The Wet op de Inlichtingen en Veiligheidsdiensten 2017; an example of a successful cyber securitization

The Wet op de Inlichtingen en Veiligheidsdiensten 2017; An example of a successful cyber securitization

Author: Jeroen Dubach Student ID: 11363258

Master Thesis Political Science: International Relations Thesis Supervisor: Rocco Bellanova

Second Reader: Luc Fransen

E-mail address: jeroendubach@hotmail.com

1

Table of contents

Chapter 1. Introduction ... 3

1.1 Introduction ... 3

1.2 State of the art & relevance ... 5

1.3 Research question ... 6

1.4 Structure of the thesis ... 7

Chapter 2. Theoretical framework ... 9

2.1 Introduction ... 9

2.2 The Copenhagen School’s securitization theory ... 10

2.2.1 What is securitization? ... 10

2.2.2 How does securitization happen? ... 11

2.2.3 Where does securitization happen? ... 12

2.3 Criticism on The CS’s securitization theory... 13

2.4 Cyber Securitization ... 14

2.4.1 Hypersecuritization... 15

2.4.2 Everyday security practices ... 16

2.4.3. Technification ... 17

2.5 Conclusion ... 18

Chapter 3. Research design ... 19

3.1 Introduction ... 19

3.2 Discourse within the CS securitization theory ... 20

3.3 Discourse analysis in the CS securitization theory ... 21

3.4 Data sources ... 22

3.5 Timeframe of collection of data sources ... 23

3.6 Operationalization ... 25

3.6.1 Operationalisation of phase I ... 26

3.6.2 Operationalisation of phase II ... 29

3.7 Conclusion ... 29

4. The WIV2017: an act of cyber securitization ... 31

4.1 Introduction ... 31

4.2 A cyber securitizing move develops ... 31

4.2.1 The Commission Dessens’s report ... 32

4.2.2 The letter of the Minister of Domestic Affairs and Kingdom Relations on the findings of the Commission Dessens’ report ... 37

2

4.2.3 The plenary debate following the publication of the report and the letter of the Minister 39

4.2.4 Statement of the Cabinet ... 41

4.2.5 Securitizing move sub-conclusion ... 44

4.3 The acceptance of the progressive cyber securitizing move ... 45

4.3.1 Acceptance of the progressive cyber securitizing move by the legislature... 46

4.3.2 Acceptance of the progressive cyber securitizing move by the First and Second Chamber of Parliament, and publication of the WIV2017 ... 49

4.3.3 Acceptance of the progressive cyber securitizing move sub-conclusion ... 50

5. Conclusion ... 51

References ... 54

3

Chapter 1. Introduction

1.1 Introduction

Providing the right interception capabilities to the Dutch intelligence- and security services to counter threats that originate in and through cyberspace is a top priority for the Dutch

government (Nationaal Coordinator Terrorismebestrijding en Veiligheid 2013:6). Recent years have seen an increase in efforts by The Dutch government to protect the state against threats and risks that are digital in nature (‘cybersecurity’). One of these efforts has been the enforcement of the ‘Wet op de inlichtingen- en veiligheidsdiensten 2017’ (Law on the

intelligence- and security services 2017, hereafter: ‘WIV2017’). The WIV2017 expanded the interception capabilities available to the Dutch intelligence-and security services to now also include the untargeted hacking and monitoring of cable bound telecommunications. In the world of the intelligence- and security services, and also for the deployment of the armed forces, telecommunications are traditionally seen as a valuable source of information

(AIVD/MIVD, 2013: 9). The relevance of this source of information has only increased more over the last years due the increasing dependence of people on the use of telecommunication- and internet services (AIVD/MIVD, 2013: 9). As such, intercepting telecommunications of persons and organizations that pose a threat to the national security of the Netherlands, and to military missions of the Dutch armed forces, is vital to protect the interests of the Netherlands (AIVD/MIVD, 2013: 9).

Calls for the broadening of the interception capabilities available to intelligence- and security services are often accompanied with political statements, referencing to the

increasing and changing threat assessments states face (Kamerstuk II, 2015/2016, 34 588, nr. 3: 6). Fast paced technological developments, the increase in cyber-attacks, ransomware attacks, digital espionage and even the meddling in domestic affairs and elections by foreign agents through digital means, are much heard arguments stressing the necessity to revise interception regimes that are in place (National Cyber Security Center, 2018).

As such, this thesis is interested in investigating the process that leads to the incorporation of new interception capabilities in legislation. More specifically, the way in which language is used to construct issues as requiring legal measures to remedy threats is of interest. As the topic of interest to this thesis centers around the interception capabilities that are attributed by states to their intelligence- and security services a link with surveillance

4

studies and securitization theory can be established. According to Ball, Haggerty & Lyon (2012: 1-10), surveillance study is characterized by the study of causes and consequences of increased world interdependence and cooperation; in the standardization of techniques and policies and new trans-border organizations; and in cross-border flows of data and persons. As such, there is no commonly held view of how surveillance studies is qualified (Marx, 2007: 377). Represented fields within the discipline include amongst others law, with an emphasis on constitutional, legislative and regulatory questions (Froomkin, 2000; Sharpe, 2000). Sociology, with an interest in the historical development of the theory (Lyon, 1994). Economics with a focus on the implications of information asymmetry for markets, new kinds of intellectual property, and regulation (Stigler, 1980; Noam, 1997). Communication studies, for instance with a focus on the use of phone taps and data mining by investigative authorities (Wise, 2004). But surveillance studies can also be organized according to substantive topics, such as the frequently studied topics of individual privacy (Nissenbaum, 1999, Nissenbaum & Price, 2004). Studies can also be technique centered, such as on the use of biometrics (Nelkin & Tancredi, 1994) and RFID chips (Garfinkle, 2000).

Although the topic of interest of this thesis overlaps with subjects within the field of surveillance studies, this thesis will not apply this field of study to this thesis. The primary interest of this thesis is not to study whether, for example, the impact of the expanded

interception regime might infringe upon individual privacy, or how it should be regulated, and whether the legislation is adequately drafted to fulfill its purpose. Rather, the interest of this thesis lies in determining whether governments now have the tendency to construct issues, such as those exemplified above with a strong cyber aspect to it, as security problems, as opposed to technical, criminal, economic or political issues. To this purpose, securitization theory is better suited, as this theory specifically defines the process with which public issues are constructed as a matter of security (Buzan, Waever & De Wilde, 1998: 23-24).

The political significance of issues, and the ensuing policies that are formulated to deal with these issues, depend heavily on the language that is used through which the event is securitized. The process of constructing a public issue as being a matter of security, by moving it from a nonpoliticized issue to a securitized issue, is what is called securitization (Buzan, Waever & De Wilde, 1998: 23-24). By applying this process of securitization, the issue at hand gains a status and prevalence that a non-security problem does not have (Hansen & Nissenbaum, 2009: 1156). Additionally, by securitizing certain issues, a particular manner in which these issues are viewed is reinforced (Hansen & Nissenbaum, 2009: 1156). The

5

process of constructing public issues that originate out of cyberspace as security issues is what is called cyber securitization (Hansen & Nissenbaum, 2009: 1156).

