Abstract
This paper builds on the work of scholars working on ontological security, cyber security, and computer science to understand the problem of threat assessment and vision before, during, and after cyber-attacks. The previous use of ontological security theory (OST) has been limited because it has relied upon an overly simplistic vision of threat assessment at the international, state, and individual level. While previous scholars have examined the background, latent, or assumed visions of security threats as interpreted by agents and how their conditions do or do not effectively capture the anxieties of populations and practitioners this piece seeks to put these issues in conversation. In conceiving of ‘the state’ and ‘threat’ this piece examines the notion of vision, because as states conceive of threats in terms of terrorism (overt and theatrical) and cyber (covert and private) a mismatch of responses is noted. This piece reads the current cyber security landscape (2009-2019) in the United States through a lens of repeated and rambunctious cyber-threats and attacks and a largely passive response by the US citizenry through OST alongside: (1) the literature on computer science dealing with the concept of ontology, (2) the traditional threat framework found in the terrorism literature around response to threat with a comparison to the cyber-conflict literature, an (3) examination of the interplay between the public and government around the visibility and salience of cyberthreats.
International Relations (IR) is a field of vision. Elements traditional to IR like nuclear deterrence, armed conflict, terrorism, or great power balancing, all require states to interpret the behavior and posture of other actors to define the menu of options that are available to them. Ontological security theorists in general agree with this position, arguing that feelings and interpretations of their security are required for states to understand their position in relation to others in the international system. Thus, a state’s identity is defined as much by its relationship and feeling of threat toward and among other states. But what happens if the linchpin of defining a state’s security is covert, what if the mechanisms by which a state understands its security standing is accomplished not in the light, but rather in the shadows, around computer networks, non-state actors, disinformation campaigns, hacking, and at least for democratic states like the US through electoral manipulation?
At a recent conference panel with intelligent scholars of various stripe I was asked ‘when was the last cyber attack?’ They noted the presence of Stuxnet (a US-Israeli produced computer virus targeting the Iranian nuclear refining infrastructure at the Natanz plant) but hinted in confusion that there had not been much since. And my colleague was not alone, polling on the threat of cyber-attack routinely finds that these actions among the lowest of concerns for most Americans, 1 The problem inherent in the disconnect between the assumptions of my informed colleagues and the reality of the cyber landscape is vision and sight. Cyberthreats often fall in between and within the context of our blindspots, hackers and non-state actors use the fact that much of what they do, be it malware or ransomware toward a hospital, misinformation or disinformation online, or direct attacks on networks or individuals, all too often are relegated to page A7 instead of the front page and largely away from public vision. However, if say, a series of bombs were exploded paralyzing the financial sector of a major American city the focus would immediately be apprehended and the eyeballs of many Americans would be glued to said attack.
This approach is both normative and theoretical in that it is directed at a central question: why do people misconstrue or fail to take seriously cyber threats? We argue that for democracies to thrive with well-informed voters making decisions in their elections and transmit their policy preferences to their elected leaders. But this requires the referential Self to effectively understand and develop their own identities relative to the national or effective assessments of threat must be possible. Placing OST in the conversation helps us to organize how publics conceive of their security and organize it into preferential voting behaviors. This folds in notions of threat and visibility, as well as the presumption that to properly ascertain how threatening an action may be is entirely relative to the perception that the problem is something tractable enough to apprehend, and cognizable enough to properly fold into an existing structuration of concern. Voters in an overwhelming information environment may fail to properly aggregate potential threats to their governments or persons, but this does not mean those threats do not exists. It only means we (as the public) may fail to properly tabulate and understand how those threats relate to our lived experience.
Ontological Security Theory, Cyber Conflict, and Vision
Ontological security theory as a set of practical and empirical assumptions about state and individual behavior is an important tool for heuristically constructing how preferences are sorted in an atmosphere of threat and contestation. Huysmans’s (1998) study is particularly important for this work because it situates how states come to view internal/external others as threats to the self/identity both in terms of space and vision. Because, as Huysmans argues, OST is founded upon relational security practices and the ability to perceive which are and are not manifest security threats is hotly in contention and is driven “by ‘securitizing’ the unknown into an identifiable threat” (Steele, 2017). The unknown in this case can be typified, though not flippantly, by the “half a billion cyber security breaches in first semester of 2014” (Oltramari et al., 2014) or the “16,555 vulnerabilities between January 1, 2018, and December 31, 2018” (Syed, 2020). This picture of the cyber horizon is made even more chaotic when one recognizes that “65% of the victims of intrusion and information theft in the private sector are notified by third parties and that the detection process usually takes up to 13 months” (quoted in Syed, 2020).
