Future Policy and Legislative Issues of Cyber Intelligence
ORIGINAL PAPER

Breaking the Cyber-Security Dilemma: Aligning Security Needs and Removing Vulnerabilities

Myriam Dunn Cavelty

Received: 21 November 2013 / Accepted: 13 April 2014 / Published online: 30 April 2014
© Springer Science+Business Media Dordrecht 2014

Abstract

Current approaches to cyber-security are not working. Rather than producing more security, we seem to be facing less and less. The reason for this is a multi-dimensional and multi-faceted security dilemma that extends beyond the state and its interaction with other states. It will be shown how the focus on the state and “its” security crowds out consideration for the security of the individual citizen, with detrimental effects on the security of the whole system. The threat arising from cyberspace to (national) security is presented as possible disruption to a specific way of life, one building on information technologies and critical functions of infrastructures, with relatively little consideration for humans directly. This non-focus on people makes it easier for state actors to militarize cyber-security and (re-)assert their power in cyberspace, thereby overriding the different security needs of human beings in that space. Paradoxically, the use of cyberspace as a tool for national security, both in the dimension of war fighting and the dimension of mass-surveillance, has detrimental effects on the level of cyber-security globally. A solution out of this dilemma is a cyber-security policy that is decidedly anti-vulnerability and at the same time based on strong considerations for privacy and data protection. Such a security would have to be informed by an ethics of the infosphere that is based on the dignity of information related to human beings.

Keywords: Cyber-security · Human security · Surveillance · Information ethics

M. Dunn Cavelty (✉)
Center for Security Studies (CSS), ETH Zurich, Haldeneggsteig 4, IFW (C 25.1), 8092 Zurich, Switzerland
e-mail: email@example.com

Sci Eng Ethics (2014) 20:701–715
DOI 10.1007/s11948-014-9551-y

Introduction

Cyber-threats and the measures necessary to counter them are the security issue of the hour. In recent years, a number of sophisticated cyber-attacks and intensifying media attention have combined to give the impression that cyber-incidents are becoming more frequent, more organised, more costly, and altogether more dangerous. As a result, cyber-fears have percolated upwards, from the expert level to executive decision-makers and politicians; and diffused horizontally, advancing from mainly being an issue of relevance to the US to one that is at the top of the threat list of more and more countries, resulting in a flurry of government-led and private-led cyber-security initiatives.[1]

[1] Several governments have released or updated cyber-security or cyber-defense strategies in the last several years. See http://www.ccdcoe.org/328.html for a good overview.

However, despite concerted efforts and increasing sums of money spent on various aspects of cyber-security over the years, cyberspace does not seem to become more secure—rather the opposite, considering the plethora of technical and governmental reports that use the language of urgency and general doom. Furthermore, the actions of some states convey an additional level of unease: Though consolidated numbers are hard to come by, the amount of money spent on defence-related aspects of cyber security is rising (Brito and Watkins 2011; Boulanin 2013). Furthermore, an increasing number of states go (semi) public about opening up ‘cyber-commands’, which are military units for (potentially offensive) cyber war activities.

If we assume that more—rather than less—security in and through cyberspace is one, if not the key goal of cyber-security policies, then the current approach to cyber-security is not working. Worse, as I will show in this article, actions geared towards gaining more security are (directly and indirectly) to blame for making both the virtual but also, by implication, the real world less and not more secure. What we seem to be facing is a “security dilemma”, where efforts by one actor (traditionally, states) to enhance its security decrease the security of others (Jervis 1978). Because cyber-capabilities cannot easily be divulged by normal intelligence gathering activities, uncertainty and mistrust are on the rise. Although most states still predominantly focus on cyber-defence issues, measures taken by some nations are seen by others as covert signs of aggression and will likely fuel more efforts to master “cyber-weapons” worldwide (Dunn Cavelty 2012; Rueter 2011).

That said, the cyber-security dilemma, like other security dilemmas before it, extends to much more than just the security of and between states. In its basic form, cyber-security signifies a multifaceted set of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. The related security discourse is about a diverse set of threat forms, ranging from basic computer viruses to cyber-crime and cyber-espionage activities, as well as cyber-terror and cyber-war. Each sub-issue is represented and treated in a distinct way in the political process: Multiple actors employ different political, private, societal, and corporate notions of security to mobilise (or demobilise) different audiences (Stevens and Betz 2013; Dunn Cavelty 2008). In a less basic form, then, cyber-security is a heterogeneous set of discourses and practices with multiple, often contradictory effects.
Because cyberspace is a realm used and colonized by many different actors for a variety of things, the security-actions by states also directly come to bear on human lives in multiple ways—and vice versa.