1.2 State of the art & relevance

The study of cyber security within the broader field of security studies is a relatively new practice, and as such the practice of studying cyber security has been limited. In the

developmental stages of the theory, research pertaining to cyber security was predominantly focused on adjacent issues related to cyber security, but not touching upon its later developed meaning, including issues such as cyber-war (Der Derian, 1992), information warfare

(Denning, 1999; Der Derian 2003:453), critical infrastructure protection (Bendrath, 2003), network security (Arquilla & Ronfeldt, 1993, 2001) and information security (Denning, 1999).

Over time, the theory evolved to a narrower and more specific understanding of cyber securitization as a study that is focused on researching how different actors within the field of politics construct cyber threats with the use of discourse. Scholars applying this evolved understanding of cyber security are interested in researching how the construction of cyber threats affects not only the perception of politics, but also how policies are drafted as a response to those perceptions. More specifically, scholars such as Bendrath (2001) and Lawson (2012) investigated how cybersecurity became an integral part of the national security agenda, by showing how a specific link exists between national security and the cyber-dimension.

As this thesis is particularly interested in how discourse can construct public issues pertaining to cyber space as security issues, a short introduction is required into perhaps the most promising explanatory framework in this regard, the cyber securitization framework. This framework developed by Hansen & Nissebaum is derived from the Copenhagen School’s (‘CS’) securitization theory (Hansen & Nissenbaum, 2009: 1156). The framework explains what threats and referent objects characterize cyber security, how it distinguishes itself from other security sectors and it offers a specific manner of threat discourse through which instances of cyber securitization can be analyzed (Hansen & Nissenbaum, 2009: 1157). More specifically, the authors distinguish three grammars of cyber securitzation that are specific to the cyber sector, with which an act of cyber securitization is realized.

6

Since the development of this framework of cyber securitization, it has been applied by Hansen & Nissenbaum to the Estonian ‘cyber war’ incident of 2007, by Georgieva in analyzing the hypersecuritzation discourse in the United States’ cyberspace policies in the post 9/11 context (Georgieva, 2015), and by Geelen to analyze the discursive construction of computer security in Dutch security policymaking (Geelen, 2016). A practical application of the grammars of the cyber securitization framework to analyze whether a legislative process can be qualified as cyber securitization has not been undertaken up till now. Additionally, a method the measure the success of a securitizing move within a legislative process has not been realized. This thesis is relevant as it will add to the existing empirical data concerning the applicability of the framework, by applying the cyber securitization framework on the case of the enforcement of the WIV2017 by the Dutch government. Additionally, this thesis is also relevant as it will devise a method with which the success of a securitizing move within a legislative process can be measured. This method can then be applied in further research in which the cyber security framework is applied.

1.3 Research question

As mentioned earlier, the Dutch government has increased their efforts to secure the digital domain. The enforcement of the WIV2017 is one of the most recent examples of their efforts. The WIV2017 is supposed to strengthen the intelligence position of the Dutch intelligence- and security services to combat the “changed threat assessment” the Netherlands faces (Kamerstuk II, 2015/2016, 34 588, nr. 3: 6). This thesis applies the cyber securitization framework on the case of the WIV2017 as to study whether this case is an example of a successful cyber securitization. As such, the following research question is formulated:

Does the process leading up to, and including, the enforcement of the WIV2017 qualify as a cyber securitization in accordance with the framework of cyber securitization?

Due to the emphasis on the use of language and grammar in the construction of threats within the framework of cyber securitization, the methodological approach that will be

applied to this thesis is that of discourse analysis. Discourse analysis is in essence a methodology in which “an interrelated set of texts, and the practices of their production, dissemination, and reception (…) bring an object into being” (Bryman, 2012: 536). As such, discourse analysis can be used to analyse the emergence and evolution of threat

7

To be able to answer the main research question, this thesis needs to establish whether a cyber

securitization has been realised in the process leading up to, and including, the entering into

force of the WIV2017. The theoretical framework will show that a successful cyber

securitization is realised when, i) a securitizing actor initialises a cyber securitizing move, and

ii), this cyber securitizing move is accepted by the target audience (Hansen & Nissenbaum, 2009; 1158-1160). This thesis chose to adopt the term cyber securitizing move to avoid confusion with the traditional meaning of a securitizing move as mentioned in the CS

securitization theory. With use of discourse analysis, this thesis will answer the following sub-research questions:

1. Did a cyber securitizing move occur within the discourse pertaining to the WIV2017?; 2. If so, was the cyber securitizing move accepted by the target audience?

The answer to the first question is relevant as a cyber securitization can’t be realised without a

cyber securitizing move being initialised by the securitizing actor. If it is determined that a cyber securitizing move had occurred, the second question is relevant as it then needs to be

determined whether the cyber securitizing move was in fact successful. The successfulness of the move is determined by judging whether the move was accepted by the target audience. The answers that are formulated on the basis of these two sub-research questions will enable this thesis to answer the main research question.

1.4 Structure of the thesis

The structure of this thesis is as follows. The first chapter provides the theoretical framework on which this thesis is build. This chapter will explain, and introduce, the CS securitization theory, addressing its theoretical foundation and key assumption. Additionally, some of the criticisms that have emerged over the years against it, will be discussed. As this thesis is interested in how the process of securitization works with regard to matters pertaining to cyberspace, the final section of this chapter will discuss the main theoretical underpinnings of the cyber securitization framework developed by Hansen & Nissenbaum (2009). This cyber securitization framework is inspired by the CS’s perspective on securitization. A such, it offers a discursive analytical method with which the process of cyber securitization can be studied. The key proposition of this framework is that cyber securitization occurs through the use of three grammars of cyber securitization which tie threats, referent objects, sectors and securitizing actors together. These three grammars are, hypersecuritizations, everyday

8

security practices and technification. The final section of this chapter will elaborate on these grammars of cyber securitization.

The following chapter concerns the research design of this thesis This chapter explains how the theoretical underpinnings of this thesis are researched with use of discourse analysis. As discourse can be researched in many ways, this chapter also explains why this thesis is focused on collecting public policy documents as its primary source material for analysis. Additionally, it will explain within what timeframe the relevant source materials are collected. More importantly, this chapter will also provide the operationalization of how both sub-research questions will be sub-researched and analysed. In particular, the operationalisation of the three grammars of cyber securitization will be discussed, explaining how this thesis aims to recognize these grammars of cyber securitization within the discourse.

The fourth chapter constitutes the empirical body of this thesis. This chapter draws on the data sources to provide answers to both sub-research question. In particular, this chapter will formulate the answers to bot sub-research questions based on the findings of the analysis. Lastly, this thesis will end with a conclusion, providing a summary of each chapter and answering the main research question. This thesis will conclude that the enforcement of the WIV2017 qualifies as cyber securitization.

