1
MSc Political Sciences
International Relations
Master Thesis
The Cyber-Securitization of European Smart Grids
The Role of ENISA
Strahinja Karanović
12770892
June 2020
Amsterdam
21ECTS
Summer Semester 2020
Supervisor:
Second Reader:
Dr. Rocco Bellanova
Dr. Dimitris Bouris
2
Abstract
In light of the rapid digitalization and increasing awareness about the cyber- threats This Master thesis will answer the question “How does ENISA address the cybersecurity of European Smart Grids?” The topic is based on the concept of cybersecuritization, and the theoretical approach of the Copenhagen School of Security Studies. In this context, the main aim of this research is to clarify if, and how does ENISA frames the discourse of smart grids cybersecurity. By utilizing the critical discourse analysis on the primary data corpus, the thesis casts the light on the dual role this agency undertakes in European Security Politics. The results imply that ENISA acts both as a policy promoter and an initiator. Furthermore, it is argued that the perception of what cyber-threats are and how they should be addressed, is a discursive construct shaped by ENISA and other European actors based on the specific socio-political conditions. Ultimately this work contributes to the theoretical debate over the post-constructivist perception of security and expands understanding of the possible usage of Bacchi’s critical discourse analysis approach.
Key Words: Cybersecuritization; Cyberspace; Cybersecurity; Energy Sector; Critical
Infrastructures; Smart Grids; Discourse; ENISA; European Security; Problematization; Copenhagen School; Public-Private Partnership; ISACs; International Certification
3
Table of Contents
1. Introduction: New Technologies under the Shadow of Digital
Threats……….…6
1.1. Introduction………...…6
1.2. Security in the Digital Era: Developments and Challenges………..6
1.3. Smart Grids and Cyber-Threats: From European Angle ………..8
1.4. Research Question and Main Concepts……….………..11
1.5. Literature Review………12
1.6. Thesis Outline………..………13
2. Theoretical Framework: Cybersecuritization and the New Understanding of Security………..14
2.1. Introduction……….…….14
2.2. Security: The Evolution of the Concept from its Origins to the Modern Interpretation………14
2.3. The Copenhagen School and the Securitization Theory………..……18
2.4. Securitization of Cyberspace ………..20
2.5. Cybersecuritization, Energy Sector and the Public-Private Partnership………...…22 2.6. Theoretical Framework………...24 2.7. Intermediary Conclusions………26 3. Methodological Approach………..………….27 3.1. Introduction……….27
3.2. Critical Discourse Analysis……….………27
3.3. The Collection and Mobilization of Data………....32
3.4. “What is Problem Represented to be” and Analysis of Cybersecurity Discourse...33
3.5. Intermediary Conclusions………...35
4. Representation of Securitization and Certification of Critical Infrastructures in ENISA’s Press Releases and Official Publications ………..37
4.1. Introduction………..………..37
4.2. The main Problems Represented and the underlying Presuppositions…..…………37
4
4.2.2. The core Presuppositions and the Context of Problem Representations….…45
4.3. Main Conditions for the Evolution of the Problematization……….……….48
4.4. Questioning the Problem Representation: Alternative Approaches and Identified Silences………...55
4.5. The Effects Produced by the Representation of the Problem………..………58
4.6. Production, Dissemination and Defending of the Addressed Problem Representations………..…61
4.7. Intermediary Summary………..……65
5. Conclusion………67
5.1. Summary………...…….67
5.2. Answer to the Research Question and Contribution………67
5.3. Research Limitations and Final Remarks………...………68
5
Summary of Abbreviations and Acronyms
Abbreviation Explanation
ChS Copenhagen School CI Critical Infrastructure
A/T/O/A Actor, Threat, Object, Audience Framework CIRT Cyber Incident Response Team cPPP Contractual Public-Private Partnership
CS Cybersecurity
DoS Denial of Service
E3PR European Public-Private Partnership for Resilience
EC European Commission
ENISA European Union Agency for Cybersecurity EP European Parliament
EU European Union
IoT Internet of Things IR International Relations PPP Public-Private Partnership
SG Smart Grid
SME Small and Middle-Size Enterprises WPR What is Problem Represented to be NGO Non-Governmental Organization
MS Member State/s
ISAC Information Sharing & Analysis Centre
EE-ISAC European Energy - Information Sharing & Analysis Centre
DSM Digital Single Market
6
1. Introduction: New Technologies under the Shadow of Digital Threats
1.1. Introduction
The invention of the Internet has redefined our world from the very core. It has reshaped virtually every aspect of modern society, including communication, trade, transport, or even warfare. This was followed by the rapid growth of revolutionary technology directly relying on the interconnection in digital space i.e. cyberspace. However, the activities in cyberspace were promptly accompanied by various forms of elusive attacks and misuses that have caused concerns all over the globe. One of the political entities whose actions must balance between the immanent rise in digitalization and accompanied cyber-threats is European Union.
The core objectives of the thesis are to 1) Study the role of ENISA in addressing the cyber-threats and cooperative models. 2) Clarify and further explore the securitization of European SGs in the context of cybersecurity. 3) Identify the interconnection of various sectors in the context of security studies
This chapter provides an overview of the rising importance of cybersecurity in the European Union, more specifically concerning the digitalized energy grids, better known as Smart Grids (SGs). It will further present the research question and the context in which it will be addressed throughout the work. Moreover, this chapter also engages in a detailed overview of the scholarly literature relevant to the research topic. The chapter is divided into six subsections. While the first one serves as a section outline and first mentioning of the topic the next section presents modern technological and societal developments as well as new challenges that have emerged in modern European society. The following subsection introduces the European vision of SGs and relevant cyber-threats. The fourth subsection introduces the research question that this thesis will aim to answer and the main concepts on which this question relies. This is followed by the detailed literature review and finally by the presentation of the thesis outline.
1.2. Security in the Digital Era: Developments and Challenges
With the new technology developments that marked the “4th industrial revolution” that include the Internet of Things – IoT; 5G network; sophisticated robotics; utilization of renewable energy, and mass social media, the world increasingly faces new threats that emerge in cyberspace. Some of the greatest threats are hacker attacks capable of hindering the usage of online servers, the entire databanks or even branches of industry (Partridge, 2019)
7
Furthermore, the data gathered and stored online is potentially misused by third parties, in some cases governments themselves (DataProtection1, n.d.). Moreover, the mass information exchange on the internet has allowed an undisrupted resource and data supply for controversial or criminal actors, terrorist organizations being just one of the prominent actors that utilize the benefits of World-Wide-Web to acquire financial support (Jacobson, 2010). The era marked by the further development in the internet and digitalization, namely an increase in social network utilization, and increased user interaction is often referred to as post-Web 2.0 world (Hosch, 2020). Hence, although this era is more interconnected than ever it is also a more interdependent and increasingly vulnerable one (Partridge, 2019).
