Contemporary Politics Limits to a cyber-threat

Contemporary Politics

ISSN: 1356-9775 (Print) 1469-3631 (Online) Journal homepage: http://www.tandfonline.com/loi/ccpo20

Limits to a cyber-threat R. Guy Emerson To cite this article: R. Guy Emerson (2016): Limits to a cyber-threat, Contemporary Politics, DOI: 10.1080/13569775.2016.1153284 To link to this article: http://dx.doi.org/10.1080/13569775.2016.1153284

Published online: 07 Mar 2016.

Submit your article to this journal

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at http://www.tandfonline.com/action/journalInformation?journalCode=ccpo20 Download by: [Australian National University]

Date: 07 March 2016, At: 12:19

CONTEMPORARY POLITICS, 2016 http://dx.doi.org/10.1080/13569775.2016.1153284

Limits to a cyber-threat R. Guy Emerson

Downloaded by [Australian National University] at 12:19 07 March 2016

Department of International Relations and Political Science, Universidad de las Americas, Puebla, Mexico ABSTRACT

KEYWORDS

This paper reveals the limits to representing cyberspace as a threat. In contrast to more conventional threats, the suggestion is that the not-immediately-apparent consequences of a cyber-attack make it largely reliant on official practices of representation. Exploring the implications of this reliance, the paper outlines how attributing meaning and culpability – always contested practices – are amplified in the potential absence of a readily apparent attack. Given these limits, does the cyber-threat then require a different lexicon of danger to both educate and engender a sense of caution? Examining the discursive construction of the cyberthreat, the paper demonstrates how this threat draws upon an established economy of danger – likening it to warfare and terrorism – but also suggests a limit to these representations. Specifically, by engaging post-structuralist literature the paper illustrates that these limits are best understood through an appreciation of the performative and the constitutive ‘lack’ in signification. It thus concludes that the value of the cyber-threat is not determined by transparently representing a cyber-attack. Rather, it is drawn from processes of hyper-securitization and through the establishment of institutions like the NATO Center of Excellence in Cooperative Cyber Defense that retroactively bring into existence the very object it purports to defend against.

Cyberspace; terrorism; securitization; poststructuralism; discourse

Limits to a cyber-threat In contrast to other contemporary dangers, the relatively novel and feasibly non-material basis – initially at least – of the cyber-attack means that its less tangible nature potentially requires different practices of representation to more conventional dangers. While potential terrorist or nuclear attacks carry a level of ambiguity – in that they can happen anywhere/anytime and through a variety of ways – the ultimate form that the attack takes and its consequences fit within an already established understanding of danger. A cyber-attack, by contrast, not only contains this anywhere/anytime ambiguity, but so too does its uncertainty extend to an appreciation of its consequences. That is, both the form and results of a cyber-attack are less immediately apparent. This distinction has multiple implications. If a key government function is to cultivate an account of what is dangerous and, in the event of an attack, to attribute blame to a responsible agent(s), then the ambiguity of a cyber-threat potentially complicates the official role. Further, proposed solutions by government – increased surveillance, an Internet filter – potentially CONTACT R. Guy Emerson © 2016 Taylor & Francis

[email protected]

Downloaded by [Australian National University] at 12:19 07 March 2016

2

R. G. EMERSON

become harder to justify as a result of the obscurity surrounding the danger. Given these complications, how is the state to relay the cyber-threat? The paper explores this question by first charting the limits to representing the cyberthreat in relation to hyper-securitization as developed by the Copenhagen School. These are twofold and relate to the contestability of an ontic attack. The first concerns the practical difficulties in tracing the origin of the cyber-attack and relaying its consequences to the public. In short, the novel and not-immediately-apparent nature of the cyber-attack cloud its official portrayal. The second constraint focuses on this representation to argue that there is both a material and symbolic limit to discursively relaying the cyberattack. It is a material limit best understood through an appreciation of the performative in terms of the difficulty in drawing the ‘doer’ (cyber-attacker) when the ‘deed’ (cyberattack) is itself contested. So too, however, is there a symbolic limit that is illustrated by the constitutive ‘lack’ in signification, wherein the not-immediately-apparent attack fails to support (or better, constitutively contaminate) representations of a cyber-threat. In light of these constraints, the paper returns to the theme of hyper-securitization to reveal how the cyber security sector is made threatening through its placement within a larger taxonomy of danger. On the one hand, it is the linguistic practices of annexing the cyber security sector onto more conventional threats: cyber-warfare, cyber-espionage, cyber-terrorism or cyber-deterrence. On the other hand, it is non-linguistic practices like the establishment of Cyber Command in the USA, or, the NATO Center of Excellence in Cooperative Cyber Defense in Estonia, which become the retroactive basis to the threat. The paper thus contributes to an understanding of the cyber security sector by exploring how it is securitized, but also the limits of this securitization; limits derived from its instability when communicated to the public. Before turning to the substantive sections of the paper, however, it is necessary to be clear on three issues. First, in exploring the complications associated with the cyber-threat the aim is not to challenge the cyber-threat per se (whether it is real or not), nor is it to explore its internal characteristics (the anatomy of an attack and/or the state response in terms of a cyber-forensic investigation). Rather, it is to examine how the threat is represented to the public and demonstrate the limitations inherent to its portrayal. Second, while it is acknowledged at the outset that cyberspace intersects a number of fields – including computer security from viruses, automated spam and net phishing – the focus is on cyber security and global politics. It is how state officials represent cyberspace as a threat to the nation, be it in the form of an attack, espionage or vandalism.1 Third, due to space constraints, the paper focuses predominantly on how the cyberthreat is represented in the ‘West’, understood below as the USA, NATO and Australia.

A unique threat? In the most thorough investigation into the representation of cyberspace, Hansen and Nissenbaum (2009) describe it as a unique constellation of referent objects. They describe how it is communicated through three ‘grammars’: hyper-securitization, everyday security practices and technification. Examined in reverse order, the latter concerns not the technical basis of the threat itself, but how the threat is constructed in such a way as to make it reliant upon technical, expert knowledge. The power of the grammar lays in the epistemic authority it grants particular securitized actors, and its seemingly apolitical, ‘neutral

