Conceptualizing Cybersecurity within Neoliberal Governance: The United States Energy Sector‟s Critical

(1)

Conceptualizing Cybersecurity within Neoliberal Governance: The United States Energy Sector‟s Critical

Infrastructure Protection through Public-Private Partnerships

Monika Povilenaite

S2672499

Grote Leliestraat 131a, Groningen 9712 ST +31644456613

Supervisor: Prof. Dr. Luis Lobo-Guerrero

University of Groningen

2015

(2)

2

Declaration by Candidate

I hereby declare that this thesis, „Conceptualizing Cybersecurity within Neoliberal Governance:

The United States Energy Sector‟s Critical Infrastructure Protection through Public-Private Partnerships‟, is my own work and my own effort and that it has not been accepted anywhere else for the award of any other degree or diploma. Where sources of information have been used, they have been acknowledged.

Name: Monika Povilenaite Date: 2015-05-22

(3)

3

Abstract

The concept cybersecurity has received little attention in the International Relations scholarship despite an abundance of literature „talking cybersecurity‟ and its policy implications. The term is often taken for granted and comes in handy for characterizing, framing, and normalizing neoliberal governance practices. This thesis, therefore, aims to clear the conceptual confusion and address the question – what does „cybersecurity‟ mean within neoliberal governance?

Drawing on academic and policy-related sources, this research traces the conceptual history of cybersecurity as a concept that is both discursively and materially embedded and fundamental to the neoliberal governance structures. By problematizing this idea, the thesis contextualizes the concept of cybersecurity within the energy sector‟s critical infrastructure protectio n policies in the United States. Using genealogical inquiry, in the tradition of Michel Foucault‟s work, the thesis takes an interdisciplinary look at cybersecurity and brings to light the heterogeneous nature of human subjectivity, reality, and historical change embedded within a single concept and its epistemological connections to the notions of energy s ecurity and critical infrastructures.

The thesis proceeds to argue that the concept of cybersecurity is an enabler of particular neoliberal governance practices, specifically the model of public-private partnerships. The argument is that the model of public-private partnerships is used to govern multiple conceptual realities, embedded within a single concept of cybersecurity, and to forge new connections, meanings, and ideas in response to evolving socio-political conditions. In a way, the partnership is a vehicle of neoliberal governance that effectively reconfigures the relationship between the state and the private actors, redefines the relationship between reality and human subjectivity, and normalizes some level insecurity as a fact of life. Therefore, this continuous process of redefining threats, security needs, and referent objects of security makes public-private partnerships an attractive managerial governance tool for fixing mistakes at the same time as they emerge.

(4)

4

Introduction

Context

In the past decade, cybersecurity has become a global policy interest and, consequently, shot up to the top of the national security agendas worldwide. It has become a buzzword and, in some cases, even an oxymoron embellished with contradictory discourses, meanings, and policies. The United States (U.S.) has been at the forefront of these changes due to its technological, economic, and political prowess. In 2013, for instance, the Director of National Intelligence, the country‟s top intelligence official, singled out cyber-attacks against the country‟s critical infrastructuresas the greatest threat to the U.S. national security, surpassing terrorism (Clapper 2013). Critical infrastructure – both physical and virtual systems, networks, and assets – isperceived as predominantly exposed to the threats and risks vis-à-vis cyberspace. Recently published survey report by the Organization of American States (OAS) and security firm Trend Micro further highlights the cyber-related vulnerabilities of the critical infrastructure services.

For example, 76 % of survey respondents suggest that cyber-attacks targeting infrastructures are getting more sophisticated and harder to detect (OAS & Trend Micro 2015). The survey also reports that 54 % of the detected cyber intrusions were attempts to manipulate physical systems and equipment that is used to control specific service provision (OAS & Trend Micro 2015).

This shows that the concerns over the proliferation of cybersecurity threats and the exposure of critical infrastructures have indeed become increasingly vocal and perceived as imminent.

Unwittingly, the societies worldwide have become dependent upon cyber-enabled systems that run our everyday lives and the United States in no exception to this. The public discourse in the U.S. often touts the potential effects of cyber-attacks as disruptive, crippling, and devastating to the American econo my, national security, and a way of life. The vulnerabilities of the energy industry are often singled out as the sole critical infrastructure sector which, if successfully attacked, could shut down the electricity production, delivery, and supply as well as halt oil and natural gas operations (Onyeji, Bazilian & Bronk 2014). The multiplier effects, however, could be even more disruptive and impact transportation, communications, and financial markets (Onyeji, Bazilian&Bronk 2014). Such perceptions have resulted in a new class of security threats being called „the cyber-enabled physical attacks‟ that forge a link between the virtual and the physical that was previously less vocal (Onyeji, Bazilian&Bronk 2014). The reliance on computer networks for increased efficiency of the physical systems is increasing,

(6)

6 hence, exposing the weaknesses that were previously unaccounted for. Therefore, the concerns show the convergence of the virtual and the physical that has significant policy repercussions in terms of how cybersecurity and the energy sector‟s critical infrastructure protection (CIP) are combined both in discourses and governance practices.