In this article, I want to propose possible avenues for breaking the cyber-security-dilemma, especially since the basics of the situation are malleable by human action: Cyberspace, unlike the air, space, or the sea, is an entirely man-made realm, at all times shaped by economic and political forces (Deibert et al. 2008). In the pages that follow, I will first analyse the cyber-security dilemma by focusing on the way the issue is talked about and approached on the policy level and then by looking at how the social entities with power (mainly states and big corporations) shape this discourse and the (physical) information environment by specific security-related practices. In general, it will be shown how the focus on the state and “its” security crowds out consideration for the security of the individual citizen. In other words, the type of security that is currently produced is often not security relevant to the people. That way, a problem for human security is created (Axworthy 2001), which consists of a sustained feeling of insecurity, insecurities in the form of (material) vulnerabilities in the infosphere, and exploitation of these insecurities by several political actors.

The diagnosis of how the dilemma is created in parts one and two will then allow me to suggest a remedy in the third part. I argue that national security and a form of security that “distances itself from the exclusive grip of a state-determined concept and becomes security relevant to people” (Hoogensen and Stuvøy 2006: 219) should not be and must not be at loggerheads with each other. In cyber-security in particular, the two can meet.
If we want national security and human security at the same time, we need a type of security that is based on strong considerations for privacy and data protection and is decidedly anti-vulnerability. Such a security, which I outline in the last chapter, should be informed by a human-centric information ethics of the infosphere (Floridi 1999; Capurro 2006).

What Kind of Security is Cyber-Security?

In this chapter, I will introduce the specificities of the cyber-security relevant discourse in order to show what kind of security cyber-security is.[2] I trace two elements: the specificities of the “threat” and the related “referent object” (that which is seen in need of protection). In any political process, the definition of referent objects is not only closely connected to how a danger is viewed, it also is an unavoidable decision since any danger discourse must be tied to some kind of endangered entity to become meaningful (Hagmann and Dunn Cavelty 2012). What is shown in this chapter is that the “human” is presented as a direct threat in the form of the (evil) hacker, the inadequate software developer or system administrator, but is hardly ever a specific and direct referent object of security. The threat to (national) security is presented as possible disruption to a specific way of life—one building on information technologies, economic performance and “critical” functions of infrastructures—but the direct threat to human security, especially a threat that undermines acquired values such as anonymity, privacy, freedom of speech, free access to information, etc. does not figure prominently in the policy discourse.

[2] A focus on discursive expressions should not be understood as a denial that there are “real world” issues at stake. The reality of network incidents is undisputed; however, the analysis goes explicitly beyond the impacts of “real” (objective) threats arising from cyberspace to look at their representation in the political process.

An Amorphous Threat and its Representation

In the mid-1990s, a growing concern with information security found a technical vocabulary, a set of analytical tools, and practices of intervention in a longstanding mode of thinking about infrastructures as a security problem (Collier and Lakoff 2008). The related threat discourse consists of an outward-looking focus about non-deterrable threats (in the form of malicious human actors) and an inward-looking focus about one’s own vulnerability.

The outward-looking focus sees an increasing willingness of malicious actors to exploit weaknesses in an enemy’s defense without hesitation or restraint. Government reports are full of references to the cyber-aspect elevating the “old” national security trope to a new urgency-level. This happens through a change in the (interlinked) temporal and the spatial dimension of the threat that make cyber-attack potentially less risky for the aggressor than other types of attacks: In cyberspace, anonymous actors are represented by symbols and their actions unfold their effects anywhere instantaneously—catching them is very difficult or even impossible due to the specificities of the technological environment.

The inward-looking focus on the other hand is about vulnerabilities in (computer) systems. In computer security, a vulnerability is understood as the confluence of three elements that in themselves combine the inward and the outward looking perspective: a system susceptibility or flaw, an attacker’s knowledge of and access to the flaw, and an attacker’s capability to exploit the flaw (e.g. NIST 2002: 15). The result of a successful utilization of a vulnerability is a compromise of the system’s information security.
Due to the characteristics of digitally stored information, an intruder can delay, disrupt, corrupt, exploit, destroy, steal, and modify information, with various implications (Waltz 1998).

A general basic issue for cyber-security is that the information infrastructure that we use every day for data-transfer was never built with security in mind: vulnerabilities abound. One of the reasons for the continued existence and constant new creation of these vulnerabilities is that security is constantly “underproduced” in a market dominated by the so-called network effect, under which the benefits of a product increase when the number of users increases, and the “winner takes it all”. Quasi-monopolies and time pressures lead to a focus on fast delivery in commercial software development. Quality criteria, like security, play only a minor role (Anderson and Moore 2006). Another reason is that the most powerful actors providing the most important information services today have an interest in keeping them insecure: Big Data is considered the key IT trend of the future, and companies want to use the masses of data that we produce every day to tailor their marketing strategies through personalized advertising and prediction of future consumer behaviour (Morozov 2013). Therefore, there is no interest in encrypted (and therefore secure) information exchange. On top of this, the intelligence agencies of this world have the same interest in data that can be easily grabbed (Böhme 2005).

