.ethz.ch). This paper has won the Millennium Award 2006 for an Outstanding Research Paper by a Younger Scholar from the Comparative Interdisciplinary Studies Section of the International Studies Association. The author would like to thank seven anonymous reviewers for their insightful comments and suggestions for improvements. Journal of Information Technology & Politics, Vol. 4(1) 2007. Available online at http://jitp.haworthpress.com © 2007 by The Haworth Press. All rights reserved. doi:10.1300/J516v04n01_03

INTRODUCTION [1]

The link between terrorism and computer technology has been a theme in the US national security literature for more than a decade. As early as 1991, a report on computer security declared: "We are at risk. Increasingly, America depends on computers. . . . Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb" (National Academy of Sciences, 1991, p. 7). Subsequent years saw the gradual refinement of the threat image and an increasing amount of grim warnings, with the 1995 Oklahoma City bombing and the political activity in its aftermath marking the beginning of the firm establishment of a cyber-terror concept that was closely linked to the critical infrastructure protection (CIP) debate on the national security agenda. While governments and the media repeatedly distribute information about cyber-threats, real cyber-attacks resulting in deaths and injuries remain largely the stuff of Hollywood movies or conspiracy theory. In fact, menacing scenarios of major disruptive occurrences in the cyber-domain, triggered by malicious actors, have remained just that: scenarios. Nonetheless, for the US government (and to a lesser degree other governments around the world), the decision has been far more straightforward: it considers the threat to national security to be real, has extensively studied various aspects of cyber-threats, and spends considerable sums on a variety of countermeasures (Abele-Wigert & Dunn, 2006). This observation raises interesting questions from a security studies perspective: Why and how is a threat that has little or no relation to real-world occurrences included on the security political agenda? Are there specific characteristics that make it particularly likely to be there? Due to its vague nature, cyber-terrorism is a playfield for very different and diverse communities, concerned with topics such as freedom of speech and Internet censorship (Gladman, 1998; Weimann, 2004a); cyber crime in connection with terrorism (Sofaer & Goodman, 2000); or information warfare and sub-state groups (Devost, Houghton, & Pollard, 1997; Rathmell, Overill, Valeri, & Gearson, 1997). This article will focus on cyber-threats and cyber-terror broadly framed as a national security issue.
Previous research on the topic has generally been highly specific and policy-oriented (Alberts & Papp, 1997; Arquilla & Ronfeldt, 1996) and has often uncritically adopted arguments on the nature and scale of cyber-terrorism from official statements or pieces of media coverage.[2] This is epitomized in the tendency of many authors to hype the issue with rhetorical dramatization and alarmist warnings (cf. Arquilla, 1998; Schwartau, 1994). On the other hand, the considerable hype has brought forth a counter-movement of more cautious voices that are deliberately more specific in their estimates of the threat (cf. Lewis, 2002; Wilson, 2003). The key question on which these two groups differ is whether or to what degree there is a credible or likely connection between terrorism and cyber-terrorism beyond the suspected vulnerability of critical infrastructures (cf. Nicander & Ranstorp, 2004, p. 15) and consequently, at what point in future time such an attack might occur. While it is undisputed in both communities that cyber-attacks and cyber-incidents cause major inconveniences and have cost billions of US dollars in lost intellectual property, maintenance and repair, lost revenue, and increased security in the last couple of years (Cashell, Jackson, Jickling, & Webel, 2004), these two groups differ considerably in their assessment of the future point in time at which such an attack might occur, and some even doubt whether there truly is a national security threat linked to the Internet and the information infrastructure. The main reason for this controversy is that cyber-threats have not materialized as a national security threat, even granted that there have been some few incidents with at least some potential for grave consequences. Interestingly enough, both hypers and de-hypers tend to agree on this point. But while the first group assumes that vicious attacks that wreak havoc and paralyze whole nations are imminent, more cautious researchers often point to the practical difficulties of a serious cyber-attack (Ingles-le Nobel, 1999), question the assumption of critical infrastructure vulnerabilities (Lewis, 2002; Smith, 1998, 2000), or point to unclear benefits of cyber-attacks for terrorist groups (Barak, 2004). Despite this caution, however, even the second group contends that one cannot afford to shrug off the threat (Denning, 2001a) due to unclear and rapid future technological development as well as dynamic change of the capabilities of terrorism groups themselves (Technical Analysis Group, 2003).
To summarize the debate in a nutshell: due to too many uncertainties concerning the scope of the threat, experts are unable to conclude whether cyber-terror is fact or fiction, or, since they are unwilling to dismiss the threat completely, how long it is likely to remain fiction. So far, relatively few attempts have been made to apply IR theory in analyzing this development, with a few exceptions (Eriksson & Giacomello, 2006; Giacomello & Eriksson, 2007; partly Latham, 2003). Research that has focused particularly on aspects of the construction of information-age security threats is also little influenced by theory or is mostly outdated (Bendrath, 2001, 2003; Eriksson, 2001b; newer: Bendrath, Eriksson, & Giacomello, 2007; Dunn Cavelty, in press). There is an agreement, though, that the elusive and unsubstantiated nature of cyber-threats means that approaches rooted in the constructivist mindset with a subjective ontology are particularly suitable for its analysis. Such approaches are typically linked to the constructivist research agenda and apply critical self-reflection to the inherently contradictory and problematic concept of security. These approaches were particularly influenced by the question of how and why new threats were moved onto the security agendas after the end of the Cold War. Traditional security policy research views threat images as given and actually out there, and assumes that security policies are responses to an objective increase of threats and risks (Walt, 1991). With constructivist approaches however, the focus is on how, when, and with what consequences political actors frame something, anything, as a security issue, with a strong emphasis on speech acts, that is, political language, and the implications this has for political agenda-setting and political relations (Adler, 1997; Buzan, Wæver, & Wilde, 1998; Reus-Smit, 1996; Wæver, 1995). In order to analyze why cyber-threats occupy such a prominent position on the security political agenda, this paper introduces a framework for the analysis of threat frames (Eriksson, 2001b; Eriksson & Noreen, 2002; Eriksson, 2001a), partly based on the Copenhagen school's securitization approach (Buzan, Wæver, & Wilde, 1998). Threat framing refers to the process whereby particular agents develop specific interpretive schemas about what should be considered a threat or risk, how to respond to this threat, and who is responsible for it.
The paper focuses on the characteristics that might be responsible for the swiftness and considerable political impact of the widespread conceptualization of IT as a security problem. In doing so, it aims to shed light on how the issue of cyber-terrorism is perceived and represented by the US government, and what the consequences of this perception are. Thus, by considering the salience of this threat rather than simply arguing over its significance, it pushes the debate in a new direction and provides much-needed grounding and reference for the public debate on cyber-security. This paper has three parts. First, the theoretical framework is introduced. Second, the paper reconstructs how cyber-threats in general and cyber-terror in particular have been framed and treated over the years. Third, specific traits of cyber-threat frames are analyzed.