In the United States, the necessity to ensure cybersecurity of critical infrastructures has been vocal for a long time, resulting in an institutionally embedded policy framework. Particular attention to the issue was paid by the Clinton administration in the 1990s. Later, the terrorist attacks of September 11, 2001, spurred a War on Terror that has changed the relationship between the federal government and the private sector by bringing them closer together as ever and increasing the role of the private sector in ensuring national security (CRN 2009). During the last decade, the efforts to address arising cybersecurity threats to critical infrastructures have become focused on specific sectors – one of them being energy industry. The attention given stems from the understanding that modern information and communication technologies and energy sector‟s infrastructures are codependent and their interconnectedness is a fabric of modern life (CRN 2009). Consequently, the U.S. government has been actively initiating policies that focus on bolstering cybersecurity efforts in protecting critical infrastructures. One of such policies – public-private partnership (PPP) –is a form of cooperation between the state and the private sector. Within cybersecurity policies, critical infrastructure protection through PPPs is often flaunted as the solution to all arising problems, particularly in the energy sector, which is mostly privately owned and operated(Dunn Cavelty &Suter 2009). However, as it often happens with popularbuzzwords, the terms „cybersecurity‟ and „critical infrastructure protection‟ have attained different meanings for different actors and have changed considerably since the Internet revolution in the 1990s.

Motivation and significance of the research

Despite the importance of cybersecurity in the policy realm, it has largely escaped the attention of International Security Studies (ISS)scholars. The analysis of cybersecurity has long been dedicated to the field of computer science.More recently, it has become a socio-politically topical issue that is highly visible in the public realm. The United States, for instance, has been the leader in creating domestic cybersecurity policies and advocating for international cooperation frameworks (CRN 2009). However, the scholarly endeavors ha ve been scarce and mostly accommodating to cybersecurity policy needs. These efforts, however, are often guided

(7)

7 by conflicting conceptualizations and diverging understandings of cybersecurity and its significance to other policy areas. The interplay between the virtual and the physical security dimensions, thus, is only marginally discussed and largely under-researched. The inherently interdisciplinary problems that arise, such as the interconnectedness of energy security and cybersecurity, have significant impact on how cybersecurity issues are framed on the national security policy agenda. More coherent and, most importantly, different look at cybersecurity issues then is required that would bring together the knowledge of computer science, economics, politics, and philosophy in order to overcome the tendency to pursue grand narrative.

Motivated by this problematic, this thesis seeks to understand the conceptual history of cybersecurity and its relation to, seemingly unrelated, issues of energy security and critical infrastructure protection. In the United States, energy sector‟s critical infrastructures are problematized because of their dependencies upon computerized systems and the perceived danger of devastating multiplier effects (Clapper 2013). The energy sector, interestingly, has also self-proclaimed its vulnerability to cyber-attacks and haspublicly problematized its cyberspace dependencies. It, thus, has made the United States the first country to jointly address the problem of critical infrastructure protection and cybersecurity seriously (Bendrath 2001). As a result, the U.S. has pursued a comprehensive set of sector-specific CIP policies that explicitly address its cyber-related issues (CRN 2010). Interestingly, these policies are institutionalized through PPPs that call for an increased cooperation between the government and the private sector. Although the framework of PPPs has existed in one form or another for a long time, they have become strongly embedded with the rise of neoliberalism in the 1970s (Dunn Cavelty &Suter 2009). This raises many questions about the nature of the power-knowledge relationship embedded in the PPPs and broader concerns about the reach of the market into all aspects of modern life. Because of such a broad range of cybersecurity issues that are evident in the American cybersecurity and CIP policies, it makes for an interesting case study worth delving deeper into.

The varying conceptualizations of cybersecurity, energy security, and critical infrastructure protection, therefore, necessitate an interdisciplinary approach which would connect the theories with practices and discourses with policies. This is why it is particularly important to untangle what cybersecurity exactly means by looking at how it changed and evolved throughout its relatively short history. Tracing the history of the meanings behind cybersecurity as well as their connections to the critical infrastructures and energy security

(8)

8 carries significant scholarly promise. Such historiographical research allows for further theorizing on how seemingly indiscernible conceptual shifts influence and enable particular modes of neoliberal governance. As Graham and Thrift (2007: 3) put it, „things are not just formed matter; they are transductions with many conditions of possibility and their own forms of intentionality‟. For the purposes of this thesis, cybersecurity is also a matter of interconnections that are actively generated and negotiated to create a particular social order (Aradau 2010). This research, therefore, questions both the disciplinary and policy dichotomies that single out cybersecurity as something „virtual‟, disconnected from the physical materiality, and historically static. Ontologically, this entails accepting that all factors of life are interconnected with dichotomies serving only an analytical purpose. In order to overcome these rigid dichotomies, this thesis seeks to bring agency to the non-human and examine the materiality of cybersecurity by looking at its connections with energy security and critical infrastructure protection.