9

Chapter 2. Theoretical framework

As mentioned in the previous chapter, here this thesis will introduce the theoretical

underpinnings of this thesis. As the cyber securitization framework by Hansen & Nissenbaum (2009) builds on the CS’s theory of securitization, it is necessary to elucidate the source from which it is derived. As such, this chapter starts with an explanation and overview of the core mechanics of the CS securitization theory. Attention is payed to explaining the way in which an issue is securitized and what steps such a process entails. Moreover, this section explains how the realisation of a securitization depends on the successful transition of the

securitization process through two distinct phases. These are the initiation of a securitizing

move by the securitizing actor, and the acceptance of the securitizing move by the target

audience.

The following section briefly discusses the main criticisms of and contributions to -the CS securitization -theory that emerged since its inception.

This chapter then moves on to the discussion of cyber securitization theory. As this thesis is interested in establishing whether a cyber securitization was realised in the process leading up to, and including, the entering into force of the WIV2017, the core mechanics of cyber securitization theory need to be elaborated on. This section provides a brief overview of the history of cyber securitization theory, after which an in depth overview of the

underpinnings of the theory are provided. Specific attention is given to the three grammars of cyber securitization, as these grammars provide details about how a cyber securitization can be recognized within discourse. As mentioned in the introductory chapter of this thesis, the research question of this thesis is answered by applying the method of discourse analysis. As such, an in depth discussion of the way in which a cyber securitization can be recognized within discourse is crucial. Additionally, in depth discussion of the grammars of cyber securitization is necessary as the methodology chapter will build on this knowledge by operationalizing these grammars into tools with which the source material of this thesis is analysed.

10 2.2 The Copenhagen School’s securitization theory

As mentioned in the introduction of this chapter, the foundation of the CS theory of

securitization is attributed to Buzan, Waever and De Wilde, who by combining their work, came to a book that is seen as the foundation of the theory ever since (Buzan, Waever & De Wilde, 1998). This section discusses the CS securitization theory by dividing it into three sub-sections. The first sub-section explains what securitization is, the second explains how

securitization happens, and the third explains with regard to what securitization happens.

2.2.1 What is securitization?

According to Buzan, Waever and De Wilde, ‘security’ is a move “that takes politics beyond the established rules of the game and frames issues either as a special kind of politics or as above politics” (Buzan, Waever & De Wilde, 1998: 23). As such, securitization “can be seen as a more extreme version of politicization” (Buzan et al., 1998: 23). With this, the authors refer to the practice of securitizing an issue. According to the theory, any public issue finds itself on a transitional, linear scale, in which it can move from left to right - from

nonpoliticized to securitized -, according to the relevance that is attributed to the issue. In the words of the authors:

“any public issue can be located on the spectrum, ranging from

nonpoliticized (meaning the state does not deal with it and it is not in any other way made an issue of public debate and decision) through politicized (meaning the issue is part of public policy, requiring government decision and resource allocations or, more rarely, some other form of communal governance) to securitized (meaning the issue presented as an existential threat, requiring emergency measures and justifying actions outside the normal bounds of political procedure” (Buzan et al., 1998: 23-24).

By stating that the securitization process can move from left to right, it is meant that an issue that is securitized through this process, can also be desecuritized to a politicized or nonpoliticized issue (Waever, 1995: 57-75). The essential element in securitizing an otherwise nonpoliticized or politicized issue is the defining of the issue as an ‘existential threat’,

meaning that the issue causes a “threat to the existentialism of a referent object” which is then used as “the specified reasoning behind the move to securitize an issue in order to make it exceptional.” (Roush, 2015: 4). With regard to the existentialism of the threat, this threat does

11

not have to be real, it only needs to be presented as such, making what is called ‘security’ a self-referential practice (Buzan et al., 1998: 24).

2.2.2 How does securitization happen?

According to the theory, a securitization is realised when two criteria are met. The first is that a securitizing move has to have occurred (Buzan et al., 1998: 25). The second criteria is that the securitizing move has to be accepted by the audience as such (Buzan et al., 1998: 25).

A securitizing move occurs when a discourse develops which “takes the form of presenting something as an existential threat to a referent object” (Buzan et al., 1998: 25). This discourse in which referent objects are portrayed to be existentially threatened needs to be initialised by someone, the securitizing actor (Buzan et al., 1998: 33).

In essence, Buzan et al distinguish among “three types of units involved in security analysis” which together form the units of analysis on which securitization theory is build (Buzan et al., 1998: 35). The first unit that is distinguished is that of the ‘referent objects’, by which they mean “things that are seen to be existentially threatened and that have a legitimate claim to survival” (Buzan et al., 1998: 36). The second unit is the ‘securitizing actors’, with which is meant the instigating party - actor - that declares the referent object to be

existentially threatened (Buzan et al., 1998: 36). According to Waever, the securitizing actor is most often the elites, as “by definition something is a security issue when the elites declare it to be so” (Waever, 1995: 54). The third unit used in the analysis of securitizing moves are

functional actors. With functional actors is meant those “actors who affect the dynamics of a

sector but without being the referent object or the actor calling for security on behalf of the referent object, this is an actor who significantly influences decisions in the field of security” (Buzan et al., 1998: 36).

As mentioned previously, in order for a securitizing move to translate into a securitization, the deciding factor is whether the audience has accepted the issue as such (Buzan et al., 1998: 25). The securitizing move in itself does not securitize it (Buzan et al., 1998: 25). In line with this explanation of securitization, Nissenbaum build on this description with defining securitization as a process in which “an activity or state-of-affairs is presented as an urgent, imminent, extensive, and existential threat to a significant collective”

(Nissenbaum, 2005: 66). Nissenbaum equally stressed the importance of the audience (significant collective) accepting the proposed measures for a securitizing move to become a

12

securitization (Nissenbaum, 2005: 66). Buzan et al., define the audience as “those the

securitizing act tries to convince” (Buzan et al., 1998: 41). When speaking of the acceptance of a securitizing move by an audience, Nissenbaum sheds light on this definition by

describing a securitization as “an activity or state-of-affairs” in which it is presented “as an urgent, imminent, extensive, and existential threat to a significant collective” (Nissenbaum, 2005: 66). Thus, the audience is seen as a significant collective that the securitizing act tries to convince to accept the securitizing move. Hansen & Nissenbaum, elaborate on this concept by stating that “audiences do not exist “out there” but are constituted in discourse” (Hansen & Nissenbaum, 2009: 1165). As such, the security discourse separates the “we”, being the securitizing actor that speaks, from “the “you’s” who are simultaneously addressed by the linking of fears and threats” (Hansen & Nissenbaum, 2009: 1165). For a securitization to occur, it is not necessary that the emergency measure has to be adopted or implemented. “It is enough that the existential threat is argued and has gained resonance for a platform to be made with which it is possible to legitimize emergency measures or other steps that would not have been taken had the discourse not been formulated in terms of existential threats, points of no return and necessity” (Buzan et al., 1998: 25).