In the light of the post-Web 2.0 world, virtually every aspect of the European society is transformed by digital innovations that are utilized by a wide range of actors, both state and non-state ones (Kumar et al., 2019). The activities in the multiple areas of society have been revolutionized (ibid.). One such area is the energy sector where new, sophisticated improvements led to the development of the so-called Smart Grid (SG). Other noteworthy developments include smart living, advanced ecology measures, and digitalized transport and trade. In these and other cases, the undisrupted usage of IoT and masses of digital data is crucial for the functioning of modern forms of industry and infrastructure that are increasingly utilizing modern technologies (ibid.).
European Union (EU) is one of the key political players that are actively addressing the challenges of protection against the cyber-threats, the so-called cybersecurity. EU, together with other prominent actors such as the USA, Russia, and China are adjusting their policies to provide an optimal approach for addressing the digital threats (Cavelty, 2010; Yao et al., 2017).
Nonetheless, the safety of all the systems potentially endangered from the threats emerging in cyberspace is not only a rising concern for public authorities. Private actors, such as corporations and individuals are equally endangered by online threats which make cybersecurity vital for their interests (EESC, 2018). The exact source of cyber threats often remains undiscovered which makes combating such issues more challenging. Furthermore, the multitude of stakeholders influenced by hazardous online activities frames the
1 The Internet sources without the named author will be cited by stating the key fragments of the headline or
the website name followed by the issue year, or the date of the year when it was last approached, in the case that the date is unknown.
8
cybersecurity as a transnational issue relevant in the context of international politics, and international security studies (Valeriano/Maness, 2018).
The EU security approach serves as an example where the interests of individuals regarding the safety in cyberspace are intertwined with the national cybersecurity strategies. For example, the individual actors require safe and uninterrupted usage of the World Wide Web to engage in online activities and require the overall protection of their private data from cybercriminals. Similarly, the member states prioritize the protection of important data and critical infrastructures as well as combating terrorist activities online. It must be further emphasized, these issues cross national borders both due to the international nature of the European Union as an entity and by the lack of formal limitations in cyberspace (Jukka et al., 2016). By relying on the cooperation of these actors EU aims to establish a common framework for combating digital threats and providing online safety to all the users under its authority (ibid.).
It is argued that the European institutions and its agencies should serve as additional “engines” of ensuring the Unions security in the digital field (Commission 3, 2019). For example, the European Commission emphasizes the importance of placing the EU in front of the other actors, such as nation-states, in the context norm-setting within cybersecurity (ibid.). It also urges for the creation of the common cybersecurity framework applicable to all member governments and underlines the importance of strong cooperation between public and private actors within the EU (ibid). One of the core cybersecurity actors in the EU that is delegated to addresses the issues of cyber-threats is the European Union Agency for Cybersecurity (ENISA). This actor has been formed as an independent agency to standardize and enhance cybersecurity, including the one concerning the energy sector and critical infrastructure (CI) (ENISA 1, n.d.).
1.3. Smart Grids and Cyber-Threats: From European Angle
A particularly interesting area that connects both public and private interests is the energy sector. Energy is a milestone of the modern European economy and therefore influences political actions worldwide (EESC, 2018).
This sector, including fossil fuel supply, renewable sources, and transmission grids is not immune to the “digital revolution” that relies on new technologies (Yuan et al., 2011). On the contrary, modern, energy networks are currently increasingly relying on IoT, mass data
9
collection and sophisticated software to achieve higher efficiency and provide users with a stable and sustainable energy source (Yao et al., 2017). These highly sophisticated networks are a fairly recent development, created parallel to smart cities, smart logistics, and similar “smart” projects (Xue/Yu, 2016).
Smart energy grids are more digitalized and efficient versions of energy supply that offer active participation in energy management and sustainability combined with advanced energy-spending oversight and overall more reliable energy supply (Xue/Yu, 2016). All the difference between standard and digitalized energy grids can be observed in the following picture.
Picture 1: Differences between the classic and smart grids Source: (Energy Atlas, 2018)
Besides the numerous observed benefits, such as active user-participation in the system or the decentralization of energy production and supply, smart grids are more vulnerable to cyber-attacks, data theft and misuse of personal information (Oliveira, 2010). As one of the world pioneers in developing smart grids coverage, the EU acknowledges these downsides of
10
digitalization and therefore strives to take the position of a “guardian” of these networks and interests of the multitude of stakeholders from cyber threats (Commission 1, n.d.). The overall strategy for providing safety of SGs is addressed by the European Commission (EC) (Commission 2, 2018). As it is argued, EC further relies on the ENISA for its expertise and policy promotion role, as well as the creation of the cybersecurity recommendations (ENISA, 2016: 6-7). Due to the acknowledged vulnerability of smart grids and the overall rising issue of cyber-attacks, the EU emphasizes the need for proper standardization of cybersecurity among all the member states and the urgent need for the increased ENISA involvement (Commission 3, n.d.; EURLEX, 2017). A further motivation to frame cyber threats as one of the priorities of the collective European security can be found in events such as cyber-attacks in Estonia in 2007 or the infamous computer viruses such as the one causing infrastructure damage ever since 2010 and labeled as Stuxnet (Christiou, 2019).
Consequently, the 2017 Cyber Security Act has been adopted to address these policy deficiencies. One of the core ideas behind this policy is that the ENISA would play a vital role in assisting with establishing and implementing the EU- wide certification framework for cybersecurity (Commission 4, 2018). This implies that the European Union Agency for Cybersecurity plays a vital role in ensuring more secure cyberspace. However, the exact extent to which this agency influences the approach to the protection from cyber-threats and the results of its activity remain to be further assessed. Moreover, while the Critical Infrastructures are explicitly named as a part of the proposed cybersecurity strategy the, Smart Grids remain unaddressed (EURLEX, 2017). As an increasingly important infrastructure element, it seems important to further research the exact position that SGs have in the eyes of the core European players who are engaging in cybersecurity topics.