The human in this threat discourse is the weakest link that creates vulnerabilities, e.g. through “faulty” software development, or the human is a hapless victim that is exploited by, e.g., the actions of cyber-criminals. Through the economic damage that is produced that way, the threat is linked back to the economic security and welfare and often back to national security (Dunn Cavelty and Suter 2012).
However, humans are also the prime threat in the archetype/stereotype of the “hacker”, individuals with technical superpowers, able to easily pose a severe threat to powerful actors with very limited resources (at least in theory) (Conway 2008; Barnard-Wills and Ashenden 2012).

Vulnerable Critical Objects

The selection of a “referent object” of security is closely interrelated with how the threat is represented. As mentioned, some objects—commonly called infrastructures—and the functions they perform are regarded as ‘critical’ by the authorities (in the sense of ‘vital’, ‘crucial’, ‘essential’) because their prolonged unavailability harbours the potential for major crisis, both political and social (Burgess 2007). In the mid-1990s, the issue of cyber-security was persuasively interlinked with this topic of “critical infrastructures” and their necessary protection and in the process made into a salient national security issue (PCCIP 1997). Because critical infrastructures combine symbolic and instrumental values, attacking them becomes integral to a modern logic of destruction (Coward 2009: 408f.) that seeks maximum impact.

One classical goal of (national) security is to throw a “protective or preservative measure […] around a valued subject or object” (Dillon and Lobo-Guerrero 2008: 276). Before this security can unfold, the valued subject/object needs to be identified and also localized in space. In cyber-security linked to critical infrastructure protection, the identification and designation of the protection-worthy is performed following the well-established steps of (technical) risk analysis techniques, which contain both an act of “naming” and an act of prioritizing. At the beginning of such an analysis stands the identification of the assets (including services) that are critical: Criticality is seen as a measure of the consequences associated with the loss or degradation of a particular asset or object.
Therefore, criticality needs a reference point: it can only exist in relation to something (pre-)defined as important and normal/desirable (Brunner et al. 2010).

Cyber-security linked to critical infrastructures creates and is implemented in a special type of security environment. Whereas the traditional logic of national security suggests unilateral government action and policy, the policies of cyber-security are inevitably blurred by liberalization, domestic considerations and other policy imperatives (Coaffee and Murakami Wood 2006). The management of infrastructure is in general not (or no longer) the prerogative of government; instead it is based on the logic of the market. While it remains the essential task of a government to provide the security of society, it has simultaneously become impossible for any government to achieve this by itself. What is at stake is not the body of the state or its borders, “but the conjoined body of public and private-sector networks” (Der Derian and Finkelstein 2008: 102). Therefore, the private sector becomes instrumental in not only helping with the act of “identification” of critical objects, but also more directly in assuring the health of networks and the services provided by them.

Whereas the methodology employed to identify critical assets is very similar in both the public and private sector, the commonalities end when it comes to the protection goals. From the public sector’s perspective, criticality is linked to the loss of one or more broad national functions. That set of functions—or protection principles—has expanded over time, beginning with national defense and economic security, to include public health and safety, and then national morale (Kristensen 2008). Through definition of these national functions along the lines of general well-being of a nation and its citizens, the link between critical infrastructure protection and national security is forged.
For the state, the goal of protection is the collective well-being represented as a way of liberal life (Anderson 2010)—but, by implication, also the continued function of the state. The relationship between state and infrastructure emerges as an alternative to the image of Abraham Bosse’s Leviathan on the frontispiece of Hobbes’ famous book: Instead of being made up of its citizens, the state is regarded as consisting of the things inside its territory that make life there ‘good’; assets that are not directly identified with its citizens, but material assets that give substance (and significance) to the state through being its foundation (Dunn Cavelty and Kristensen 2008).

For the private sector, the reference point varies depending on the business model; in the abstract, however, it is their functioning, or ‘business continuity’, that is the ultimate protection goal. The reference object for companies, therefore, is themselves. Crucial for the continued performance and effectiveness of many of today’s companies that operate as traders of information/knowledge with the help of information/knowledge networks, is protection against loss of information and routine preservation of knowledge. These techniques sever the human mind/body as “‘incubator’ of this knowledge” from the knowledge itself (Der Derian and Finkelstein 2008: 102), which is given autonomous value over that which becomes replaceable as a result of these practices.
In this view, humans become reduced to nodes in the network, needed to ensure the wealth and health of the networks, but not their own health.

National Security versus Human Security in Cyberspace

In cyber-security as currently understood and practised, human beings are seen as victims, as weakest link in the system, as direct threat—but not (or only very indirectly) as beneficiaries of the type of security that states (and companies) want. On the one hand, the neglect of the human element is a direct consequence of a focus on technical systems as targets and technology-based countermeasures in cyber-security. On the other hand, the lack of consideration for “the human” in this field also seems to be an effect of the issue that human security scholarship has already tackled decades ago: that too much focus on the state and national security tends to crowd out consideration for the individual citizen, with often detrimental effects for security overall (cf. Burgess and Owen 2004). I look at both aspects and their consequences for security below and then turn to the clash between this type of security and human security.