Research question and sub-questions

The establishment of cybersecurity and critical infrastructure as objects of protection has important implications for how security, politics, and governance become conceptually intertwined. Therefore, the issue mandates scholarly attention in order to grasp how the development of the concepts of cybersecurity and critical infrastructure protection can be understood and contextualized. Hence, the idea behind this research is that any account seeking to contextualize the interplay of cybersecurity, critical infrastructure protection, and the U.S.

energy sector‟s PPPs must engage with the history of these concepts from the standpoint of today. That is, the thesis seeks to understand what is currently happening in cybersecurity politics by placing them in the historical context and theorizing them in relation to neoliberal governance practices. Hence, the developments in cybersecurity bear some questions that this thesis seeks to uncover, such as what does cybersecurity actually mean and what is its relation to energy security; how has it become intertwined with the term „critical infrastructure protection‟

and the notion of energy security; and how has it become used as the vehicle of neoliberal governance through public-private partnerships? Tackling these questions is essential in understanding the historical trajectory that cybersecurity and energy sector‟s critical infrastructure protection is undertaking in the United States.

Following this, the thesis engages with three undertakings corresponding to its chapter contents. Firstly, it uses the genealogical method for historicizing the evolution of the concept of

(9)

9

„cybersecurity‟ and its relation to „energy security‟. Genealogical approach helps to contextualize how the current American cybersecurity agenda has become problematized as an instance of security and how it has become merged with the notion of energy security.With the research commencing in the field of computer science, this chapter provides insights into how the concept and its interdisciplinary connections have come to being. Such approach entails ontologically rejecting the teleological understand ing of history and accepting that structures are perpetually changing and evolving. As a result, this chapter brings to light both the continuities and discontinuities in the history of the concept of cybersecurity, emphasizing its connections to energy security.Particular attention is given to the role of cybersecurity in the two sub-sectors identified by the U.S. Department of Energy – power as well as oil and natural gas. The chapter reviews the literature tackling the historical changes in the concept of cybersecurity, focusing on theprevalent dichotomies and public discourses that had significant impact on the U.S. national security agenda.After all, how we define „something‟ creates possibilities for governance. Thus, the problematization of cybersecurity at the policy level is particularly interesting case that carries an immense importance for further theorizing on the changing character of neoliberal governance.

Secondly, the thesis places particular emphasis on the nexus of cybersecurity and critical infrastructure protection by analyzing the development of the institutional framework in the U.S.

energy sector. The chapter reviews the literature analyzing the materiality of cybersecurity and its relation to critical infrastructures. It also tackles relevant policy documents that have created the institutional merger of cybersecurity and critical infrastructure protection. The focus here is on questioning the supposedly objective truths embedded in the concepts of cybersecurity and critical infrastructure protection. This chapter, therefore, further goes to argue that how we define a concept and forge epistemological connections is intentional and an inherently political act. It brings to attention the multiplicity of human subjectivity in the way of different perceptions of urgency, threat, and vulnerability embedded into the concept of cybersecurity. Therefore, it further problematizes the necessity to address it through pervasive though seemingly innocent governance practices.

Thirdly, the thesis goes deeper into the issues of governance in order to uncover the relationship between the concepts discussed and the policy practices. Specifically, it looks into how conceptualizations of cybersecurity and energy sector‟s critical infrastructure

(10)

10 protectionhave enabled the proliferation of public-private partnerships. It also shows how these concepts have become the vehicle of neoliberal governance that further calls for proliferation of the PPPs. The analysis of such partnerships already in place allows tapping into how the concept of cybersecurity has become consolidated to serve a particular way of neoliberal governing.

Because of their emphasis on information sharing and cooperation, the PPPs are reproducing a neoliberal way of life and actively renegotiating the importance of cybersecurity for modern life.

Therefore, the argument is that cybersecurity PPPs, focused on the energy sector‟s critical infrastructure protection, is both a control mechanism and a knowledge technology. The concept of cybersecurity within the PPPs is not merely an administrative tool – it is proactively promoting a neoliberal way of life, reconfiguring social relations, and normalizing market values.

Research Method and Theory

In tackling the research question, the approach taken is neither positivist nor post- positivist. Such labels only prescribe analytical boundaries and preclude from uncovering the truths that we often take to be self-evident. Therefore, this thesis takes cybersecurity and the associated concepts to be neither self-evident nor merely constructed. In order to untangle these complexities, the thesis uses conceptual historiography in the tradition of critical theory as the overall research method. More specifically, it utilizes the genealogical method following the tradition of Michel Foucault‟s work in order to uncover the power-knowledgerelations embedded in the concepts, policies, and practices of neoliberal governance. This approach requires tackling of the power-knowledge assemblage that produces a multiple subjectivities, truths, and realities (Koopman 2008). By following Foucault‟s practice of genealogical inquiry, this thesis holds that history is open to scrutiny because it is always written from the standpoint of the present (Foucault 1998; Koopman 2008). Hence, with the aim of uncovering power-knowledge relations, the thesis tackles the historical contingencies, continuities, and discontinuities in relation to the governance practices that they enable. Instead of pursuing policy-oriented research agenda of how to best manage cyber-related threats, this thesis taps into the power re lations governing the way we understand, „talk‟, and govern security.