Even though these attacks have not been as destructive as civil wars or famine, they have initiated the debate about the exact consequences that digital threats can have on entire countries and their population. The potential consequences can hinder the critical infrastructure in developed states (Anwar/Mahmood, 2014; Commission 3, 2019; Oliveira, 2010), and that is why the thesis topic represents a specific merging point of cyber- and energy- security.
An increasing emphasis on the importance of addressing cyber threats as a part of the broader European security politics can be observed in the 2017 statement ofPresident Jean-Claude Juncker:
11
"In the past three years, we have made progress in keeping Europeans safe online. But Europe is still not well equipped when it comes to cyber-attacks. This is why, today, the Commission is proposing new tools, including a European Cybersecurity Agency, to help defend us against such attacks." (Europa Nu, 2017)
Here it can be inferred that one of the pressing issues for the entire Union is the protection from the threats stemming in cyberspace. Due to the acknowledged lack of capacity to answer such threats, the issue of cybersecurity is placed within the broader context of EU security, and an important actor, ENISA, is being tasked with a, increased role in providing security in this field. This statement also leads to questions such as: what are exactly the threats that the Europeans need to be protected from? Which are the particular tools for combating these threats and who should be the one implementing these security actions? Finally, it would be interesting to explore what does exactly “safe” means and who or what defines how these, and other concepts should be understood.
It must be underlined that the Smart Grids is the field where both energy and cybersecurity issues are intertwined. The European Union recognizes the safety of Smart Grids as a vital part of its security policy that requires the cooperation of numerous political actors across the member states (Commission 3, 2019). In this way, the SGs are also placed within the context of EU security interests. With their reliance on the IoT, it is to be expected that they should also be in the focus of the European Cybersecurity Agency.
1.4. Research Question and Main Concepts
All the previously-described facts lead to the following research question that will be addressed by this thesis:
How does ENISA address the Cybersecurity of European Smart Grids?
Research focuses on exploring the activity of one important EU actor with a task to enhance the resilience of other European actors in cyberspace. The aim is to uncover, do these actors shape what the “danger” means, if yes – how? Furthermore, what are the targets of its security practices which approach does this agency undertake and why? Finally, the thesis wants to explore if the securitization in cyberspace is unique and if yes- in which way?
Moreover, it aims to link it to the energy security field by researching the issue of Smart Grids' safety. The research focuses on further elaborating on concepts of international standardization and securitization. The standardization of European smart grids has a transnational character, thus this thesis should be viewed in the context of international
12
relations. Lastly, this research underlines that the areas of security can be highly interdependent. Therefore it is necessary to analyze multiple security fields to understand the development of security policies.
1.5. Literature Review
The overall topic of cybersecurity and even more one of the smart grids is quite new. Research on the Cybersecurity is carried out across different disciplines – medicine, warfare, political science, and many more (Cavelty/Egloff, 2019; Kruse et al., 2017; Finney, 2014). It is thus not surprising that numerous scholars address this issue from a multitude of angles. The angles include a focus on securitization and international cooperation in the field of cybersecurity; the impact of discursive construction; comparison between different policy approaches or the influence of the cybersecurity policies on energy grids (Christou, 2014/2019; Dubach, 2018; Geelen, 2018, Kyoung et al., 2015; Leszczyna, 2018). This thesis aims to contribute to this growing literature by focusing on the securitization of digital space and the system of Smart Grids.
On the one hand, there is a literature that already covers the (cyber-) securitization as well as vulnerability and the importance of critical infrastructures (Anwar/Mahmood, 2014; Chebbo, 2007; Line et al., 2011; Onyeji et al., 2014; Pearson, 2011; Wang/Lu, 2013). This literature emphasizes the raising importance and interconnection between developing cybersecurity standards and critical infrastructures, such as smart grids. On the other hand, the majority of research focuses on some of the well-known leaders of digitalization (i.e. China) (Lu et al., 2009; Yao et al., 2017) and cybersecurity standardization (i.e. USA) (Deibert, 2017), thus leaving the rapidly developing EU policy and practice in this field relatively understudied. Moreover, a large portion of the mentioned literature focuses on the roles governments play in this context while the roles of agencies or private actors remain unclear.
For example, energy security and cybersecurity are often studied separately, while it can be argued that the security of modern energy networks cannot be comprehended without the inclusion of the cybersecurity aspect.
The focus on the discourse and securitization approach is not unique but places the thesis in a more contemporary vision of security, in contrast to “traditional”, that is, more realist and state-centric approaches, to security studies. Some of the research on the role of ENISA has been already done, yet it is a fairly unaddressed topic, especially concerning its connection to
13
the energy sector. The focus on these agencies’ role concerning the energy sector is one of the originalities of this work. Finally, by in-depth analyzing the role of ENISA, the thesis will be distinct by taking into consideration the role of non-state actors in standardization and international relations overall.
The literature of European Studies actively addresses the topics of European cybersecurity (Carrapico/Barriha, 2017/2018; Sliwinski, 2014) and the changes in governance with the respect to the European agencies (Egeberg/Trondal, 2011/2017; Wonka/Rittberger, 2010). Although providing an interesting analysis of the role of various EU agencies, this work will rely mainly on the theoretical premises of the International Relations and Security Studies. More specifically the theoretical core of this thesis will rely on the existing literature that discusses the concepts of security and securitization and it will be thoroughly discussed in the following section some of the core scholarly works that this research is based upon are Buzan (1998), Carr (2016), Hansen/Nissenbaum (2009) and Zedner (2009).
1.6. Thesis outline
The thesis will be organized into six parts. The first chapter will make a brief introduction to the topic and aim of the research as well as the introduction of the research question and main concepts that will be addressed inside of the thesis. The second chapter will focus on the theoretical debate and choice of approach to the topic with the additional section summarising the academic literature addressing the relevant issue. The next part will in detail clarify the methods and argue which data, about what actors and why will be analyzed. The statement about the ethical implications and impact of COVID-19 is also mentioned in the same part. The analysis and discussion will be merged in the fourth chapter and divided into subsections, each of them exploring a specific part of the topic. Finally, the last chapter of the thesis summarises the results of the research and point out important questions remaining to be further researched.
Briefly summarized, this chapter has contributed to the overall knowledge of the cybersecurity and modern inventions, such as smart grids, and has framed the research question in the context of European Security Politics and International Relations. Finally, it has provided an overview of the academic literature covering this topic and the parts where further research is required.
