
Cybersecurity threats and threat agents : how the European Union acknowledges them, and how they are presented In political debate


Academic year: 2021


Etienne Bruce Lalanne (10862544) 24/06/2016, Amsterdam

Thesis project: European Security Politics

Words: 22,677 (excl. front page, table of contents, bibliography and appendix)

Thesis supervisor: Prof. Dr. Marieke de Goede

Table of Contents:

1 Introduction & Problem Statement

2.1 Theoretical Framework

2.2 Securitization Theory

2.3 Technology and Security

2.4 Cybersecurity

3 Methodological Framework

3.1 Critical Discourse Analysis

3.2 Sample Selection Process

3.3 Methodology

4 ENISA Threat Landscape Analysis

4.1 Introduction

4.2 Threats and Categorizations

4.2.1 Introduction

4.2.2 Category 1: Tools

4.2.3 Category 2: Enablers

4.2.4 Category 3: Events

4.3 Threat Agents

5.1 European Parliament debates

5.2 Cyber Terrorism

5.3 Cyberwarfare

5.4 Cybercrime

5.5 Reflection

6. Discussion

7. Conclusion

Bibliography

Annex

1. Introduction & Problem Statement

This thesis revolves around the perception of threats and threat agents in the European Union’s cybersecurity. As a broader topic, the study of cybersecurity can be considered both societally and scientifically relevant. With regard to the fast advancing technological nature of Western society, guaranteeing cybersecurity is gradually becoming an obligation for individuals, companies, organizations, and states alike. With the European Union containing 28 member states which have to hold its legislation above their own, it is of the uttermost importance for the European Union to have adequate legislation regarding cybersecurity, both to protect its own institutions, as well as its member states and the aforementioned companies, organizations and individuals residing in said states.

Scientifically, the study of cybersecurity is of great contemporary importance, due to its recent and fast evolution over the past decades. Deibert describes cyberspace as “a new environment, a new ecosystem or domain equal in importance to land, sea, air, and space within which states and other actors seek competitive advantage” (Deibert, 2011, p.3). Cybercrime, for example, since it is of a digital nature, can arguably be considered as of a different nature than ‘physical’ crime, or other non-cyber sorts of threatening activities. Although objectives and motivations are often the same, between digital and non-digital counterparts, the means of execution differ vastly, thus creating an entire new facet to the study of security, when given a digital perspective. As Murphy puts it: “No passport is required in cyberspace. And although police are constrained by national borders, criminals roam freely. Enemy states are no longer on the other side of the ocean, but just behind the firewall” (Murphy, 2010) Hence, it is of crucial importance to determine the threat(s) that the European Union, amongst others, may be facing. While the digital sphere encompasses more and more of our lives, much of it is accepted blindly, without fully understanding how such new technologies function. Cybercrime, and therewith breaches of cybersecurity are often talked about, but rarely in explanatory detail.

The study of cybersecurity is one that brings many debates along with it. The field has been enveloped with a sense of urgency, already since the 1990’s, where media started to talk about “‘electronic Pearl Harbors’ and ‘weapons of mass disruption’” (Hansen & Nissenbaum, 2009, p.1155). Murphy elaborates on such a disastrous scenario, listing possible events which could potentially happen as results of cyber-attacks, such as: “computer bugs bring down military e-mail systems; oil refineries and pipelines explode; air-traffic control systems collapse; freight and metro trains derail; financial data are scrambled; the electrical grid goes
down […]; orbiting satellites spin out of control” (Murphy, 2010). While Murphy’s scenario may certainly seem a little over the top, it does bring to light all the sorts of events which could happen, if an attack were successful. The catastrophic scenario and its implications are a heavily debated subject in the academic world. Sceptics such as Brandon Valeriano argue that cybersecurity is a policy area only maintained by an irrational fear of the unknown, strongly criticizing heavy investments in cybersecurity (Tuohy, 2012, pp. 5-6). Others consider the possibility of a cybersecurity breach with potential effects comparable to “the impact of setting several atomic bombs on major cities” (Weinberger, 2011, p.145). The two sides of the debate could largely be condensed to those who argue no such catastrophe has happened, and therefore, it should not be feared, and those who claim that it simply hasn’t happened yet, and should be prepared for.

An issue that arises when discussing cybersecurity and the involved actors is that of attribution. Effectively, once an act is committed, it is by the attribution of whom the perpetrator was, or was perceived to be, that the act itself will be defined. In essence, the name given to an act depends on who – or which agent – committed it, and the reasons for which it has been committed. In the field of cybersecurity, one can encounter a variety of threat agents. Clapper (2015), in the Worldwide Threat Assessment of the US Intelligence Community, identified three sorts of threat agents, namely “state-sponsored, profit-driven criminals, and politically or ideologically motivated activists or hacktivists” (p.2). Each of these threat agents is commonly associated to a type of action: states conduct cyber-warfare, profit-driven criminals commit cybercrime, and the politically or ideologically motivated activists are associated with cyberterrorism (ibid, p.2). These three categories of actors will be the ones used throughout this thesis. Hence, this section will deal with elaborating shortly upon each term, how it is defined, and what it represents.

The first concept to be defined will be cyberwarfare. Cyberwarfare or cyber war is generally considered as any cyber-attack perpetrated by a state, towards another state. Clarke and Kanake define it as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption” (Clarke and Kanake 2010, p.6). It should be mentioned that certain scholars, such as Thomas Rid, argue against the use of this definition, given the definition of war by Clausewitz, who argues that war is “violent, instrumental, and political” (Rid, 2012, p.10) in nature. Still according to Rid, no cyber offense or cyber-attack recorded so far has met all three of these criteria, and thus, no such event as cyberwarfare has happened yet. While it was deemed important enough to be
mentioned, this thesis will not be going into this controversy and debate in further detail. In terms of cyberwarfare, two historic events can be said to come closest to its definition, namely the explosion of a Siberian pipeline in 1982, and the cyber-attack on Estonia in 2007. The former is considered as the “most violent ‘cyber’ attack” (Rid, 2012, p.10), due to it being one of the only cyber-attacks until now to have had real-world, i.e. non-cyber consequences, and in this case in the form of a pipeline explosion. The explosion is said to have been caused by the CIA “inserting malicious code into the control system that ended up being installed in Siberia […] the code that controlled pumps, turbines, and valves was programmed to operate normally for a time and then ‘to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds’” (Rid, 2012, p.10). The resulting explosion, which took place in June of 1982 was referred to as “monumental” (ibid, p.10) and was allegedly rated by the US Air Force at “three kilotons, equivalent to a small nuclear device” (ibid, p.10).