Buzan et al., attribute successful securitizations to the use of speech-act by the

securitizing actor, as they claim that “the process of securitization is what in language theory is called a speech act” (Buzan et al, 1998. p. 26). Hjalmarsson adheres to this reading of securitization by stating that “the speech act is the main mechanism through which security is constructed” (Hjalmarsson, 2013: 3). The speech act can take the form of framing (Waever & Buzan, 2003: 491). Framing occurs in those instances where there is a discursive process through which “an intersubjective understanding is constructed within a political community to treat something as an existential threat to a valued referent object, and to enable a call for urgent and exceptional measures to deal with the threat” (Waever & Buzan, 2003: 491). Based on the framework provided by the CS , the speech act thus must be seen as the primary method with which securitization occurs.

2.2.3 Where does securitization happen?

According to the CS theory of securitization, securitizations can occur within five sectors (Buzan et al., 1998: 27). These five sectors are, the political, economic, military, societal, and the environmental sectors. The specifics of what constitutes a securitizing move differs between these sectors, this is due to the fact that each sector is characterized by

13

specific ways in which sub-forms of grammars of securitization tie the referent objects, threats and securitizing actors together (Buzan et al., 1998: 27). Each of these sectors has its own specific form of security logic, this results in the securitizing actor having to apply a securitizing sub-form of grammar tailored to the intended sector. This is necessary, as otherwise the relevant audience will have difficulties understanding the attempted

securitization correctly. This in turn could constitute a failure of the speech-act. In the military sector for example, the grammar is focused on issues such as the sovereignty of the state, and/or territorial integrity of states (Buzan et al., 1998: 49). As such, it is constructed around the military use of force, geography, historical and political factors (Buzan et al., 1998: 70). In the economic sector, the grammar is focused on the wellbeing of the states economy. As such, the security logic in this sector is constructed around citizens having access to basic human needs (food, water, education), and businesses with regard to risks, boycotts and risk of investment they can experience (Buzan et al., 1998: 116-117). This distinction in five different sectors is relevant, as this thesis will show how the cyber securitization framework of Hansen & Nissenbaum challenged the assumption that only five sectors exist. More on this will follow in the discussion of cyber securitization theory.

2.3 Criticism on The CS’s securitization theory

Critics of CS securitization theory raise doubts about the question whether the theory adequately reflects real-world practices. These questions arise out of differences of opinion with regard to the when and how of issues becoming securitized within a specific political community, and the specific conditions that are essential in order for a securitization to be successful (Balzacq, 2011). Although the CS has defined these conditions as consisting of existential threats, breaking free of rules, emergency action and effects on inter-unit relations, a number of scholars have raised questions against it (Buzan et al., 1998: 23-33). In particular, questions have been raised against the conceptualization of the audience (Leonard & Kaunert, 2011: 57-75), the lack of a coherent model to measure failures of securitization (Salter, 2008: 321-349), and the lack of conceptual clarity and the consistent application of the theory in empirical analysis (Stritzel, 2007: 357-383).

These criticisms raise valid points and underscores the need for more research into securitization theory as to further the insights the theory provides. However, this thesis likes to point out that much of the criticism raised by these scholars emanates from what are

14

of the criticisms raised against the CS securitization theory, as it influences the perspectives on, and the evaluation of, the theory. Balzacq’s criticism in particular illustrates this

ontological difference, as he constitutes that the difference originates out of the divide

between the “philosophical” and the “sociological” view on securitization (Balzacq, 2011: 1). With the “sociological” view meaning that securitization is moved towards a more empirical, research oriented, approach that is based on isolating and determining exact variables, that are subsequently applied to “real-world securitizations” (Balzacq, 2011: 1).

In contrast to the sociological view, the philosophical view adheres to the viewpoint that the purpose of the theory is to provide new insights into the basic modalities of complex security issues. In particular, much of the criticism the CS theory endures is not aimed at the specific logic it uses, but rather focuses on:

(…) other aspects of the theory such as the lack of empirical and methodological detail, or that the Copenhagen School is focused on the ‘speech-act‘ ignoring then the context of such acts, failing to specify how audiences, the specific local audience, sociological conditions and choice of policy tools affect the likely outcome and motivation of securitizing

moves.” (Corry, 2015).

With analysing security not as a objective condition, but instead as a social construct that is the product of discourse, it offers an approach with which a wide range of issues can be researched. Such a view is not limited to the traditional, limited, military subjects, but instead any issue that is subject to securitizing speech-acts can become securitized. That way, it can be applied to a broad range of subjects, from migration an societal security in Europe

(Huysmans, 2007), SARS and HIV/AIDS (McInnes & Rushton, 2013: 115-138) to the topic of this thesis, cybersecurity (Hansen & Nissenbaum, 2009: 1155-1175).

2.4 Cyber Securitization

When speaking of cybersecurity or cyber securitization, Hansen & Nissenbaum’s cyber security framework successfully addresses the question of how security in cyberspace relates to the CS securitization theory. Hansen & Nissenbaum theorize that cybersecurity is a distinct sector within securitization theory, that makes use of a particular constellation of threats and referent objects. More specifically, the theory aims to uncover how cyber issues are

15

discourse in which these cyber issues are constituted as threatening to the survival of one or more referent objects (Hansen & Nissenbaum, 2009: 1156).

According to Hansen & Nissenbaum, cyber securitization is characterised by the use of security logic, so called grammars of cyber securitization. They formulate three “distinct sub-forms” of grammars of securitization, that tie referent objects, threats, and securitizing actor together in the cybersecurity sector (Hansen & Nissenbaum, 2009: 1163). These are i) hypersecuritizations, ii) everyday security practices, and iii) technification (Hansen & Nissenbaum, 2009: 1163). The premise behind these grammars is that these incorporate a certain acuteness and, more importantly, a specific interplay which is distinct to the cyber sector. With this approach, Hansen & Nissenbaum seek to uncover the specific narratives that characterize securitization in this sector. With this framework they “facilitate an

understanding of the connections between these discourses as well as of the political and normative implications of constructing cyber issues as security problems rather than as political, economic, criminal, or technical ones” (Hansen & Nissenbaum, 2009: 1157). The following sub-sections will outline each of the three grammars of cyber securitization.

2.4.1 Hypersecuritization

The first grammar of cyber securitization is ‘hypersecuritization’. In particular, hyper-securitizations differs from regular hyper-securitizations by its emphasis on the instantaneity and the interlocking of effects that occurs within the discourse. The result of these interlocking of effects is that hyper securitizations are endowed with a high degree of power which is unique to the cybersecurity sector. This high degree of power derives from the ability to connect referent objects within a wide range of sectors - such as the financial-, military-,

environmental sectors – by linking these sectors through the simultaneous – or cascading – suffering of adverse effects of a damaged network, thus interconnecting them on the basis of experiencing negative consequences (Hansen & Nissenbaum, 2009: 1164). Such an ‘inter-linkage’ enables the securitizing agent to connect what are in essence abstract referent objects such as ‘the network’, to well-defined ones, such as society, infrastructure and the

environment by emphasising the reliance of these well-defined referent objects on the network for their proper functioning or security (Hansen & Nissenbaum, 2009: 1164). Thus, as more well-defined referent objects are tied to an abstract referent object within the

cybersecurity sector, the securitizing agent will stress a higher need to securitize said abstract referent object.