14
2. Theoretical Framework: Cybersecuritization and the New
Understanding of Security
2.1. Introduction
This main goal of this chapter is to provide the reader with a clear explanation of the theoretical background and core concepts on which this research is based upon. The author also underlines the importance of engaging in the discussion of the historical background of security as a concept to understand the ever-shifting meaning of what securitization concept represents, thus advocating the theoretic approach elected as optimal for the research. Therefore, the main contribution of this chapter is the introduction of the key concepts that will be used in further steps and the need for incorporating them to understand the securitization processes, but more importantly creation of “theoretic lenses” with which the research of the thesis will be addressed.
This chapter of the thesis consists of six sub-chapters. The first sub-chapter focuses on the change in the understanding of security concepts through history. The second sub-chapter provides a deeper insight into the securitization theory and overall theoretic approach of the Copenhagen School. Furthermore, sub-chapter number three expands the understanding of the security practices even further and links it to the field of cybersecurity, based mainly on the theoretical work of Hansen and Nissenbaum (2009). The fourth sub-section underlined the importance of further researching public-private partnerships in the context of cybersecurity particularly on the example of the energy sector while the fifth sub-chapter combines the elements from the previous parts into one theoretical framework that will be utilized in the further research. Finally, this chapter will end with a summary of the information given in the last sub-chapter.
2.2. Security: The Evolution of the Concept from its Origins to the Modern Interpretation
This section contributes to the overall understanding of the terms “security” and “securitization” by providing a detailed summary of the evolution of these concepts and practices surrounding them. It is crucial to engage in the review of the change in the security discourse, moving away from the mainstream understanding of security. This work addresses the topic and actors that have not been the main focus of mainstream security studies through
15
history. Because of this, explaining the changes that appeared after the Cold War is paramount for better comprehension of the theoretical approach that is elected for this study.
The concept of security is a broad term that carries multiple meanings accumulated through history (Zedner 2009: 26). Its exact origins are difficult to trace but the writings of numerous authors over the last four centuries have shaped our understanding of what security means (Zedner 2009: 26-27). Notably, Thomas Hobbes argued the clear-cut connection between the concepts of security and the modern state by stressing out that the main role of the states is to ensure the security to its subjects (ibid: 27) In this context, security can be understood as a protection from the chaotic and violent state of nature provided by the sovereign and omnipotent state (ibid: 26-27). The works of other authors such as John Locke, Jeremy Bentham, and J. S. Mill take a critical approach to the Hobbes’s interpretation of security and further expand the understanding of this concept by emphasizing that the security is a precondition for liberty (Zedner 2009: 27-28). Furthermore, in the eyes of authors such as Adam Smith, security has been seen as a foundation of free market and commerce thus expanding the concept to the field of economy as well (Zedner 2009: 33).
In time, the government has expanded to the social sphere of life. In particular, on the West of the European Continent, states have undertaken efforts to provide social security for broader masses and thus minimize crime and violence (Zedner 2009: 34). This state activity and the creation of social security did not only expand the understanding of what security exactly means, but has also served as a precondition to what we today know as a welfare state (Zedner 2009: 34-35). However, social security remained largely seen as a part of national security until the end of the Cold War (ibid.).
Despite broadening the understanding of what security encompasses, the term remained synonymous with the idea of protecting national borders, deploying the military, as well as developing and using coercive state organs such as police and prisons. Such a view of security is widespread even today (Zedner 2009: 35-36). This traditional understanding of security places the Westphalian state as the ultimate provider of security but also as the object that must be securitized in the first place. In other words, the accent is placed on the practices of national security whose securitization goal is mainly protecting national borders i.e. territory and state sovereignty (ibid: 36). In this context, the importance of coercive power over state’s subjects, military might of nations, and power politics in international relations are put at the
16
forefront of any interpretation of security practices or international conflicts (Zedner 2009: 36-39).
Such an approach towards security saw its peak during the Cold War where the vital interests of global superpowers, USA, and USSR, have been the main focus of security research (Zedner 2009: 36-37). This focus on national security was such that all the other threats were overshadowed by the fear of nuclear annihilation (ibid: 37-38). An additional contribution to the institutionalization of state-based approach can be attached to the creation of United Nation and development of the concept of territorial inviolability and sovereignty which has emphasized the security of the state itself on the global scale (Bilgin 2003: 203)
On the other hand, even during the Cold War period, but primarily after the end of this global strife, a new wave of thought started posing a challenge to the dominating state-centric vision of security. This has been done by developing and promoting the more societal and individual interpretations of security in academic peace research (for example Galtung, 1969 and Boulding 1978) but also within critical (Third World) security approaches and activities of the Commission on Global Governance (The USSR stance on nuclear disarmament) (Bilgin 2003: 204-207). This shift in interpreting what security means and whose security are we addressing resulted in the development of a more modern notion of “human security” that encompasses issues such as sustainable development, prevention of various threats and security of every individual (Bilgin 2003: 208-209). In this sense, while analyzing security the focus of the research is not limited to the interests of state actors and utilization of power politics but rather places the interests and wellbeing of individuals as a referent object. In other words, the security of the state doesn’t necessarily correspond to the security of the people (Bilgin 2003: 213).
An additional catalyst for the broadening of the security concepts can be found in “new threats” that are becoming increasingly relevant since the 21st century. Some of the prominent examples of these additional security threats include natural disasters such as earthquakes and floods, mass migrations, poverty, health threats such as pandemics as well as terrorism, hooliganism, drug trafficking, and global ecological issues (Bigo, 2013; Bilgin 2003: 217-218).
A final change in the understanding of security is increased questioning of who bears the responsibility to secure the lives and wellbeing of the individual. It cannot be denied that the states still possess substantial and legitimate power to establish stabile security frameworks
17
through the usage of their security forces, but the ever-increasing role of non-state actors such as NGO’s and International Organizations points out the importance of broadening our view on who are active security agents (Bilgin 2003: 216).
In conclusion, the traditional notion of the security as being mostly an issue and responsibility of the government and military threats against the state sovereignty presenting the main object of security studies is being increasingly challenged since the middle of 20th century with new approaches claiming that the security is a much broader and relative concept thus bringing in-game numerous state and non-state actors and focusing on a wide range of threats affecting every individual (see Graphic 1). This thesis is ultimately built upon such, more novel, approach to illuminate the security situation in cyberspace that influences multiple levels of society.