Downloaded by [Australian National University] at 12:19 07 March 2016

CONTEMPORARY POLITICS

3

agenda’ that only further legitimates the securitizing move (Hansen & Nissenbaum, 2009, p. 1167). The security professionals’ knowledge regarding the technological means of dealing with the cyber-threat renders them resistant to criticism, be it voiced by online communities, civil rights groups or other ad hoc organizations (Aradau, 2004, p. 396). Everyday security practices draw on the lived experiences of citizens in the digital age so as to secure ‘the individual’s partnership and compliance in protecting network security’ (Hansen & Nissenbaum, 2009, p. 1165). This posture is reflected in policy statements emanating from the Pentagon, where it is argued that the best way to mitigate the threat is ‘just ordinary hygiene: downloading the patch to keep your software up to date, and making sure your firewalls are operating’ (Lynn, 2010). A third grammar – hyper-securitization – then locates cyber security within ‘multidimensional cyber disaster scenarios’ and attempts to emphasize the dangers associated with the sector by alluding to its potentially disastrous consequences (Hansen & Nissenbaum, 2009, p. 1164). First introduced by Buzan (2004, p. 172), hyper-securitization is a ‘tendency both to exaggerate threats and to resort to excessive countermeasures’. With respect to cyberspace, it is claims that we are surrounded by ‘cyber-hype’ (Eun & Aßmann, 2015, p. 3), and attempts ‘to create concern for a threat that goes beyond the scope and urgency that a disinterested analysis would justify’ (Cramer & Thrall, 2009, p. 1).2 Although Hansen and Nissenbaum (2009, p. 1164) correctly point to the objectivist tendencies latent in the language of ‘hype’ or ‘exaggeration’ – thereby suggesting that the ‘real’ threat is of a different nature – the point to acknowledge is how hyper-securitization places the cyber-threat within a chain of potentially catastrophic consequences. Such practices are far from confined to cyber security. As Hansen and Nissenbaum demonstrate, securitization consistently operates within an ‘if-then’ logic wherein the suspicions associated with future threats are often accompanied by the present deployment of precautionary principles and actions. Rather than designating future threats ex nihilo, however, in invoking dangerous futures the past is often offered as a ‘legitimating reference’ to underscore ‘the gravity of the situation’ (Hansen & Nissenbaum, 2009, p. 1164). While the aim is not to dismiss the importance of these grammars operating as a constellation, the analysis below focuses on hyper-securitization and the claim that there are limits inherent to this particular grammar due to the contestability of a prior incident. As intimated in the introduction, any legitimating reference to past atrocities is hamstrung in the cyber security sector given that its disastrous consequences – to date, at least – have yet to materialize. The implications of this absence are crucial to outlining a limit to the discursive construction of the cyber-threat. By way of further introducing this constraint, attention first turns to the case of Estonia initially outlined by Hansen and Nissenbaum. The aim in doing so is not to refute their findings, but to light a different dimension of the three-week events that speaks to the limits associated with a cyber-threat.

Limits to hyper-securitization: a contestable legitimating reference In perhaps the most widely acknowledged cyber-attack, the 2007 incidents were directed against the Estonian government in reaction to the removal of a 6-foot-tall Soviet-era bronze statue in Tallinn. Described by the New York Times (2007) and Washington Post (2007) respectively as the ‘first real war in cyberspace’ and as a ‘very real example of cyberwarfare’, a series of Distributed Denial of Service (DDoS) attacks brought down the

Downloaded by [Australian National University] at 12:19 07 March 2016

4

R. G. EMERSON

websites of the Estonian President, Parliament and the country’s two largest banks. Each site was bombarded with thousands of visits, thereby disabling them by exceeding the bandwidth of the servers hosting the sites. As a result, Estonians were unable to contact public authorities or conduct financial transactions online at various times over a threeweek period; consequences augmented by the country’s extensive adoption of e-government and e-banking. The interest lies in exploring how government and NATO officials sought to relay the events to the public. Demonstrating the degree of complexity involved, the Estonian Defense Minister, Jaak Aaviksoo, maintained that although ‘[w]e don’t have the conceptual space to properly name these attacks, … we clearly feel it as a threat to national security’ (Tanner, 2007). Speaking later in the week, the defence ministry noted ‘[w]e’ve been lucky to survive this. If an airport, bank or state infrastructure is attacked by a missile, it’s clear war. But if the same result is done by computers, then what do you call it? Is it a state of war? These questions must be addressed’ (Hanlon, 2007). Although reticent to officially condemn Russia, the international response spoke to this uncertainty, but also noted the sense of precedence. The EU Justice Commissioner Franco Frattini maintained that it was a ‘coordinated attack against a state, not only against a ministry, not only against a bank … but against a state’ (Agence France Presse, 2007). Equally forthright, NATO officials called it an ‘operational security issue’ and as ‘something we’re taking very seriously … it goes to the heart of the alliance’s modus operandi’ (Traynor, 2007). There was a similarly blunt assessment in Washington. Recounting the incident to the U.S. House of Representatives Armed Services Subcommittee, General Alexander (2010) told those present that ‘a distributed denial of service attack on much of the government of Estonia’s infrastructure [made] it almost impossible for their banks to do business internally and … caused tremendous damage’. Following General Alexander’s testimony Representative Howard ‘Buck’ McKeon (2010) cautioned: ‘[l]et there be no doubt this [cyber] space is contested and presents a persistent vulnerability for our military, civilian and commercial infrastructures’. Moreover, by linking the attacks with the vulnerability of the nation officials sought to reduce the sense of ambiguity. Placing the attacks within a statist discourse translates the cyber-threat into familiar terms concerning the domestic/international divide. It is made to fit within a ‘moral geography’ of the contemporary nation-state system wherein state officials rather than non-state actors are granted the authority to act (Saco, 1999, p. 275). The uncertainty behind the attack – be it targeted and clandestine, or, web defacing and as visible as possible – becomes secondary to the deviation from what is understood as legitimate/illegitimate. Moreover, the doubt concerning the attackers themselves – whether recreational or professional hackers – is also reduced. The morally laden language of the national interest allows the state to territorialize the cyber-attacks and dismiss its perpetrators. Having deviated from normalcy, the attackers are dismissed, with the ambiguity surrounding the events not necessarily resolved, but nonetheless contained. However, by further interrogating the attribution of blame it is possible to point to limits to these discursive strategies. Indeed, despite forensic investigations clearly establishing the extent of attacks, the events in Tallinn highlight the instability in the official account of what happened and who was responsible. As Hansen and Nissenbaum (2009, p. 1170) note, the Estonian authorities were unable to trace the origin of the attack to an official Russian source. While the first round of attacks may have emanated from the Kremlin, Russian officials correctly noted that it was possible

Downloaded by [Australian National University] at 12:19 07 March 2016

CONTEMPORARY POLITICS

5

for professional hackers to copy their IP address.3 Two years after the Estonian case it came to light that rather than an officially sanctioned operation by the Russian state, responsibility for the attacks was claimed by the pro-Kremlin youth group Nashi (Carvell, 2009). This not only clouds official attempts to territorialize the attacks, but also highlights the uncertainty surrounding the nature of attacks and the intent of the ‘attackers’. Targeted computer interventions, widespread attacks that disrupt services or ‘hactivists’ defacing the web, each operate with different objectives in mind and involve different levels of sophistication and visibility.4 Factors that only further complicate the state’s ability to relay the cyber-threat to the public. Moreover, the difficulty in locating the origin of the strikes increased with the second round of attacks. Rather than specific actors from clear geographic locales, in the follow-up strikes botnets were used to launch the DDoS attacks. In practice, this meant that up to one million computers worldwide were used – potentially without their owner’s knowledge – with the attacks originating from as many as 50 countries according to NATO spokesperson Robert Pszczel (Michaels, 2007). This not only further clouds the uncertainty surrounding the origins of the attack, but also complicates the official role of establishing culpability. As Deibert, Rohozinski, and Crete-Nishihata (2012, p. 18) argue, that experts could not find decisive evidence of Russian involvement only further confuses ‘the battle space’ and muddies attribution. The suggestion below, however, is that this difficulty in locating the attacks speaks to larger instabilities in representing a cyber-attack. Although there is always a level of contestability when attributing blame, this is compounded in the cyber security sector. Indeed, as is developed below, not only is the attribution of blame in relation to cyberattacks reliant on official representations – and therefore always already contestable – but given its contestable and not-immediately-apparent consequences, so too does an understanding of the attack emanate almost exclusively from official representations. For example, while the meaning and responsibility for terrorist attacks can be contested – 9/11 as an attack on U.S. freedom, or, a response to Washington’s humiliation of Islam – that the attack took place cannot. With a cyber-attack this distinction is less straightforward. In contrast to attacks of a more material nature, there is less physical damage to legitimate official accounts of what happened. There is no ontic attack that both serves as the basis for representation and exists independently of it. This limit results in part from the public appreciation of a cyber-attack, where it is potentially visible only to those with the appropriate electronic identification systems and to those whose access to ‘national secrets’ affords them the perspective from which to deem any intrusion as an act of war or espionage. The June 2015 Chinese-based hack of American public service records is demonstrative in this regard. Here, U.S. officials maintained that the personal data of an estimated 18 million current, former and prospective federal employees was affected by a cyber breach at the Office of Personnel Management. However, the consequences of this penetration were not immediately apparent to the public, but had to be relayed. For U.S. officials, who spoke on the condition of anonymity, the hackers were identified as being statesponsored, and most likely Chinese. The Stuxnet computer worm case is of a similar nature. Although widely believed to have critically damaged the Iranian uranium enrichment facility at Natanz – affecting the control of machinery and/or centrifuges for separating nuclear material – the consequences of worm (likely of US–Israeli origin), remain the

