Security as a context, generative force, and policy concern for the co-production of cyberspace: historical overview since WWII until the end of the Cold War

Many cybersecurity literature take the 1990s as a starting point to trace the process of securitising cyberspace; implicitly suggesting that it initially emerged as a non-security sector, which was then securitised. Although it is true that ‘cyberspace’ and ‘cybersecurity’ were novel terms at that period, their ontological status cannot be reduced to their mere utterances. If the security of cyberspace as a constructed metaphor signifies the security of computers and networks, with all their associated software, hardware, and data - technologies that have long historical roots - then an ahistorical approach to studying its evolution would be both insufficient and over-simplified. Therefore, this paper aims to prove that security has always been an integral part of the co-production of cyberspace: As a context in which it was developed, as a generative force behind many of its technologies, and as a policy concern in different phases of its evolution, since the emergence of the first computer till the advent of the internet. It seeks to prove that the history of cyberspace is better analysed as a complex process of restructuring, not just technically, but also politically and socially, in which the interests of various actors competed, and security considerations were intertwined with technical ones, and in many respects coproduced them. This analysis is important to show that security was not imposed on cyberspace by political discourses, but has always been intrinsic to the existence of its components and technologies. Besides, it challenges the deterministic accounts of the development of computers and networks, which present them in an idealistic, utopian image as being solely products of civilian and academic efforts

The peculiarities of securitising cyberspace: a multi-actor analysis of the construction of cyber threats in the US (2003-2016)

The rapid development of information and communication technologies rendered cybersecurity an integral aspect of contemporary security discourses and practices in different fields. Yet, despite the obvious intellectual demands of the field, most academic literature on cybersecurity in international relations and security studies remain policy-oriented and under-theorised. One of the few exceptions are studies utilising the Copenhagen school’s securitisation theory to studying discourses and practices of cybersecurity, particularly in the US. Nevertheless, the cyber securitisation literature is still limited in its engagement with the complexity of cybersecurity. One important aspect of this limitation is their focus on official and government’s discourses; an approach that is not applicable with a multi-stakeholder, privately-dominated cyberspace. This state-centric approach does not reflect the diversity of cybersecurity discourses by highlighting only the militarised, geopolitical narratives, adopted by some policy makers. Besides, it overlooks the nuances in threat perceptions, not just between the private and the public sectors, but also among different agencies inside the government. Therefore, focusing on the US as a case study, this paper will employ the securitisation theory’s sectoral analysis for studying the process of securitisation in the field of cybersecurity, using a multi-actor approach which considers the role of several state and nonstate actors in producing and managing cybersecurity discourses, and how complex public-private relationships influence cybersecurity policies and practices. The paper uses the method of discourse analysis in studying cybersecurity discourses of the government, private sector, and media in the US, by examining multiple resources, including official policy documents, congressional hearings, and opinion articles. The analysis covers the period from 2003, when the first cybersecurity strategy was announced, until the end of the Obama administration in 2016. The arguments presented by this paper contribute to the theorisation of the complex conceptual and policy problems of cybersecurity and of cyber securitisation processes through an inductive approach that develops an understanding of the logics and politics of security and risk as contextuallybound and sector-dependent

Cybersecurity and the politics of knowledge production: towards a reflexive practice

How does a reflexive scholarly practice matter for producing useful cybersecurity knowledge and policy? We argue that staking relevance without engaging in reflexivity diminishes the usefulness of knowledge produced both in academia and in policy. To advance a reflexive research agenda in cybersecurity, this forum offers a collective interrogation of the liminal positionality of the cybersecurity scholar. We examine the politics of ‘the making of’ cybersecurity expertise as knowledge practitioners who are located across and in between the diverse and overlapping fields of academia, diplomacy and policy. Cybersecurity expertise, and the practices of the cybersecurity epistemic community more broadly, rely heavily on the perceived applicability and actionability of knowledge outputs, on the practical dependency on policy practitioners regarding access, and thus on the continuous negotiation of hierarchies of knowledge. Participants in this forum reflect on their research practice of negotiating such dilemmas. Collectively, we draw on these contributions to identify obstacles and opportunities towards realising a reflexive research practice in cybersecurity

The non-anthropocentric informational agents: codes, software, and the logic of emergence in cybersecurity

Many theoretical approaches to cybersecurity adopt an anthropocentric conceptualisation of agency; that is, tying the capacity to act to human subjectivity and disregarding the role of the non-human in co-constructing its own (in)security. This article argues that such approaches are insufficient in capturing the complexities of cyber incidents, particularly those that involve self-perpetuating malware and autonomous cyber attacks that can produce unintentional and unpredictable consequences. Using interdisciplinary insights from the philosophy of information and software studies, the article counters the anthropocentrism in the cybersecurity literature by investigating the agency of syntactic information (that is, codes/software) in co-producing the logics and politics of cybersecurity. It specifically studies the complexities of codes/software as informational agents, their self-organising capacities, and their autonomous properties to develop an understanding of cybersecurity as emergent security. Emergence is introduced in the article as a non-linear security logic that captures the peculiar agential capacities of codes/software and the ways in which they challenge human control and intentionality by co-constructing enmity and by co-producing the subjects and objects of cybersecurity