The latter example, the cyber-attack on Estonia, happened in April of 2007. Tallinn authorities had decided to move a Russian World War II memorial statue from the center to the outskirts of the city, which resulted in violent street riots at first, on the 26th and 27th of April (Rid, 2012, p.11). On April 27th, cyber-attacks started, which lasted until the 19th of May, resulting in “what was then the worst-ever DDoS1” (Rid, 2012, pp.11-12). On the peak of the attack, on May 9th, 58 Estonian websites were down, including “the online services of Estonia’s largest bank, then known as Hansapank” (ibid, p.12). While there was no lasting damage from the attacks, the events in Estonian cyberspace are worthy of mentioning as the first large-scale attack against a country’s infrastructure, as websites of political parties, governments, and businesses were all targeted by an estimated number of over 85,000 hijacked computers (ibid, pp.11-12). Another aspect about the attacks which should be mentioned is that, even though the Estonian government has raised suspicion that the Russian government was behind the attacks, due to the removal of a Russian statue, and the attacks reaching a peak on the 9th of May, the date on which Russia celebrates its victory in World War II, there is no concrete evidence that this was the case (ibid, pp.11-12).

1 DDoS is an acronym for Distributed Denial of Service. Through massive accessing of a certain website or server, the maximum capacity of users is overstepped and the website or server crashes, rendering it unavailable. DDoS attacks are similar to DoS (Denial of Service) attacks in the sense that DoS attacks come from a single computer or IP address, whereas DDoS attacks come from multiple computers or IP addresses.

The two examples were chosen to illustrate the potential damage output cyber-attacks can have in a case of cyberwarfare. Although there were no recorded casualties in either case, they show that cyber-attacks can potentially have violent effects, and that massive
coordinated attacks, that mainly states would be capable of, can yield great results as well.

The second concept which will be defined is that of cyberterrorism, as well as ideologically motivated hackers, also known as hacktivists. Pollitt, using definitions of terrorism and cyberspace, combines the two in order to create his own definition of cyberterrorism. He defines it as “the premeditated, politically motivated attack against information, computer systems, and data which results in violence against non-combatant targets by sub national groups and clandestine agents” (Pollitt, 1998, p.9). It should be mentioned that in certain cases, scholars make distinctions between cyberterrorism and ideologically motivated hacking or hacktivism. Heickerö explains this controversy by arguing that “for an attack to be regarded as cyber terrorism, the intended effect has to be serious human and economic casualties, intense fear and anxiety—terror—among the citizens” (Heickerö, 2014, p.555). However, the concept of casualty is difficult to apply in cyberspace, as it only exists in digitalized–and not in a physical–form, hence rendering it complicated to apply in the same manner. For the sake of clarity, in this thesis, the term cyberterrorism will be used to designate both cyberterrorists according to Heickerö and ideologically motivated hackers, as the line of distinction between the two groups is not clear enough, and partially inexistent in some cases. In a study published for the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee, it is stated that cyberterrorists are mostly prone to use strategies of DDoS, disclosure2 and defacement3 “to reach their goals” (Van Der Meulen et al, 2015, p.33). Examples of hacktivism include the international group Anonymous’ so-called ‘Operation Avenge Assange’ which attacked numerous financial organizations’ websites after those had blocked payments to Wikileaks (Mansfield-Devine, 2011, p.5). Anonymous used a DDoS tool in order to perform their ‘attacks’ and succeeded in disrupting the websites of PayPal, MasterCard, as well as the website of US Senator Joe Liebermann, who had wanted Assange to be tried under espionage laws (ibid, p.5). Another example, which used the strategy of defacement rather than DDoS, was what is referred to as the electronic jihad incident of 2000. In this case, hackers based in Iran attacked Israeli websites and replaced their content with Islamic rhetoric (Valeriano & Maness, 2011, p.24).

2 Disclosure, in this case, refers to the disclosure of unauthorized data, probably obtained in an illegal manner, possibly through hacking (van der Meulen et al, 2015, p.40)

3 Defacement, in this case, refers to the modification of information found in specific websites (van der Meulen et al, 2015, p.40)


The two examples of cyber-terrorism were chosen to demonstrate the effect that previous cyber-terrorist attacks have had so far.

The definition of cybercrime, in contrast to the other two concepts, is usually very broad. As this thesis aims to make use of documents published by an agency of the European Union, the used definition of cybercrime is the one given by the European Commission in its Cybersecurity strategy document:

“a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target. Cybercrime comprises traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g. on-line distribution of child pornography or incitement to racial hatred) and offences unique to computers and information systems (e.g. attacks against information systems, denial of service and malware)” (European Commission, 2013, p.3)

In the case of this thesis, the used definition will apply mainly to the first and third aspects of the definition, barring out content-related offences. It can be argued that cyberwarfare and cyberterrorism are included in the definition of cybercrime. However, as this thesis aims to find out about threat agents, and those are divided into three clear categories by Clapper and Van der Meulen (Clapper, 2015, p.2; Van Der Meulen et al, 2015, pp.28-30), the types of attacks, which are also defined by the perpetrating agent and their motivation, will be delimited as such. The difference between cyberwarfare and cyberterrorism is also not essentially found in the types of attacks themselves, but more in the initiator and/or perpetrator, as well as the motivation of the attacks. Hence, in the case of this thesis, cybercrime will be referring to profit-driven criminal activity committed in cyberspace with no political or ideological motivation.

Since this thesis revolves around the European Union and its cybersecurity, this is what this section will now start to dive into. The European Union has a very complex constitution and history. It started as an economic ‘community’, and still works as an economic union nowadays, with member states joining its ranks for financial growth and economic benefit. However, since, it has also evolved into a political Union, with member states now being tied to European Law, in addition to their own, a common currency for most member-states and police and judicial co-operation, to only name a few aspects. The fact that the member states cooperate economically, as well as politically would mean that they would have common interest in a secure cyberspace, out of financial and political reasons. Hence,
the question can arise: What and who does the European Union consider as threats to its cybersecurity and that of its member states? In order to answer this question, this thesis will aim to assess both technical, as well as political views and statements on the matter. The technical aspect will be represented by the European Network and Information Security Agency (ENISA). The political statements, on the other hand, will be taken from political debates held in the European Parliament.

ENISA is an agency of the European Union, which defines itself as being “a centre of expertise of cyber security in Europe” (ENISA, n.d.). It is mentioned that it functions with the objective of “contributing to a high level of network and information security (NIS) within the Union” (ibid). ENISA’s role is that of cooperation with member states, as well as the private sector, in order to “deliver advice and solutions” (ibid) to them, regarding NIS. Amongst these advice and solutions, one finds “identifying the cyber threat landscape” (ibid), which is then reported upon in publications called ENISA Threat Landscapes (ETL). It is these ETLs that this thesis aims to use as sources for analysis, in order to understand what are defined as threats, and which agents are involved in the creation and perpetration of those threats.