Technical Systems, Political Consequences

A focus on technical objects is not a bad thing per se. In fact, the type of security that emerges directly from the wish to ensure cyber-security is one that seemingly dodges problematic issues normally associated with security, at least in the first instance. Ultimately, we are looking at the practice of protecting inanimate things; the regulation of machines and their performance. Computers, servers, and the computer-powered infrastructures are non-human objects, which are someone’s legitimate property and have a certain (usually undisputed) value for societies. Cyber-security measures thus imagined have little to no bearing on citizens’ lives directly. Most importantly, there are no concerns about freedom/security trade-offs, and no civil liberty issues (Buzan et al. 1998).
This security does not depend upon the invocation of a state of emergency, but is ‘clean’ and ultimately, ‘good’, since everybody seems to benefit from an interruption-free performance of vital systems.

However, this view is inevitably problematized, because these machines cannot be isolated from human life. The image of modern complex critical infrastructures is one in which it becomes futile to try and separate the human from the technological. Technology is not simply a tool that makes life livable: rather, technologies become constitutive of novel forms of ‘a complex subjectivity’, which is characterized by an inseparable ensemble of material and human elements (Coward 2009: 414). Therefore, even if technologies may appear to regulate objectively and apolitically, there is always a connection to a place, to a space, to a space of protection, to values, to life. An even closer look at the seemingly apolitical management of a technical issue with technical means reveals a deeply political nature, because the selection of referent objects as described above always entails a larger argument about protection: Endangered entities are judged to have legitimate claims to protection (while others do not). In other words, this type of security will only provide relief to a valued referent object—not necessarily “the citizen” or humans more generally.

In cyber-security, as argued above, economic imperatives like profit maximization are decisive. It is not a given, then, that cyber-security is a truly public good, understood as security for all. Quite the opposite: the type of security that emerges mainly benefits a few and already powerful entities and has no or even negative effects for the rest. The type of referent object to be protected and by implication, the type of life to be saved, is represented by the uninterrupted flow of information linked to the accumulation of capital and economic growth (Swyngedouw 2007), which in turn is linked to national security.
This is at the heart of the cyber-security dilemma, in which the dominant form of security is making large parts of the population arguably less secure. Various security needs are not aligned; and while they do not always have to be, more awareness of the clash between them is needed.

State Power in Cyberspace

Referent objects also reveal a lot about (hidden) power structures. Contrary to the beautiful utopia of cyber-libertarians like Barlow (1996), who saw cyberspace as a serious challenge to traditional state power, the dystopian reality is more like a “feudal power structure” that consolidates power in the hands of the few (Schneier 2012a). Even though the cyber-realm has challenged us to think about power differently, the most power rests with a few IT companies that act with little restraint in their own self-interest, often changing social norms by accident or deliberately, at all times using “the users” to increase their profits. At the same time, states are asserting their power positions rather forcefully (Schneier 2013), mostly in the name of security.

Assertion of state power is linked to the possibility (and desirability) to create borders in cyberspace, which results in a changing topology of cyberspace as we know it (Mueller et al. 2013). Prominent concepts like “Cyber-Westphalia” tap into the founding myths of a stable political world order based on state power and invoke images of a delimited and thus defendable and securable place, newly reordered by the state as the real guarantor of security (Demchak and Dombrowski 2011).
In this view, held by many government actors, the process of re-establishing state control in cyberspace is inevitable, because security is the most basic need of human beings and seeking security will triumph over other, lesser, inferior needs (such as privacy). Furthermore, the more the issue is presented like a traditional national security issue, the more natural it seems that the keeper of the peace in cyberspace should be the military, and the most relevant concepts are cyber-defense, cyber-deterrence, etc. However, actions by military actors with relation to cyberspace directly fuel the cyber-security dilemma as we have seen.

Of course, there is a certain appeal to a vision in which the unruly, anarchical and dangerous side of cyberspace is kept “outside”, and relative security can be established among states. However, this image simplifies complex matters in an unbeneficial way: Not only does inside-outside generally not apply easily to cyberspace, state control also often means control over information flows: Indeed, an increasing number of governments are already controlling what their citizens can and cannot do on the Internet. Totalitarian governments are embracing a growing “cyber-sovereignty” movement to further consolidate their power. But democratic states are doing very similar things: There is more government surveillance, more government censorship, and more government propaganda than ever before (Deibert 2013; Wagner 2014).

When Notions of Security Clash

State controlled borders in cyberspace would in most cases amount to (at least partial) governmental control over information flows. Certainly, this does not mean that all states would start misusing this power, but trust in their benign intent with regards to civil liberties, most notably privacy, has taken a serious hit last year with Edward Snowden’s NSA revelations. Most notably, the NSA scandal has focused attention on the fact that there are direct human security implications arising from mass surveillance in the name of national security.