Graphic 1: Traditional vs. modern understanding of security (Bilgin, 2003; Zedner, 2009)
Traditional
State-Centric
vision of the
world
Focus on inviolability of territory, "national interests" and deterring military threats of other statesModern
(Post-Cold War)
Multitude of
actors - Varying
interests
Emphasis on human security, interests of individuals and answering the new18
2.3. The Copenhagen School and the Securitization Theory
In the light of shifting away from the traditional and mostly realist approaches in security studies, a group of authors proposed a more inclusive and less state-centric view of international security and international relations. Buzan, Waever, and de Wilde, associated with their work at the Copenhagen Peace Research Institute, have presented a more discursive approach towards explaining and analyzing security phenomena (McSweeney 1996: 81-82). The works of these, and other authors, have shaped what we today know as the Copenhagen School (CS) approach of international relations (ibid.).
CS's main goal is to fuse the main conceptions of both realism and constructivism thus providing academia with a new theoretical tool applicable to more complex cases in international relations and security studies (Williams 2003: 511). Furthermore, their contribution lays also in successfully linking the socially constructed (and intersubjective) nature of security threats and the important role states still play in addressing the security issues reflecting their strategic interests (ibid: 512).
The Copenhagen School mainly focuses on the transformation of elements from various fields of society into security-relevant issues (Williams, 2003: 512-513). This transformation process is regarded as a result of a discursive activity that takes the central place in what CS sees as securitization theory (ibid.). Proponents of this theoretical approach argue that the political actors frame certain phenomena within society as a relevant part of security policy (Williams, 2003: 513). A concrete example of this conception is reflected in the framing of a specific social identity (for example a specific cultural or ethnic group) by the securitizing political agents as an object whose protection is of paramount importance. Any kind of registered confrontation with this framed conception of social identity is thus identified as a threat (Williams, 2003: 519).
The addressing of digital threats and malfunction of smart grids as vital for the EU, even though no cyber-attacks claimed as many victims like viruses, protests, or heart decease, can be explained as a part of a securitization process. Because of this, the securitization theory of CS will be utilized as an approach in this thesis to study the framing of cyber threats in European security politics. Cyber threats are addressed as one of the priorities of European Security and, understandably the energy sector safety as a backbone of the modern economy and social welfare. It can be argued that several actions needed to take place for this issue to be a standard part of the 2013 European Cybersecurity Strategy since the digital vulnerability
19
and consequences of cyber-attacks are not as obvious to all actors (Council of the European Union, 2013).
To explain the exact process of how a particular threat gains its importance within a particular society the academics propose a clear pattern of the securitization process. As it is argued, securitization is achieved through continuous addressing of a specific issue by political actors in a form of discourse. The actions can include various forms of speeches and legislation deployed by prominent actors while at the same time they ought to be accepted by the so-called “audience” for additional political measures to be mobilized to tackle them (Buzan 1998; Waever 1995).
As can be observed the main contribution of the CS of thought is expanding the
understanding of what security encompasses beyond the traditional domain, thus respectively expanding the possible scope of research to the security-relevant topics that have for a long time remained overshadowed. Another important contribution of this theory is the
classification of securitization into five main sectors: military, economy, society, and environment (Buzan et al. 1998: 27). Furthermore, it is observed that the securitization follows common patterns depending on the region where the discourse takes place (ibid.: 42-43). Although it can be argued that this list of sectors should be expanded or not even made this strict, it presents a valuable addition to the classical understanding of the security relating mostly to the military sector. It is also noteworthy that we can in this way observe the
differences or similarities in which the issues are being addressed in two or more states or perhaps continents.
In summary, the securitization approach strives to understand which actions i.e. which processes led to the successful framing of an issue as a crucial issue of security. As presented above, the securitization theory adds additional complexity to the classical understanding of security. It helps to clarify the process of framing the comparatively less harmful issues as vital for the safety of the state, the society, or even the global society (Waever 1995).
Buzan (1998) presents an Actor/Threat/Object/Audience scheme as a universal approach for analyzing the securitization of security phenomenon. As he argues, the actor is a political entity that initially frames an issue as security-relevant. The (existential) threat is a phenomenon that is perceived as endangering the safety of the referent object by the actor. What exactly presents a threat and what the relevant object, depends on the activity of an actor and its discursive power to initiate the political response. Finally, for securitization to be
20
“successful” i.e. for the actions to be taken to address the threat, the legitimacy needs to be acquired from the audience. The exact audience that needs to be persuaded naturally depends on the political system in question. In the case of the EU, the audience could be regarded as all the governments of member states, EU institutions, or even all the citizens of the EU.
In the context of cyber-securitization of smart grids, the actors are numerous agents with agenda-shaping capacity, for example, European Commission, European Parliament, Member States, Private Companies, ENISA, and others. Threats are various forms of malicious cyberspace activities (Denial of Service, Hacker attacks, information theft, and similar) originating either from states or private actors. The referent objects are Smart Grids and more broadly the energy sector of the entire EU. Finally, the audience can be described as both member states and individuals whose interests are at stake and whose consent is necessary to frame an issue as “security-relevant”.
Consequently, this thesis uses the above-described Actor/Threat/Object/Audience framework to better understand the process that led to the framing of cybersecurity of the Smart Grids as crucial for EU policy. The specific focus will be placed on the vision of cyber threats and the necessity of broad audience acceptance. The main focus, however, will be on the main securitizing actor at play, that is, ENISA.
Nonetheless, the author of this work regards cybersecurity issues as too broad, and areas of security studies too interconnected for the described theoretical framework to suffice. The scope of this research requires a more precise and cybersecurity-related framework to address the topic of the thesis.
2.4. Securitization of Cyberspace
As we have seen, the securitization processes can take place in multiple areas of society by addressing a broad range of threats, both human- and nature-initiated, that are endangering various referent objects, not only states.
The focal point of this thesis, cybersecurity, is a very broad term where an exact source of threat or even an object that requires protection is difficult to assess. Cybersecurity has been discovered by international security studies quite recently (Cavelty 2016: 93). Arguably, the most comprehensive framework for analyzing the securitization in cyberspace can be found in the work of Hansen and Nissenbaum from 2009 that tackles the question of the theoretical framework for analyzing the cyber-securitization. Their work addresses an on-going debate,
21
in particular among scholars of ChS about how to classify cybersecurity and in which way it should be analyzed, however, it is argued that the cybersecurity is being increasingly securitized and digital threats are having ever more space in security researches (Hansen/Nissenbaum 2009: 1156-1157).