In order to understand better what is meant by a threat, this section will now shortly elaborate on the principle of speech acts as a modus of creation of threats. Every threat is made up of different factors, as elaborated upon in the Copenhagen School theory of securitization, which will be gone into in greater detail in a later part of this thesis. In its purest form, the theory of securitization requires an issue, a securitizing agent, who defines the issue as a threat, and an audience who accepts the issue as a threat as defined by the securitizing agent (Buzan et al, 1998, p.27). Such a discursive act of defining an issue as a threat is referred to as a speech act (ibid, p.27). However, in terms of cybersecurity, an issue rarely arises naturally on its own, but is most often brought forward by a threat agent, an agent at the origin of the threat. As was explained, in the field of cybersecurity, threat agents are usually cyber-criminals working for monetary profit, cyber-terrorist aiming to spread discord and their ideology, or nation-states aiming to conduct warfare or cyber-espionage (Clapper, 2015, p.2; Van Der Meulen et al, 2015, pp.28-30). In this situation, the ETLs and parliamentary debates can be considered as speech acts par excellence, seeing as they are literally the definition of particular events as threats by competent authorities.

The aim of this thesis is to find out who and what the European Union considers as threats, through ENISA and the European Parliament. Hence, the research question this thesis aims to answer is: Who and what does the European Union consider as threats in cybersecurity, through the expertise of ENISA, and how is it reflected in the political discourse that are European Parliament debates?

In order to answer this research question, several sub-questions are to be answered:

- What does the ENISA identify as threats, following its ENISA Threat Landscapes? Who are the threatening actors in those threats?

- Which actors or types of cyber-attacks are mentioned in European Parliament debates?

- How are the findings of the analysis of the ENISA Threat Landscapes reflected in the European Parliament?

In order to answer the research question, as well as the sub-questions, this thesis proceeds as follows: After the introduction, a theoretical framework will outline the concepts of securitization, technology and its relation to security, and cybersecurity itself. Next, the conceptual framework of this thesis will be laid out, elaborating upon the chosen method of analysis, discourse analysis, as well as on the methodology followed, including questions aiming to be answered, sampling process and hypotheses. Following, this thesis will present the analyses, and will discuss the findings of both parts. Finally, this thesis’ findings are summarized in a conclusion.

2.1 Theoretical Framework

In order to answer this thesis’ research question, this section will be explaining relevant theories. As the research question revolves around the cybersecurity of the European Union, different theories which revolve around cybersecurity will be laid out. The first subsection will focus in detail on Securitization Theory. Next, the following subsection will be diving into the evolution of technology and its links to security. Finally, the theoretical framework will be brought to an end by elaborating upon cybersecurity itself, the application of the Securitization Theory to cyberspace and what defines cybersecurity as a security sector.

2.2 Securitization Theory

Securitization, in the field of International Relations is the process of making an issue into a ‘security issue’. This section elaborates on securitization theory by first describing the meaning of securitization, before going deeper into the field of security and the actors involved in the process. This theory was deemed necessary to address given the context of
cybersecurity that surrounds this thesis. Since the analysis revolves around threats and threat agents, which are integral parts of the securitization theory, this section will shed light on the matter, as well as on the process of securitization, including speech acts.

The process of securitization, in essence, means to make a threat into a security issue. In order for that to happen, the threat has to be considered so important that the security and well-being of the addressed is seen as threatened by that issue. Often, one speaks of an “existential threat” (Buzan et al, 1998, p.21) when considering something a security issue. Once a threat has been identified as a security issue, it “justifies the use of extraordinary measures” (ibid, p.21) in order to be handled. The term and assessment originated in the military, as an existential threat would mean an important military threat which, if unchecked, would threaten the well-being of whomever they opposed. Hence, extraordinary measures originally referred to extraordinary military measures. As Buzan et al phrase it, it is “the move that takes politics beyond the established rules of the game and frames the issue either as a special kind of politics or as above politics” (Buzan et al, 1998, p.23).

There are several actors or objects involved in the securitization process, which are the securitizing actor or agent, the referent object, the threat or issue, and the audience. The referent object is the individual or group targeted by the threat. In military situations, the referent object is usually the state, but it may be “other kinds of political entities” (Buzan et al, 1998, p.22). Pretty much any group can be a referent object, as Buzan et al further exemplify, “[i]t is also possible to imagine circumstances in which threats to the survival of the armed forces would elevate those forces to referent object status in their own right” (ibid, p.22). Non-human groups can also be referent objects, such as in environmental issues, where a species of animals, types of habitat such as forests or lakes, or even the entire planet earth may potentially be threatened, and in need of extraordinary measures of help (ibid, p.23). The securitizing agent or actor (from here on out, they will be referred to as securitizing actors) is the agent or actor who argues that the referent object is threatened by the issue at hand (Buzan et al, 1998, p.36). The argument is mostly done through the use of rhetoric, and one speaks of a “security speech act” (ibid, p.40), or simply a speech act, when a securitizing actor declares something to be a security threat (ibid, pp.35-36). Stritzel, for example, refers to the process of securitization as “a successful speech act” (2007, p.358). Buzan and Waever consider that a speech act is a process

“through which an intersubjective understanding is constructed within a political community to treat something as an existential threat to a valued referent object, and to enable a call for urgent and exceptional measures to deal with the threat” (Buzan and Wæver, 2003, p.491)

It should be mentioned that speech acts have, as the name would suggest, an important discursive aspect to them. Waever goes into further detail regarding the language part of the speech act:

“with the help of language theory, we can regard ‘security’ as a speech act[…] By saying it [security] something is done (as in betting, giving a promise, naming a ship). By uttering ‘security,’ a state-representative moves a particular development into a specific area, and thereby claims a special right to use whatever means are necessary to block it” (1995, p.55).

Hence, it can be argued that the very utterance of the word security, the discursive act in itself, is a major component of the securitization process performed by the securitizing actor.

The securitizing actor can be part of the referent object, but need not be. Usually, a securitizing actor is considered a representative of the referent object they are aiming to protect from the issue they are aiming to securitize (ibid, p.41). Actors can also be individuals or groups, as Buzan et al exemplify in the case of De Gaulle and France:

“Individuals can always be said to be the actors, but if they are locked into strong roles it is usually more relevant to see as the “speaker” the collectivities for which individuals are designated authoritative representatives (e.g., parties, states, or pressure groups) – for example, France-materialized-as-de Gaulle rather than the person de Gaulle. […] States treated de Gaulle as acting on behalf of France and held France responsible for his acts; thus in the world of “diplomatics” France was constituted as the actor” (Buzan et al, 1998, pp. 40-41)

Actors are also often “in a position of authority” (Peoples & Vaughan-Williams, 2010, p.79), and require “enough social and political capital” (ibid, p.79) in order to be convincing in their speech act. Buzan et al go further in detail on the necessary influence a securitizing actor must have in order to complete the securitization process. If an actor is not successful in convincing his audience about the presence of an existential threat, or its importance, one refers to the incomplete process as a “securitizing move” (Buzan et al, 1998, p.25). Peoples and Vaughan-Williams note that the presentation of an issue as an existential threat is facilitated by certain factors. The securitizing actor needs to be taken seriously, and is thus often more convincing if they are considered “security experts” (2010, p.79) than if not. Further, they mention that it is “easier to present an issue as an existential threat if objects associated with the issue carry historical connotations of threat, danger, and harm, or where a history of hostile sentiments exist” (ibid, p.79). For example, since tanks carry a heavy connotation as weapons of war, should tanks mass up at a state border, the securitization of
the issue would be easier for a securitizing actor to achieve. Also, if there is a history of conflict between states, the remembrance factor can also sway an audience in situations where a non-rival state could conduct the same actions and not be perceived as a threat (ibid, p.79).