In this day and age, more and more user or system specific data is up for grabs—for anybody who is interested in it, ranging from business, to criminals, and the intelligence services. While just the extensive data collection by companies and intelligence agencies is already cause for concern, the consequences of this for human security become fully apparent when the possibilities of its analysis are taken into account. With a relatively simple network analysis, detailed insight into the private lives and relationships of each individual can be gained. More sophisticated methods of calculation are less interested in the present but are geared towards the prediction of future behaviour (and motivations) of people (cf. McCue 2007). Such techniques are already used for targeted advertising, whereby an algorithm defines that if Person X buys this or that product, it is very likely that X is also interested in this or that product. In predictive policing, similar techniques are used to calculate crime hot spots (Perry et al. 2013). A goal of intelligence services is to be able to have advance warning of, e.g., radicalization or terrorist behaviour, based on data combination that could look like this: If Person X visits this website and that website, is in contact with this and that person and has this specific motion profile, then it is likely that Person X will commit a terrorist attack in the next 2 years.

From a data protection perspective, these developments are daunting, particularly because the so-called commercialization of data is not done against the wishes of the user, but rather because it seems to make our lives so much more efficient and convenient. Sure, targeted advertising is at best intrusive and does not yet constitute a human security threat.
However, much more unpleasant implications of individual risk profiles are already apparent today, with people being excluded from certain services, because aspects of their (private) life do not meet the requirements of a company (Amoore and de Goede 2005). In the future, it is not unlikely that even more unpleasant and more directly politically relevant implications arise when democratic rights, such as political resistance or dissidence, are seen as an opportunity for government intervention in the sense of “proactive security” (e.g. at airports).

Add to these developments a fantasy about a version of cyberspace in which crime or even attacks by state actors become impossible or at least very hard. Given that the prime issue for traditional law enforcement methods like punishment or well-proven military tools like deterrence is the “attribution problem” (the difficulty of clearly identifying those initially responsible for a cyber-attack), and given that the attribution problem arises from technological protocols that guarantee a great deal of anonymity for its users, taking away said anonymity, in parts or fully, is sometimes seen as one of the best solutions for a secure internet of the future (cf. CSIS 2008: 61ff.). Here, the clash of different types of security becomes directly visible. From a human and political rights perspective, anonymity is not a threat to security, it is a crucial part of it. An Internet without the attribution problem, which would most likely have a negligible effect on security overall, would introduce a new issue: citizens could be readily identified and punished for their political activities (Zittrain 2011).

That said, the security-implications of current actions by state entities go even further.
It has been suspected for a while and is now confirmed that the intelligence services of this world are making cyberspace more insecure directly; in order to be able to have more access to data, and in order to prepare for future conflict. It has been revealed that the NSA has bought and exploited so-called zero-day vulnerabilities in current operating systems and hardware to inject NSA malware into numerous strategically opportune points of the Internet infrastructure (Greenwald and MacAskill 2013). As soon as military and intelligence agencies became buyers of so-called zero-day vulnerabilities, prices have skyrocketed (Miller 2007; Perlroth and Sanger 2013), with several downsides to this: first, exposing these vulnerabilities in order to patch them, as was the norm not so long ago, is becoming less likely. Second, the competition for exclusive possession of such vulnerabilities might even give programmers incentives to deliberately create and then sell them (Schneier 2012b). It is unknown which computer systems have been compromised—but it is known that these backdoors or sleeper programs can be used for different purposes (surveillance, espionage, disruption, etc.) and activated at any time. It also has been revealed that the US government spends large sums of money to crack existing encryption standards—and apparently has also actively exploited and contributed to vulnerabilities in widespread encryption systems (Simonite 2013; Fung 2013; Clarke et al. 2013).

The crux of the matter is that these backdoors reduce the security of the entire system—for everyone. The exploitation of vulnerabilities in computer systems by intelligence agencies and their weakening of encryption standards have the potential to destroy trust and confidence in cyberspace overall. Also, there is no guarantee that the backdoor-makers have full control over them and/or can keep them secret—in other words, they could be identified and exploited by criminal hackers or even “terrorists”.
Here, state practices not only become a threat for human security: paradoxically, they also become a threat for themselves.

From Problem to Solution: Human-Centric Information Ethics

This article has identified and discussed implications of cyber(-in)-security for human-security concerns, with a main focus on both the representation of the issue as a (security) political problem and the practices of (mainly state) actors based on such representations. The problem with the current system is that security is underproduced, both from a traditional state-focused national security and also from a bottom-up, human security perspective. The reason, so I have argued, is a multi-dimensional and multi-faceted security dilemma, produced by the following interlinked issues:

First, cyber-security is increasingly presented in terms of power-struggles, war fighting, and military action. This is not an inevitable or “natural” development; rather, it is a matter of choice, or at least a matter of (complicated) political processes that has produced this particular outcome. The result is not more security, however, but less: states spend more and more money on cyber-defense and likely also cyber-offense, which is not leading to more, but less security, as evident by the flood of official documents lamenting the security-deficit. Second, the type of cyber-security that is produced is based on economic maxims, often without consideration for the particular security-needs of the population. Third, extending a notion of national security based on border control to cyberspace will almost inevitably have an impact on civil liberties, especially on the right to privacy and the freedom of speech. Fourth, cyber-exploitation by intelligence agencies linked to the manipulation of vulnerabilities is directly making cyber-space more insecure.
What becomes exceedingly clear from the developments and lessons of the last decade is that we cannot have both: a strategically exploitable cyberspace full of vulnerabilities—and a secure and resilient cyberspace that all the cyber-security policies call for.