THE FRAMING OF SECURITY THREATS

As the end of the Cold War by and large coincided with the beginnings of the information revolution, this technological development, which is about a special set of technologies, often subsumed under the heading of information and communication technologies (ICT) (Alberts, Papp, & Kemp, 1997), had a considerable impact on the perception and shaping of new threats. Next to the vast opportunities of an ICT-dominated age in terms of economic development and democratization (Dutton, 1999; Loader, 1997; Thornton, 2001) worries about the security or rather the insecurity of digital networks were of major concern from the beginning. While extensively discussed on the technical level under the heading of IT-security, the information revolution was early on perceived to have a number of negative implications for national security (Abele-Wigert & Dunn, 2006; Dunn & Wigert, 2004; Hundley & Anderson, 1997). It has become common in the information age to coin new terms by simply placing the prefixes "cyber," "computer," or "information" before another word. Thus, an entire arsenal of expressions, among them cyber-crime, information warfare, and cyber-terrorism, has been created.
Due to the newness of the topic and the sensationalist nature of the discourse on it, there have been few semantic walls erected around the relevant concepts in the information security taxonomy, with the result that these terms have so many meanings and nuances that the words quickly become confusing or lose their meaning altogether (Dunn, 2007; Fisher, 2001).[3] The term cyber-threats, for example, denotes a rather vague notion signifying the malicious use of information and communication technologies either as a target or as a weapon. Cyber-terrorism is one clear case of a cyber-threat. As the issue of cyber-terrorism has grown in popularity over the years, it has also acquired a range of meanings, depending on the context in which it is used. The term cyber-terrorism was allegedly coined in the 1980s by Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, as a hybrid term that encompasses the concepts of cybernetics and terrorism (Collin, 1997; Conway, 2002). In subsequent years, the term cybernetics was replaced by the term cyberspace, so that the concept is now composed of two elements: cyberspace and terrorism. As both concepts are notoriously difficult to define, cyber-terror itself was and still is a very elusive and poorly-defined concept. Academics agree in general that to be labeled cyber-terrorism, cyber-incidents must be mounted by sub-national terrorist groups,[4] be aimed at parts of the information infrastructure, instill terror by effects that are sufficiently destructive or disruptive to generate fear, and must have a political, religious, or ideological motivation (Denning, 2000, 2001a, 2001b; Devost, Houghton, & Pollard, 1997; Nelson, Choi, Iacobucci, Mitchell, & Gagnon, 1999; Pollitt, 1997). According to this definition, none of the larger and smaller disruptive cyber-incidents that we have experienced in the last couple of years has been an example of cyber-terrorism.
Even though most terrorist groups have seized on the opportunity accorded by the information revolution through an established multiple Web presence, access to uncensored propaganda, and by using the Web as an auxiliary recruitment and fundraising tool (Thomas, 2003; Weimann, 2004a; Weimann, 2004b), cyberspace has so far mainly served as a force-multiplier in intelligence gathering and target-acquisition for terrorist groups and not as an offensive weapon. Despite this, the term is used frequently in the political domain, detached from any academic definition of the issue, as a specter depicting a terrorist and a keyboard, wreaking havoc that can disrupt an entire society. Somewhat exemplary, Congressman Curt Weldon (R-Pennsylvania) placed cyber-terrorism at the top of his list of modern threats to the American way of life in 1999, when he said that "in my opinion, neither missile proliferation nor weapons of mass destruction are as serious as the threat [of cyberterrorism]" (Poulsen, 1999). In September 2002, Richard Clarke, former Special White House Adviser for Cyberspace Security, told ABC News: "[Cyber-terrorism is] much easier to do than building a weapon of mass destruction. Cyber-attacks are a weapon of mass disruption, and they're a lot cheaper and easier" (Wallace, 2002). What is the meaning of such statements, one might ask? At all times, the cyber-threats debate was (and is) highly political. It is not only about predicting the future, but also about how to prepare for it in the present. As a result of this, turf battles on different levels of government are the rule and ongoing. As there have been no major destructive attacks on the cyber-level, different scenarios, which are stories about possible futures, are providing the grounds on which decisions have to be made. The different actors involved, ranging from government agencies to the technology community to insurance companies, with their divergent interests are therefore competing with each other by means of constructed versions of the future (Bendrath, 2001, 2003). Ultimately, it is about resources and about who is in charge to counter the threat. The so-called Copenhagen School of Security, in particular, developed an approach that focuses on the process of bringing an issue from a politicized or even non-politicized stage into the security domain. This process is called securitization (Buzan, Wæver, & Wilde, 1998).
The process is seen as a socially constructed, contextual speech act (Austin, 1962; Searle, 1969), meaning that by uttering the word "security" or another term expressing the need for exceptional measures, a professional of security, most often a state representative, claims a special right to use any means necessary to counter a certain threat (Wæver, 1995). Ultimately, this means that issues become security issues not necessarily because a real existential threat exists, but because the issue is successfully presented and established by key actors in the political arena as such a threat. Securitization studies aim to gain an understanding of who securitizes (the actor) which issues (the threat subject), for whom or what (the referent object), why (the intentions and purposes), with what results (the outcome), and under what conditions (the structure) (Buzan, Wæver, & Wilde, 1998, p. 32). To explain why certain issues seem more susceptible to securitization than others, and this is also the focus of this article, some scholars have established a stronger link to (cognitive) framing research that looks at special traits of the threat frames employed by key actors (Eriksson, 2001a; Eriksson, 2001b; Eriksson & Noreen, 2002). Frame theory is rooted in linguistic studies of interaction and points to the way shared assumptions and meanings shape the interpretation of any particular event (Oliver & Johnston, 2000). We understand framing to refer to the subtle selection of certain aspects of an issue in order to cue a specific response; the way an issue is framed explains who is responsible and suggests potential solutions conveyed by images, stereotypes, messengers, and metaphors (Ryan, 1991, p. 59; Snow & Benford, 1992; Snow, Rocheford, Worden, & Benford, 1986). In threat framing, government officials and experts use certain phrases and also certain types of stories to add urgency to their case. Specific uses of language dramatize the actual threat: the use of specific phrases and words makes its construction as a national security threat possible in the first place. Since there is no real-world reference for the threat, constant persuasion is required to sustain the sense that it is a real danger. And because the national security dimension is not completely obvious, it is necessary to use specific analogies (Cohn, 1987). Frame analysis can be seen as a strand of discourse analysis that mainly focuses on relevant content and argumentation (Gamson, 1992).
Framing is an empirically observable activity: frames are rooted in and constituted by group-based social interaction, which is available for first-hand observation, examination, and analysis of texts (Snow & Benford, 1992). The high relevance of frames as social patterns is an outcome of the fact that frames define meaning and determine actions. Specifically, socially accepted frames influence the actions of actors and define meaning in the public mind (Gamson, 1992, p. 110; Snow, Rocheford, Worden, & Benford, 1986, p. 464). Social contests for the legitimate definition of reality are held by ways of different categories as expressed in frames. In the case of threat framing, the process of categorizing something as a particular threat has practical consequences when key actors begin seeing the world according to these categories. Framing theory addresses three main questions, the second of which will be our main focus: (a) how frames influence social action; (b) which frames are particularly successful for what reasons; and (c) how frames can be changed (Snow & Benford, 1988). There are three types of framing (ibid. 199-202):

a. diagnostic framing, which is about clearly defining a problem and assigning blame for the problem to an agent or agencies. In other words, this is about designating that which appears to be threatening (the subject of the threat image or threat subject) and what is perceived as threatened (the object of the threat image or referent object);

b. prognostic framing, which is about offering solutions, and proposing specific strategies, tactics, and objectives by which these solutions may be achieved;

c. motivational framing, to rally the troops behind the cause or a call for action.

To this list, they add a fourth key element, frame resonance, meaning that the frame content must appeal to the existing values and beliefs of the target audience to become effective. In the following, we will conduct a mini-case study on the framing of the US cyber-terror discourse. Even though such an approach does not help to determine whether cyber-terror is fact or fiction or how long it will remain fiction, we can identify those traits that have made cyber-threats such prominent features on the national security policy agendas. Data for the case study was collected from official policy papers, hearings, and other statements of key actors.
Top-level documents reflect actual presidential intentions, as opposed to public statements of purpose, which frequently leave out sensitive details and, on occasion, directly conflict with the stated goals of the administration.


DEVELOPMENT AND PARAMETERS OF THE US CYBER-TERROR DISCOURSE

The beginnings of the cyber-threats debate go back to the Reagan administration, which was concerned with preventing what it viewed as damaging disclosures of classified information as well as the acquisition of sensitive but unclassified information (DCI Center for Security Evaluation Standards Group, 1995). Subsequently, we find policy efforts in two domains: the first one linked to the protection of federal agencies' computer data from espionage, which was interlinked with the debate on encryption technology and led to the Computer Security Act of 1987,[5] and the second one linked to the growing problem of computer crime, which led to the Computer Abuse Act of 1984/86[6] that laid the groundwork for the prosecution of computer crimes in the US. The first official threat frame can be found in National Security Decision Directive Number 145 on National Policy on Telecommunications and Automated Information Systems Security issued on September 17, 1984 (The White House, 1984):

"The technology to exploit these electronic systems is widespread and is used extensively by foreign nations and can be employed, as well, by terrorist groups and criminal elements. Government systems as well as those which process the private or proprietary information of US persons and businesses can become targets for foreign exploitation."