To effectively evaluate threat in the realm of cyber security means being able to effectively adjudicate how and where threats occur. For Huysmans (1998) in the practical realm of OST, this means identifying the other or securitizing the problematic party. For those in the cyber security community (computer scientists, data systems managers, and cyber security analysts) this means creating a common language to describe threats and to properly allocate culpability. They describe the problem as “cognizance” or the ability to create a “reliable perception of the elements of the environment and…the explicit representation of their semantics” (Syed, 2020, p. 54). The promotion of a shared conceptualization of chaotic and often covert threat attempts to, “shape that chaos into a framework of meaningful chunks of knowledge, turning the operational disarray into a systematic model” that gives practitioners and theorists purchase on dealing with cyber threats. To understand cyber is to adapt or adopt a common language to create a landscape of cyberthreats. Thus, the realm of threat is not hard to understand as even those closest to the problem are aware that lacking a basic knowledge of common elements has created chaos. How then are normal people meant to understand the cyber realm as a position of threat?
In this regard Kinvall’s work is helpful because it organizes the terminology and language of threat around a common source of loss. For example, the election hacking and disinformation around the 2020 election. Kinvall employed the use of ‘chosen traumas’ from (Volkan 1998) which are folded into broader group identities. Defined from here as the “collective memory of a calamity that once befell a group’s ancestors” (Volkan 1998). Securitizing the Self, here it seems’ requires a collective trauma, which in the realm of terrorism is easily understood. The terrorist attacks on the Pentagon and World Trade Center, as well as the tragedy of Flight 93, on September 11, 2001 for example provided a necessary site for collective trauma and the torture (Steele, 2017) and then the Global War on Terror emerged as a result (Updegraff et al., 2008). The role of this trauma in creating the permission structure for conflict and bloodletting is manifest in the recent history of American Foreign Policy (Resende and Budryte, 2013). This, as opposed to say election hacking, or the sheer volume of cyber threats and conflicts as noted above, defies the mind to create known or unknown enemies precisely because vision is deterred and the necessary creation around anxiety is upended.
Political life and the establishment of norms and routines around threat is dynamic and shifting, even as the human drive for certainty remains (Onuf, 1998). Societies are driven by a sense that a coherent picture of personal security is possible and preferable even if the notion of how that world outside is created is problematic and fractured. As researchers we desire things as well, including, a “coherent Self” (Steele, 2017) but paradoxically these may be those that are most capable and likely to commit acts of violence (Steele, 2017). Again, though, this requires a construction of the Self relative to a manifest threat and a creation of a sphere of safety around a perceived possible security or insecurity. Krahmann argues that just such a security sphere exists in the marketing of cyber-security to European Union (EU) communities. The promotion by the state of anxieties around threat first appears in notion of terrorism and migration in the EU. But migrates, one might feel, inevitably, to the realm of cyber security. Krahmann argues that while “Fear can be addressed by eliminating a threat, anxiety cannot” (2018: 358).
This is precisely the problem: anxiety without vision is lost on voters and policymakers not directly focused on the issue of cybersecurity. Because the cyber realm is largely opaque to the outside world and because individuals, corporations, public utilities, hospitals, or governments who suffer from cyber attacks often hide these attacks out of shame, embarrassment, or for security concerns no trauma is effectively transmitted and thus no concerted popular response is generated. This piece is not opining for another global war on terror, nor is it seeking some sight of popular trauma to serve as a benchmark for the dangers of cyber warfare, what it is fundamentally concerned about is the dramatic uptick in cyberattacks (the Russian attack on the Ukrainian 2 and Georgian 3 power grids, the ongoing Solar Winds hacks 4 , the Russian theft of State Department emails 5 , or the constant barrage of Chinese attempts to obtain intellectual property 6 ) and the failure of the public to cognize that there are no redlines in cyber.
Other than the ICANN framework 7 which is at this point not codified into international law or recognized by the UN, there are no established rules of the road, proportionate responses in terms of Just War Theory, or mitigative efforts short of backroom diplomacy. What a just response to an attack on a power grid or to the targeting of nuclear enrichment is often made on the fly among a close network of parties in the know, without the overview of policy makers or voters. This is a highly combustible situation, and it is made all the more dangerous by the potential for miscalculations, made broadly out of the view of the voting public, to result in magnified or outsized results.
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