At the heart of this challenge is, as so often when human security is implicated, the state (cf. Kerr 2007). On the one hand, state practices are emerging as a major part of the problem, constantly creating more insecurity and in fact also hindering the removal of known insecurities. At the same time, a secure, safe, and open cyberspace is not possible without involvement of the state. How, then, can this dilemma be overcome? Because it is a dilemma extending to more than the state, solutions are not to be found solely in the cooperation between states (cf. Booth and Wheeler 2008). Rather, a focus on a common issue of interest for all the stakeholders that are interested in more security is needed. Such a common ground is held by vulnerabilities.

If we want a secure and resilient cyberspace, then a strategically exploitable cyberspace full of vulnerabilities has to be actively worked against. This is a compromise that some state actors need to make if they want a type of national security that extends to cyberspace. If such a compromise is not made, then the quest for more national security will always mean less cyber-security, which will always mean less national security because of vulnerabilities in critical infrastructures. The reason why vulnerabilities persist and even proliferate has already been identified above: the current incentive structures in the market are skewed (Dynes et al. 2008). This is where states are needed to help improve cyber-security through additional regulation (and through further encouragement of voluntary arrangements for the increase of cyber-security in the corporate sector).
Furthermore, there is no doubt from a human security perspective that the zero-day exploit “market” needs to be regulated internationally for security reasons (Kuehn 2013). In addition, prime human security concerns like the freedom of speech and the right to privacy should no longer be seen as anti-security, but as pro-security if linked to vulnerabilities: reducing the amount of data that is unencrypted will substantially reduce cyber-crime and cyber-espionage, with benefits for both human-centred and state-centred security.

In turn, the ethics that should guide our future engagement with cyber-security have to take into account the special and all-embracing characteristics of cyberspace. So far, ethical considerations with bearing on cyber-security have mainly been made from a military perspective, following the tradition to address new forms of warfare and weapons systems under ethical viewpoints (cf. Rowe 2010; Dipert 2010; Barrett 2013). Cyber-security, as argued in the very beginning, is far more than this, however: From both a state and a human security perspective, cyberspace has become more than just a technological realm in which we sometimes interact for social or economic reasons. Cyberspace has become a fundamental part of life and is constitutive of new, complex subjectivities.

An ethics that fits such a broad understanding is Information Ethics. It constitutes an expansion of environmental ethics towards a less anthropocentric concept of agent, which includes non-human (artificial) and non-individual (distributed) entities and advances a less biologically-centred concept of “patient”, which includes not only human life or simply life, but any form of existence. This ethics is concerned with the question of an “ethics in the infosphere” (Floridi 2001) and beyond that, an “ethics of the infosphere” (Capurro 2006).
In information ethics, the lowest possible common set of attributes which characterises something as intrinsically valuable and an object of respect is its abstract nature as an informational entity (Floridi 1998). In this view, all informational objects are in principle worthy of ethical consideration. However, to ensure that such an ethics does not involuntarily place the technical over the social, we must make sure that the protection of these data is not founded “on the dignity of the digital but on the human dimensions they refer to” (Capurro 2006). The duty of a moral agent is evaluated in terms of contribution to the growth and welfare of the entire infosphere (Floridi 1999: 47), but always related to a bodily being in the world. Any process, action or event that negatively affects the infosphere with relevance to human life impoverishes it and is an “instance of evil” (Floridi and Sanders 1999, 2001). Vulnerabilities are such an evil.