The chosenanalytical framework helps to tackle how cybersecurity has become intertwined with the concept of critical infrastructure and how it has enabled PPPs as a tool of neoliberal governance. Foucauldian theorizing on neoliberalism and governance assemblages are

(11)

11 particularly useful for analyzing energy sector‟s PPPs. Additionally, such method allows to look at cybersecurity comprehensively, i.e. without assigning robust dichotomies so often evident in the social science literature. The analysis is drawn from publicly available policy documents relevant to the issue as well as scholarly literature. Consequently, this research presents a new take on cybersecurity, connects it with critical infrastructure protection policies of the energy industry, and theorizes the importance of the conceptual developments for neoliberal governance.

This thesis, hence, sets out to uncover the meanings and connotations that have created the notion and policies of cybersecurity as we know it today with regards to the energy sector‟s critical infrastructure protection. This endeavor entails accepting that, in a way, there is no single history of cybersecurity or energy sector‟s critical infrastructure protection but multiple histories of intertwined meanings, practices, institutions, and mechanisms of governance. Any scholar aiming to uncover a grand narrative that would easily explain everything is deemed to fail.

Therefore, looking at one case of cybersecurity in the energy sector‟s critical infrastructure policies uncovers significantly more than a single history of cybersecurity. The variety of ideas, meanings, material things, changes, and possible alternatives within one case points to the plethora of ways of writing a history of the past from the standpoint of the present.

(12)

12

1: The Genealogy ofCybersecurity in the United States

This chapter further traces the conceptual history of cybersecurity using the genealogical method in the tradition of Michel Foucault‟s work. His ideas have been influential in the study of politics, particularly in historiographical analysis. Foucault‟s historical perspective emphasizes the importance of contextualizing social phenomenon in relation to its development (Koopman 2008). It, therefore, allows for tackling how particular thinking, institutions, and practices have been shaped and shaped themselves. In the literature, cybersecurity is often divided into dichotomies and presented as inherently controversial, largely due to the issues of cybercrime and privacy concerns (Eriksson & Giacomello 2006). Scholarly engagements with the issues of cybersecurity then are limited to policy analysis. Guided by the questions, such as what cybersecurity actually means and why it is problematized, this chapter aims to historicize the changing meanings attached to cybersecurity and its relation to energy security, which is pertinent to further analysis of the energy sector‟scritical infrastructure protection. This is why the genealogical approach is essential for analyzing the historical continuities and discontinuities that shape cybersecurity thinking. The task here is to tackle how the concept of cybersecurity has become as we know it today, i.e. embedded with particular meanings, assumptions, and conflicting truths.

For Foucault, problematizing something means introducing uncertainty, rejecting familiarity, and questioning the things taken as a given (Collier & Lakoff 2007). Therefore, following Michel Foucault‟s work, cybersecurity here is taken as a problematization of security, or, more specifically, a problematization of the selective security concerns related to cyberspace.

Looking at the genealogy of the concept of cybersecurity means introducing an element of doubt into previously taken for granted ways of thinking, talking, and acting. Such approach allows for an analytical engagement that uncovers power-knowledge relations that have historically embedded cybersecurity into the fabric of modern political thinking. This chapter further introduces Foucault‟s genealogy as the method of critical inquiry into power-knowledge relations, elaborates on why and in what ways cyberspace is a problematization of security, and reflects on the merger of cybersecurity and energy security with regards to the U.S. energy politics.

(13)

13

1.1. Foucault’s Genealogy – Critical Inquiry into Power-Knowledge Relations For the purposes of this thesis, this section introduces Michel Foucault‟s work on genealogy and further elaborates on its relevance to the conceptual analysis of cybersecurity. Interestingly, genealogy is Friedrich Nietzsche‟s term, which Michel Foucault uses to „distance himself from traditional humanistic historiography as well as from a certain kind of Marxist totalizing theory‟

(Shiner 1982: 386). Foucault‟s genealogy incorporates his earlier concept of „archaeology‟, hence, expanding the scope of critical inquiry and questioning the teleolo gical understanding of history (Shiner 1982). It explicitly studies the relationship between the systems of exclusion, i.e.

institutions, and the discourses (Shiner 1982). Genealogical method of critical inquiry then is interested in understanding and questioning the past from the standpoint of the present in order to bring to light that which otherwise is taken for granted or perceived as natural (Foucault 1980). It entails questioning the present in order to understand the past and critique its impact. As a research method, genealogy is particularly revealing of the historical discontinuities that result inthe formation of problematizations.