16

Another notable distinguishing feature of Hansen and Nissenbaum

hyper-securitization in cybersecurity discourse involves the hypothetical nature of cyber incidents. Securitizing actors often invoke images of historical catastrophes to emphasize the urgency to take extraordinary measures to protect the referent object instead of citing actual precedents. Hansen & Nissenbaum (2009: 1164) point to the example of statements such as those made by U.S. Secretary of Defense Leon Panetta who compared the potential effects of a serious cyber-attack to Pearl Harbor and to 9/11, by saying that “a cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11”. The invocation of such images of historical disasters effectively establishes the vulnerability of the referent object, making a strong case for extraordinary measures to be urgently taken in order to counter the existential threat. Moreover, as Hansen and Nissenbaum, using such imagery of the enormity of the threats “makes the discourse more susceptible to charges of

exaggeration”, and it additionally raises the stakes that are attached to ignoring the warning signs (Hansen & Nissenbaum, 2009: 1165).

2.4.2 Everyday security practices

The second grammar of cyber securitization revolves around the manner in which a wide range of securitizing actors are able to mobilize the experiences of normal individuals. This is referred to by Hansen and Nissenbaum as “everyday security practices”, and operates in a two-fold manner: firstly, it secures the individual‘s partnership and compliance in

protecting network security; secondly, it makes hyper-securitization scenarios more plausible by linking elements of the disaster scenario to experiences familiar from everyday life

(Hansen & Nissenbaum, 2009: 1165). Within Securitization Theory, this grammatical

modality can be directly linked to the concept of the audience, defined by Buzan as “those the securitizing act attempts to convince” as it facilitates the success of the securitization by making the consequences of cybersecurity breaches more relatable (Buzan, Waever, De Wilde, 1998: 41). Indeed, as Thierry Balzacq theorized: “the success of securitization is highly contingent upon the securitizing actor‘s ability to identify with the audience‘s feelings, needs, and interests” (Balzacq, 2005: 182). Thus, in order to ensure a greater measure of success, the securitizing actor has to tune their language to the audience‘s experience

(Balzacq, 2005: 182). According to Hansen and Nissenbaum, this is precisely what everyday security practices do; they facilitate the acceptance of public security discourses by generating

17

a resonance with an audience‘s lived, concrete experiences (Hansen & Nissenbaum, 2009: 1165).

According to Hansen and Nissenbaum, while elements of such everyday security practices may be evident in other sectors as well, they particularly excel in the case of cybersecurity. Indeed, as they point out:

“(…) there is for example a marked difference between Cold War military securitizations of nuclear Holocaust which implied the obliteration of

everyday life, and the securitizations of everyday digital life with its dangers of credit card fraud, identity theft, and email scamming” (Hansen &

Nissenbaum, 2009: 1165).

Key here is the reach of such everyday security practices in cybersecurity, as “those few who do not own or have computers at work are nevertheless subjected to the

consequences of digitization” (Hansen & Nissenbaum, 2009: 1165). As such, these everyday security practices do not reinstall a de-collectivized concept of “individual security” or

“crime”, but rather constructs various threats as being threats towards the entire network, thus, to a larger extent, to society (Hansen & Nissenbaum, 2009: 1165).

2.4.3. Technification

The third grammar of cyber securitization is called ‘technification’, and concerns the role of technical, expert discourse within cyber securitization. As Hansen and Nissenbaum point out, due to the required knowledge to master the field of computer science and the fact that this knowledge is often not available to the broader public, the field of cybersecurity leans heavily on the specialized knowledge of cybersecurity experts (Hansen & Nissenbaum, 2009: 1165). Sophisticated computer threats are given significance through a wide range of experts which are consulted whenever issues of cybersecurity are discussed. This grants such experts a unique position in which they are able to speak in an authoritative manner to the public about matters of cybersecurity and to give significance to them (Hansen &

Nissenbaum, 2009: 1165). As such, such cybersecurity experts no longer fulfil the invisible role behind scenes traditionally occupied by experts in other sectors. Instead, they become securitizing actors themselves by transcending their specific scientific locations to speak to the broader public in a move that is both facilitated by and works to support cyber

18

The privileged role that experts play in cyber securitization discourse has important consequences. Indeed, as Hansen and Nissenbaum point out, cybersecurity experts are not only merely experts, but technical ones who technify cybersecurity by constituting it as being their domain (Hansen & Nissenbaum, 2009: 1165). This technification fulfils a similar role as the speech act in securitization in that they are not merely descriptive, but that they “do something” (Hansen & Nissenbaum, 2009: 1165). They construct an issue as reliant upon certain technical expertise for its resolution and hence as politically neutral or unquestionably normatively desirable (Hansen & Nissenbaum, 2009: 1165). As such, the mobilization of technifications is strongly related to what Huysmans refers to as the concept of “security experts”; professionals who gain their legitimacy of - and power over - defining policy problems from trained skills and knowledge and from continuously using these in their work (Huysman, 2001. p. 9). These security experts play an extremely important role in modulating social and political practice in both the public and private domain (ibid.).

2.5 Conclusion

This chapter has provided insight into the CS securitization theory and the phases with which a securitization is realised. For a securitization to be successful, first a securitizing move has to be initiated by the securitizing actor. A securitizing move occurs when a discourse develops within a sector in which something is presented as an existential threat to a referent object. This securitizing move subsequently has to be accepted by the target audience.

This chapter also discussed the cyber security framework developed by Hansen & Nissenbaum, which expands upon the CS theory of securitization by adding a distinct sector in which a securitization can occur, this is the cybersecurity sector (Hansen & Nissenbaum, 2009: 1163 - 1169). The process of securitization within this sector is labelled as cyber

securitization, and is recognised by the use of three distinct sub-forms of grammars of

securitization, in which referent objects, threats, and securitizing actor are tied together (Hansen & Nissenbaum, 2009: 1163 - 1169). This chapter further elaborated on what characterises these distinct sub-forms of grammars of cyber securitization.

The research design chapter that follows explains which research method is chosen for this thesis. Additionally, it operationalizes the grammars of cyber securitization that were discussed in this chapter and explains how these grammars can be recognized in the data that is collected for this thesis.

19

Chapter 3. Research design

3.1 Introduction

As mentioned previously, securitization theory describes the process of securitization as an act in which “security” is successfully attached to a certain issue or development by the construction of an existential threat relating to said issue or development that is subsequently accepted by the target audience. This process of securitization is then analysed by focusing on the ways in which conceptualizations of security are set in motion within policy discourse. This process of securitization revolves around the instigating speech-act that posits a security threat as being an existential threat to the survival of a particular referent object (Buzan et al., 1998: 7). This referent object can be the state, the environment, the financial system and even identity and culture of people (Buzan et al., 1998: 7). The framework of cyber securitization expanded upon the process of securitization by adding a distinct sector in which a

securitization can occur, the cybersecurity sector (Hansen & Nissenbaum, 2009: 1163 - 1169). Within the cybersecurity sector, threats, referent objects and the securitizing actor are tied together with the use of three distinct sub-forms of grammars of securitization that are specific to this sector. (Hansen & Nissenbaum, 2009: 1163 - 1169). These sub-forms of grammars of securitization are hypersecuritizations, everyday security practices and technifications (Hansen & Nissenbaum, 2009: 1163 – 1169).