6

R. G. EMERSON

object of much speculation given the secrecy involved (Farwell & Rohozinski, 2011; Lupovichi, 2015). To this end, in contrast to the more material threat of terrorism, a cyber-threat is far more reliant on official representations that (1) demonstrate it is a definitive act, and (2) that this act constitutes a threat.

Downloaded by [Australian National University] at 12:19 07 March 2016

A performative solution? At first glance, this reliance on official representation does not seemingly impede the cyber-threat. If understood in relation to a performative account of the speech act, the absence of a discrete referent object (an ontic attack) is not necessarily an impediment to the drawing of the threat. Rather, this is the very nature of the performative. It is the signifier alone constituting the referent object – the performative is an utterance ‘in which to say something is to do something; or in which by saying something we are doing something’ (Austin, 1980, p. 12). The success of the performative is not determined through its ability to adequately describe or comprehensively represent a political reality that already exists. Rather, it ‘becomes politically efficacious by instituting and sustaining a set of connections as a political reality’ (Butler, 1993, p. 210). Put alternatively, the performative is not based on rigid designation of the world ‘out there’, but on its capacity to constitute the object. In this sense, the performative threat operates as a construction rather than a representational term, constituting the political field by creating subject-positions and meaning. Such a distinction is important, as the question of interest is less the ability of officials to transparently index the real threat ‘out there’ – whether the cyber-threat is ‘exaggerated’ – and more the capacity to enact the political field. It becomes a study into how particular actors, institutions and beliefs are invoked in the securitizing move. However, there are at least two complicating factors that impede this performative understanding of the cyber-threat. The first relates to eliciting a responsible agent, while the second concerns a closer examination into the possibility of performatively enacting a cyber-threat in the absence/contestability of an actual attack. First, central to the instability noted above is the drawing of a responsible agent. Whether it is cloned IP addresses or DDoS attacks that involve many (who may not be aware of their participation), culpability is clearly a murky area. This ‘attribution problem’, for Betz and Stevens (2011, p. 32) also has legal, technical and strategic challenges. However, understood in reference to the argument above, these challenges are amplified if the threat is enacted performatively. Central to drawing a responsible agent is the act itself. The meaning attached to any terrorist does not begin at a fixed subject from which analysis of their actions later stems. Rather, depictions of a culpable agent begin with the act, so as to define the subject (Warner, 1993, p. 440). It is the attack itself that gives the terrorist their identity; one is not a terrorist without committing or taking steps to commit a terrorist act. The identity of the agent, in this sense, is constituted by the very expressions that are said to be its results (Butler, 1999, p. 25). It is the action that retroactively constitutes the actor; the deed that constitutes the doer. Applied to the findings above, however, if the attack (deed) is contested then the capacity to draw an agent (doer) is, at least, likely to be itself contested or, at most, so unstable that any account of responsibility becomes problematic. Put simply, if the attack cannot be specified then a culpable agent cannot be named. This instability is only further manifest by Nietzsche’s (1989, p. 45) claim that it is the ‘doer’ who is understood as the locus of

Downloaded by [Australian National University] at 12:19 07 March 2016

CONTEMPORARY POLITICS

7

moral responsibility. The relation between language, subjecthood and responsibility is recurrent in Nietzsche’s work, where in On the Genealogy of Morals he highlights the ‘misleading influence of language’ in positing a subject or a doer who stands behind the deed. The instability in the event thus not only impedes the drawing of the agent, it also results in the attribution of blame becoming all the more precarious. Second and related, it is possible to trace the contestability of the deed/doer to the contestability of an actual attack. The argument below is that the value of the cyber-threat is directly related to a degree of materiality. This is not to suggest that cyber-attacks resist construction, far from it. The reactions to the events in Estonia are demonstrative of just this process. Rather, and put crudely, the analysis concerns the limits of a danger that is primarily discursively constructed. In the absence of a definitive, ontic attack, or, in the event that such an attack is contested, the process of construction takes on the added responsibility of constituting the materiality of the attack itself. It is an exploration into this process that is the focus below.

Absence/contestability of a legitimating reference In pointing to the discursive limits of a cyber-threat the aim is not to simply maintain that an ontic attack is outside the process of construction. It is not to argue that the material attack is an implicit source of resistance that continually undoes any attempt at representational closure. From this perspective, the dynamism of the event exceeds any and every attempt to fix it definitively. Conversely, neither is it to move in the other direction towards empiricist foundationalism whereby the material act is taken as a given with attention turning to a politics of representation regarding the construction of meaning and responsibility. Were this the case, analysis would remain blind to how the act itself came to be understood as an act in the first place (Butler, 1993, p. 35). While not wanting to dismiss these approaches, such perspectives could apply to any threat. All acts of terrorism, war and espionage are the locus of a politics of representation and/or exhibit a dynamism that exceeds any attempt to definitely fix it. The aim instead is to explore the limits of a cyber-threat in regards to its potentially non-material basis. Attention thus turns to the interaction between signification and the material. In exploring this interaction, however, it is important not to merely collapse the two fields. It is not to follow the arguments of Baudrillard (1994, pp. 1–13) on hyper-reality. It is not to imply that there is an implosion of signification and the materiality of the referent, wherein there are only simulacra free from all references to the real. Rather, this paper explores the discursive limits of the cyber-threat, and not the material attack standing outside or collapsing into symbolization. It is suggested, therefore, that a distinction exists between the symbolic construction and the material, but that a nuanced understanding of this distinction is required. A way of proceeding towards this distinction is to view materiality as a limit or contaminant that helps to constitute meaning. Based on more recent formulations on the work of Jacques Lacan, the argument is that the Real – understood in Lacanian terms and conceived here as an ontic event – resists construction, but that in so doing this lack constitutes something crucial for signification. While for Lacan this results in the complex transference of the signified first into the imaginary and then the symbolic realms, the point to note is that a signifier best functions to the extent that it is contaminated