Furthermore, Foucault‟s genealogical method directly engages with the relationship between power and knowledge in order to uncover the realities and subjectivities that it constitutes. Thus, it puts emphasis both on the epistemic and the political as they do not occur independently (Koopman 2008). Genealogical inquiry, then, means questioning how one constellation of power-knowledge relations is transformed, negotiated, replaced, and redesigned in the form of dispositif – „heterogeneous ensemble consisting of discourses, institutions, <…>

regulatory decisions, laws, scientific statements – in short, the said as much as the unsaid‟

(Foucault 1980: 194).The constellation of power-knowledge comes about as a result of the process of exclusion, which is inherently intertwined with the power to make value-based judgment in the first place. What makes genealogical method particularly relevant to this thesis is its emphasis on „the constitution of knowledges, discourses, domains of objects, etc., without having to make reference to a subject which is either transcendental in relation to the field of events or runs in its empty sameness throughout the course of events‟ (Foucault 1980: 117).

Consequently, it overcomes the so often visible tendency in the policy-oriented literature to pursue a grand narrative that would easily draw cause and effect relations hips or assign values.

Unlike archaeology, genealogical method accounts for multiple domains in which power- knowledge relationship can be observed. Instead of analyzing a single episteme, genealogy is

(14)

14 interested in the interconnections and constellations that come to existence (Koopman 2008).

Genealogy, therefore, holds that there are multiple forms of knowledge that are governed by power relations that, in turn, constitute multiple realities, subjectivities, and system(s) of truth (Shiner 1982; Foucault 1979). It means, then, that any form of knowledge is inherently political since the dispositif is constantly re-negotiating, re-designing, and re-constituting certain types of knowledge at the expense of others (Shiner 1982). Therefore, genealogy allows tapping into how a specific social order exercises power and becomes institutionally and epistemologically embedded (Shiner 1982). Power relations structure the rules that govern the way we think, understand, and act upon particular knowledge (Shiner 1982). The power-knowledge assemblage embedded in the dispositif, thus, is a matter of governance as they privilege particular truth(s) that produce „domains of objects and rituals of truth‟ (Foucault 1979: 194). This is particularly important in the analysis of the dispositif of security which constitutes the core of neoliberal governance (Aradau & Munster 2007, 2008; Dillon & Lobo-Guerrero 2008).For Foucault, power-knowledge relation is not only epistemic or political but also productive as it attempts to give structure to life (Shiner 1982). Genealogical approach, therefore, gives an insight into how power-knowledge constellation is being exercised through governance (Shiner 1982). It therefore brings into focus how power and knowledge influence action.

Along with power-knowledge relationship, the notion of problematization is also important for genealogical inquiry. By looking at the point of intersection between power and knowledge, genealogy questions the conditions of possibility that allow for such an „eruption of an event‟ to occur (Foucault 1998: 377). The temporal dimension here is particularly important because genealogy accepts that time is contingent andrelational. The genealogist, therefore, rejects the idea that historical time is linear and continuous by looking at multiple temporalities, including continuity alongside discontinuity (Koopma n 2008). Thus, genealogy analyzes the contingent emergence of historical temporalities as „continuities and transitions, repetitions and differences‟, or, in Foucault‟s terms, as problematizations (Koopman 2008: 360). By problematizing thecontingent emergence of a particular power-knowledge assemblage, the genealogistcan study and contextualize the practices of power and knowledge that historically prevail over others. More broadly, such approach questions the idea of objectivity, hence, accepting the fluid nature of human subjectivity, its multiplicity, and its entanglement with the very object of genealogical inquiry.

(15)

15 The problematization of a particular power-knowledge constellation is also closely related to Foucault‟s idea of disciplinary power. Power and knowledge are constitutive of each other through systemic patterns of exclusion, i.e. they are „neither unidirectional nor exterior‟

(Shiner 1982: 392). Their arrangement, thus, results in the disciplinary institutions that govern and preserve particular social order (Aradau 2010). The regulative practices of governance structure relationships as well as materialize and coordinate subjects (Aradau 2010). Foucault‟s disciplinary power assumes the materiality of the prison, school, hospital, and factory, whereas the materiality of thedispositif of security relies on agency (Aradau 2010). However, what this thesis aims to do is to analyze the agency of the non-human, i.e. the concept and its regulative governance practices. Drawing inspiration from Foucault‟s work, the task here is to tackle how seemingly innocent concept (cybersecurity) acquires meanings, negotiates itself within the multiplicity of other power-knowledge constellations (energy security and critical infrastructure protection), and functions through regulative practices of neoliberal governance (public-private partnerships).