Since the actor has to perform a speech act to determine a security issue threatening the referent object, there needs to be an “audience” (Buzan et al, 1998, p.41) who listens to the speech act. The audience, in such a case, is the person or group of people that the actor has to convince through his speech act in order to securitize an issue. As Peoples and Vaughan-Williams put it: “in any securitizing speech act there is always a speaker and an audience. In order for securitization to work, an audience has to accept a threat as credible” (2010, p.78). Audiences usually hold the decision-making power in the securitizing process, but need not be part of the referent object.

Security studies are divided into security sectors. While securitization originally stems from military issues, it now also takes place in non-military sectors, such as environmental, economic, societal and political (Peoples & Vaughan-Williams, p.80). In each of the mentioned sectors, the military sector included, one identifies different types of interaction within the sectors, which can lead to different sorts of threats. Interaction in the societal sector is linked to relationships of collective identity, and therefore, it could securitize any “existential threat to collective identity/language/culture” (ibid, p.80). Sectors have
characteristics specific to them, such as a specific group or groups which behave as referent objects, as well as specific sorts of threats, or particular grammar pertaining to a sector (Buzan et al, 1998, p.27). Hence, any emerging potential threat could be categorized as belonging into one of the sectors. Hansen and Nissenbaum also make the case to include cybersecurity as its own sector, rather than have it divided and included in the political and economic sector (2009, p.1155).

Peoples and Vaughan-Williams mention that there are different “level[s] of analysis” (2010, p.82) in security studies. Such levels go from the individual to the global level, with the national (state) level between the two (ibid, pp. 81-82). The national level is the most prominent level in security studies, as “individual security and global security remain fundamentally opaque and impractical for the purposes of analysis” (ibid, p.82). For example, in terms of the societal security sector, it would be hard to pinpoint a global identity altogether, and especially one which could be existentially threatened by any sort of issue. Further, an individual’s, but not a group’s identity being threatened might not provide enough leverage for a threat to be considered serious enough for it to become a security issue (ibid,
p.82). However, it is not impossible for securitization to take place at another level than that of the state. Once again using the societal sector as an example, any group unified by a common identity could argue that its identity is being existentially threatened, and the larger the group, the more influence it can have. A group unified by a common identity may also transcend the boundaries of the state, such as religion does (ibid, p.83). Floyd does, however, mention that “most securitizations are still performed by state actors, as these – unlike most other securitizing actors – have the capabilities to make securitizations happen” (2007, p.41). This thesis, for example, will look at securitization from a European perspective, making the European Union the referent object. While the European Union is not a state itself, but comprised of member states, through the fact that it has institutions, one can easily identify securitizing actors and audiences in the securitization process.

As this section has demonstrated, the process of securitization goes through the utterance of a speech act by a securitizing actor, which has to be accepted by an audience. As this thesis will analyse what it considers speech acts in the form of ENISA Threat Landscapes and European Parliament debates, this theory subsection has observed the actors in the process of securitization, as well as the term speech act, and its relation to language.

2.2 Technology & Security

As this thesis aims to examine the securitization of cyberspace, it is of crucial importance to understand the relationship between security and technology, as cyberspace is exclusively technologically created. This can be considered an unusual attribute in the area of security, to say the least. Cybersecurity is essentially an outcome of the combination of the concept of security and technology. Since the concept of security and the theory of securitization have been observed in the previous section, this section will now give an introduction to the concept of technology, and its relation to security. This section will start by defining the concept of technology, before observing its use in and correlation with the field of security.

This first subsection will observe the definitions of the term technology, and the different manners in which technologies can be perceived. Technology is, when observed in its most simplified state, a mass of inert manmade objects, or at the very least it can be defined as such. Bijker refers to technology “at the most basic level” as “sets of physical objects or artefacts” (2006, p.682). However, the field of social science also stipulates that “a device of any kind matters insofar as it is embedded in human activities” (Guittet and Jeandesboz, 2010, p.233). Therefore, the notion and concept of technology encompass not only the object itself, what it is and what it is capable of, but also the details of its use (ibid, p.233). It is also worth noting that the former includes “technological systems” (ibid, p.233), more than anything. A technological system is made up of individual objects, but also treated as a whole singular object itself, as Guittet and Jeandesboz explain: “For instance, we conceive of a car as a whole, as one single object, until the moment when it stops to function: it is then broken down, metaphorically and literally, into its various components (e.g. engine, brakes, carburetor [sic.])” (ibid, p.233).

Technology can also be defined in non-material ways. Most notably, it can be thought of as a notion of actions, or practices, not only an object, but the way it is utilized as well (Guittet and Jeandesboz, 2010, p.233; Franklin, 1999, p.6), or, as Bijker puts it, as “human activities, such as in ‘the technology of e-voting,’ where it also refers to the designing, making and handling of such machines” (2006, p.682).

Finally, still regarding the concept of technology, it can be argued that technologies carry a sort of implication, depending on who or what is contemplating it. While, for example, weapons carry the obvious implication of violence, even more neutral technologies can result in very different opinions. Bijker elaborates on the matter with the example of a nuclear reactor:

“to union leaders a nuclear reactor may exemplify an almost perfectly safe working environment with very small chances of on-the-job-accidents compared to urban building sites or harbors. To a group of international relations analysts, the reactor probably represents a threat because of its potentially enhancing nuclear proliferation, while for the neighboring village the risks of radioactive emissions and the benefits of employment may strive for prominence.” (Bijker, 2006, p.684)

It is important to consider this last aspect of the definition of technology, as certain technologies of cybersecurity may certainly be part of such a phenomenon as well. A practice in cybersecurity which normal users may consider harmless may be considered as a threat by security agencies. This subsection has thus provided definitions of the concept of technology, as well as how certain groups or individuals may regard technologies in different manners.

The coming subsection will now assess the relationship that technology has had and still has with security, including an evolution of the paradigm of security, and the role technology has played in the shift. Technology is used in many different manners pertaining to security, such as “the use of advanced biometrics, databases and risk models for the purpose of border protection, migration control, identification of individuals, crowd control and other [uses] regarding population management or social control […] or the

Jeandesboz themselves emphasize: “Technology, […] has been singled out as a crucial element of contemporary dominant narratives on (in)security. Secondly, it has been incorporated not as an instrument or outcome of security practices, but as one of their components” (ibid, p.230).