As we will see below, this threat frame already contains most of the ingredients of the current threat frame, even though in a slight variation. The threat subject ranges from foreign nations to terrorists to criminals. There is an emphasis on foreign exploitation, which seems to rule out that the problem could stem from US citizens. The referent object at this stage is limited to government systems and business systems that carry relevant information. Further, we can see that it is a fairly narrow threat frame that is concerned mainly about classified material and not about the society-threatening aspects of cyber-threats yet. This can be attributed to the technological substructure, which was still lacking the quality of a mass phenomenon that it acquired when computer networks turned into a pivotal element of modern society (Ellison et al., 1997) and networks in a more abstracted sense became a metaphor for many aspects of modern life (Arquilla & Ronfeldt, 1996; Arquilla & Ronfeldt, 2001; Castells, 1996). Even though terrorist groups are listed as potential perpetrators in this 1984 document, the cyber-terror specter as such has not yet been born, for the same reason. Apart from a change in the technological environment, the broadening of the vulnerability aspect can be attributed to changing threat perceptions and other developments in the US military: We can observe a close link of the early cyber-threats debate to the US Revolution in Military Affairs, which refers to the strategic, operational, and tactical consequences of the marriage of systems that collect, process, and communicate information with those that apply military force (Tilford, 1995), and the subsequent development of an information warfare-information operations doctrine (Dunn, 2002). While technology was seen mainly as a force enabler for a considerable number of years until after the end of the Cold War, the US developed the fear that their huge conventional military dominance would force any kind of adversary, states or sub-state groups, to resort to asymmetric means, such as weapons of mass destruction, information operations, or terrorism in the future (Kolet, 2001).
The 1991 Gulf War played a large role in demonstrating the benefits of the information differential provided by the information systems employed (Campen, 1992; Eriksson, 1999), but it was also the Gulf War that birthed fear of the downside of this development mainly through experiences with the threat of data intrusion as perpetrated by hacker attacks against 34 Department of Defense computer sites during the conflict (Devost, 1995). In the aftermath of the Oklahoma City bombing in April 1995, the issue of cyber-threats was definitely established as one the military establishment could and should not deal with alone, and it was closely connected to the concept of critical infrastructure protection. The advantages in use and dissemination of ICT were seen to connote an over-proportional vulnerability, which caused experts to fear that enemies who were likely to fail against the US war machine might instead plan to bring the US to its knees by striking vital points at home (Berkowitz, 1997), these points being fundamental to the national security and the essential functioning of industrialized societies as a whole, and not necessarily to the military in specific. Due to the nature of cyber-attacks, it became clear that it was often impossible to determine at the outset whether an intrusion is an act of vandalism, computer crime, terrorism, foreign intelligence activity, or some form of strategic attack. The only way to determine the source, nature, and scope of the incident is to investigate. And the authority to investigate such matters and to obtain the necessary court orders or subpoenas clearly resides with law enforcement (Vatis, 1998). US domestic law also gave the armed forces' lawyers headaches, because an attack on US infrastructures could originate in Iraq as well as in the US. A military counter-strike through cyberspace might therefore unwittingly constitute an operation of US armed forces on domestic territory, which is prohibited by the Posse Comitatus Act of 1878.[7] One direct outcome of the Oklahoma City bombing was Presidential Decision Directive 39, which directed Attorney-General Janet Reno to lead a government-wide effort to re-examine the adequacy of the available infrastructure protection. As a result, Reno convened a working group to investigate the issue and report back to the cabinet with policy options (Freeh, 1997). The review, which was completed in early February 1996, particularly highlighted the lack of attention that had been given to protecting the cyber-infrastructure of critical information systems and computer networks. Thus, the topic of cyber-threats was linked to the topics of critical infrastructure protection and terrorism.
Subsequently, President Bill Clinton started to develop a national protection strategy with his Presidential Commission on Critical Infrastructure Protection (PCCIP) in 1996, and the issue remained a very high priority during his presidency and had a strong position in all the National Security Strategies between 1995 and 1999. The years 1997/1998 in particular were a watershed in terms of the views on cyber-threats.

When comparing open hearings concerning national security or the annual defense reports over the years, we see how the issue takes a quantum leap in 1998: there is a great quantitative increase in the time and space given to the topic in public hearings. In addition, cyber-threats came to be depicted as one of the prime dangers among the new threats. CIA director John Deutch, for example, had regularly warned of threats to national security from cyber-attacks since the mid-1990s. Asked in a Senate hearing to compare the danger with nuclear, biological, or chemical weapons, he answered, "it is very, very close to the top" (Deutch, 1996). The PCCIP presented its report in the fall of 1997 (PCCIP, 1997). The international impact of this document was such that it led to the firm establishment of the topic of cyber-threats and critical infrastructure protection on the security agenda of various countries (Abele-Wigert & Dunn, 2006; Dunn & Wigert, 2004). Clinton followed the recommendations of the PCCIP in May 1998 with his Presidential Decision Directives (PDD) 62 and 63 (White House, 1998a, 1998b). Clinton's master plan adopted a twofold response to cyber-threats: on the one hand, the intelligence community and the law enforcement agencies together built up further capacities for investigations of cyber-crimes, like computer forensics tools or close surveillance of the hacker community; on the other hand, because of the amorphous nature of these non-state actors and unknown enemies, a lot of effort was put into hardening the critical infrastructures (Bendrath, 2001). The distinct image of the cyber-terrorist also appears during these years. First mentioned in a public hearing in 1998, cyber-terror quickly became one of the catchphrases of the debate. Poor definitions and careless use of terminology by many government officials are a major obstacle for meaningful discussion of the cyber-terror issue.
A statement of President Bill Clinton, who was very influential in shaping the perception of the issue, can serve as an example of this semantic ambiguity. In his foreign policy farewell lecture at the University of Nebraska at Kearney in December 2000, he identified the need to pay attention to new security challenges like cyber-terrorism, and said:


"One of the biggest threats to the future is going to be cyberterrorism: people fooling with your computer networks, trying to shut down your phones, erase bank records, mess up airline schedules, do things to interrupt the fabric of life." (Bowman, 2000, para. 7)

Both the PDD 62 and 63 and the National Plan follow the PCCIP's reasoning and cement the winning and dominant threat frame. After that date, all the threat frames that are employed in public hearings and other documents resemble the PCCIP's threat frame. In the report, it is stressed that dependence on the information and communications infrastructure has created new cyber-vulnerabilities (PCCIP, 1997, p. 5) and that potential adversaries include a very broad range of actors, from recreational hackers to terrorists to national teams of information warfare specialists (ibid., p. 15). This very broad and indeterminate framing of the threat subject is one of the hallmarks of the cyber-threat frame. On the referent object side, it was clearly established that "the nation is so dependent on our infrastructures that we must view them through a national security lens. They are essential to the nation's security, economic health, and social well being" (ibid., p. vii). The dependence of society on the information and communication infrastructure on the one hand, and the ever-more complex interdependencies between infrastructures on the other, were identified as creating new dimensions of vulnerability, which, when combined with an emerging constellation of threats, poses unprecedented national risk (ibid., p. ix). In the PCCIP report, cyber-threats are described as being even more dangerous than other new threats, especially because the necessary weapons are so easy to acquire (PCCIP, 1997, p. 14). On the whole, there is little emphasis on the foreign intelligence threat, though it still remains a concern.
Among the far more virulent topics are scenarios of states using information warfare means, or sub-state actors using the information infrastructures for their attack. This development was accompanied by an expansion of the vocabulary to incorporate new terminology such as cyber-war, cyber-terrorism, or electronic Pearl Harbor (Bendrath, 2001), terms that are frequently used in hearings, interviews, and press articles.