For the purposes of this thesis, the genealogy offers not only an analytical starting point but also the possibility of delving deeper into historically contingent conditions of possibility that enable a particular set of power-knowledge relations, in this case, as expressed through the concept of cybersecurity and its entanglement with energy security. By problematizing the concept of cybersecurity itself, the thesis uses genealogy as a tool that can shed light to how it has emerged as a heterogeneous construct of human subjectivity (Aradau 2010). In other words, the thesis is concerned with how cybersecurity is both actively created by power-knowledge relations and, at the same time, creates itself through continuous adaptation and systems of exclusion. The intersections of cybersecurity with other concepts are especially interesting as they showcase how the power-knowledge relations are being re-designed and re-structured to accommodate the fluidity of human subjectivity. Therefore, the genealogical critical inquiry looks at cybersecurity as the problematization of security that is historically contingent upon prevailing power-knowledge relations that actively structure and re-structure the dominant social order.

1.2. Cyberspaceas a Problematization of Security

The Foucauldian perspective on power-knowledge relations is a particularly useful analytical tool in tracing the genealogies of cybersecurity. It can be argued that the concept of cybersecurity

(16)

16 is a relatively new problematization within security politics, embedded in a specific historical context, hence, perpetually evolving and relational. The undertaking here is not merely theoretical as the meaning of cybersecurity is „derived from its position within a particular discourse which is itself related to practices of governance‟ (Joseph 2013: 40). As this section furthers shows, the uncertainties brought by the developments in technologies and unravelling political systems of the end of the 20^th century has created a new way of identifying, naming, materializing, and institutionally grounding the perceived uncertainties of cybersecurity. It is a constitution of cyberspace as a security problem which is problematized here. That is, the act of defining something as having significance or value, such as designating cyberspace a security problem, gives status and priority to that „security problem‟ in relation to other issues (Hansen &

Nissenbaum 2009). Such problematization is inherently political and based on the power- knowledge relations that result in the exclusion of other „security problems‟ in favor of cyber- related issues. Therefore, it is important to look into the role that the political and the epistemic play in problematizing the concept of cybersecurity.

The language that is used to describe cybersecurity is an essential part in the way the concept is problematized as a security issue. Language, or discourses, according to Foucault (1980), forms an integral part of the dispositif of a prevailing power-knowledge assemblage. The language used is closely related to the environment in which cybersecurity is supposedly occurring – the cyberspace. This term, coined by a famous American speculative fiction writer William Gibson in 1982, quickly got attention and semantic recognition beyondhis readership (Dunn Cavelty 2013). In the political discourses, it was later popularized by John Perry Barlow in relation to his political activism (Dunn Cavelty 2013). Apart from the influence of popular authors and activists, the wide-spread fascination with the cyberspace also stems from the popularity of complexity theory at the end of the 20^th century (Dunn Cavelty 2013). These influences, for example, have shaped the way threats of cybersecurity are discursively constructed and perceived. Specifically, the most often used threat descriptions focus on biology- based analogies to describe technological threats, such as viruses, and worms (Lawson 2012). In this way, the „old‟ threats become „new‟ as they are merged together to form ubiquitous meanings of cyberspace vulnerabilities and insecurities. It is, therefore, a reconfiguration of power-knowledge relations that establishes cyberspace as a problematization of security.

(17)

17 The term itself is inherently political as cyberspace is understood as having both virtual and physical dimensions. For instance, the physical dimension relies on the existence of material systems that create and enable cyber activities (Deibert & Rohozinski 2010). This dimension is further strengthened by the notion of place which entails sovereign claims for control and ownership (Dunn Cavelty 2013). The virtual dimension, however, relies on the data and knowledge production which require agency or the sovereign (Dunn Cavelty 2013). At this point, common denominator emerges, i.e. the agent who navigates, controls, and governs the cyberspace. Consequently, the cyberspace is interactive, relational, and a sight of productive power-knowledge relations. What such conceptualizations lack, however, is the agency and the materiality of the non-human. That is, the term cyberspace itself, though non- material, is a power-knowledge constellation that enables a particular configuration of the social order. The embedded meanings of cyberspace, then, have consequences for how policies, institutions, and governance practices are constructed. Therefore, the intertwined nature of both the virtual and physical dimensions results in the variety of ways in which cybersecurityis constructed as a problematization of security.

Similarly to the term „cyberspace‟, „cybersecurity‟ is also used interchangeably to describe qualitatively distinct meanings. For instance, the term „information security‟ is often used to refer to cybersecurity although scholars argue that the latter is conceptually wider – cybersecurity aims to protect both the physical and virtual assets (Solms&Niekerk 2013).Security itself is broadly conceived as „safety, freedom from the unwanted effects of another‟s actions, condition of being protected from danger‟ (Nissenbaum 2005: 64). The term„cybersecurity‟, then, is constructed around two different sets of meanings. The first one, focusing on the security of physical systems and networks, relies on computer science and engineering epistemic communities for its legitimacy (Nissenbaum 2005).This is why the technical discourses form an integral part of the concept of cybersecurity. The legitimacy of computer and information systems experts makes them an epistemic authority that can actively proclaim particular cybersecurity threats or vulnerabilities (Hansen & Nissenbaum 2009).