Firstly, the authors take the position that cybersecurity must be seen as a distinct field in securitization theory (Hansen/Nissenbaum 2009: 1162-1163). They argue that this is because cybersecurity addresses unique and distinguishable threats. Some of the examples include hacker attacks and information theft (ibid: 1161). Furthermore, cybersecurity is marked by specific referent objects whose importance is emphasized by securitizing actors, notably the network security, private security, and the security of critical infrastructures (Hansen/Nissenbaum 2009: 1163). A crucial argument of Hansen and Nissenbaum that relates to the topic of securitization of Smart Grids is that cybersecurity is often intertwined with referent objects of the other areas of society such as the ones linked to national security or economy (ibid.). They also emphasize the link between the individual security and the security of the referent objects relevant to the broader society (ibid.).Due to these reasons, the theory of cyber-securitization as proposed in the 2009 work of Hansen and Nissenbaum present the backbone of this research
Finally, the most prominent part of their theoretical work is the development of a 3-step process of securitizing the cyberspace. This proposed process will be mobilized while observing the cybersecurity-relevant topic of this research.
In the first place, they present the concept of hypersecuritization. Hypersecuritization is a concept generated by Barry Buzan that points out the tendency of over-exaggeration of the threat in discursive processes. In the other words, the potential (or even hypothetical) damage caused by a certain issue is over-emphasized by a securitizing actor to bring an issue to the higher level of political importance (Hansen/Nissenbaum 2009: 1164). The next concept is known as everyday security practices. This represents the linkage of digital threats to the everyday life experiences of any individual with an approach to the internet. The goal of this approach is to generate the sense of the necessity of private sector to actively engage in the protection of the network and to accept the security measures due to the awareness of the internet users, what consequence can the cyber threats have for their everyday lives (Hansen/Nissenbaum 2009: 1165). This reflects the more advanced persuasion of the audience as understood by the Copenhagen School. The last of the three processes of
22
securitization is so-called technification. The concept of technification in this sense presents the most unique concept of cybersecurity. Here the authors argue that the experts on cybersecurity including computer and information scientists have a dominant role in this type of security discourse (Hansen/Nissenbaum 2009: 1166-1167). Conclusively, it is argued that cybersecurity is also unique because of its “expert discourse” (ibid.).
This thesis will largely build upon the described theoretical conception of Hansen and Nissenbaum in the context of Copenhagen School, overtaking the notion that cybersecurity is a distinct field within securitization theory while being strongly interconnected with other security fields. The analysis of how the Smart Grids inside of the EU are securitized in the context of digital threats can be optimally analyzed by observing the discourse of securitizing actors (or simply one of the mail ones). In this example, Smart Grids presents a very specific referent object, relevant both for the energy and economy sector thus influencing the lives of both nation-states and every individual. Consequently, the focus away from the state-centric dogma, without ignoring the importance of states as engines of security frameworks as argued by CS fits this research perfectly. Furthermore, the cybersecurity of SGs and the consequence of its’ malfunctioning is strongly emphasized part of the discourse by the European Commission, State Governments, and ENISA, serving as a good example of hypersecuritization (EC Smart Grids; ENISA Smarts Grids; Luiijf et al. 2013). Everyday security practices are a recommendation of various actors in this context due to the necessity of cooperation between the private and public sector and the highly technical nature of protecting the SGs does indicate the primacy of the experts’ contribution in this discourse.
However, as Hansen and Nissenbaum acknowledged themselves, the approach is limited due to the limited amount of empirical research, and possible additions might be necessary in specific cases (2009: 1172). Due to the specific nature of research conducting as a part of this thesis, other concepts will need to be incorporated to understand the on-going securitization of SGs, but the approach discussed above will be a cornerstone for the theoretical framework of this thesis.
2.5. Cybersecuritization, Energy Sector and the Public-Private Partnership
Firstly, the works focusing on the securitization of the energy sector, in particular, electrical grids need to be taken into account to analyze this case. The 2013 work of Sezer explains the securitization of energy through the lenses of CS and illuminates the connection between this and other sectors. He argues that the threats to the energy sector are ultimately reflecting on
23
sectors such as economy, environment, or society (Sezer 2013: 11). In that sense threats to energy, grids can be regarded as threats to the whole society depending on them. The 2017 work of Maltby et al. further emphasizes the importance of energy securitization, although addressing the issues of cybersecurity just to a limited extent. A clear connection between the energy sector, PPP, and cybersecurity have been made clear in the context of securitizing critical infrastructures in Spencer’s 2017 work. It is argued that the hypothetical digital attack disrupting such infrastructures and in particular energy systems could lead to a substantial impact on numerous citizens (Spencer 2017: 2).
The crucial addition, however, addresses the lack of scientific research of the way the concept of Public-Private Partnership (PPP) interplays in this discourse. This is a concept increasingly used in international relations and also referred to in some literature addressing the cybersecurity (Kasper, 2014: 157). However, this remains strikingly underexplored, especially in the areas where the cooperation between private and public sectors is mandatory to achieve a broader and effective security framework. A particular example is a Cybersecurity in the European Union where the idea of Continent-Wide PPP is not as developed but is increasingly promoted by various agents (Bossong/Wagner 2017: 274).
Since the cyber threats in the energy sector influence a wide range of actors, it would be useful to further analyze the cooperation between public and private in this field. It can be argued that the PPP is related to the acquiring of legitimation of the audience in the context of securitization of smart grids. The multi-stakeholder participation in securitization can be observed as a part of the Buzan's’ 4 stage securitization scheme described before. The exact perception of PPP necessity and cooperation between various actors to achieve standardization of cybersecurity remains under-researched and should be illuminated in this thesis. The author would like to argue that the SGs are an invention where the importance of PPP and understanding security fields as more interconnected needs to be acknowledged.
Some theorists argue that the welfare of one nation correlates to the extent to which the critical infrastructure is actively secured by both the public and private sectors (Spencer 2017: 3). It is also emphasized how important is the PPP in protecting the critical infrastructure (including energy grids) from all kinds of threats including the digital ones (ibid. 4-5). As empirical evidence shows many states where infrastructure is mainly privatized, have already intensified the practice of shared responsibility between public and private sectors in securitizing it (Carr 2016: 43). It must be stressed out that what the world lacks is a
24
transnational universal framework of standardizing such cooperation in particular concerning cybersecurity (ibid.). As Carr argues, Cybersecurity is a pertinent example of the field where PPP is ever more prominent (2016: 54).