Downloaded by [Australian National University] at 12:19 07 March 2016

8

R. G. EMERSON

constitutively by the materiality that it purports to, but never can fully, represent.5 This limit, however, far from impeding signification helps constitute meaning, lending authenticity to representations of danger and existential suffering. According to this logic, the materiality of a terror attack and the impossibility of its entire representation do not impede signification, as this limit (or, to use the phrasing above: contaminant) helps constitute signification. The impossibility of the complete representation of an attack simultaneously haunts and makes possible the process of signification as the presence of its absence. The construction of the attack, in this sense, will not encompass the ontic event in its entirety but will still embody it in a limited, abbreviated, spectral way.6 Put alternatively, the event has to be in some way present in the field of representation but its means of representation are going to be constitutively inadequate (Laclau, 1996, p. 56). If we return to the cyber-attack, then its less immediately apparent and/or contested materiality means that it is more reliant on discursive construction to constitute the entire field of signification. Without the material event to act as the constitutive contaminant, the entire field of signification is reliant on symbolization. And this is the limit to the cyber-threat, as the lack of materiality in the referent cascades down into signification. That is, the absence of the material contaminant in the referent (the ontic attack) passes into the signifier (no constitutive contaminant), with the contestable attack thus impacting upon the efficacy of language. There is – in the words of Rafael Sanchez Ferlosio – ‘an absolutist inflammation of the signifier’, wherein the sign becomes a thing of total necessity, yet at the same time, also of absolute contingency.7 Total necessity in the sense that it becomes the principal vehicle through which the gravity of the situation is communicable, yet contingent in that its material and symbolic limits leave it open to contestation to a far greater extent than is apparent in attacks of a more material nature. The cyber-threat becomes an anomaly in the sense that it contains a material limit that is both physical and symbolic: physical in regards to its not-immediately-apparent consequences, and symbolic insofar as there is no material contaminant in its representation.

A broader, coded appreciation of the performative A way of further demonstrating this anomaly is to return to performativity and its use by the Copenhagen School. However, in contrast to an appreciation of the performative drawn primarily from John Austin – as per the majority of Copenhagen School scholars – the analysis below adopts a Derridean position to reveal how the value of the performatively enacted cyber-threat is irreducible to the securitizer or the utterance itself. Rather, it must conform to a series of shared conventions that make the threat intelligible (or not). By operating under this broader appreciation of the performative, it will be shown that the cyber-threat is not brought into being by the securitizer, but through its adherence to conventions; and importantly a degree of materiality is integral to these conventions. Performativity is integral to securitization. Ole Wæver (2004, p. 13) claims that security is a speech act, as ‘[i]t is by labeling something a security issue that it becomes one’. Moreover, in Security: A New Framework for Analysis – where securitization receives its fullest treatment – its authors maintain that ‘it is the utterance itself that is the act. By saying the words, something is done’ (Buzan, Wæver, & de Wilde, 1998, p. 26); an assertion that mirrors Austin’s famous description: ‘in which to say something is to do something’. Spoken by the right person in the correct circumstances – first person singular present

Downloaded by [Australian National University] at 12:19 07 March 2016

CONTEMPORARY POLITICS

9

indicative active form – the performative speech act brings about what it says (Austin, 1980, pp. 56–64). The statements ‘I pronounce you husband and wife’, or ‘I christen thee the Queen Mary’, Austin argues, constitute what they speak of, producing that which they name. A marriage, the christening of a ship or a threat appears by virtue of the power of the subject and its will to constitute a phenomenon into being. However, by moving beyond an Austin-inspired appreciation of the performative to a more Derridean position it is again possible to reveal how materiality is integral to representations of any threat. Central to Derrida’s recalibration of the performative is movement beyond the uttering subject (the securitizer) and her intentions. In contrast to Austin’s performatives that require the communication of intentional meaning by a stable subject – that is, calls for a state of emergency by government officials – for Derrida the present subject and her intentions are coloured by the iterable structure of the performative. At its most basic, this iterable structure means that the performative is no longer a singular act in the present, but is derivative of broader social practices that must be cited in order to be intelligible. The performative must repeat and be consistent with past practices. Unable to ‘create or engender a context on its own, much less dominate it’, the performative never creates itself ex nihilo, but is tied to already existing conventions (Derrida, 1988, p. 79, 97). While Austin claims that the statements ‘I pronounce you husband and wife’, or ‘I christen thee the Queen Mary’, produce what they name – and thus appear by virtue of the power of the subject to constitute a phenomenon into being – Derrida counters: [c]ould a performative utterance succeed if its formulation did not repeat a “coded” or iterable utterance, or in other words, if the formula I pronounce in order to … launch a ship or a marriage were not identifiable as conforming with an iterable model? (Derrida, 1988, p. 18)

To be intelligible the utterance must operate within established conventions or codes. Both the speaker and that which is said are only made possible through their operation within conventionality. The speech ‘act’ is thus historicized insofar as attention now concerns the regimes of power within which it is embedded. Far from a one-time-only event in the present, the securitized speech ‘act’ is conditioned through its operation within established (linguistic and non-linguistic) conventions, by its passage through an inter-subjectively shared series of norms or codes. In practice, this means that the felicitous condition for the performative is less the power of the subject to constitute what she names, than it is the citation of existing conventions. For the cyber-threat, then, in order to be intelligible it must echo prior actions and operate within established conventions over how threats are relayed to the public. The power of the performative construction is not the initial will on the part of NATO officials to ascribe danger; rather, this reading only succeeds if it is viewed as conforming to existing conventions on, in this case, what constitutes a threat. And the argument here is that central to these conventions is an ontic attack; that the norms and the standards which govern the circulation of the threat centre on a degree of material contamination. For example, it is an ontic attack that underscores ‘the gravity of the situation’, and it is a legitimating reference to past disasters that mobilizes the spectre of a dangerous future. In the absence of such a legitimating reference, mobilization is hamstrung with the securitized speech act unable to constitute the political field. It is unable to create the required subject-positions and meaning. With respect to the former – as was demonstrated – in

Downloaded by [Australian National University] at 12:19 07 March 2016

10

R. G. EMERSON

the absence of the ‘deed’ it is more difficult to draw a responsible ‘doer’. With respect to the latter, in the absence of a material attack there is no constitutive lack in signification that helps symbolization. Accordingly, the transmission of meaning is impeded. It is in the context that our understanding of what is threatening is premised on a degree of materiality. Again, this is not to say that the value of the cyber-threat is a matter of its correspondence with reality; that the cyber-threat fails due to its inability to adequately represent or index a ‘real’ threat. Rather, the argument relates to the conceptual categories used to understand danger. These categories do not necessarily correspond to reality, but to the conventions and expectations that govern how threats are represented to the public. Put simply, they are the conceptual categories through which danger is understood and not the ‘real’ danger itself. The argument here is that central to these categories is the material. More specifically and in relation to the cyber-threat, it is the absence/contestability of an ontic attack that fails to constitutively contaminate symbolization and it is the difficulty in drawing the doer in the absence of the deed. These limits are irreducible to the speech act itself, but are the conventions through which we come to understand security. They concern how danger has been understood historically and the discursive conventions through which it has been communicated to the public. To repeat, in order to be intelligible the cyber-threat must echo prior actions and thus operate within established codes that the audience is familiar with. The failure to operate within these codes means that there is a disconnect between the cyber-threat and the established conventions that shape the audience’s appreciation of danger.