References

Amoore, L., & De Goede, M. (2005). Governance, risk and dataveillance in the war on terror. Crime, Law and Social Change, 43(2–3), 149–173.
Anderson, B. (2010). Preemption, precaution, preparedness: Anticipatory action and future geographies. Progress in Human Geography, 34(6), 777–798.
Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314, 610–623.
Axworthy, L. (2001). Human security and global governance: Putting people first. Global Governance, 7(1), 19–24.
Barlow, J. P. (1996). A declaration of the independence of cyberspace, electronic frontier foundation website. http://homes.eff.org/~barlow/Declaration-Final.html.
Barnard-Wills, D., & Ashenden, D. (2012). Securing virtual space: Cyber war, cyber terror, and risk. Space and Culture, 15(2), 110–123.
Barrett, E. T. (2013). Warfare in a new domain: The ethics of military cyber-operations. Journal of Military Ethics, 12(1), 4–17.
Böhme, R. (2005). Vulnerability markets—What is the economic value of a zero-day exploit? Paper held at the 2005 Chaos Communication Congress Berlin, Germany. http://events.ccc.de/congress/2005/fahrplan/attachments/542-Boehme2005_22C3_VulnerabilityMarkets.pdf.
Booth, K., & Wheeler, N. (2008). The security dilemma: Fear, cooperation and trust in world politics. New York: Palgrave.
Boulanin, V. (2013). Cybersecurity and the arms industry. SIPRI Yearbook 2013: Armaments, disarmament and international security (pp. 218–226). Oxford: Oxford University Press.
Brito, J., & Watkins, T. (2011). Loving the cyber bomb? The dangers of threat inflation in cybersecurity policy. Mercatus Center George Mason University, Working Paper No. 11-24, April 2011.
Brunner, E., Dunn Cavelty, M., Giroux, J., & Suter, M. (2010). Protection goals. Focal report on Critical Infrastructure Protection for the Federal Office for Civil Protection, No. 4. Zurich: Center for Security Studies.
Burgess, J. P. (2007). Social values and material threat: The European Programme for Critical Infrastructure Protection. International Journal of Critical Infrastructures, 3(3–4), 471–487.
Burgess, J. P. & Owen, T. (Eds.) (2004). Special section: What is ‘human security’?, Security Dialogue, 35(3), 345–346.
Buzan, B., Wæver, O., & de Wilde, J. (1998). Security: A new framework for analysis. Boulder: Lynne Rienner.
Capurro, R. (2006). Towards an ontological foundation of information ethics. Ethics and Information Technology, 8(4), 175–186.
Clarke, R. A., Morell, M. J., Stone, G. R., Sunstein, C. R., & Swire, P. (2013). Liberty and security in a changing world: Report and Recommendations of The President’s Review Group on Intelligence and Communications Technologies. Washington, DC. http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf.
Coaffee, J., & Murakami Wood, D. (2006). Security is coming home: Rethinking scale and constructing resilience in the global urban response to terrorist risk. International Relations, 20(4), 503–517.
Collier, S. J. & Lakoff, A. (2008). The vulnerability of vital systems: How critical infrastructure became a security problem. In M. Dunn Cavelty & K. S. Kristensen (Eds.), The politics of securing the homeland: Critical infrastructure, risk and securitization (pp. 17–39). New York: Routledge.
Conway, M. (2008). The media and cyberterrorism: A study in the construction of ‘reality’. In M. Dunn Cavelty & K.S. Kristensen (Eds.), The politics of securing the homeland: Critical infrastructure, risk and securitisation (pp. 109–129). London: Routledge.
Coward, M. (2009). Network-centric violence, critical infrastructure and the urbanization of security. Security Dialogue, 40(4–5), 399–418.
CSIS Center for Strategic and International Studies (2008). Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency. Washington, DC. http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf.
Deibert, R. J. (2013). Black code: Inside the battle for cyberspace. Toronto: McClelland & Stewart.
Deibert, R. J., Palfrey, J. G., Rohozinski, R., & Zittrain, J. (2008). The practice and policy of global internet filtering. Cambridge: MIT Press.
Demchak, C. & Dombrowski, P. (2011). Rise of a cybered westphalian age. Strategic Studies Quarterly, Spring, pp. 32–61.
Der Derian, J. & Finkelstein, J. (2008). Critical infrastructures and network pathologies: The semiotics and biopolitics of heteropolarity. In M. Dunn Cavelty & K. S. Kristensen (Eds.), The politics of securing the homeland: critical infrastructure, risk and securitisation (pp. 84–105). London: Routledge.
Dillon, M., & Lobo-Guerrero, L. (2008). Biopolitics of security in the 21st century: An introduction. Review of International Studies, 34(2), 265–292.
Dipert, R. R. (2010). The ethics of cyberwarfare. Journal of Military Ethics, 9(4), 384–410.
Dunn Cavelty, M. (2008). Cyber-security and threat politics: US efforts to secure the information age. London: Routledge.
Dunn Cavelty, M. (2012). Militarizing cyberspace: Why less may be better. In C. Czosseck, R. Ottis, & K. Ziolkowski (Eds.), Proceedings of the 4th International Conference on cyber conflict (pp. 141–153). Tallinn: CCD COE Publications.
Dunn Cavelty, M. & Kristensen, K.S. (2008). Introduction: Securing the homeland: Critical infrastructure, risk, and (in)security. In M. Dunn Cavelty & K. S. Kristensen (Eds.), The politics of securing the homeland: Critical infrastructure, risk and securitization (pp. 1–14). New York: Routledge.
Dunn Cavelty, M. & Suter, M. (2012). The art of CIIP strategy: Taking stock of content and processes. In J. Lopez, R. Setola, S. D. Wolthusen (Eds.). Critical infrastructure protection: Information infrastructure models, analysis, and defense (pp. 15–38). Springer: Berlin.