Technology, although not inexistent before the previous century, has made significant progress and has been used more and more during the past decades in numerous fields in order to enhance performances. Since the end of the Cold War, new technologies relating to information and communication have been massively developed and used “for the conduct of both external and internal security activities” (Guittet & Jeandesboz, 2010, p.230). Forensic science, for example, has gained from technological development, as it has “facilitated the internationalization of police operations” (ibid, p.230).

However, the concept of threat to security has also evolved since the Cold War. While there previously existed a bipolar order, with security discourse focusing on “the ‘enemy’” (ibid, p.230), the bipolar order was dissolved, and evolved into more of a situation of “global (in)security” (ibid, p.230), where “liberal regimes, considered as the most committed to globalization and openness, are at risk because of a variety of unpredictable, transnational developments and operators” (ibid, p.230). Hence, the focus of security agencies has shifted from the aim of protecting a territory from a known enemy to reducing vulnerability from an unseen threat (ibid, p.230). This shift in the focus of national security has been labelled as moving from a “logic of protection” to a “logic of ‘risk management’” (ibid, p.230). Guittet and Jeandesboz note that the reliance on the notion of risk is considered one of the “driving factors of the transformation of security practices” (ibid, p.230), further mentioning that this concerns both the fields of policing and the military, and therewith influences both internal as well as external security. The mentioned transformation was achieved with technology playing an important role, most particularly in the US, where, after the 11 September 2001 attacks, security agencies started relying heavily on technological, rather than human, intelligence (ibid, p.231). The shift from a logic of protection to one of risk management is arguably personified in the field of cybersecurity. Given the transnational aspect of cyberspace not being limited by national borders, it represents both the aspect of global insecurity from the victim’s point of view, potentially threatened from all sides, as well as from the aggressor’s point of view, with a pool of targets, not limited by physical boundaries. Guittet and Jeandesboz note that in discourse about the global (in)security, technology is often mentioned as “a fix, a solution to a set of specific problems” (ibid, p.231), and that its greatest asset is that, due to its logical, rather than emotional nature, it “does not incorporate opinions and biases other than technical ones” (ibid, p.231), quickly followed by the fact that it is perpetually evolving, always getting more effective and sophisticated. However, Guittet and Jeandesboz mention that technology can be seen as having an influence, precisely through its evolution, as it “contributes actively to the definition of dangers and risks, and of (in)security practices” (ibid, p.235) which all evolve alongside technology. In essence, if technology advances, it can result in a greater capacity of analysis to detect risks from a security agency’s point of view, but also a greater capacity for creation of risks for a threat agent.

In recent decades, as the doxa or accepted paradigm shifted from the bipolar order to the global (in)security setting, technology has created a niche in the systems used by security professionals. Guittet and Jeandesboz list a few examples of ways of usage of technology in the realm of security, including “biometrics, databases, information-sharing and data-mining procedures” (2010, p.231). It is noted that, although these measures are used in order to increase security, through “daily surveillance and the everyday tracing of individuals and groups” (ibid, p.232), the carried effect has often been the creation of a greater feeling of insecurity amongst the observed population (ibid, p.232; Bigo, 2008, pp. 105-106). The use of technology to increase surveillance can be explained by the aim to achieve “deterrence and dissuasion” (Guittet and Jeandesboz, 2010, p.232), hence aiming to securitize a nation through the creation of insecurity towards anyone susceptible of posing a threat, thus demonstrating a shift in security activities and policy aims moving from ensuring the security of a population, to creating insecurity of threatening actors. Huysmans elaborates on such usage of technology with aims of insecurity, mentioning that the “modulation of insecurity […] crucially depends on technological and technocratic processes” (Huysmans, 2006, p.8). He does, however, emphasize the fact that, although it may seem that the technological dispositions are formed in response to policies being created, such is not the case:

“They are not just developed in response to a political decision but often already exist in one form or another within professional routines and institutional technology and evolve over time according to professional and bureaucratic or institutional requirements – such as the need to innovate” (Huysmans, 2006, p.8)

One could therefore argue that the technological use and advancement is “not just a mere policy tool, or the outcome of a decision” (Guittet and Jeandesboz, 2010, p.232), but rather a phenomenon related to that of security practices. As Guittet and Jeandesboz put it, “security practices play an important role in the framing, developing and promoting of technological systems, and in return, technology frames, shapes and channels security practices” (ibid, p.232).

This second subsection of the section on technology and security has given an insight into the relationship between technology and security. It was considered important to include, as this very relationship is the one that, amongst other things, has created the subject of cybersecurity. The technology that is cyberspace and its usage, combined with the global insecurity, is what has brought about the securitization of cyberspace, and therewith the term and field of cybersecurity.

2.3 Cybersecurity

In order to bring the theoretical framework for this thesis to an end, this subsection will now go over the sector of cybersecurity as pertaining to the Copenhagen School securitization theory. Different aspects of cybersecurity will be observed, such as its role as a security sector, threats associated to cybersecurity, and the grammar of cybersecurity.

This first part of the section on cybersecurity will help get an insight into the field as a security sector, and into the details surrounding it. Hansen and Nissenbaum argue that cybersecurity should be recognized as a sector of security studies, and not as an “attempted securitization” (ibid, p.1156), as it was labelled on grounds of it having “no cascading effect on other security issues” (Buzan et al, 1998, p.25), therefore declaring that there was “no need to theorize cyber security as a distinct sector akin to the military, the political, the environmental, the societal, the economic, and the religious one” (Hansen & Nissenbaum, 2009, p.1156).

Regarding security sectors, Hansen and Nissenbaum consider them as “lenses” (ibid, p.1157) through which one observes and considers a security issue, with a specific constitution of referent objects, types of threats, and a particular form of “grammar” of securitization associated to the sector (ibid, p.1157). Hansen and Nissenbaum base their argumentation on why cybersecurity should be a security sector of its own on the fact that the Copenhagen School’s “understanding of security as a discursive modality with a particular rhetorical structure and political effect makes it particularly suited for a study of the formation and evolution of cyber security discourse” (2009, p.1156). Further, they argue that by now, cybersecurity has been successfully securitized, at least in the USA, by the “establishment of the Commission on Critical Infrastructure Protection” (ibid, p.1157), as well as in the creation of a NATO-backed cyber defence centre in Estonia. Yould even states that “it appears that IT may be the common underlying factor upon which all security sectors are destined to converge” (Yould, 2003, p.78). The argument is further developed by Hansen and Nissenbaum, stating that the military sector is already closely linked to digital technologies. Additionally, it is stated that several states, such as China, Myanmar and Singapore have already greatly securitized their internet (Hansen & Nissenbaum, 2009, p.1157), creating an argument that, even if it is not the case in the USA, it plays in favour of being observed as part of a cybersecurity phenomenon, rather than a purely economic, political or criminal one (ibid, p.1157). Hansen and Nissenbaum also mention that there is a wealth of referent objects to be found in cybersecurity, seeing the amount of commercial transactions taking place digitally, the amount of private data to be protected on the web, and the potential for surveillance and data-mining (ibid, p.1157).