Reflected on this thesis research it can be argued that the acknowledged importance ENISA has in addressing and promoting PPP necessity in European governance (Bossong/Wagner 2017: 275-276) of cybersecurity needs to be thoroughly explored combining these theoretical concepts. Taking into account the main notions of securitization theory, the cybersecurity concept of Hansen and Nissenbaum, the energy security (of Copenhagen School) and finally, PPP in cybersecurity is necessary for addressing this topic.
2.6. Theoretical Framework
Within this section, the author aims to extract the key theoretic concepts i.e. elements gathered from previously discussed theoretic approaches. These elements, which are crucial for understanding how the research question will be addressed, form the theoretical framework presented in the graph below.
Graphic 2: Theoretical Framework
Public-Private Partnership "Whose Security" Post-WW2 Security Narrative Cyber-Securitizati on/ Hansen and Nissenbau m Actor/Threa t/Object/Au dience Framework
25
As it is summarised on the graph above, the elements discussed in the previous sections that form a theoretical framework of this research are:
1. The new-emerging understanding of the security concept
2. The Author/Threat/Object/Audience framework as proposed by Barry Buzan (2009) 3. The three-stage cyber-securitization developed in the work of Hansen and Nissenbaum
(2009)
4. The necessity of taking the PPP concept in the research of European securitization, in particular in the context of the energy sector
It is necessary to incorporate all four elements to address the securitization of European Smart Grids from the angle that this thesis undertakes.
Firstly, as argued, the thesis addresses the cyber-threats and their interconnection with other fields of society that have just recently become relevant objects of security studies. Because of this, it is crucial to approach this topic from a less state-centric and more inclusive angle, thus taking undertaking the more modern vision of the security concept.
The next element, the Actor/Object/Threat/Audience framework analyzes the problematic more structured. It can be argued that this approach optimally frames what the elements of the analysis are, namely: the securitizing actor (for example ENISA); the securitized object (smart grids); the threat from which the object should be securitized (cyber-attacks), and the audience that needs to accept the proposed securitization approach (various stakeholders in this case).
Furthermore, the theoretical approach of Hansen and Nissenbaum 2009 provides an optimal approach for addressing the research question. The main takes of their work are the notion that the cybersecurity is a separate, yet interconnected security field, and the possibility of customizing the research expanding to the digital context by proposing the three-step explanation of cyber-securitization practices.
Lastly, the arguments proposed in the works that address the PPP add an additional dimension to the topic by incorporating the multitude of both state and non-state actors in the analysis of the securitization practices.
Ultimately, these four elements together form a complex yet optimal approach for analyzing the securitization of EU SGs in the context of digital security.
26
2.7. Intermediary Conclusions
In summary, besides engaging in the historical argumentation of the evolution of the security concept, this chapter has contributed to the overall research in two main ways.
Firstly, it has explicitly presented the theoretical approach and concepts with which this research will engage. On the other hand, it has led to the construction and presentation of the clear-structured theoretical framework that this work is grounded on.
27
3. Methodological Approach
3.1. Introduction
The main goal of this chapter is to present the relevant method and data that will be mobilized to answer the research question, in the context of (relying on the) theoretical framework described in the previous chapter.
This chapter is divided into three sections where the first one presents the main method i.e. approach that will be used while answering the research puzzle, while the second section aims to summarize all the data that will be used during the research. In the last section, the author argues in which way the chosen methodology and data corpus can be used for addressing the research topic and ultimately providing the answer to the research question.
3.2. Critical Discourse Analysis
It is already established that the securitization processes rely on verbal actions and written discourses (Bigo, 2013). In the light of the increased focus of the academic literature on the discursive and constructivist nature of security, any aspect of the EU’s security policy can be seen as a part of the socio-political process defined by multiple actors that shape the relevant discourse (Hansen/Nissenbaum, 2009). Due to these reasons, to understand the phenomenon of SG securitization it is required to gain an in-depth understanding of this societal process. Such a complex topic interconnecting various fields of society requires a detailed qualitative analytical approach. As it is presented in the theoretical framework in the previous chapter, this thesis relies on the notion that the security threats are being socially constructed within discursive activities of securitizing actors. Furthermore, it focuses on the very recent and specific security field of cybersecurity, on which Hansen and Nissenbaum propose a specific analysis approach, also relying on the discourse influencing and interconnection of various security fields, as well as on the acknowledged need to incorporate the analysis on the recent trend of trans-sectoral cooperation in this context (see graph). As argued before, the main actor being analyzed is ENISA, since it presents an EU wide cybersecurity agency that plays a main role in addressing digital threats and is responsible for developing transnational approaches to these threats, thus presumably (from the angle of securitization theory) influencing the overall security discourse in European Union.
28
Thus, an appropriate method to illuminate the nature and importance of the discourse in this work is critical discourse analysis. To be more precise the approach conceptualized in the work of Carol Bacchi, so-called “What is the Problem Represented to be (WPR) presents an optimal approach towards the issue presented because it provides a practical guide for conducting the broad and detailed analysis of the discourse within texts and documents, and focuses mainly on content rather than actions of individual actors. Furthermore, it allows the flexible “out of the box” approach that takes into account alternative interpretations of the issue and the change in securitization approach over time (Bacchi, 2009).
What is the problem represented to be approach is designed for interpretive policy discourse
analysis is based on the six main questions that are used to unpack policy materials such as official texts, legislation, initiatives, etc? These questions are defined in the following way:
The first question states: “What is the problem represented to be in a specific policy or
policies?” Bacchi and Goodwin further clarify the purpose of this question as defining “a place to begin the analysis” (2016: 20). This question initiates the discussion about the origin and natures of certain policies or governing activities that otherwise seem “obvious” or “natural” (ibid.). With this question we are aiming to discover which phenomenon is framed as a problem i.e. is problematized. In other words, this question aims to unpack the problem or problems that are addressed in the analyzed policy. In this way, the question leads the question approaches the unveiled problems from the angle of securitization theory by emphasizing their constructed nature. It does not allow for taking any kind of addressed “threat” for granted, thus it can be induced that the terms problematized and securitized have almost the same meaning in this context.