Re-injecting the real: (1) annexation While the absence/contestability of a material event was found to limit the efficacy of the cyber-threat, the aim below is to demonstrate how this limit can be overcome. This is possible by ‘re-injecting’ the real so as to operate within established codes for understanding danger. More specifically, it is to return to the theme of hyper-securitization, but to focus less on the absence of a legitimating reference and more on the ‘multi-dimensional cyber disaster scenarios that pack a long list of severe threats into a monumental cascading sequence’ (Hansen & Nissenbaum, 2009, p. 1164). The argument below is that the cyber-threat is reliant on the practice of hyper-securitization that sutures it onto more stable threat conventions. The value of the cyber-threat is less its capacity to refer to itself and/or cite a material threat, and more its ability to be associated with other (more stable) threats. In short, links to cyber-warfare, cyber-espionage, cyber-terrorism or cyber-deterrence become integral to the value of the cyber-threat. It is through these contexts that the materiality not potentially apparent in the cyber security sector can be annexed onto the cyber-threat. Put alternatively, it is in this context that the cyberthreat can be attached to the already established conventions regarding how security is understood and represented to the public. Continuing in the performative vein, the ability to annex – or in the words of Derrida graft – the mark onto other contexts is very much recognized. Analogous in this regard are the marks ‘squared circle’ or ‘abracadabra’. As noted by Derrida (1988, pp. 11–2) ‘squared circle’ or ‘abracadabra’ undoubtedly highlight the absence of a referent but not the absence of meaning. That is, they take on meaning despite the obvious

Downloaded by [Australian National University] at 12:19 07 March 2016

CONTEMPORARY POLITICS

11

absence of a discrete referent object. Translated into the objectives below, the focus of attention shifts from the absence/contestability of an actual referent for the cyberthreat itself to its capacity to function alongside other threats and in other contexts. That is, just as ‘squared circle’ or ‘abracadabra’ take their meaning from their annexation onto other contexts, so too can the cyber-threat. In order to investigate the process of grafting, attention turns to how the cyber-threat has been constructed in the USA and Australia. Before exploring these contemporary representations, however, it is important to note that the risks associated with cyberspace are not new. In 1991, for example, the Computer Science and Telecommunications Board produced a report – titled Computers at Risk: Safe Computing in the Information Age – which warned that ‘tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb’. These concerns were then expanded upon by politicians and analysts, with claims that a ‘netwar’ may result in an ‘electronic Pearl Harbor’, while ‘cyberwars’ would become the twenty-first century equivalent of what the blitzkrieg was to the twentieth century (Arquilla & Ronfeldt, 1993, p. 31; Bendrath, 2003, p. 50). While these concerns resulted in President Bill Clinton establishing the Commission on Critical Infrastructure Protection in 1996, the institutional response to the threat posed by cyberspace has increased in recent times. In 2009, the White House founded the new post of Cyber-security Coordinator and, in the same year, U.S. Cyber Command (Cybercom) was established at the Pentagon. Moreover, in September 2011 Australia and the USA marked the 60th anniversary of the Australia, New Zealand, United States Security Treaty (ANZUS Treaty) by extending the defence pact to include ‘cyber security’. In an agreement signed by the respective heads of Defence and both the Australian Foreign Minister and U.S. Secretary of State, the Government of Australia (2011) claimed that a ‘cyber attack’ on either party ‘would trigger the mechanisms of the ANZUS Treaty’, while for its part, then U.S. Secretary of Defense Panetta (2011) maintained that the joint statement ‘sends a very strong signal about our commitment to work together to counter and respond to cyber attacks’. In exploring the contemporary US and Australian responses the claim is that both Washington and Canberra attempt to resolve the novelty/ambiguity associated with the cyber-threat by drawing on and slightly modifying already established categories of danger. The Pentagon, for example, locates cyberspace within an existing framework of militarized domains, placing the ‘fifth’ digital domain alongside those of land, sea, air and space (Lynn, 2011a). This position was confirmed by the 2012 Defense Strategy Document Sustaining U.S. Global Leadership: Priorities for 21st Century Defense, which linked cyberspace with more conventional threats of ‘ballistic and cruise missiles, [and] advanced air defenses’. Similarly, the Australian Government’s Defence White Paper (2009), Defending Australia in the Asia Pacific Century: Force 2030 describes cyberspace as a ‘new area of risk’ and associates it with ‘space warfare and … weapons of mass destruction’. Moreover, so too is the digital age understood via already existing geopolitical tensions. The then FBI director Robert Mueller, for example, told the House Intelligence Committee that cyberespionage constituted ‘one of the most significant and complex threats facing the nation’, and then proceeded to name Russia, China and Iran as the greatest dangers (The Courier-Mail, 2011). Within this militarized setting it is little surprise that these states are seen as the predominant cyber-threats, with the deterritorializing possibilities of the digital age captured via already existing geopolitical imaginaries of fear and difference.

12

R. G. EMERSON

Downloaded by [Australian National University] at 12:19 07 March 2016

However, perhaps the most effective means of codifying the cyber-threat and demonstrating its catastrophic potential is via claims of cyber-terrorism. U.S. Deputy Secretary of Defense Lynn (2011b), for example, suggested that ‘terrorist organizations or rogue states could obtain and use destructive cyber capabilities’, while at a hearing on Capitol Hill, Stempfley and McGurk (2011) from the Office of Cyber Security and Communications maintained that ‘terrorist groups and their sympathizers have expressed interest in using cyberspace to target and harm the United States and its citizens’. More perilous still, President Obama (2009) noted the following: Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyber attack on our country, attacks that are harder to detect and harder to defend against. Indeed, in today’s world, acts of terror could come not only from a few extremists in suicide vests but from a few keystrokes on the computer, a weapon of mass disruption.

Similarly, former Australian Foreign Minister Rudd (2011) maintained that [t]here was a time when war was begun with a shot … [n]ow it can begin with the simple click of a mouse. A silent attack that you may never even know occurred until it all unfolds in front of you. This new world goes by the names of cyber security, cyber warfare or cyber terrorism.

Whether it is a ‘weapon of mass disruption’, an ‘electronic Pearl Harbor’, or ‘more damage with a keyboard than with a bomb’, the danger is ever-present and made intelligible to the public via the potentially catastrophic consequences associated with past terrorist acts. By adopting the language of terrorism not only is the cyber-threat made more intelligible, but so too does it (partially) reconcile the difficulties noted at the outset by distinguishing between state and non-state actors. The distinction of terrorism from international war, violence and surveillance acts to isolate the unique causality and danger of non-state violence from the special sanctity given state violence (Connolly, 1991, p. 207). The morally laden language of terrorism thus allows the state to define cyber-attacks and their perpetrators, as the potentially catastrophic consequences – ‘weapon of mass disruption’ – demonstrates how the informational age threatens life itself. The source of a cyberthreat – whether recreational or professional, state- or non-state-based – becomes secondary to the danger and illegitimacy attributed to cyber-terrorism. Moreover, the specific nature of the cyber-threat potentially makes it more perilous than conventional threats. In this setting, traditional – although highly contestable – means of protection such as deterrence are rendered irrelevant, given the asymmetric basis of cyber-warfare.8 Expanding on the nature of this new terrain, Deputy Secretary Lynn (2010) argued that the ‘low cost of computing devices means that our adversaries do not have to build expensive weapons, like stealth fighters and aircraft carriers, to pose a significant threat to our military capabilities’. ‘Deterrence in these circumstances’, Lynn maintained, ‘will of necessity be based more on concepts of denial of benefit than imposing cost through retaliation’. Making this point even more explicit before reporters at the Pentagon, Lynn continued: ‘if you’re a smart adversary and you’re seeking an asymmetric way to come at the United States, cyber will appear to you very, very quickly’. This point was reaffirmed by the Director-General of the Australian Security Intelligence Organisation (ASIO), Irvine (2010), when he noted that ‘[c]yber has the potential to reduce the conventional and nuclear weapons advantage of a country’. Given such irregularities,