The events of 11 September 2001 served to further increase the awareness of vulnerabilities and the sense of urgency in protecting critical infrastructures (Bush, 2001a, 2001b). First and foremost, the attacks of 9/11 provided a reason to restructure the overall organizational framework of critical infrastructure protection (CIP) in the US. In the immediate aftermath of 9/11, President George W. Bush signed two Executive Orders (EO) affecting CIP. With EO 13,228, entitled "Establishing the Office of Homeland Security and the Homeland Security Council" of 8 October 2001, Bush set up an Office of Cyberdefense at the White House, as part of the new Homeland Security Office, which in turn was part of the National Security Council (Executive Order No. 13,228, 2001). The mission of this office was to develop and coordinate the implementation of a comprehensive national strategy to secure the US from terrorist threats and attacks. The second Executive Order, EO 13,231 "Critical Infrastructure Protection in the Information Age," established the President's Critical Infrastructure Protection Board, whose responsibility was to recommend policies and coordinate programs for protecting information systems for critical infrastructure (Executive Order No. 13,231, 2001). The Bush administration's policy regarding critical infrastructure protection represented a continuation of PDD-63 in many respects: The fundamental policy statements are essentially the same, as are the infrastructures identified as critical, although they were expanded and emphasis was placed on targets that would result in large numbers of casualties (Moteff, 2007, p. 12). There was one primary difference, however. First, the Office of Homeland Security was given overall authority for coordinating critical infrastructure protection against terrorist threats and attacks.
Those responsibilities associated with information systems of critical infrastructures were delegated to the President's Critical Infrastructure Protection Board. Furthermore, the board's responsibilities for protecting the physical assets of the nation's information systems were to be defined by the assistant to the president for national security and the assistant to the president for homeland security. While Clinton's PDD-63 focused primarily on cyber-security, it gave the national coordinator responsibility to coordinate the physical and virtual security for all critical infrastructures. The above-mentioned Executive Orders not only segregated responsibility for protecting the nation's information infrastructure, but also considerably strengthened the physical aspect vis-à-vis the aspect of cyber-attacks. As a result of this, many critical voices were heard disapproving of the extent of the attention given to the cyber-dimension. The fact that the government's first cyber-security chief abruptly resigned after one year with the US Department of Homeland Security raised serious questions in the press about the Bush administration's ability to quickly improve the nation's cyber-security (cf. Gross, 2004; Mark, 2004; Verton, 2004). Negative press was part of the reason why the second secretary of homeland security, Michael Chertoff, proposed to restructure the IAIP Directorate responsible for CIP and rename it the Directorate of Preparedness as one of his Second Stage Review recommendations in 2005 (Chertoff, 2005). Later, the Information Analysis function was merged into a new Office of Intelligence and Analysis. The Infrastructure Protection function, with the same missions as outlined in the Homeland Security Act, remained, but was joined by other existing and new entities. In addition, the restructuring established the position of an assistant secretary for cyber security and telecommunications, which had long been advocated by many within the cybersecurity community, and of an assistant secretary for infrastructure protection (Moteff, 2007, p. 15). Generally speaking, the Bush administration became bogged down in the details of implementing its own strategy.
Shortly before the beginning of Operation Iraqi Freedom in 2003, the DHS identified a list of 160 assets or sites that it considered critical to the nation, based on their vulnerability to attack and potential consequences. Over time, according to the DHS inspector general, this initial priority list evolved into what is now called the National Asset Database, which, as of January 2006, contained over 77,000 entries (Moteff, 2006; Moteff, 2007, p. 25). While the DHS has reportedly made progress on improving the reliability of the information contained in the database, it continues to draw criticism for including thousands of assets that many believe have more local importance than national importance. A DHS report summarizing the results of Cyber Storm, a four-day exercise designed to test how industry and the government would respond to a concerted cyber-attack on key information systems, was seen as another indicator for insufficient progress made (DHS, 2006). Cyber Storm suggested that government and private-sector participants had trouble recognizing the coordinated attacks, determining whom to contact, and organizing a response.

Despite this, it can be argued that the attacks of 11 September 2001 did not bring many changes for the overall strategy – and, regardless of what might be commonly expected, did not bring any changes in the threat frames. What we do see, however, is that at least initially, one main focus in public hearings was on the possibility of terrorists using cyber-means for attacks. In addition, a number of studies were conducted in the aftermath of 9/11 that focused on Muslim terrorists and their cyber-capabilities (National Infrastructure Protection Center, 2002; TAG, 2001; Vatis, 2001). At this time, officials' attention shifted from hackers depicted as terrorists towards terrorist hackers, and specifically Muslim ones. The few examples cited below again show how volatile and unfounded the cyber-threat assessments still were. In his Senate testimony on "The Terrorist Threat Confronting the United States" in February 2002, Dale L. Watson, the FBI's executive assistant director on counter-terrorism and counterintelligence, talked about an emerging threat:

Beyond criminal threats, cyber space also faces a variety of significant national security threats, including increasing threats from terrorists . . . . Cyberterrorism – meaning the use of cyber tools to shut down critical national infrastructures (such as energy, transportation, or government operations) for the purpose of coercing or intimidating a government or civilian population – is clearly an emerging threat. (Watson, 2002, Cyber/National Infrastructure section, para. 2, 3)


In March of 2002, the intelligence community's new global threat estimate was presented to Congress. CIA director George J. Tenet, when discussing possible cyber-attacks, talked mostly about terrorists, after having focused his attention on the whole range of actors in previous years (Tenet, 1997, 1998, 1999):

We are also alert to the possibility of cyber warfare attack by terrorists . . . . Attacks of this nature will become an increasingly viable option for terrorists as they and other foreign adversaries become more familiar with these targets, and the technologies required to attack them. (Tenet, 2002, terrorism section, para. 9)

In the CIA Answers to Questions for the Record, dated April 8, 2002, it is further specified that

Various terrorist groups including al-Qaida and Hizballah are becoming more adept at using the Internet and computer technologies, and the FBI is monitoring an increasing number of cyber threats . . . . These groups have both the intentions and the desire to develop some of the cyberskills necessary to forge an effective cyber attack modus operandi. (CIA, 2002, the threat of cyber-terrorism section)

Others, too, feared that al-Qaida had these abilities: For example, Vice Admiral Lowell E. Jacoby, Director of the Defense Intelligence Agency, stated that members of al-Qaida had spoken openly of targeting the US economy as a way of undermining US global power. As proof for this claim, he stated that al-Qaida was using publicly available Internet Web sites to reconnoiter US infrastructure, utilities, and critical facilities (Jacoby, 2003). Again others, such as Robert S. Mueller, Director of the Federal Bureau of Investigation, feared that though current attacks were mere nuisances such as denial-of-service attacks, their options might increase (Mueller, 2003).

Detached from all of this, the cyber-threat frame as developed under Clinton remained in place. The reason for this is twofold: on the one hand, the prevalent threat frame was widely accepted and therefore highly stable. Not only was the diagnosis – a very wide range of potential perpetrators – accepted, but so was the prognosis: Whether cyber-terror or cyber-warfare, the countermeasures as laid out in the National Plan and Bush's National Strategy to Secure Cyberspace seemed to satisfy decision-makers. In addition, all the turf battles between various agencies had been fought in the 1990s, so that this specific threat occurred in a more settled phase: The lead of the law enforcement community and the crucial importance of public-private partnerships were widely accepted by all actors involved. The establishment of the DHS, propagated as a step towards pulling down the artificial walls between institutions that deal with internal threats and others that deal with external ones, did not fundamentally change this perception: it merely changed parts of the organizational setting.

CHARACTERISTICS OF THE US CYBER-THREATS/CYBER-TERROR THREAT FRAME

Conceptions of cyber-threats are very broad and also very vague, both in terms of what or who is seen as the threat and what or who is seen as being threatened. In theory, cyber-attacks can be carried out in innumerable ways by anyone with a computer connected to the Internet, and for purposes ranging from juvenile hacking, to organized crime, to political activism, to strategic warfare. Hacking-tools are easily downloaded from the Internet, and have become both more sophisticated and user-friendly. Motivational framing became a feature of threat frames in the 1990s, when the threat is frequently called "new" in order to indicate the inability of established structures and instruments to deal with it.
Cyber-terror is more narrowly constructed as a subset of cyber-threats, as it focuses on non-state actors on the threat subject side, but the two threat images are so closely interlinked that the image of the cyber-terrorist and that of the larger set of cyber-perpetrators are never truly separated in official statements. On the whole, the cyber-terror frame as a sub-theme of the general cyber-threats frame combines two of the great fears of the late 20th century: The fear of random and violent victimization and the distrust or outright fear of computer technology, which both feed on the fear of the unknown (Pollitt, 1997). Terrorism is feared, and is meant to be feared, because it is perceived as being random, incomprehensible, and uncontrollable. Technology, including information technology, is feared because it is seen as complex, abstract, and arcane in its impact on individuals. Because computers do things that used to be done by humans, there is a notion of technology being out of control, a recurring theme in political and philosophical thought (Winner, 1977) that is even strengthened by the increase in connectivity that the information revolution brings. They are ultimately seen as a threat to society's core values, especially national security, and to the economic and social well-being of a nation. Therefore, they are inevitably presented as a national security issue.