As the cyber securitization framework utilises - and builds on - the CS securitization theory, it requires a similar technique that needs to be developed and applied to measure the key elements of the theory. In particular this technique needs to be tailored to uncovering the practices and structures that produced the image of the existential threat. More specifically, the sources, effects and mechanisms that produced the image of the existential threat need to be explained. With this purpose in mind, this thesis employs the method of discourse analysis in ascertaining whether a cyber securitization occurred with regard to the proceedings leading up to, and including, the enforcement of the WIV2017. This method is chosen as it is widely and successfully applied within the underlying CS securitization theory (Buzan et al., 1998, Balzacq, 2011).

This chapter starts out with clarifying what this thesis understands with ‘discourse analysis’ and what its methods of analysis are. The primary focus of this section is to provide an understanding of how discourse and discourse analysis are conceptualised within the CS

20

securitization theory. After this conceptual exploration of the concepts of discourse and discourse analysis, this chapter then turns to the operationalisation section. This section explains what data is collected as source material and in relation to which timeframe. The establishment of a timeframe is important, as a securitizing move is constituted of two distinct phases within this timeframe that are analysed separately. These are the securitizing move and the acceptance of the securitizing move by the target audience. Therefore, a section is

dedicated to explaining the operationalisation of both phases. This chapter will conclude with a brief overview of the main tenets put forth and will bridge to the next chapter.

3.2 Discourse within the CS securitization theory

The concept of discourse as an analytical tool for analysing the process of securitization features prominently within the CS theory of securitization (Buzan et al, 1998; Waever, 1995; Nissenbaum, 2005). Since the CS’s theory of securitization is constructivist in nature (Geelen, 2016: 19), security within the Copenhagen School’s theory is conceptualised not merely as an objective condition that exists outside of the human interpretation of it, but rather it is

perceived to be the outcome of a discursive process which is characterized by a specific rhetorical structure through which security is socially constructed (Geelen, 2016: 19) This concept of security, and the corresponding process of securitization, is rooted in the theory of language. More specifically, it is rooted in speech-act theory (Geelen, 2016: 19). Speech-act theory is a theory that investigates the manner in which linguistic utterances (understood as speech-acts) have performative functions (Geelen, 2016:19). Meaning that these utterances not only describe a given reality, but also change the social reality they describe. With regard to the function of speech-act within securitization theory, Waever states that ‘security’ should be regarded as a speech-act (Waever, 1995: 55). He describes the utterance itself as the act that securitizes:

“by saying it, something is done (as in betting, giving a promise, naming a ship). By uttering “security”, a state-representative moves a particular development into a specific area, and thereby claims a special right to use whatever means necessary to block it” (Waever, 1995: 55).

Within the CS theory of securitization the function of language within discourse is that it is brings a certain reality into being. According to Waever, the utterance of “security” in itself is the primary reality that is brought into being (Waever, 1995: 55). By using these utterances, a range of issues within certain sectors (military, political etc.) are staged as an

21

existential threat starting the process of securitization as described in the previous chapter. The utterance than starts the process of securitization, by i) claiming that a referent object is existentially threatened, ii) necessitating the need to have the right to take extraordinary measures to counter the threat, and iii) convincing the audience to accept the proposed solution to counter the threat (Buzan et al., 1995: 36-39).

Over the years, the narrow understanding of discourse within securitization theory has become the object of criticism. This criticism focuses predominantly on the need to

acknowledge other sources of securitization, such as the use of images and certain forms of bureaucratic practices that cannot be attributed to securitizing speech-act alone, but which are part of processes though which security is communicated and constructed

(Vaughan-Williams, 2003: 511-532, Hansen, 2011: 51-74). As such, these authors advocate a broadening of the concept of discourse to include the role of other sources that have the potential to securitize. For instance, according to Balzacq (2011: 218), these sources include, “social mythologies … structures and strategies of ‘deep play’, symbols, images, and other forms of non-verbal representation that can occupy important roles in security politics”. Although, this thesis agrees with the necessity to widen the concept of discourse to include the role of the other sources mentioned here. For the purpose of this thesis, this widening of the definition of discourse is unnecessary, as this thesis uses public policy documents in its analysis, which are devoid of the sources proclaimed to also have the potential to securitize.

3.3 Discourse analysis in the CS securitization theory

Discourse analysis is a broad concept, and refers to a different approaches within several disciplines and traditions. As according to Bryman (2012: 528), there is more than one single version of discourse analysis. As such, a broad discussion about what constitutes discourse analysis can be held. However, this thesis chooses not to delve deeper into the discussion on the different approaches to discourse analysis. Instead, it chooses to focus on how it is employed within the CS securitization theory.

Within the literature of the CS securitization theory, discourse analysis as a concept has been successfully employed by scholars in analysing and mapping out the appearance and evolution of certain patters of representations that are constitutive of a threat image (Balzacq, 2011: 39). As explained previously, the essence of CS theory of securitization is to capture the distinct social phenomenon of how public issues become security issues. As such, to be able to research this social phenomenon, a technique needs to be adopted that is tailored to the task

22

of uncovering the “structures and practices that produced the threat image whose source, mechanisms, and effects need to be explicated (Balzacq, 2011: 39). Discourse analysis is such a technique as, when deduced it to its core, is an attempt to answer the question where

meaning comes from (Greenwood, Oliver, Suddaby & Sahlin-Andersson: 2008: 712). This attempt is conducted by studying discourse and the social reality it creates (Greenwood et al., 2008: 712). In its basic form this entails the process of analysing sources of discourse, such as debates, interviews, newspaper articles, archival material, and many more to uncover

practices that are social and institutional in nature and are associated with the construction (and evolution) of threat images (Balzacq, 2011: 41).

As such, the primary interest of discourse analysis is to ascertain “the constructive effects of discourse” with use of the structured and systematic study of text, which includes their production, dissemination, and consumption, in order to explore the relationship between discourse and social reality (Philips, Lawrence & Hardy, 2004: 635 – 652). These discourses are often intertwined, and social in nature, resulting out of interactions between societal structures in which the discourse is embedded. An example of this is found with reference to policy discourses, as these discourses not only construct problems, subjects and objects, they also simultaneously construct policies to address them (Georgieva, 2015: 22).

3.4 Data sources

In its discourse analysis, this thesis will use a structured and systematic study of texts, more specifically, it will study policy documents issued by members of the Dutch government and organizations commissioned by the Dutch government as its source materials for analysis. Examples of official public documents that are used in this analysis are the official minutes of debates in the First and Second Chamber of the Dutch government, letters of ministers, letters of the Cabinet, legislative proposals, et cetera. According to Hansen & Waever (2003: 28), public texts are key to discourse analysis. Furthermore, when referring to discourse analysis “one does not need to read everything, particularly not obscure texts” (Buzan et al., 1998: 177). In accordance with this line of reasoning, Georgieva (2015: 22) attributes particular value to the study of public policy texts issued by governments, as these documents link language and political power. Not only do these documents incorporate the official rhetoric of the securitizing actor, are well available to the public and clearly articulated (Georgieva, 2015: 22). They also are particularly useful in studying the securitization discourse as “they provide a description of a problem and propose solutions based on technical or professional

23

knowledge” to this problem (Georgieva, 2015: 22). As such, public policy documents “simultaneously persuade the audience that a problem exists and respond to that problem”(Georgieva 2015: 22).