Downloaded by [Australian National University] at 12:19 07 March 2016

CONTEMPORARY POLITICS

13

vigilance and preemption become imperative, with the objective to ‘deny an adversary the benefits of an attack’. This association of the cyber security sector with more established threat scenarios is integral to communicating the cyber-threat. Rather than conforming to established conventions over how threats are communicated in itself, the cyber-threat is parasitic on other more stable contexts to constitute the required subject-positions and meanings. It is only in association with cyber-warfare, cyber-espionage, cyber-terrorism and cyber-deterrence that the required sense of fear is conferred on the cyber security sector. Cyberspace is thus placed within an established catalogue of danger; a position expressed most clearly by the Australian Defence Signals Directorate claim that ‘online is the new frontline’. It is only through this association that the cyber-threat is capable of calling forth a victim and culpable agent – demarcating the state/citizen from the cyber-terrorist. By grafting the cyber-threat onto these more conventional dangers officials construct a sign-chain consistent with Hansen and Nissenbaum’s hyper-securitization; a sign-chain of ‘multi-dimensional cyber disaster scenarios that pack a long list of severe threats into a monumental cascading sequence’. The cyber-threat thus takes on meaning despite the absence/contestability of a discrete referent object.

Re-injecting the real: (2) The ‘response’ In addition to its annexation onto more stable contexts, a second way in which the cyberthreat is made intelligible is through the ‘response’. Again performativity is integral to this argument. As noted, the value of the performative does not concern its capacity to adequately represent reality, but rather to constitute a reality (a reality that cannot be constructed ex nihilo but conforms with established conventions or codes). Put alternatively, the performative is not a representational term – a description of a state of affairs in the world – but a construction. It enacts the world by bringing into being a new state of affairs. If the performative enacts rather than describes, then it is better to understand the referent object as ‘the retroactive effect of naming itself’. That is, it is the performative signifier itself that ‘supports the identity of the object’ (Žižek, 2008, p. 104 [emphasis in original]).9 This inverts descriptivism insofar as the referent is parasitic on the (performative) signifier, with the signifier constituting what it names. Returning to the cyber-threat, this account contrasts with the chronology and causality of official descriptions that first posit a threat and then respond to it. The events are instead inverted, whereby the US or NATO ‘reaction’ actually produces the cyber-threat. Far from a separate process of (1) an event and then (2) a securitized response, by viewing the cyber-threat in this critical light it is suggested that both processes are entwined and integral to the production of the cyber security sector. The construction of the cyber-threat – including the meaning and identity of the object – is produced retroactively. The importance of acknowledging the retroactive inscription of meaning is that it becomes possible to see how the material response to the cyber-threat is able to bring into being the subject it purports to defend against. In the absence of physical consequences, and/or, in light of its greater contestation, the official response becomes the vehicle to retroactively ascribe not only meaning and but also materiality to the cyberattack/attacker. Understood accordingly, not only are links to other threat scenarios

Downloaded by [Australian National University] at 12:19 07 March 2016

14

R. G. EMERSON

integral to the cyber security sector being represented as a threat, but so too are physical ‘responses’ like the US cyber command, the Cyber Security Operations Centre in Australia, or the NATO Center of Excellence in Cooperative Cyber Defense. More than a one-dimensional linguistic exercise of construction, the cyber-threat is performatively constituted through a variety of policy responses, institutions and physical actions. It is these institutions and policies that become the material basis of the threat; these ‘responses’ that become all the more important to enact the materiality that the cyber event does not necessarily carry. While it was previously noted that the absence of the material deed limited the performative enactment of the cyber-attacker doer, here this is compensated for by the retrospective re-injection of the material via the policy and/or institutional response. It is this response that becomes the material basis – not the ontic cyberattack itself – from which to draw the cyber-threat. The argument then is that more than other attacks it is the cyber-attack in which the method becomes matter. That is, it is the representation of the cyber-attack that must take on the materiality which the attack itself cannot. It is the annexation of the cyber security sector onto other security sectors and the material ‘response’ that become the basis of the cyber-threat’s legitimacy. It is through these two moves that the cyber security sector is able to comply with established conventions over how we understand security threats. It is in this context that Baudrillard’s (1994, p. 23) comments are prescient, The only weapon of power, its [the state’s] only strategy … is to reinject the real … to persuade us of the reality of the social, of the gravity of the economy and the finalities of production. To this end it prefers the discourse of crisis.

Translated into the findings above, it is a discourse of crisis that is both linguistic and nonlinguistic. Linguistically, it operates by annexing the cyber-threat onto the contexts of warfare, terrorism and espionage. Rather than constituting what it names, the cyberthreat functions to the extent that it is parasitic on these more stable threat contexts. Non-linguistically, it is the institutional ‘response’ that is integral to re-injecting of the real. These institutions become the material basis to retroactively constitute the cyberthreat. It is only through these contexts that the cyber-threat carries the required degree of materiality so as to conform to existing conceptual categories used to understand danger. This – and not claims of a cyber-threat in itself – is where the value of the cyber-threat is generated.

Conclusions The instability of the cyber-threat – demonstrated by its lack of materiality both physically and symbolically – means that the official role in making the public aware of the cyberthreat is inherently more difficult. Physically, it is the practical difficulties in relaying a cyber-attack to the public and tracing its origins. It is the potentially false IP addresses that make locating origins impossible, the DDoS attacks that make those ‘responsible’ potentially unaware, and the not-immediately-apparent consequences of the cyberattack itself. Symbolically, it is the absence/contestability of an ontic attack that fails to lend authenticity to (or constitutively contaminate) signification. It is the difficulty in drawing the ‘doer’ in the absence of the ‘deed’, and the absolute inflammation of the signifier wherein it alone becomes the vehicle through which the gravity of the situation is