That officials in various agencies struggle to identify the most dangerous actors or to decide whether states or non-state actors are more likely to become a threat is a consequence of the very wide prognostic threat frame, especially on the threat subject side. At the end of the 1990s the general consensus emerged that states were the ones to worry about, because they had greater capabilities – but that it was more likely that terrorists or criminals would attack. As DIA Director Thomas Wilson said in 2000:

Foreign states have the greatest potential capability to attack our infrastructure because they possess the intelligence assets to assess and analyze infrastructure vulnerabilities, and the range of weapons – conventional munitions, WMD, and information operations tools – to take advantage of vulnerabilities. (Wilson, 2000, the growing asymmetric threat section, para. 5)

The renewed focus on cyber-terrorists after 9/11 proved a fairly temporary thing, too.
About a year after 9/11, Richard Clarke, then head of the White House Office for Cyber Security, told the press that the government had begun to regard nation-states rather than terrorist groups as the most dangerous threat. He said, "There are terrorist groups that are interested [in conducting cyber attacks]. We now know that al Qaeda was interested. But the real major threat is from the information-warfare brigade or squadron of five or six countries" (Cha & Krim, 2002, p. A02). Given this uncertainty, it is not surprising that the prognostic part of the frame remained far more contested than the diagnostic part during the entire debate. Issues of how to counter the threat, mainly questions concerning responsibilities, were discussed until approximately 1997, when the PCCIP threat frame offered a solution that appealed to everyone.

Notions of cyber-threats have originated among military as well as civilian actors. In the law enforcement community, cyber-crime has become a particularly salient threat image. Within the military bureaucracy, the perceived threats have been framed as information warfare, information operations, and cyber-war. Both communities refer to cyber-terror, a threat image that has remained very fuzzy. Among computer scientists, technicians, and network operators, the threat images are usually much narrower, with an emphasis on attacks, exploits, and disruptions perpetrated against computer networks, software conflicts, and other bugs which can lead to systems crashes. From the very beginning, the law enforcement community played a strong role in the process due to existing resources, norms, and institutions. Members of the military took the place of a framing, but not of an executing actor: they gave cyber-threats a new face, but then had to cede responsibility and admit that they could not provide the answer to them (Defense Science Board, 1994, 1996; Joint Security Commission, 1994). The perceived nature of the threat as well as restraints stemming from norms and institutions made a bigger role of the military establishment unfeasible.
As a result, they became more or less marginalized in the broader debate after a certain point. Only in the domain of information warfare, framed as a traditional military task, did they retain primary responsibility and strive to advance developments in the domain. Nonetheless, even though the issue of cyber-threat is clearly linked to national security on a rhetorical level, there are, in general, no exceptional measures envisaged that would traditionally fall under the purview of national security apparatus. Therefore, the cyber-threats debate is an example of a failed securitization (cf. Bendrath, 2001). If we turn once again to securitization theory, the criterion given by securitization theory is that issues become securitized when they are taken out of the normal bounds of political procedure, which in turn amounts to a call for exceptional measures (Buzan, Wæver & Wilde, 1998, p. 24). In addition, securitization moves are only successful if an audience accepts the security argument (ibid., p. 25). A study of cyber-threat frames offers a possible interpretation of this: Even though the diagnostic part of current cyber-threat frames establishes a forceful link to national security, the prognostic part does not. And apparently, the prognostic part, which is about offering solutions, and proposing specific strategies, tactics, and objectives by which these solutions may be achieved, is more important, as it is, ultimately, about real consequences.

CONCLUDING REMARKS

In this paper, it was shown that terrorists have not used cyberspace as a weapon or target so far, though they routinely make use of computers, the Internet, or cryptography for organizational purposes. However, there is a lot of uncertainty as to the future development of this threat. To answer the question of how likely – how soon, we would need concrete intelligence data of which non-state actor is likely to employ cyber-tools as an offensive weapon at what point in time (Nicander & Ranstorp, 2004, pp. 12-13) – data which is not available. A different approach has therefore been chosen in this paper: It looked at the cyber-threat discourse from a constructivist security studies perspective and identified key aspects of the cyber-threat frame (and cyber-terror frame) in order to determine what aspects might be responsible for its strong position on the national security agenda.
We find that on the rhetorical level, the danger is said to be caused by new and poorly understood vulnerabilities due to dependence of society on the information and communication infrastructure on the one hand, and ever-more complex interdependencies between infrastructures on the other. The information infrastructure, including its physical and cyber-components, is often named as a concrete target of cyber-terror and, more generally, of cyber-threats. In the agent dimension, a danger has been constructed that emanates from an enemy who is located outside of the US, both in geographical and in moral terms. This picture of a dangerous other reinforces the idea of the nation as a collective self. The use of phrases like "our computers" or "our infrastructures" amplifies this effect. The reference object of security is the entire US society. The logical and political implication of this is that defense against cyber-attacks comes under the purview of national security policy.

However, it was argued that the prognostic frame is more important than the diagnostic threat frame. In fact, it is likely that the PCCIP threat frame has prevailed due to its prognostic part rather than to its diagnostic one. Despite the fact that there is national security rhetoric in abundance, the actual countermeasures in place rely on risk analysis and risk management. This business rationale is forced upon governments due to the fact that the private industry owns and operates about 85% to 95% of the US critical infrastructures and key assets, depending on the source. Therefore, much of the expertise and many of the resources required for planning and taking better protective measures lie outside the federal government (Baird, 2002; Bosch, 2002; Goodman et al., 2002). As a result, it is necessary to delegate a large part of the responsibility for the protection of critical infrastructure to the private owners and operators. Whereas the traditional logic of national security suggests unilateral government action and policy, CIP policies are inevitably blurred by domestic considerations and other policy imperatives.
In contrast to the logic of security, the logic of risk is not binary, but probabilistic. It is a constant process towards a desired outcome. Thus, managing risk is essentially about accepting that one is insecure, but constantly patching this insecurity, working towards a future goal of more security (Kristensen, in press). Ultimately, all of this has a desecuritizing effect. Desecuritization as the unmaking of security has been considered a technique for defining down threats, in other words, a normalization of threats that were previously constructed as extraordinary. This normalization is a process by which security issues lose their security aspect, making it possible to interpret them in multiple ways, and therefore, allows more freedom both at the level of interpretation and in actual politics or social interaction (Aradau, 2001).

Despite the fact that the securitization of cyber-threats has failed, as shown in this article, the national security logic is upheld on the rhetorical level. This, on the one hand, makes it easier in theory to start new securitization moves and to challenge the current prognostic frame. On the other hand, it means that the fuzzy notions of cyber-threats and cyber-terror will most certainly remain on the national security agenda. Therefore, decision-makers should be careful not to foment cyber-angst to an unnecessary degree, even if the threat cannot be completely shrugged off. In seeking a prudent policy, the difficulty for decision-makers is to navigate the rocky shoals between hysterical doomsday scenarios and uninformed complacency. It is clear that the focus should continue to be on a broad range of potentially dangerous occurrences involving cyber-means and targets, including failure due to human error or technical problems apart from malicious attacks. This not only does justice to the complexity of the problem but also prevents us from carelessly invoking the specter of terrorism. It has in fact been argued that one solution to the problem of cyber-security is to focus on economic and market aspects of the issue rather than on suitable technical protection mechanisms (Andersson, 2001).
If we apply this viewpoint, we quickly realize that the insecurity of the Internet can be compared to environmental pollution and that cyber-security in fact shows strong traits of a public good that will be underprovided or fail to be provided at all in the private market. Public goods provide a very important example of market failure, in which individual behavior seeking to gain profit from the market does not produce efficient results (Dunn & Mauer, 2007; Suter, 2007). Clearly, looking at cyber-security as an economic problem means to desecuritize the issue even further. At the same time, to focus on market aspects of the issue can help create a market for cyber-security, which could reduce much of the insecurity of the information infrastructure, and thus also diminish the vulnerability of society.

NOTES
1. Data availability and possibility for replication: This study tries to incorporate the notion that the manner in which people and institutions interpret and represent phenomena and structures makes a difference for the outcomes. This ontology reflects an epistemology that is based on intersubjectivity, which sees subject and object in the historical world as a reciprocally interrelated whole (Adler and Haas, 1992, p. 370; Cox, 1992, p. 135). Data is analyzed using a hermeneutical interpretive method of text analysis, which is the most suitable approach for questions raised by post-positivist theories and speech act theory in particular (Adler, 1997). There is no claim that hypotheses need to be falsified in Popper's sense; instead, the entire research community acts as ultimate tribunal of truth (Howarth, 2000, p. 142) so that the analysis is ultimately legitimate when it is persuasive, consistent, and coherent.
2. The media routinely features sensationalist headlines that cannot serve as a measure of the problem's scope. Examples of such articles include the following: Christensen, J. (1999, April 6). Bracing for guerrilla warfare in cyberspace. CNN Interactive; Kelley, J. (2001, February 6). Terror groups hide behind Web encryption. USA Today; McWilliams, B. (2001, December 17). Suspect claims Al Qaeda hacked Microsoft – Expert. Newsbytes; FBI: Al Qaeda may have probed government sites. (2002, January 17). CNN; and Islamic cyberterror: Not a matter of if but of when. (2002, May 20). Newsweek.
3. As Geoffrey French put it, referring to the diversity of terminology in a variety of information warfare articles (French, 2000), "Before too long, the articles seem to have been written by Lewis Carroll, with dire warnings of the Jabberwock, the Jubjub bird, and the frumious Bandersnatch."
4. This definition's main weakness is that it does not apply a critical approach to the concept of terrorism. By deliberately not addressing the problem at the heart of all definitions of terrorism ("one person's terrorist is another person's freedom fighter"), we avoid investigating the difficulty and subjectivity of labelling a person or group terrorist.
5. Computer Security Act of 1987, Public Law 100-235, H.R. 145, (1988), (100th Congress).
6. The Counterfeit Access Device and Computer Fraud Abuse Act, 18 U.S.C. 1030 (1984); Computer Fraud and Abuse Act (U.S.) 18 U.S.C. 1030(a) (1986).
7. 18 U.S.C. 1385 (1878).