The second one, a more politically prominent set of meanings, is preoccupied with the collective security of computer systems and its political impact on national security (Nissenbaum 2005). This understanding of cybersecurity entails concerns over threats to the cyber space as a medium around which social, economic, and political order is concentrated. In this context,

(18)

18 cyber-related vulnerabilities pose a direct threat to the traditional territorially bound nation state (Hansen & Nissenbaum 2009). Since the term „cyberspace‟ is two-dimensional and relational, the efforts to ensure cybersecurity had become focused on the subjects that function vis-à-vis cyberspace, i.e. individuals, legal entities, and nations (Solms&Niekerk 2013). The focus on agent, however, was short- lived because the cybersecurity discourses have moved towards collective security in the form of networked systems security. Such systems are often identified as vital and perceived as inherently vulnerable (Lakoff 2008). As a result of such logic, vital networked systems have acquired human- like agency and materiality. The historical process of materialization relies on the prevalent rationalities that create ideational meanings and establish relations (Aradau 2010). This set of meanings, then, creates a connection between cybersecurity and collective networked systems, such as critical societal infrastructures, that are perceived as insecure and at constant risk. Therefore, cybersecurity becomes preoccupied with ensuring the safety of both human and human-like agents that are exposed to vulnerabilities vis-a-vis cyberspace. Thus, with the term „cyberspace‟ deeply embedded within a particular set of connotations and logics, the concept of cybersecurity becomes the power-knowledge constellation that offers a solution to the perceived security problems.

Interestingly, the emergence of cybersecurity as a problematization is not an epochal shift or an immediate transformation of traditional notions of security. Instead, the concept of cybersecurity has beenin a continuous process of negotiating and adjusting its relative position within the broader dispositif of security (Aradau & Munster 2007, 2008). Vital systems security here is of particular significance for the way the dispositif of cybersecurity has developed. Unlike other security conceptions that are based on traditional enemy images or particular events, vital systems logic relies upon the status of scientific knowledge within the security dispositif (Aradau

& Munster 2007, 2008; Lakoff 2008).The epistemic authority, then, embeds the concept of cybersecurity within a particular set of rationalities, discourses, and meanings that dynamically operate in relation to each other to gradually change the referent object of security. The networked systems, as a result, acquire human- like features and become a necessity for human existence. Hence, security becomes focused on ensuring the efficiency and functionality of these networked systems in order to address broader concerns about human safety and economic stability.

(19)

19 The analysis of such shifts is only possible while rejecting the common deterministic notions of historical change – the grand narratives, describing linear processes of change where one order replaces the other. Instead, the rejection of such teleological view enables to look for patterns of emergence, of how cybersecurity has become problematized as well as has gained materiality and human- like agency. It is an essential epistemological tool for further analysis of how networked systems, i.e. critical infrastructures of the energy sector, have become merged with the concept of cybersecurity. In this context, the next section traces the genealogies of cybersecurity in relation to energy security, which is particularly important for further analysis of the interconnectedness of cybersecurity and energy sector‟s critical infrastructure protection.

1.3. Merging the Concepts of Cybersecurity and Energy Security

As discussed in the previous section, cybersecurity has become an important problematization of security. It has gained the features of materiality and human- like agency due to the influence of epistemic communities in establishing the necessity for collective security of vital systems – energy sector‟s critical infrastructures. However, the important missing element here is the energy security and societal dependencies upon energy resources for a modern way of life.

Indeed, without energy resources modern neoliberal life would hardly be possible as societies fuel their development with oil and natural gas to generate power which, in turn, enables all the technologies that have become problematizations of security (Yergin 2011). Without energy, precisely electricity, then, there would be no Internet age or cyberspace to begin with (Yergin 2011; Graham & Thrift 2007). Therefore, it is necessary to trace the genealogy of this crucial epistemological connection, namely how the meanings and rationalities of cybersecurity and energy security have become merged in the U.S. political discourses and practices. Thus, for analytical purposes, this section further distinguishes between two energy sub-sectors identified as pertinent to the American economy and smooth societal functioning – power as well as oil and natural gas sub-sectors (White House 2003). Hence, this section further argues that in the context of American energy sector, the cybersecurity of its critical infrastructures has become merged withthe notion of energy security to enable the adoption of an ever-growing array of governance practices.

Similarly to the concept of cybersecurity, the notion of energy security has several dimensions, namely the physical and systems security. The emphasis on physical security entails protection of assets, supply chains, trade routes, and creation of mechanisms for quick repair

(20)

20 andmaintenance (Yergin 2011; Graham & Thrift 2007). Energy supply chain itself incorporates assets necessary to recover, process, and distribute energy resources, i.e. pipelines, refineries, and power grids. Ensuring physical security of energy supply chain is further complicated by the fact that physical assets are acquired over long time (Yergin 2011). Additionally, the complexity and interconnectedness of the energy supply chain mandates an efficient organizational model that would prevent accidents and ensure smooth functioning. Such security, hence, ispreoccupied with ensuring efficient access to energy supplies both in physical and commercial terms (Yergin 2011).This line of thinking, developed in the context of de-regulation of energy markets in the 1980s and the 1990s, aims to ensure seamless business and national security continuity (Cherp &

Jewell 2011). Cybersecurity, in turn, plays a significant role in ensuring that physical security dimension is ensured on the almost automatic and autonomous basis. This has created a perception in the U.S. that, for instance, smart grids of the electric power generating infrastructures are inherently exposed to intrusions due to them being connected to the cyberspace (Yergin 2011).That is, as the energy supply chain is becoming more efficient, the United States is growing more aware of its self- induced cybersecurity vulnerabilities.