Downloaded by [Australian National University] at 12:19 07 March 2016

CONTEMPORARY POLITICS

15

communicable. This is the limit associated with the cyber security sector: an absent/contested materiality that has both physical and symbolic consequences. Given these limitations, by examining the representation of the cyber-treat in Washington and Canberra, it became imperative that officials associate the cyber security sector with more conventional, stable threat contexts. It is also to recognize the importance of representations of cyber-warfare, cyber-espionage, cyber-terrorism or cyber-deterrence. Here, the paper has focus exclusively on how the ‘West’ (the USA, Australia and NATO) has located cyberspace within existing frameworks of militarized domains, with the ‘fifth’ digital domain placed alongside those of land, sea, air and space. It should be noted however, that these practices potentially differ from how cyberspace is represented in China or Russia. This distinction points to the potential for further comparative research into how the cyber-threat is made known not only to different populations, but also different domestic audiences. As Salter (2008, p. 326) notes, a range of audiences that are likely to identify and invest in differing accounts of what constitutes a threat. Popular audiences, for example, might invest in an existential threat that elite and scientific audiences would not. The establishment of institutions and infrastructure to mitigate the cyber-threat complimented these practices of representation. U.S. Cyber Command, the Cyber Security Operations Centre in Australia and the NATO Center of Excellence in Cooperative Cyber Defense, became integral because if the cyber-threat is seen as without foundation, then the state is increasingly hamstrung in its capacity to instil the appropriate forms of behaviour that it claims are necessary to mitigate the danger. Far from promoting the everyday security practices that call for citizen ‘partnership and compliance in protecting network security’, the result is more lethargy than vigilance. Moreover, constraints on the state’s ability to exhort caution and fear mean that the discursive structures within which meaning and identity are reproduced themselves become less stable. Territorialized understandings of the cyber-threat that are designed to reinforce the centrality of the state and to distinguish legitimate from illegitimate behaviour become all the more volatile. Central to the conclusions of this paper is an appreciation of performativity. However, more than the power to constitute what it names, a ‘coded’ approach demonstrates how in order to be intelligible the cyber-threat must conform to established conventions. More specifically, these conventions are reliant on a degree of materiality – on a ‘legitimating reference’ to past events, or, to an ontic attack from which meaning and culpability can then be drawn. It is in the absence of both these requirements that the theme of hyper-securitization becomes important. It is the placement of the cyber-threat within a sign-chain of cascading threats, its annexation onto other (more stable) threat contexts. Moreover, it is the material response – the policy response or the establishment of new institutions to combat cyber-attackers – that underpins the cyber-threat. It is in relation to the iterable production of the cyber-threat within this conventionality that it becomes intelligible. Put simply, the value of the cyber-threat does not concern its correspondence with reality. The cyber-threat does not succeed/fail due to its ability/inability to adequately represent or index a ‘real’ threat. Rather, its value is determined through its capacity to correspond with the established conceptual categories. And so long as it reinjects the real via annexation onto more stable threat contexts and through an

16

R. G. EMERSON

institutional ‘response’, then the instability of the cyber-threat is not necessarily resolved, but nonetheless contained.

Downloaded by [Australian National University] at 12:19 07 March 2016

Notes 1. For more a specific definition of cyber-war, see Clarke and Knake (2012). It concerns ‘[a]ctions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption’. 2. For a debate on the actual nature of cyber-threat (see Arquilla, 2012; Rid, 2012). While Rid is critical of Arquilla’s claims regarding the possibility of a cyber-war, Rid nonetheless acknowledges that ‘aggressive behavior online is widening’ and that the sophistication of attacks has increased. 3. This is often referred to as cloning an IP address. This is done to protect the identity of the hacker, by masking themselves behind the IP addresses of other users. For more on the difficulty of locating cyber-attackers (see Kello, 2013, p. 33; Lindsay, 2013, p. 378). 4. In terms of defining a cyber attack, the U.S. typology includes computer network attacks (CNA), computer network exploitation (CNE) and computer network defense (CND) as the third pillar of its Computer Network Operations (CNO). For its part Canberra defines cyber security as: ‘[m] easures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means’. To reiterate, however, this paper is not concerned with how the cyber-threat is necessarily defined. Indeed, the above typology and definition appears adequate. Rather, the paper explores how such threats are made apparent to the public, and how the ambiguity already alluded to in its representation is mitigated. 5. For more recent interpretations on the importance of this process (see Butler, 1993, pp. 68–70; Laclau, 1996, p. 56; Žižek, 2008). 6. This claim that the materiality of any attack can never be fully represented is broadly based on the notion of the trace outlined by Jacques Derrida. As signification is processes of difference and deferral, the linguistic system signifies insofar as it differantially refers to another element and, therefore, is not itself present. The present, in this sense, is constituted by a network of traces. Viewed accordingly, the analysis here does not question absence in signification nor notions of the trace; rather, it suggests that an inability to completely represent an actual referent, in this case the disastrous consequences of a terrorist attack, helps constitute meaning, thereby haunting signification as the presence of its absence. For more on Derrida and the trace (see Derrida, 1982, p. 12, 21). 7. Cited in Baudrillard (2005, p. 68). 8. For a more detailed discussion on the deterrence value of cyberspace (see Lupovichi, 2015; Liff, 2012; Libicki, 2009) 9. For more on the signifier as an impossible object of desire, and thus the site of phantasmatic investment (see Žižek, 2008, p. 104), especially chapter 3 ‘Che Vuoi?’ Expanding on this reading, Žižek critiques discourse analysis for its failure to mark the ‘Real’ which resists symbolisation.

Disclosure statement No potential conflict of interest was reported by the author.

Notes on contributor R. Guy Emerson is a Professor at the Department of International Relations and Political Science at the Universidad de las Americas, Puebla. He has recently published in New

CONTEMPORARY POLITICS

17

Political Economy, Contemporary Politics, International Studies Perspectives, Social Identities, Alternatives, Humanities Research, and the Journal of Iberian and Latin American Studies.

Downloaded by [Australian National University] at 12:19 07 March 2016

References Agence France Presse. (2007). EU urged to deepen cooperation after Estonia cyber-attacks. 22 May. Alexander, K. (2010). House armed services subcommittee, cyberspace operations testimony’, Washington, DC. Retrieved March 12, 2014, from www.defense.gov/home/features/2010/0410_ cybersec/docs/USCC%20Command%20Posture%20Statement_HASC_22SEP10_FINAL%20_OMB %20Approved_.pdf Aradau, C. (2004). Security and the democratic scene: Desecuritization and emancipation. Journal of International Relations and Development, 7(4), 388–413. Arquilla, J. (2012). Cyberwar is already upon us: But can it be controlled? Foreign Policy. Retrieved February 12, from http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?page = full/ Arquilla, J., & Ronfeldt, D. (1993). Cyberwar is coming! Comparative Strategy, 12(2), 141–165. Austin, J. L. (1980). How to do things with words. (Eds. J. O. Urmson & Marina Sbisà). Oxford: Oxford University Press. Baudrillard, J. (1994). Simulacra and simulation trans. Sheila Faria Glaser. Ann Arbor: University of Michigan Press. Baudrillard, J. (2005). The intelligence of Evil or the lucidity pact. Trans. Chris Turner. Oxford: Berg. Bendrath, R. (2003). The American cyber-angst and the real world – Any link? In Robert Latham (Eds.), Bombs and bandwidth: The emerging relationship between information technology and security (pp. 49–73). New York: The New Press. Betz, D., & Stevens, T. (2011). Cyberspace and the state: Toward a strategy for cyber-power. Oxon: Routledge. Butler, J. (1993). Bodies that matter: On the discursive limits of ‘Sex’. New York, NY: Routledge. Butler, J. (1999). Gender trouble: Feminism and the subversion of identity. New York, NY: Routledge. Buzan, B. (2004). The United States and the great powers: World politics in the twenty-first century. Cambridge, MA: Polity. Buzan, B., Wæver, O., & de Wilde, J. (1998). Security: A new framework for analysis. Boulder, CO: Lynne Rienner. Carvell, A. (2009). Russian youth group claims responsibility for 2007 Estonian cyber attacks. Retrieved March 12, 2014, from http://www.geek.com/articles/news/russian-youth-group-claimsresponsibility-for-2007-estonian-cyber-attacks-20090312 Clarke, R., & Knake, R. (2012). Cyber war: The next threat to national security and what to do about it. New York, NY: Harper Collins. Connolly, W. E. (1991). Identity/difference: Democratic negotiations of political paradox. Ithaca, NY: Cornell University Press. Cramer, J., & Thrall, T. (2009). Introduction: Understanding threat inflation. In Jane Cramer & Trevor Thrall (Eds.), American foreign policy and the politics of fear: Threat inflation since 9/11 (pp. 40– 53). New York, NY: Routledge. Derrida, J. (1982). Margins of philosophy. (A. Bass, Trans.). Chicago, IL: University of Chicago Press. Derrida, J. (1988). Limited Inc. (Samuel Weber, Trans.). Evanston, IL: Northwestern University Press. Deibert, R., Rohozinski, R., & Crete-Nishihata, M. (2012). Cyclones in cyberspace: Information shaping and denial in the 2008 Russia-Georgia war. Security Dialogue, 43(1), 3–24. Eun, Y.-S., & Aßmann, J. S. (2015). Cyberwar: Taking stock of security and warfare in the digital age. International Studies Perspectives, 1–18. Retrieved from http://onlinelibrary.wiley.com/doi/10.1111/ insp.12073/abstract Farwell, J., & Rohozinski, R. (2011). Stuxnet and the future of cyber war. Survival, 53(1), 23–40. Government of Australia. (2009). Defence white paper 2009: Defending Australia in the Asia pacific century. Canberra: Department of Defence. Government of Australia. (2011), Cooperation on Cyber – A new dimension to the US alliance. Retrieved from http://www.foreignminister.gov.au/releases/2011/kr_mr_110916.html