REFERENCES
Abele-Wigert, I. & Dunn, M. (2006). The international CIIP handbook 2006: An inventory of protection policies in 20 countries and 6 international organizations (Vol I). Zurich, Switzerland: Center for Security Studies.
Adler, E. (1997). Seizing the middle ground: Constructivism in world politics. European Journal of International Relations, 3, 319-363.
Adler, E., & Haas, P. M. (1992). Conclusion: Epistemic communities, world order, and the creation of a reflective research program. International Organization, 46, 367-390.
Alberts, D. S., & Papp, D. S. (Eds.). (1997). The information age: An anthology of its impacts and consequences (Vol. 1). Washington, DC: National Defense University.
Alberts, D. S., Papp, D. S., & Kemp, W. T., III. (1997). The technologies of the information revolution. In D. S. Alberts & D. S. Papp (Eds.), The information age: An anthology of its impacts and consequences (pp. 83-116). Washington DC: National Defense University.
Andersson, R. (2001). Why Information Security is Hard: An Economic Perspective. In IEEE Computer Society (Ed.), Proceedings of the 17th Annual Computer Security Applications Conference (pp. 358-365). Washington, DC: IEEE Computer Society.
Aradau, C. (2001, December). Beyond good and evil: Ethics and securitization/desecuritization techniques. Rubikon, Retrieved May 1, 2007 from http://venus.ci.uw.edu.pl/~rubikon/forum/claudia2.htm
Arquilla, J. (1998, February 6). The great cyberwar of 2002: A WIRED Scenario. WIRED, 122-127, 160-170.
Arquilla, J., & Ronfeldt, D. (Eds.). (2001). Networks and netwars: The future of terror, crime, and militancy. Santa Monica, CA: RAND.
Arquilla, J., & Ronfeldt, D. F. (1996). The advent of netwar. Santa Monica, CA: RAND.
Austin, J. L. (1962). How to do things with words. London: Oxford University Press.
Barak, S. (2004). Between violence and e-jihad: Middle Eastern terror organizations in the information age. In L. Nicander & M. Ranstorp (Eds.), Terrorism in the information age – new frontiers? (pp. 83-96). Stockholm: Swedish National Defence College.
Bendrath, R. (2001). The cyberwar debate: Perception and politics in US critical infrastructure protection. Information & Security: An International Journal, 7, 80-103.
Bendrath, R. (2003). The American cyber-angst and the real world – any link? In R. Latham (Ed.), Bombs and bandwidth: The emerging relationship between IT and security (pp. 49-73). New York: The New Press.
Bendrath, R., Eriksson J., & Giacomello G. (2006). Cyberterrorism to cyberwar, back and forth: How the United States securitized cyberspace. In J. Eriksson & G. Giacomello (Eds.), International relations and security in the digital age (pp. 57-82). London: Routledge.
Berkowitz, B. D. (1997). Warfare in the information age. In J. Arquilla & D. Ronfeldt (Eds.), In Athena's camp: Preparing for conflict in the information age (pp. 175-189). Santa Monica, CA: RAND.
Bowman, L. M. (2000, December 10). Cybercrime fighters: The feds want you! ZDNet News. Retrieved May 2, 2007 from http://news.zdnet.com/2100-9595_22-526271.html?legacy=zdnn
Buzan, B., Wæver, O., & de Wilde, J. (1998). Security: A new framework for analysis. Boulder, CO: Rienner.
Campen, A. (1992). The first information warfare. Fairfax, VA: AFCEA International Press.
Cashell, B., Jackson, W. D., Jickling, M., & Webel, B. (2004). The economic impact of cyber-attacks (Congressional Research Service Documents, CRS RL32331). Washington, DC: Congressional Research Service.
Castells, M. (1996). The rise of the network society. Oxford, England: Blackwell.
Cha, A. E., & Krim, J. (2002, August 22). White House officials debating rules for cyberwarfare. The Washington Post, p. A02.
Chertoff, M. (2005, July 14). Statement of Secretary Michael Chertoff, U.S. Department of Homeland Security, before the United States Senate Committee on Homeland Security and Government Affairs, Washington, DC. Retrieved May 2, 2007 from http://www.homelandsecurity.ms.gov/docs/ChertoffTestimony_Senate_07142005.pdf
CIA. (2002, April 8). The Questions for the Record from the Worldwide Threat Hearing on 6 February 2002. Retrieved May 3, 2007 from http://www.fas.org/irp/congress/2002_hr/020602cia.html
Cohn, C. (1987). Sex and death in the rational world of defense intellectuals. Signs: Journal of Women in Culture and Society, 12, 687-718.
Collin, B. C. (1997). The future of cyberterrorism: Where physical and virtual worlds converge. Crime & Justice International, 13, 15-18.
Conway, M. (2002, November 4). Reality bytes: Cyberterrorism and terrorist use of the Internet. Firstmonday, 7. Retrieved May 2, 2007 from http://firstmonday.org/issues/issue7_11/Conway
Cox, R. W. (1992). Towards a post-hegemonic conceptualization of world order: Reflections on the relevancy of Ibn Khaldun. In J. N. Rosenau & E. Czempiel (Eds.), Governance without government: Order and change in world politics, Cambridge Studies in International Relations Nr. 20 (pp. 132-158). Cambridge, England: Cambridge University Press.
DCI Center for Security Evaluation Standards Group. (1995, September 15). An inventory of standards affecting security, 7th annual edition. Retrieved May 2, 2007 from http://www.fas.org/sgp/othergov/inventory.html
Defense Science Board (DSB). (1994). Report of the Defense Science Board Summer Study Task Force on information architecture for the battlefield. Washington, DC: Department of Defense.
Defense Science Board (DSB). (1996). Report of the Defense Science Board Task Force on Information Warfare – Defense (IW-D). Washington, DC: Department of Defense.
Denning, D. (2000, May 23). Cyberterrorism: Testimony before the Special Oversight Panel on Terrorism. Committee on Armed Services, U.S. House of Representatives. Retrieved May 2, 2007 from http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html
Denning, D. (2001a). Is Cyber-terror next? Essay for the Social Science Research Council. Retrieved May 2, 2007 from http://www.ssrc.org/sept11/essays/denning.htm
Denning, D. E. (2001b). Activism, hacktivism, and cyberterrorism: The Internet as a tool for influencing foreign policy. In J. Arquilla & D. Ronfeldt (Eds.), Networks and netwars: The future of terror, crime, and militancy (pp. 239-288). Santa Monica, CA: RAND.
Department of Homeland Security (DHS). (2006, September 12). Cyber storm: Exercise report. Washington, DC. Retrieved May 3, 2007 from http://www.dhs.gov/xlibrary/assets/prep_cyberstormreport_sep06.pdf
Deutch, J. (1996, June 25). Testimony of the Director of U.S. Central Intelligence before the Senate Governmental Affairs Committee, Permanent Subcommittee on Investigations.
Devost, M. G. (1995). National security in the information age. Unpublished master's thesis, University of Vermont, Burlington. Retrieved May 7, 2007 from http://www.devost.net/papers/national_security_in_the_information_age.html
Devost, M. G., Houghton, B. K., & Pollard, N. A. (1997). Information terrorism: Political violence in the information age. Terrorism and Political Violence, 9, 72-83.
Dunn Cavelty, M. (in press). Cyber-security and threat politics: US efforts to secure the information age. London: Routledge.
Dunn Cavelty, M. & Mauer, V. (in press). Concluding remarks: The role of the state in securing the information agechallenges and prospects. In M. Dunn Cavelty, V. Mauer, & S. Krishna-Hensel (Eds.). Power and security in the information age: Investigating the role of the state in cyberspace. Aldershot, England: Ashgate. Dunn, M. & Wigert, I. (2004). The international CIIP handbook 2004: An inventory of protection policies in fourteen countries. Zurich, Switzerland: Center for Security Studies.