It is also noteworthy that the policy text usually represents a complex work that encompasses multiple and often interconnected issues (ibid.). Moreover, as Bacchi argues, some problems are not addressed explicitly but can be implicitly addressed in the text. For example, a policy directive or initiative might emphasize a need for a certain action, change, or improvement, therefore pointing out the specific deficit in society and/or political life. This can arguably, also be used for observing the recommendations and initiatives undertook by ENISA, thus potentially revealing issues that are framed by its actions, but at the same time are not directly addressed in the discourse.
Furthermore, the first question doesn’t aim to identify the true or hidden purpose of the policy or program, or to assess its success or impact on every day politics but rather to analyze the
29
solutions to the problem that this policy proposes and to gain a deeper insight to the problem addressed explicitly or implicitly (Bacchi/Goodwin, 2016: 21).
The second question or “What deep-seated presuppositions or assumptions underline this
representation of the problem” has multiple goals. It firstly emphasizes the underlying ideas i.e. assumptions or still under-examined ways of thinking that must be taken into account for the policy to be understood in the specific context (Bacchi/Goodwin 2016: 21). The next purpose of using this question is to gain insight into how was the problem representation constructed or to be more precise on which core concepts or social constructs does this problematization rely upon? Furthermore, it aims to clarify if this process follows a certain pattern and in which way (ibid.).
The final purpose of this question is to clarify what are the (securitizing) subjects and objects and which roles they fulfill inside of problematization mechanisms (Bacchi/ Goodwin, 2016: 22). This part of the question is closely related to the A/T/O/A concept of the securitization process, as argued by Buzan and presented in the theory section. It allows for the analysis to separately focus on each of the elements of this framework and potentially revealing how exactly the process of problematization i.e. securitization looks in a specific case.
The third question “How has this representation of the “problem” come about?” initiates
thinking about the problem representation in the terms of so-called “Focaudian genealogy” (ibid.). To answer this question it is required to trace the practices that framed and defined the problem addressed in policies during a certain period and in this way discover the “evolution” of the particular problematization (ibid.). As Bacchi argues, its goal is to underline the main conditions that have led to a specific shaping of the observed problem representation (Bacchi, 2009)
Question number four “What is left unproblematic in this problem representation? Where
are the silences? Can the “problem” be conceptualized differently?” leads the researcher to observe the “blind spots” of the generated problematization. Moreover, it creates the opportunity to think outside of the box, i.e. by analyzing the changes in the discourse over time and possible alternative approaches that could have been used to address a specific issue (Bacchi/Goodwin 2016: 22-23). Lastly, this question leads us to think about the alternative and possibly contesting problematization processes on the same topic that can, in turn, shed light on the broader context within which this policy emerged (ibid.). This possibility of thinking broader about the topic is especially useful when tacking the issue that can be linked
30
to multiple spheres of research. For example, it firstly emphasizes that how some object is securitized is not fixed and can be challenged by alternative approaches. Besides, the topic such as smart grids can be approached from multiple angles, taking cybersecurity, energy security, or even social security into consideration. This is an important addition to the research since Hansen and Nissenbaum argue that to analyze cyber-securitization practices; it is also crucial to observe their linkage to other security areas.
Furthermore, by mobilizing the fifth question “What effects (discursive, subjectification, lived) are produced by this representation of the “problem”?” the research turns its focus on the numerous implications that the observable representation of the problem carries (Bacchi/ Goodwin, 2016: 23). It is of utmost importance to emphasize that these implications need to be seen as part of political consequences rather than measurable outcomes or “results” of the policy. The aim here is not to judge the success of a political initiative but to focus on the interconnected discursive effects; subjectification effects; and lived effects (ibid.).
According to Bacchi, discursive effects are based on the results of the previous question and emphasize the discursive limits that are established as a result of problem representation and frames what can be thought and said i.e. which actions are acceptable and desirable. The subjectification effects present the nature of political subjects that are created within problematization processes and lastly lived effects identify the connection between discursive and subjectification effects and real-life practices among the population and political players influenced by the policy (Bacchi/ Goodwin 2016: 23). Namely, this particular question could prove to be useful to address the question of PPP within the cybersecurity discourse, since it would allow observing of how exactly is the discourse limited i.e. framed by ENISA, and in which way is the concept of PPP placed within this discourse. Finally, it would also analyze how and if this placing of PPP within a discourse reflects the actions of impacted stakeholders.
The final question in Bacchi’s approach is “How and where has this representation of the
“problem” been produced, disseminated, and defended? How has it been and/or how can it be disrupted and replaced?” In this way research again emphasizes the constructive nature of what is considered as “truth” and that is regarded as a problem (Bacchi/Goodwin 2016: 23-24). This question has two main goals. Firstly it underlines the practices that have shaped the problem representation and how it has been addressed (Bacchi/Goodwin 2016: 24). The other
31
goal analyses the existing or potential contestations of the addressed problem representations based on the material collected in questions 2 and 3 (ibid.).
In summary (see graph 1), this 6 step approach aims to clarify which is the exact problem being constructed as a part of the policy material, in which way is this problem addressed, by which political actors and in which context. Moreover, it also strives to present the limitations and challenges, represented by alternative approaches, of the problem representation. Finally, it underlines the origins of recognizing a specific phenomenon as an issue and the potential or real implications this way of problematization generates inside of specific society.
6 Questions of WPR discourse analysis approach
What is the problem represented to be in a specific policy or policies?
II What deep-seated presuppositions or assumptions underline this representation of the problem
III How has this representation of the “problem” come about?
IV What is left unproblematic in this problem representation? Where are the silences? Can the “problem” be conceptualized differently?
V What effects (discursive, subjectification, lived) are produced by this representation of the “problem
VI How and where has this representation of the “problem” been produced,
disseminated, and defended? How has it been and/or how can it be disrupted and replaced?
It is important to note that questions 2 and 3 pave the road for questions 4 and 6 while question 5, in turn, builds upon the results of question 4. In other words, these are no separate questions and the phenomenon of problematization is highly complex and interconnected. When observing the
“problem” it’s important to keep in mind that there are possibly many problems and spheres of society addressed in policy material and often multiple relevant materials must be observed to paint
the clear picture of the discourse.
Table 1: Six Questions for Analysing the Policy Materials and their interconnection Sources: (Bacchi, 2009; Bacchi/Goodwin, 2016)