Within the CS securitization theory, policy documents are to be interpreted as “both a move to securitize and a proof of the beginning of a successful securitization, as any issue that warrants its own policy document has already achieved a higher political status” (Georgieva, 2015: 22). Based on the description of the function of policy documents by Georgieva (2015), policy documents are of particular value to this thesis. Firstly, since this thesis is interested in determining whether a cyber securitization occurred, policy documents are of particular value in determining where the cyber securitizing move started and by whom it was initialised, as public documents incorporate the official rhetoric of the securitizing actor. Additionally, as these policy documents incorporate the official rhetoric of the securitizing actor, it provides the perfect source material for analysing whether the securitizing actor made use of the three grammars of the cyber securitization framework in its cyber securitizing move. Secondly, as policy documents also “persuade the audience”, the successful acceptance of the cyber

securitizing move by the target audience can also be derived from studying these texts. As

such, the use of policy documents in this study will enable this thesis to determine whether a

cyber securitization occurred.

With regard to the use of these data sources in this thesis, the following is important. As this thesis is collecting policy documents written in the Dutch language, a choice needs to be made with regard to the manner in which this thesis reports its findings based on these documents. As this thesis is written in the English language, an English translation will be used throughout the analysis chapter of this thesis when a reference is made to the original Dutch text. The original Dutch text of the relevant text to which is referred to in English will be added in a footnote accompanying the reference. This way, the correctness of the reference can be determined if necessary.

3.5 Timeframe of collection of data sources

When speaking of what public policy documents are relevant and in which timeframe, providing some background into the WIV2017 is in order to justify the boundaries that are set on this thesis. In 2012, with the old WIV2002 being in force for a decade, the Second

24

response, the Commission Dessens was enacted in February 2013, which published their findings in a report on the 2nd of December later that year. The Commission advised to expand the investigatory powers of security and intelligence agencies to include unfocused

interception of wired internet- and telephone communications (Commissie Dessens, 2013). However, due to the increasing distrust of the public in the functioning of intelligence agencies this had to be accompanied with more oversight and control functions (Volkskrant, 2013).

The Dutch government published the first draft of the WIV2017 on the 2nd of July 2015. Following the publication, there was a two-month internet consultation period in which anyone who wanted to could file their view on the draft text (Volkskrant 2016). As a result, more than 1100 responses - mostly criticisms - were received. These documents, include also those written by companies and organizations such as KPN, Tele2, MKB-Nederland, VNO-NCW and the College for Human Rights. In response to these critiques, the Dutch

government published a revised proposal of the WIV2017, in which they added an extra review board and made an amendment to the draft with regard to the costs of wire interception (Volkskrant, 2016).

The draft bill then went on to the Raad van State (advisory organ of the Dutch Parliament), which issues a fairly critical advice on the matter to the Dutch Parliament (Kamerstuk II 2016/2017, 34 588, nr 4). In response, the draft text was amended again on several issues and on completion of these amendments the draft text was send back to the Second Chamber in October of 2016 (Rijksoverheid, 2016). After this, the permanent Second Chamber commission for Domestic Affairs held three hearings with experts and parties involved, and during the plenary debate on the 7th of February more than 30 amendments were filed of which most were dissuaded by the Parliament and rejected by chamber majority. Eventually, the bill was accepted by the Second Chamber on the 14th of February 2017 and by the First Chamber on the 11th of July 2017. With the publication of the legislation in ‘Het Staatsblad’ on the 26th _{of July 2017 the WIV2017 officially entered into force.}

This thesis collected the source material based on the based on the timeline as set out in the previous paragraphs. As such, the source material is collected starting from the

publication of the Dessens’ report on the 2nd _{of December 2013, and ending on the 26}th _{of July}

25

As this thesis aims to investigate whether the entering into force of WIV2017 qualifies as a cyber securitization, it will use public policy documents that were issued by the Dutch government as its source material for analysis. More specifically, policy documents such as official evaluation reports, minutes of plenary debates on the WIV2017, legislative proposals, explanatory memoranda to legislative proposals, letters of ministers, letters of the Cabinet and Parliament, and official voting decisions pertaining to the WIV2017 proceedings are used.

3.6 Operationalization

The theoretical framework shows that a successful securitization consists of two phases. The first phase is the initialisation of a securitizing move by a securitizing actor, the second phase is the acceptance of that securitizing move by the target audience. This thesis choses to adopt the term cyber securitizing move from this point on to identify the securitizing move specific to cyber securitization as to avoid confusion with the securitizing move particular to a ‘normal’ securitization. As such, the success of a cyber securitization is determined by analysing, 1) whether a cyber securitizing move is initialised by a securitizing actor, and 2) whether this cyber securitizing move is accepted by the target audience.

According to the cyber securitization framework, a cyber securitizing move is distinguishable from a ‘regular’ securitization by finding evidence in support of the claim that grammars of cyber securitization are used to tie referent objects, threats and securitizing actor together in the discourse pertaining to a certain issue (Hansen & Nissenbaum, 2009: 1163).

However, with regard to how the acceptance of a cyber securitizing move is measured, the cyber securitization framework of Hansen & Nissenbaum (2009) does not provide a specific manner to measure the acceptance of such a move. The CS however does provide some explanation as to how the success of a securitization can be measured. According to the theory, for a securitization to occur, it is not necessary that the emergency measure has to be adopted or implemented. “It is enough that the existential threat is argued and has gained resonance for a platform to be made with which it is possible to legitimize emergency

measures or other steps that would not have been taken had the discourse not been formulated in terms of existential threats, points of no return and necessity” (Buzan et al., 1998: 25).

In conjunction with this explanation of the success of a securitization, this thesis choses to determine the acceptance of the cyber securitizing move by analysing whether the WIV2017 legislative proposal is accepted by the First and Second Chamber of the Dutch

26

Parliament. As the WIV2017 legislative proposal (including all relevant documents)

incorporates the rationale behind the emergency measures that are formulated to counter the existential threats that are constructed within the discourse. With the acceptance of the legislative proposal, the factual legitimization of these emergency measures or other steps is realised, and as such, the validity of the constructed existential threats is accepted. This way, this thesis can with certainty establish that the cyber securitizing move is accepted.

As such, the analysis is split into two phases:

- Phase I analyses whether a cyber securitizing move was initialised by a securitizing actor.

- Phase II analyses whether the cyber securitizing move was accepted by the target audience.