The securitization of a state’s internet can take up different forms. Deibert mentions examples of such practices by authoritarian governments. “Governments […] intervene, first through the erection of digital firewalls to block citizen access to information, and then through the development of military capabilities”, as well as through the use of “techniques like network exploitation and denial of service” (Deibert, 2011, p.3). He further argues that such actions are taken against “opposition groups or human rights activities and dissidents”, as these are considered as threats by authoritarian governments who aim to “limit and contain what these groups do, in addition or as a complement to Internet content filtering practices” (ibid, p.3).

Hansen and Nissenbaum elaborate on the threats specific to the sector of cybersecurity, and the potential magnitude they could have, mentioning “cyberdisasters” (2009, p.1161) as an illustrating example. Cyberdisasters, as is explained by the Computer Science and Telecommunications Board (CSTB), are attacks which could “compromise systems and networks in ways that could render communications and electric power distribution difficult or impossible, disrupt transportation and shipping, disable financial transactions, and result in the theft of large amounts of money” (CSTB, 2002, p.6). The most important aspect to keep in mind about cybersecurity is the “networked character of computer systems”, which is precisely what inflates the potential magnitude of cyber-attacks (Hansen & Nissenbaum, 2009, p.1161). This subsection of the cybersecurity section has therewith proceeded with the introduction of the field of cybersecurity.

This final part of the section on cybersecurity will now address the discourse of cybersecurity, and the used grammar, with three pertinent examples by Hansen and Nissenbaum. As this thesis will be analysing ENISA publications and Parliament Debates revolving around cybersecurity, getting an insight into its discourse and grammar was considered of crucial importance.

Cybersecurity stands out from the crowd in further aspects specific to it. Its discourse stands out, as it “moves seamlessly across distinctions normally deemed crucial to Security Studies: between individual and collective security, between public authorities and private institutions, and between economic and political-military security” (Hansen & Nissenbaum, 2009, p.1161). This is elaborated upon further: the private sector’s fear of large amounts of money being stolen by hackers, the dread of intellectual property owners when faced with file sharing and its effect on their rights and revenues, as well as the overarching scare of bugged software and computer viruses which could have detrimental consequences for numerous sectors – be they private or public – all “produce a powerful blending of private-economic and public-national security concerns” (ibid, p.1161).

Another specificity about cybersecurity is the securitization grammar tied to it as a securitization sector. As previously stated, sectors can have a particular grammar, or recurring themes, tied to their discourse of securitization. Hansen and Nissenbaum elaborate on three “security modalities that are specific to the cyber sector” (2009, p.1163). These three modalities are: hypersecuritization, everyday security practice and technification.

The first concept, hypersecuritization, refers to “an expansion of securitization beyond a “normal” level of threats and dangers” (ibid, pp.1163-1164). It is mentioned that hypersecuritization carries with it the stigma of “a tendency both to exaggerate threats and to resort to excessive countermeasures” (ibid, p.1164), but Hansen and Nissenbaum argue that the “exaggerated” part of the definition is pejorative in nature, since for the most part “all securitizations […] have an element of the hypothetical” (ibid, p.1164). The fact that scenarios for cyberdisasters are littered with disastrous potential threats which have not yet occurred is what creates the inherent scepticism surrounding cybersecurity, argue Hansen and Nissenbaum, and with it, brings the idea of exaggeration.

The next assessed grammar concept is that of everyday security practice. It refers to “the way in which securitizing actors […] mobilize “normal” individuals’ experiences” (ibid, p.1165). This process is beneficial in two ways: it is done “to secure the individual’s partnership and compliance in protecting network security and to make hypersecuritization scenarios more plausible by linking elements of the disaster scenario to experiences familiar from everyday life” (ibid, p.1165). In essence, one can define it as securitization taking place as per the theory of the Copenhagen School, with the general public as the audience (ibid, p.1165). However, the concept goes further, and the everyday securitization portrays the individual “not only as a responsible partner in fighting insecurity, but also as a liability or indeed a threat” (ibid, p.1166). Cyberspace is portrayed as a “dangerous” (ibid, p.1166) area, and a careless individual may infect his own computer with a virus, “facilitate a security breach” (ibid, p.1166), or “may unwittingly download [illegal] pornography labelled as something else” (ibid, p.1166).

The third and last observed grammatical concept pertaining to cybersecurity is that of technification. Technification, as the name may suggest, refers to the usage of technical terms in the securitization discourse. This is mainly brought about by the “strong emphasis on the hypothetical” (ibid, p.1166) which, as previously explained, is commonly found in cybersecurity discourse. Given the roaming uncertainties tied to its threats, cybersecurity requires “expert discourse” (ibid, p.1166), which will include technicalities, to provide legitimacy to its arguments (ibid, p.1168). Hansen & Nissenbaum argue that technification allows for “epistemic authority” (ibid, p.1167), as the technical aspect becomes “a domain requiring an expertise that the public (and most politicians) do not have” (ibid, p.1167). It is also mentioned that “this in turn allows “experts” to become securitizing actors while distinguishing themselves from […] politicians” (ibid, p.1167). It should be mentioned that these three grammatical concepts are not exclusive to cybersecurity discourse. In numerous cases they can be found in environmental discourse, especially the latter two concepts. However, as they are often found in cybersecurity discourse, they can effectively be considered as part of what defines it.

In order to end this section, let us briefly summarize what was discussed. The Copenhagen School theory of securitization was explained, elaborating upon the different actors taking part in the securitization process. This part was essential to the answering of this thesis’ research question, as it gave us the theoretical framework of securitization, and the tools for analysis in the definitions of speech acts and threat agents. Following this, the concept of technology was observed, along with its links to security practices. This gave a broader understanding of technology, how people come to consider it, and its inherent importance in the field of security practices. Finally, cybersecurity was observed. This last section offered a more in-depth insight into the field than the first section did, preparing the analysis by giving a clearer picture of what cybersecurity discourse is made up of. Aspects mentioned in the theories, most particularly the grammar pertaining to cybersecurity, will be looked out for during the analysis.

3. Methodological Framework

This section will delineate the methodology this thesis will be using for its analysis. First, it will address the chosen method of analysis, why it was chosen and what it entails. Next, it will elaborate upon its sampling procedure and the chosen samples. Finally, it will outline how the samples will be analysed, stating questions aiming to be answered, as well as a hypothesis.