Dynes, S., Goetz, E., & Freeman, M. (2008). Cyber Security: Are economic incentives adequate? In E. Goetz & S. Shenoi (Eds.), Critical infrastructure protection, IFIP International Federation for Information Processing (Vol. 253, pp. 15–27). Boston: Springer.
Floridi, L. (1998). Does information have a moral worth in itself? Paper presented at Computer Ethics: Philosophical Enquiry in Association with the ACM SIG on Computers and Society, London School of Economics and Political Science, London, December 14–15, 1998. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=144548.
Floridi, L. (1999). Information ethics: On the theoretical foundations of computer ethics. Ethics and Information Technology, 1(1), 37–56.
Floridi, L. (2001). Ethics in the Infosphere. The Philosophers’ Magazine, 6, 18–19.
Floridi, L. & Sanders, J. W. (1999). Entropy as evil in information ethics. Etica & Politica, special issue on Computer Ethics, 1(2).
Floridi, L., & Sanders, J. W. (2001). Artificial evil and the foundation of computer ethics. Ethics and Information Technology, 3(1), 55–66.
Fung, B. (2013). The NSA hacks other countries by buying millions of dollars’ worth of computer vulnerabilities. Washington Post. http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-bybuying-millions-of-dollars-worth-of-computer-vulnerabilities/.
Greenwald, G. & MacAskill, E. (2013). Obama orders US to draw up overseas target list for cyberattacks, The Guardian. http://www.theguardian.com/world/2013/jun/07/obama-china-targets-cyberoverseas.
Hagmann, J., & Dunn Cavelty, M. (2012). National risk registers: Security scientism and the propagation of permanent insecurity. Security Dialogue, 43(1), 80–97.
Hoogensen, G., & Stuvøy, K. (2006). Gender, resistance and human security. Security Dialogue, 37(2), 207–228.
Jervis, R. (1978). Cooperation under the security dilemma. World Politics, 30(2), 167–214.
Kerr, P. (2007). Human security. In A. Collins (Ed.), Contemporary security studies (pp. 122–134). Oxford: Oxford University Press.
Kristensen, K.S. (2008). The absolute protection of our citizens: Critical infrastructure protection and the practice of security. In M. Dunn Cavelty & K. S. Kristensen (Eds.), The politics of securing the homeland: Critical infrastructure, risk and securitisation (pp. 63–83). London: Routledge.
Kuehn, A. (2013). Extending cybersecurity, securing private internet infrastructure: The U.S. Einstein Program and its Implications for Internet Governance. In R. Radu, J.-M. Chenou & R.H. Weber (Eds.) The evolution of global internet governance (pp. 157–167). Schulthess: Zürich.
McCue, C. (2007). Data mining and predictive analysis: Intelligence gathering and crime analysis. Oxford: Butterworth Heinemann.
Miller, C. (2007). The legitimate vulnerability market: The secretive world of 0-day exploit sales. In 6th Workshop on the Economics of Information Security (WEIS 2007). http://weis2007.econinfosec.org/papers/29.pdf.
Morozov, E. (2013). To save everything, click here: Technology, solutionism, and the urge to fix problems that don’t exist. London: Allen Lane.
Mueller, M., Schmidt, A., & Kuerbis, B. (2013). Internet security and networked governance in international relations. International Studies Review, 15(19), 86–104.
NIST (2002). NIST Special Publication 800-30, Risk Management Guide for Information Security.
PCCIP President’s Commission on Critical Infrastructure Protection. (1997). Critical foundations: Protecting America’s infrastructures. Washington: US Government Printing Office.
Perlroth, N., & Sanger, D. E. (2013). Nations buying as hackers sell knowledge of software flaws. The New York Times, 14, A1.
Perry, W. L., McInnis, B., Price, C. C., Smith, S. C., & Hollywood, J. S. (2013). Predictive policing: The role of crime forecasting in law enforcement operations. Santa Monica: RAND.
Rowe, N. C. (2010). The ethics of cyberweapons in warfare. International Journal of Technoethics, 1(1), 20–31.
Rueter, N. (2011). The Cybersecurity Dilemma. MA thesis. Duke University.
Schneier, B. (2012a). The vulnerabilities market and the future of security. Forbes, May 30. http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-ofsecurity/.
Schneier, B. (2012b). When it comes to security, we’re back to Feudalism. Wired, http://www.wired.com/opinion/2012/11/feudal-security/.
Schneier, B. (2013). The battle for power on the internet. The Atlantic, http://www.theatlantic.com/technology/archive/2013/10/the-battle-for-power-on-the-internet/280824.
Simonite, T. (2013). NSA’s own hardware backdoors may still be a “problem from hell”, http://www.technologyreview.com/news/519661/nsas-own-hardware-backdoors-may-still-be-a-problem-fromhell/.
Stevens, T., & Betz, D. J. (2013). Analogical reasoning and cyber security. Security Dialogue, 44(2), 147–164.
Swyngedouw, E. (2007). Impossible/undesirable sustainability and the post-political condition. In J.R. Krueger & D. Gibbs (Eds.), The sustainable development paradox (pp. 13–40). New York: Guilford Press.
Wagner, B. (2014). The politics of internet filtering: The United Kingdom and Germany in a comparative perspective. Politics, 34(1), 58–71.
Waltz, E. (1998). Information warfare: Principles and operations. Boston: Artech House.
Zittrain, J. (2011). Freedom and anonymity: Keeping the internet open, http://www.scientificamerican.com/article/freedom-and-anonymity/.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.