Downloaded by [Australian National University] at 12:19 07 March 2016

18

R. G. EMERSON

Hanlon, M. (2007, May 25). Attack of the cyber terrorists. Daily Mail. Hansen, L., & Nissenbaum, H. (2009). Digital disaster, cyber security, and the Copenhagen School. International Studies Quarterly, 53, 1155–1175. Irvine, D. (2010). Director-general’s speech UC lecture series. Retrieved from http://www.asio.gov.au/ Publications/Public-Statements/2010/27-Aug-2010-UC-Lecture-Series-Speech.html Kello, L. (2013). The meaning of the cyber revolution: Perils to theory and statecraft. International Security, 38(2), 7–40. Laclau, E. (1996). Deconstruction, pragmatism and hegemony. In Chantal Mouffe (Ed.), Deconstruction and pragmatism (pp. 47–67). London: Routledge. Libicki, M. (2009). Cyber deterrence and cyberwar. Santa Monica: RAND Corporation. Liff, A. (2012). Cyberwar: A new, “Absolute Weapon?” The proliferation of cyberwarfare capabilities and interstate war. Journal of Strategic Studies, 35(3), 401–428. Lindsay, J. (2013). Stuxnet and the limits of cyber warfare. Security Studies, 22(3), 365–404. Lupovichi, A. (2015). The “Attribution Problem” and the social construction of “Violence”: Taking cyber deterrence literature a step forward. International Studies Perspectives, 1–21. Retrieved from http://onlinelibrary.wiley.com/doi/10.1111/insp.12082/abstract Lynn, W. J. (2010). Remarks on cyber at the council on foreign relations, as delivered by deputy secretary of defense William J. Lynn, Iii, Council on Foreign Relations, New York City, Thursday, September 30, 2010. Retrieved March 12, 2014, from http://www.defense.gov/Speeches/Speech.aspx?SpeechID= 1509 Lynn, W. J. (2011a). Remarks on the Department of defense cyber strategy, as delivered by deputy secretary of defense William J. Lynn, III, National Defense University, Washington, D.C., Thursday, July 14, 2011. Retrieved March 12, 2014, from http://www.defense.gov/Speeches/Speech.aspx?SpeechID= 1593 Lynn, W. J. (2011b). Remarks on cyber at the RSA conference, as delivered by William J. Lynn, III, San Francisco, California, Tuesday, February 15, 2011. Retrieved March 12, 2014, from http:// www.defense.gov/Speeches/Speech.aspx?SpeechID=1535 McKeon, H. (2010). House Armed Services Subcommittee, Cyberspace Operations Testimony. Retrieved March 12, 2014, from www.defense.gov/home/features/2010/0410_cybersec/docs/USCC% 20Command%20Posture%20Statement_HASC_22SEP10_FINAL%20_OMB%20Approved_.pdf Michaels, J. (2007, June 15). NATO to Study Defense Against Cyberattacks; Computer Assault Staggered Estonia. USA Today. Nietzsche, F. (1989). On the genealogy of morals (Walter Kaufmann and R. J. Hollingdale Trans.). New York, NY: Vintage Books. Obama, B. (2009). Remarks by the President on securing our nation’s cyber infrastructure. Retrieved March 12, 2014, from http://www.whitehouse.gov/the_press_office/Remarks-by-the-Presidenton-Securing-Our-Nations-Cyber-Infrastructure/ Panetta, L. (2011). Clinton, Panetta and Australian Ministers after defense talks. Retrieved from http:// translations.state.gov/st/english/texttrans/2011/09/20110916091505su2.346003e-02.html Rid, T. (2012). Think again: Cyberwar. Foreign Policy, February 27. Retrieved from http://foreignpolicy. com/2012/02/27/think-again-cyberwar/ Rudd, K. (2011). Just a mouse click away from war. Retrieved from http://www.foreignminister.gov.au/ articles/2011/kr_ar_110919.html Saco, D. (1999). Colonizing cyberspace: “National Security” and the internet. In Jutta Weldes, Mark Laffey, Hugh Gusterson, & Raymond Duvall (Eds.), Cultures of insecurity: States, communities, and the production of danger (pp. 261–291). Minneapolis: University of Minnesota Press. Salter, M. (2008). Securitization and desecuritization: A dramaturgical analysis of the Canadian Air Transport Security Authority. Journal of International Relations and Development, 11(4), 321–349. Stempfley, R., & McGurk, S. P. (2011). Statement before the United States House of Representatives, Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, Washington, DC, July 26, 2011. Retrieved March 12, 2014, from http://republicans. energycommerce.house.gov/Media/file/Hearings/Oversight/072611/StempflyMcgurk.pdf Tanner, J. (2007). Estonia: Cyber attacks a security threat. Associated Press Newswires. 17 May. The Courier-Mail. (2011). FBI to target cyberthreats. 8 October.

CONTEMPORARY POLITICS

19

Downloaded by [Australian National University] at 12:19 07 March 2016

The New York Times. (2007). A cyberblockade in Estonia. June 2. The Washington Times. (2007). Cyberwarfare Worries. June 2. Traynor, I. (2007). Russia accused of unleashing cyberwar to disable Estonia, The Guardian, 17 May. Wæver, Ole. (2004, March 17–20). Aberystwyth, Paris, Copenhagen: New schools in securitytheory and their origins between core and periphery. Paper presented atInternational Studies Association Conference, Montreal. Warner, D. (1993). An ethic of responsibility in international relations and the limits of responsibility/ community. Alternatives, 18(4), 431–452. Žižek, S. (2008). The sublime object of ideology. London: Verso.