3.1 Critical Discourse Analysis:

The chosen method of analysis is discourse analysis. This method of analysis was chosen because this thesis aims to analyse “speech acts”. Speech acts are, as the name suggests, acts of discursive nature, in which something is identified as a threat. In the previous section, discourse and language were mentioned as being of particular importance when dealing with speech acts. Discourse analysis was thus deemed the best method to identify and analyse the discourse of the ENISA Threat Landscapes and the European Parliament debates. Teun Van Dijk and Norman Fairclough were chosen as the primary sources for this section on discourse analysis, or critical discourse analysis, due to their being among, if not the, scholars who have dealt most intensively and extensively with the matter. Further, Fairclough offers an extensive methodology to be used when performing discourse analysis, which was found to be of great importance and use for this thesis. Van Dijk defines discourse analysis as “a type of discourse analytical research that primarily studies the way social power abuse, dominance and inequality are enacted, reproduced, and resisted by text and talk in the social and political context” (Van Dijk, 2001, p.352). Van Dijk further mentions that for discourse analysis to be effective, it needs to be focusing on social problems and/or political issues (ibid, p.353). Discourse analysis is often used in order to determine an injustice, or a discrimination within a system, as is found in the used language. The power relations of different groups, as understood in the socio-politico-historical setting of the discourse, are reverberated in linguistics, and can therefore be identified (ibid, p.353). In the case of this thesis, as the focus is to analyse speech acts, or discursive actions relating to the identification of a threat, the analysis will focus on the political issue of security, rather than on social problems. Since the process of securitizing an issue following the theory of securitization eventually leads to the use of exceptional measures in order to deal with said issue, one can speak of the dominance and use of power by government towards the indicated threat.

In terms of methodology, discourse analysis is not always consistent. Van Dijk mentions that methods of analysis differ, depending on the analysed source, and exemplifies it when noting that “analysis of conversation is very different from an analysis of news reports in the press or of lessons and teaching at school” (2001, p.353). Nonetheless, he elaborates on common consistencies between analyses, listing concepts most usually found and worked with, mentioning ““power,” “dominance,” “hegemony,” “ideology,” “class,” “gender,” “race,” “discrimination,” “interests,” “reproduction,” “institutions,” “social structure,” and “social order”” (ibid, p.354). He also mentions that an important part of discourse analysis is bridging the micro-macro gap between language (micro) and relations of power (macro), and creating an analysis based on the correlation of the micro-macro levels in each different situation.

Fairclough (2001) sketches a methodology applicable to critical discourse analysis, and, in doing so, mentions several important aspects to be taken into account. The first stage is always to identify a social wrong or political problem with a semiotic aspect, i.e. which can be interpreted (Fairclough, 2001, p.125). He elaborates, stating that discourse analysis is always problem-based, and that such an analysis is best used to portray social wrongs, with an emancipatory objective as motivation for the analysis (ibid, p.125).

Next, in the second stage, the researcher needs to identify potential obstacles to addressing the problem. Such obstacles can be found in the analysis of “the network of practices [the social or political problem] is located within”, of “the relationship of semiosis to other elements within the particular practice(s) concerned” or of “the discourse (the semiosis itself)” (ibid, p.125). With regard to the discourse itself, Fairclough mentions that one may encounter obstacles in the “structural analysis: the order of discourse”, the “interactional analysis”, the “interdiscursive analysis” and in the “linguistic and semiotic analysis” (ibid, p.125). In essence, Fairclough argues that obstacles can be found when aiming to analyse discursive aspects which go further than language, such as social interactions which may add to the context, but may not be found in actual sources (ibid, pp.125-126). He also mentions that non-experts in linguistics may not be able to detect some linguistic features, in texts where style and figures of speech may play an important role (ibid, p.126).

Further, in the third stage, Fairclough mentions that it is important to consider whether the established order ‘needs’ the social wrong, if so why, and the potential effect this may have on the sources and analysis (ibid, p.125). He elaborates: “if one can establish through critique that the social order inherently generates a range of major problems which it ‘needs’ in order to sustain itself, that contributes to the rationale for radical social change” (ibid, p.126). Finally, the fourth and last stage mentioned by Fairclough is to identify possible ways to get past and avoid the obstacles identified in the second stage before starting the analysis (ibid, p.125). Fairclough mentions that this stage shifts one’s own methodology “from negative to positive critique” (ibid, p.126), which gives an opportunity to show “contradictions or gaps or failures within the domination in the social order” (ibid, p.127).

This section will now assess how the methodology outlined by Fairclough can be applied to this thesis. With regard to the first stage, that of identifying a semiotic problem, the problematic as such does not focus on a social wrong, but on the portrayal of specific issues as threats. However, the same principle as the identification of social wrongs is applicable to the issue, despite the lack of emancipatory objectives, as one recognizes a social power utilizing negative discourse against a group or individual, in the form of a speech act, with the objective of singling it out.

Regarding the third stage, the assessment of whether the social order needs the social wrong, here again, although the thesis does not deal with a social wrong, and therewith also excludes the usual emancipatory goal of discourse analysis, it can certainly be argued that the ENISA needs to classify specific actors and issues as threats in order to continue existing, and therefore ‘needs’ the securitization process, as without security issues, there is no need for a security agency.

Finally, regarding the second and fourth stages, as the former deals with the identification of obstacles, and the latter with how to overcome them, for the analysis of the ENISA Threat Landscapes, it is not expected that the analysis will face major linguistic challenges. Given the nature of those documents, the used language is often very direct, and does not give room for much linguistic interpretation, due to its lack of complex figures of speech and style. Given the fact that all the analysed documents are in English and that the author, despite being of French descent, has an arguably more than adequate level of English, no language barriers should be found in the analysis. Concerning the European Parliament debates, the situation becomes more complex, although not impossible to deal with. The debates are held in a multilingual fashion, with contributions being made either in English, or in the official language of the MEP. Among the analysed texts, while most were in English, others were in French, German, Croatian and Greek. Given that the author speaks English, French, and German fluently, these three languages did not create a language barrier. For the texts in Croatian and Greek, translating help was sought from Croatian and Greek nationals to make sense of the contributions. Although the language used in parliamentary debates is usually not as direct as in ENISA publications, it was found to still be very clear, and far from overly complex.

Given, once again, that this thesis does not focus on a social issue, it is assumed that there is no social interaction to be observed between ENISA and what or whom it considers threats. Regarding the socio-political context in terms of cybersecurity, given that the assessed documents were published from the start of 2015 onwards, one can argue that it is one of cautious prevention of threats. While there has been a recorded cyber-attack in Estonian cyberspace in 2007, as well as an attack on the French TV5 Monde television channel in 2015, it could be said that the risk is known, but not omnipresent. One can therefore assume that there might be a slight sense of urgency in the analysed sources, especially around the time when the TV5 Monde attacks occurred, which should be watched out for.