Dunn, M. (2002). Information age conflicts: A study on the information revolution and a changing operating environment (Zrcher Beitrge zur Sicherheitspolitik und Konfliktforschung, No. 64). Zurich, Switzerland: Center for Security Studies. Dutton, W. H. (Ed.). (1999). Society on the line: Information politics in the digital age. Oxford, England: Oxford University Press. Ellison, R. J., Fisher, D. A., Linger, R. C., Lipson, H. F., Longstaff T., & Mead, N. R. (1997, November). Survivable network systems: An emerging discipline. (Technical Report. CMU/SEI-97-TR-013. ESC-TR97-013). Pittsburgh, PA: Carnegie Mellon University, Software Engineering Institute. Retrieved May 2, 2007 from http://www.cert.org/research/97tr013. pdf Eriksson, A. E. (1999). Information warfare: Hype or reality? The Non-Proliferation Review, 6, 57-64. Eriksson, J. (Ed.). (2001a) Threat politics: New perspectives on security, risk and crisis management. Aldershot, England: Ashgate. Eriksson, J. (2001b). Cyberplagues, IT, and security: Threat politics in the information age. Journal of Contingencies and Crisis Management, 9, 211-222. Eriksson, J. & Giacomello, G. (2006). The information revolution, security, and international relations: (IR)relevant theory? International Political Science Review, 27, 221-244. Eriksson, J., & Noreen, E. (2002). Setting the agenda of threats: An explanatory model (Uppsala Peace Research Papers, 6). Uppsala, Sweden: Uppsala Universitet. Retrieved May 2, 2007 from http:// www.pcr.uu.se/publications/UPRP_pdf/uprp_no_6. pdf Exec. Order No. 13,228, 3 C.F.R. 796 (2001). Exec. Order No. 13,231, 66 Fed. Reg. 53,063 (2001). Fisher, U. (2001, November). Information age state security: New threats to old boundaries. Journal for Homeland Security. Retrieved May 2, 2007 from http://www.homelandsecurity.org/journal/articles/ fisher.htm Freeh, L. J. (1997, May 13). Statement of Louis J. Freeh, Director, Federal Bureau of Investigation, Department of Justice. In U.S. 
Senate Committee on Appropriations, Counterterrorism: Hearing before the Committee on Appropriations, United States Senate, One Hundred Fifth Congress, first session: Special Hearing. Retrieved May 2, 2007 from http://www. fas.org/irp/congress/1997_hr/sh105-383.htm French, G. S. (2000). Shunning the frumious bandersnatch: Current literature on information warfare and deterrence. The Terrorism Research Center, Inc. Retrieved May 2, 2007 from http://www.terrorism. com Gamson, W. A. (1992). Talking politics. Cambridge, England: Cambridge University Press. Giacomello, G. & Eriksson J. (Eds.). (2007). International relations and security in the digital age. London: Routledge.

34

JOURNAL OF INFORMATION TECHNOLOGY & POLITICS

Gladman, B. (1998, September). Wassenaar controls, cyber-crime and information terrorism. Leeds, UK: Cyber-Rights & Cyber-Liberties (UK). Retrieved May 2, 2007 from http://www.cyber-rights.org/crypto/ wassenaar.htm Gross, G. (2004, October 1). U.S. cybersecurity chief resigns: Amit Yoran, said to be frustrated with progress, gives one-day notice. IDG News Service. Retrieved May 2, 2007 from http://www.infoworld. com/article/04/10/01/HNchiefresigns_1.html? DISASTER%20RECOVERY Howarth, D. (2000). Discourse. Buckingham, England: Open University Press. Hundley, R. O. & Anderson, R. H. (1997). Emerging challenge: Security and safety in cyberspace. In J. Arquilla & D. Ronfeldt (Eds.), In Athenas camp: Preparing for conflict in the information age (pp. 231252). Santa Monica, CA: RAND. Ingles-le Nobel, J. J. (1999, October 21). Cyberterrorism hype. Janes Intelligence Review. Retrieved May 3, 2007 from http://212.111.49.124/cyberterror/resources/ janes/jir0525.htm Jacoby, L. (2003, February 11). Statement for the record of Vice Admiral Lowell E. Jacoby, USN, Director, Defense Intelligence Agency before the Senate Select Committee on Intelligence. In Current and projected national security threats to the United States: Hearing before the Select Committee on Intelligence of the United States Senate, One Hundred Eighth Congress, First Session (pp. 48-67). Washington, DC: Government Printing Office. Retrieved May 3, 2007 from http://purl.access.gpo.gov/GPO/LPS42906 Joint Security Commission (JSC). (1994, February 28). Redefining security: A report to the Secretary of Defense and the Director of Central Intelligence. Washington, DC: US Government Printing Office. Kolet, K. S. (2001). Asymmetric threats to the United States. Comparative Strategy, 20, 277-292. Kristensen, K. S. (in press). The absolute protection of our citizens: Critical infrastructure protection and the practice of Security. In M. Dunn Cavelty & K. S. 
Kristensen (Eds.), The politics of securing the homeland: Critical infrastructure, risk and securitisation. London: Routledge. Lacey, M. (2000, December 9). Clinton gives a final foreign policy speech. The New York Times. Latham, R. (Ed.). (2003). Bombs and bandwidth: The emerging relationship between IT and security. New York: The New Press. Lewis, J. A. (2002, December). Assessing the risks of cyber-terrorism, cyber war and other cyber threats. Washington, DC: Center for Strategic and International Studies. Retrieved May 3, 2007 from http:// www.csis.org/media/csis/pubs/021101_risks_of_ cyberterror.pdf Loader, B. D. (1997). The governance of cyberspace: Politics, technology, and global restructuring. In B. D. Loader (Ed.), The governance of cyberspace (pp. 1-19). London and New York: Routledge.

Mark, R. (2004, October 1). U.S. cybersecurity chief resigns. eSecurity Planet. Retrieved May 3, 2007 from http://www.esecurityplanet.com/trends/article.php/ 3416161 Molander, R. C., Riddle, A. S, & Wilson, P. A. (1996). Strategic information warfare: A new face of war. Santa Monica, CA: RAND. Moteff, J. (2006, September 14). Critical infrastructure: The national asset database. (CRS Report for Congress, RL33648). Washington, DC: Congressional Research Service. Moteff, J. (2007, March 13). Critical infrastructures: Background, policy, and implementation (Congressional Research Report for Congress, RL30153). Washington, DC: Congressional Research Service. Mueller, R. S. (2003, February 11). Testimony of Robert S. Mueller, III, Director, Federal Bureau of Investigation before the Select Committee on Intelligence of the United States Senate Washington. In Current and projected national security threats to the United States: Hearing before the Select Committee on Intelligence of the United States Senate, One Hundred Eighth Congress, First Session (pp. 31-47). Washington, DC: Government Printing Office. Retrieved May 3, 2007 from http://purl.access.gpo.gov/ GPO/LPS42906 National Academy of Sciences (NAS), Computer Science and Telecommunications Board (1991). Computers at risk: Safe computing in the information age. Washington, DC: National Academy Press. National Infrastructure Protection Center (NIPC). (2002, 30 January). Terrorist interest in water supply and SCADA systems. Information Bulletin 02-001. Nelson, B., Choi, R., Iacobucci, M., Mitchell, M., & Gagnon, G. (1999). Cyberterror: Prospects and implications. White Paper prepared for the Defense Intelligence Agency Office for Counterterrorism Analysis. Monterey, CA: Center for the Study of Terrorism and Irregular Warfare (CSTIW). Nicander, L. & Ranstorp, M. (Eds.). (2004). Terrorism in the information ageNew frontiers? Stockholm: Swedish National Defense College. Oliver, P. E. & Johnston, H. (2000). 
What a good idea: Frames and ideologies in social movements research. Mobilization, 5, 37-54. Pollitt, M. M. (1997). CyberterrorismFact or fancy? Proceedings of the 20th National Information Systems Security Conference, 1997, 285-289. Retrieved May 3, 2007 from http://csrc.nist.gov/nissc/1997/ proceedings/nissc97.zip Poulsen, K. (1999, September 8). Info war or electronic sabre rattling? ZDNet. Retrieved May 3, 2007 from http://news.zdnet.com/2100-9595_22-515631.html? legacy=zdnn Presidents Commission on Critical Infrastructure Protection (PCCIP). (1997). Critical foundations: Protecting Americas infrastructures. Washington, DC: Government Printing Office.