3.6.1 Operationalisation of phase I

Phase I assesses whether a cyber securitizing move occurred in the discourse pertaining to the WIV2017. The phase starts with the evaluation of the WIV2002 and ends with the Statement issued by the Cabinet on the 14th of November 2014. According to the cyber securitization framework, a cyber securitizing move is distinguishable by finding evidence in support of the claim that grammars of cyber securitization are used to tie referent objects, threats and securitizing actor together in the discourse pertaining to a certain issue (Hansen &

Nissenbaum, 2009: 1163). As such, all policy documents that are collected within this phase are analysed looking for the incorporation of grammars of hypersecuritization, everyday security practices and technification. How this thesis aims to measure these grammars of cyber securitization is explained in the following paragraphs.

Hypersecuritization

According to the cyber securitization framework, hypersecuritization can be distinguished from ‘regular’ securitization due to its emphasis on the instantaneity and interlocking of effects that occurs when referent objects are threatened (Hansen &

Nissenbaum, 2009; 1164). Whether or not these effects manifest is dependent on the security of the network the threats can originate from (Hansen & Nissenbaum, 2009; 1164). On the basis of this description, hypersecuritization can be separated into five elements with which the occurrence of hypersecuritization can be measured. These elements are: 1) the

27

within different sectors, that are tied together or interconnected through their connection to 5) a damaged network. Hansen & Nissenbaum do not state that all elements have to be present for a hypersecuritization to have occurred. However, for the purpose of this thesis it is assumed that a hypersecuritzation has occurred when 4 or more elements are present in the discourse.

As this thesis has previously defined existential threats and referent objects it is not necessary to clarify these elements here further. With regard to clarifying the interlocking of effects, this is particularly powerfully portrayed when a damaged network would be

responsible for severe repercussions in several sectors at once, such as the societal, financial and military, thus connecting referent objects and sectors together. As such, the interlocking of effects is closely related to the interconnectedness of systems and networks. The more systems are connected to – and dependent of – a network (or several networks), the more susceptible referent objects are to threats when this network is damaged. Therefore, when searching for signs of the interlocking of effects, a clear indication of this can be found in how securitizing actors attribute threats to referent objects to the interconnectedness of systems and networks, the reliance on communications technologies and other technological developments. What is understood with the instantaneity of effects is not elaborated on by Hansen & Nissenbaum (2009). However, since instantaneity is derived from the word instantaneous – meaning happening or acting in an instant or at once – it refers to the speed with which the effects occur. As such, it is closely related to - and recognizable by - the way in which systems and networks are interconnected, and how threats that make use of these systems and networks can spread rapidly throughout these systems, causing harm or damage to multiple referent objects in multiple sectors at once. Additionally, it can be distinguished when a certain referent object experiences direct negative consequences as a result of the damaged network (e.g. the loss of life during offensive or defensive military operations as a result of the hacking or jamming of communication networks). What is meant with a damaged network is also not elaborated on by Hansen & Nissenbaum (2009). As such, it is an

ambiguous definition, which in the context of hypersecuritization this thesis defines it as a network that is not well protected, not functioning properly, not being monitored, being monitored by foreign agents, hacked, wiretapped, bugged, et cetera. Whether the securitizing agent speaks of a damaged network is therefore heavily dependent on the context within which existential threats to referent objects are constructed.

28

The second grammar of cyber securitization revolves around the manner in which a wide range of securitizing actors are able to mobilize the experiences of normal individuals. This is referred to by Hansen and Nissenbaum as “everyday security practices”, and operates in a two-fold manner: firstly, it secures the individual‘s partnership and compliance in

protecting network security; secondly, it makes hyper-securitization scenarios more plausible by linking elements of the disaster scenario to experiences familiar from everyday life

(Hansen & Nissenbaum, 2009: 1165).

This grammar can be recognized in discourse by finding evidence in which the securitizing actor speaks directly to ‘normal’ people with disaster scenarios that would effect their everyday lives. For instance, by stating how hackers that hack into networks used by bank and water companies could affect the ability of citizens to fulfil their basic everyday needs, such as the access to food and water. As such, evidence in support of the use of this grammar of cyber securitization is found when the securitizing actor explicitly speaks cyber security on an individual threat level, connecting negative outcomes of threats to every day experiences of the individual. Everyday security practices is also recognizable by the way in which it portrays individuals as liabilities or threats in discourse (Hansen & Nissenbaum, 2009: 1166). Evidence of this is found when the securitizing actor speaks of how the irresponsible behaviour of one person compromises the security or safety of network or the ‘whole’.

Technification

The third grammar of cyber securitization is called ‘technification’, and concerns the role of technical, expert discourse within cyber securitization. As Hansen and Nissenbaum point out, due to the required knowledge to master the field of computer science and the fact that this knowledge is often not available to the broader public, the field of cybersecurity leans heavily on the specialized knowledge of cybersecurity experts (Hansen & Nissenbaum, 2009: 1165). Sophisticated computer threats are given significance through a wide range of experts which are consulted whenever issues of cybersecurity are discussed. This grants such experts a unique position in which they are able to speak in an authoritative manner to the public about matters of cybersecurity and to give significance to them (Hansen & Nissenbaum, 2009: 1165).

The use of this grammar of cyber securitization is recognized by finding evidence of the use of highly technical language in the cyber security discourse, or by the way in which

29

expert opinions on the subject matter define the bandwidth of the cyber security discourse. Technification is visible in discourse when the opinions of outside experts - thus people outside government - on the subject matter are leading and shaping the discourse in highly technical terms so that these experts in fact become securitizing actors themselves. As such, these technical experts have to be part of the discursive process themselves, shaping the discursive construction of threats in technical terms.

3.6.2 Operationalisation of phase II

Phase II assesses whether the cyber securitizing move is accepted by the target

audience. As explained in paragraph 3.5, this thesis choses to determine the acceptance of the

cyber securitizing move by analysing whether the WIV2017 legislative proposal is accepted

by the First and Second Chamber of the Dutch Parliament. To this purpose, this phase is divided into a two-step process. Step 1 analyses to what degree the grammars of cyber securitization that were uttered in the cyber securitizing move are incorporated into the Explanatory Memorandum that accompanied the draft version of the WIV2017. The Explanatory Memorandum is the document in which the legislature signals the necessity, intent and scope of the legislation. As such, with this document the legislature explains the problems this legislation aims to solve, the threats it wants to counter, and informs how to articles are to be understood. The inclusions of similar or identical grammars of cyber securitization in the Explanatory Memorandum is therefore important, as this is indicative of the acceptance of the existential threat constructions that were initialised by the securitizing actor by the audience. Step 2 is determining the actual acceptance of the WIV2017 proposal by analysing the outcome of the voting proceedings on the proposal in the First and Second Chambers of the Dutch Parliament. If it is found that both Chambers voted in favour of the proposal, the factual implementation of the emergency measures or other measures is legitimized, with which acceptance of the cyber ssecuritizing move is established.

3.7 Conclusion

This chapter explained the research design of this thesis. It began with a conceptual discussion of discourse and discourse analysis within the CS theory of securitization. It then moved on to explaining why policy documents are used as source material in its analysis, and within which timeframe the source materials are collected. After this, the operationalisation of the analysis was explained, showing how this study is divided into analysing the two phases that constitute