3.2 Sample selection process

The analysis will be using two forms of sources, which are ENISA Threat Landscapes, and European Parliament debates. Concerning the former, the ENISA Threat Landscapes were chosen since they presented the perfect balance between ENISA publications on cybersecurity which were too vague to draw actual information from and Threat Landscapes focusing on individual parts of cybersecurity, which presented information which was considered too specific for the answering of the research question. The ETLs were found on the ENISA publications page, by using the search engine with the terms “ENISA Threat Landscape” as keywords and filtering the results by topic and by publication date. The time frame of analysed documents ranged from December 2013 until April 2016, which was the moment in time this selection of sources was made. Within the boundaries of that timeframe, the search yielded 3 results of ENISA Threat Landscapes. Those three publications are the ENISA Threat Landscape of 2015⁴, the ENISA Threat Landscape of 2014⁵, and the ENISA Threat Landscape of 2013⁶. The time frame was chosen to accommodate for at least three ETLs, since it was considered that, given the information provided in them, a large number of sources was perhaps not necessary, as more than sufficient information was provided for an analysis to be performed. Further, the number of three allowed for brief comparisons between the Threat Landscapes, as well as the illustration of tendencies.

⁴ Referred to as ETL 2015 from here on out
⁵ Referred to as ETL 2014 from here on out
⁶ Referred to as ETL 2013 from here on out

Regarding the European Parliament debates, the source was chosen to investigate whether the technical expertise of ENISA is reflected in the political discourse of the European Union. The European Parliament was considered to best represent the political discourse of the European Union in its debates, given the great number of potential participants, as well as the great diversity of origin of the MEPs. Regarding the selection process of the European Parliament debates, the sources were found by going on the European Parliament website, under the Plenary section. Using the search function and the keywords “cyber security”, then filtering out by date, keeping only documents prefaced with “Debates” from the same timeframe as the ETLs, 52 documents were found (see Annex for full list). It should be noted that no results more recent than December of 2015 were found in the search. Still, the sample size of 52 debates was considered sufficient, even without debates from 2016.

3.3 Methodology

The two analyses will be slightly different. As stated earlier, this thesis’ research question is “Who and what does the European Union consider as threats in cybersecurity, through the expertise of ENISA, and how is it reflected in the political discourse that are European Parliament debates?”. Therefore, the analysis of the ETLs will aim to find out what is considered a threat, and who the associated threat agents are. Hence, every threat mentioned in the ETLs will be analysed and briefly elaborated upon. If a threat appears in more than one ETL, the analysis of that threat will include additions from all the ETLs mentioning it. For each threat, the analysis will aim to find out if there is a threat agent predominantly associated with it, whether stated explicitly or implicitly. The analysis will attempt to assess whether there are specific types of threats portrayed in the ETLs, and should this be the case, it will be reflected upon critically.

The analysis of the European Parliament debates will be very focused on threat agents. As European Parliament debates are more of a political matter than a technical one, it is not expected to provide much information about threats. Hence, the analysis will aim at finding out which threat agents are being mentioned, and, when given, in which context. The aim of the analysis of European Parliament debates is to provide an answer to the question: does the political debate reflect the expertise of ENISA with regard to threat agents and their involvement? This question is an important one in order to answer the research question of this thesis. A discrepancy between whom ENISA considers dangerous threat agents, and whom the European Parliament refers to in their debates may mean that policy regarding cybersecurity would not be adapted to the threats the Union may be facing. On the other hand, if there is no discrepancy, one could argue that the Union seems to be functioning well, with communication between its Network and Information Security Agency and its Parliament.

This thesis brings forward the hypothesis that, out of the three main groups of threat agents usually found in cybersecurity, those being terrorists, nation-states and cyber-criminals, the cyber-criminals might be mentioned most often in the ENISA Threat Landscapes and the European Parliament debates. The argumentation behind this hypothesis is: given that the European Union is a primarily economic union, despite its aspects of a political union, the main concern it would have may rather be monetary than political. Cyber-criminals being the only one of the three threat agent groups to be motivated by financial gains, rather than political motives, they appear as the logical candidate.

4 ENISA Threat Landscape Analysis

4.1 Introduction

This subsection of the analysis will concern itself with the European Threat Landscapes of 2015, 2014 and 2013 published by ENISA. First, a list of mentioned threats will be created using the top threats mentioned in each document. While the top threat lists are very similar across the three Threat Landscapes, material from all three will be used and analysed. Each threat will be elaborated upon, and a definition and explanation of the terms will be given when judged necessary. Any mention of threat agents pertaining to specific threats will also be noted in the section concerning the specific threat. Following this, the notable aspects of the findings will be discussed. Given the fact that ENISA seems to use the word ‘threat’ rather loosely, the discussion will focus on differentiating between the different sorts of threats mentioned. The discussed findings of the Threat Landscapes will later be compared to the findings of mentioned threats in the European Parliament’s debates.

It should be mentioned that the threats listed here are listed in the order in which they are presented in the ETL 2015, except for Targeted attacks, which was the only threat which was not found in ETL 2015 or ETL 2014, but only in ETL 2013. Under each threat, it is mentioned which threat agents the ETL 2015 mentions in its table on p. 60, with the abbreviation TA for threat agents. While the table identifies primary and secondary users, the mention after each threat does not take notice of that. Further, while most threats are mentioned in all three ETLs, some are mentioned under different names, depending on the document. While all the names are stated above each threat, once the threat is mentioned by name once again, only the first name of the threat mentioned in the ETL 2015 will be used.

The analysis will be split into two parts. First, the analysis will dive into how threats are portrayed and categorized in the European Threat Landscapes, in order to potentially shed some light on the findings. The second section will focus on threat agents. The threat agent groups will be elaborated upon, and the findings, i.e. the different mentions of threat agents will be summarised briefly and discussed.

4.2 Threats and Categorizations

4.2.1 Introduction

This section will address the portrayal of threats in the ETLs. While performing the analysis on the ETL documents, it was found that the term “threats” was used relatively loosely, as it was found that very different sorts of phenomena were being grouped under the broad term that is a ‘threat’. Out of the 16 threats described, three categories or types of threats were created, in order to generate a better understanding of how the European Threat Landscapes function. It was found that some described threats were very broad, and therewith encompassed all sorts of potential victims and threat agents, while others were much more concise. The three categories were defined as being: Tools or weapons of sorts, enablers and events or results. Each category will briefly be explained, before the threats found in that category will be individually assessed, according to the information given about them in the ETLs. Once all the threats of a category have been laid out, they are then analysed more deeply with regard to their portrayal in the ETLs, as well as how insightful the information was with regard to answering this thesis’ research question.

4.2.2 Category 1: Tools

Threats of category 1 were considered to be a sort of tool or weapon for threat agents to use to achieve their aims. The threats which were found to belong in this category were the following: Malware, Botnets, Physical damage, and Ransomware.

Malware (ETL 2015)/Malicious code: Worms/Trojans (ETL2014 & ETL 2013)

The threats of Malware, as mentioned in ETL 2015 and malicious code: Worms/Trojans as mentioned in ETL 2014 and 2013 were joined into a common threat, as the previous ETLs named the most common types of malwares, and the ETL 2015 simply joined them as a