Myriam Dunn Cavelty

35

Rathmell, A., Overill, R., Valeri, L., & Gearson, J. (1997, June). The IW threat from sub-state groups: An interdisciplinary approach. Paper presented at the Third International Symposium on Command and Control Research and Technology, Institute for National Strategic StudiesNational Defense University, Washington, DC. Retrieved May 8, 2007 from http://www.kcl.ac.uk/orgs/icsa/Old/terrori.html Reus-Smit, C. (1996). The constructivist turn: Critical theory after the Cold War. (Working Paper No. 1996/4). Canberra: Australian National University. Ryan, C. (1991). Prime time activism: Media strategies for grass roots organizing. Boston: South End Press. Schwartau, W. (1994). Information warfare. Cyberterrorism: Protecting your personal security in the electronic age (2nd ed.). New York: Thundermouth Press. Searle, J. R. (1969). Speech acts: An essay in the philosophy of language. Cambridge, England: Cambridge University Press. Smith, G. (1998, Fall). An electronic Pearl Harbor? Not likely. Issues in Science and Technology, 15. Retrieved May 3, 2007 from http://www.issues.org/ 15.1/smith.htm Smith, G. (2000). How vulnerable is our interlinked infrastructure? In D. S. Alberts & D. S. Papp (Eds.), The information age: An anthology of its impacts and consequences (Vol. II, pp. 507-523). Washington DC: National Defense University Press. Snow, D. A. & Benford, R. D. (1992). Master Frames and Cycles of Protest. In Morris, A. D. & Mueller, C. M. (Eds.), Frontiers in social movement theory (pp. 133-155). New Haven, CT: Yale University Press. Snow, D. A., Rocheford, E. B., Jr., Worden, S. K., & Benford, R. D. (1986). Frame alignment processes, micromobilization and movement participation. American Sociological Review, 51, 464-481. Sofaer, A. D. & Goodman, S. D. (2000). A proposal for an international convention on cyber-crime and terrorism. Stanford, CA: Center for International Security and Cooperation, Stanford University. Suter, M. (in press). 
Improving information security in companies: How to meet the need for threat information. In M. Dunn Cavelty, V. Mauer, & S. Krishna-Hensel (Eds.), Power and security in the information age: Investigating the role of the state in cyberspace. Aldershot, England: Ashgate. Technical Analysis Group (TAG), Institute for Security Technology Studies, Dartmouth College (2003, November). Examining the cyber capabilities of Islamic terrorist groups. Hanover, NH: Dartmouth College. Retrieved May 3, 2007 from https://www.ists. dartmouth.edu/TAG/ITB/ITB_032004.pdf Tenet, G. J. (1997, February 5). Statement by Acting Director of Central Intelligence George J. Tenet before the Senate Select Committee on Intelligence Hearing on Current and Projected National Security Threats to the United States. Retrieved May 3, 2007 from http://www.fas.org/irp/congress/1997_hr/s970205t.htm

Tenet, George J. (1998, June 24). Testimony by Director of Central Intelligence George J. Tenet before the Senate Committee on Government Affairs. Retrieved May 3, 2007 from http://www.fas.org/irp/congress/ 1998_hr/980624-dci_testimony.htm Tenet, George J. (1999, February 2). Statement of the Director of Central Intelligence George J. Tenet As Prepared for Delivery Before the Senate Armed Services Committee Hearing on Current and Projected National Security Threats.. Retrieved May 3, 2007 from https://www.cia.gov/cia/public_affairs/speeches/ 1999/ps020299.html Tenet, George J. (2000, February 2). The Worldwide Threat in 2000: Global Realities of Our National Security. Statement by Director of Central Intelligence George J. Tenet Before the Senate Select Committee on Intelligence. Retrieved May 3, 2007 from https:// bcia.gov/cia/public_affairs/sh_ 032100.html Tenet, George J. (2002, March 19). Worldwide Threat Converging Dangers in a Post 9/11 World. Testimony of the Director of Central Intelligence before the Senate Select Committee on Intelligence. Retrieved May 3, 2007 from http://www.fas.org/ irp/congress/2002_hr/020602tenet.html The White House (1984, September 17). National Policy on Telecommunications and Automated Information Systems Security. National Security Decision Directive Number 145. Washington, DC: President of the United States. Retrieved May 3, 2007 from http://www.fas.org/irp/offdocs/nsdd145.htm The White House, Office of the Press Secretary (1998a, May 22). Fact Sheet. Combating Terrorism: Presidential Decision Directive 62. Washington, DC: President of the United States. Retrieved May 3, 2007 from http://www.fas.org/irp/offdocs/pdd-62.htm The White House. (1998b, May 22). Protecting Americas critical infrastructures: Presidential decision directive 63. Washington, DC: President of the United States. The White House. (2000). 
Defending Americas cyberspace: National plan for information systems protection: An invitation to a dialogue (Version 1.0). Washington, DC: President of the United States. Thomas, T. L. (2003, Spring). Al Qaeda and the Internet: The danger of cyberplanning. Parameters (Spring), 112-123. Thornton, A. (2001). Does the Internet create democracy? Ecquid Novi, 22, 126-147. Tilford, E. H., Jr. (1995). The revolution in military affairs: Prospects and cautions. Carlisle Barracks, PA: Strategic Studies Institute. Vatis, M. A. (1998, February 10) Statement by Michael Vatis, deputy assistant director and chief of the Federal Bureau of Investigations National Infrastructure Protection Center (NIPC) before the Senate Judiciary Subcommittee on Terrorism, Technology and Government Information. Retrieved May 3, 2007 from http://www.fas.org/irp/congress/ 1998_hr/ 98061101_ppo.html

36

JOURNAL OF INFORMATION TECHNOLOGY & POLITICS

Vatis, M. A. (2001). Cyber attacks during the war on terrorism: A predictive analysis. (Working Paper). Hanover: Institute for Security Technology Studies at Dartmouth College. Retrieved May 3, 2007 from http://www.ists.dartmouth.edu/analysis/cyber_a1.pdf Verton, D. (2004, October 1). Nations cybersecurity chief abruptly quits DHS post: Im not a long-term government kind of guy, says Amit Yoran. Computerworld. Retrieved May 3, 2007 from http://www.computerworld.com/managementtopics/ management/story/0,10801,96369,00.html Wver, O. (1995). Securitization and desecuritization. In R. Lipschutz (Ed.), On security (pp. 46-86). New York: Columbia University Press. Wallace, C. (2002, September 16). Will next terror attack be electronic? Experts fear terrorists may attack through cyberspace. ABC News.com. Retrieved May 3, 2007 from http://abcnews.go.com/WNT/story? id=130108&page=1 Walt, S. (1991). The renaissance of security studies. International Studies Quarterly, 35, 211-239. Watson, D. L. (2002, February 6). The Terrorist Threat Confronting the United States, Statement for the Record of the Executive Assistant Director on Counterterrorism and Counterintelligence, Federal Bureau of Investigation, before the Senate Select Committee on Intelligence, Washington, DC. Retrieved May 3, 2007 from http://www.fbi.gov/congress/congress02/ watson020602.htm

Weimann, G. (2004a, March). www.terror.net. How modern terrorism uses the Internet. (United States Institute of Peace, Special Report 116).Washington, DC: United States Institute of Peace. Weimann, G. (2004b). CyberterrorismHow real is the threat? (United States Institute of Peace, Special Report 119). Washington, DC: United States Institute of Peace. Wilson, C. (2003, October 17). Computer Attack and Cyber-terrorism: Vulnerabilities and Policy Issues for Congress (CRS Report for Congress, RL32114). Washington, DC: Congressional Research Service. Wilson, T. R. (2000, February 2). Military threats and security challenges through 2015. Statement before the Senate Select Committee on Intelligence given by Vice Admiral Thomas R. Wilson Director, Defense Intelligence Agency. Retrieved May 3, 2007 from http://www.fas.org/irp/congress/2000_hr/000202wilson.htm Winner, L. (1977). Autonomous technology: Technicsout-of-control as a theme in political thought. Cambridge MA: MIT Press.

Received: 01/05/2007 Revised: 04/30/2007 Accepted: 05/06/2007

doi:10.1300/J516v04n01_03