Paradoxically, the reliance on cyberspace has produced not only vulnerabilities but also enabled more efficient energy production, distribution, and delivery as well as increased energy demand.

This element is often left out from the discussion of cybersecurity of the energy sector as it does not call for more pervasive efforts to govern physical security.

Another important feature of energy security – the systems logic – emphasizes energy security as a system of national policies, international agreements, and institutional frameworks created to coordinate energy supply and demand, deal with emergencies, immediately address vulnerabilities, and maintain stable flow of energy from producers to consumers (Yergin 2011).

Broadly, energy security is conceived of as the capacity to ensure that energy consumers have access to resources when they need them and at the mutually acceptable price. This dimension of energy security is also concerned with long-term future planning. That is, systems logic dictates that due to vulnerabilities inherent in all systems, energy security is never static (Cherp & Jewell 2011). Thus, it requires favorable economic conditions and policies that would encourage investments into new energy resources and infrastructures in order to be sustained in the future (Yergin 2011).More broadly, however, the concept is far more complex and entails the act of balancing not only energy supply and demand equation but also geopolitical and strategic interests upon which the energy politics is built. The relations among countries and energy

(21)

21 security are closely connected in a codependent relationship in which power-knowledge constellation is constantly changing in response to emerging challenges. In this way, energy security isa complex although vague concept that is fundamentally important to the modern life (Yergin 2011). As energy systems grow in complexity, the perceptions of risks and vulnerabilities multiply to encompass an ever- growing range of potential weaknesses, including cyber-threats.

Systems vulnerability logic is particularly important for the notion of energy security inthe U.S. power sub-sector. In a way, computer systems and power generation systems are discursively and materially almost inseparable and co-dependent (Graham & Thrift 2007). There is an element of a „mutual constitution of electronic and electrical syste ms‟ as computer systems both ensure the flow of electricity and consume a large proportion of it (Graham & Thrift 2007:

12). This co-dependence is often largely ignored in the policies due to the perceptions of cyberspace and cybersecurity as something solely virtual. For instance, the power sub-sector‟s deregulation in the U.S. had ignored the material and virtual connectivities that enable power generation and delivery (Graham & Thrift 2007). However, the systems vulnerabilities logic has later dictated that any mundane system failure or glitch can have catastrophic large-scale effects, causing major economic problems and devastating fallouts (Graham & Thrift 2007). This understanding gave rise to the idea that power sub-sector‟s cybersecurity is intertwined with broader concerns over energy security and vitality of the capitalist economy (Graham & Thrift 2007). Consequently, the emphasis has shifted towards ensuring that energy security and cybersecurity priorities go hand in hand, giving rise to various policy mechanisms, such as public-private partnerships, insurance, and emergency planning. Hence, the systems vulnerability logic has brought new notions of security management into the power sub-sector, focusing on threat prediction, preparedness, and quick recovery.

Therefore, two, seemingly unrelated, concepts of cybersecurity and energy security are merged together to form a power-knowledge assemblage that guides policy action.This, however, is not an epochal or linear historical development –the concepts are continuously renegotiated in relation to each other. For instance, in the 20^th century, the American energy security thinking was primarily based on militaristic and geopolitical notions of security that aimed to secure supplies for armies, industries, and transportation sector (Cherp & Jewell 2011).

However, the last few decades of the 20^th century introduced cybersecurity into energy politics

(22)

22 and discourses. The increased reliance on computerized systems brought immense gains in efficiency but also increased perceptions of the ramifications of merging two issue areas into one.For instance, the proliferation of computer technologies in the power sector made the U.S.

exceptionally sensitive to short-term disruptions – even today most households have back-up generators in case of potential blackouts (Cherp & Jewell 2011). Cybersecurity also emerged within energy security discourses due to the breakthroughs in natural science disciplines.

Systems analysis, engineering, complexity theory, and computer modelling made an impact on energy security policies by bringing in the idea that complex systems are inherently vulnerable and exposed (Cherp & Jewell 2011 ; Dunn Cavelty 2013). For instance, the book Brittle Power was particularly influential in bringing forward the idea that American power sector is destined to fail due to its reliance on complex large-scale technological systems (Lovins&Lovins 1982).

Both the energy industry and the government recycled this idea – cybersecurity and energy security gained a common running theme of vulnerability, exposure, and the need for action and more effective governance structures.

In the United States, policy action regarding cybersecurity of the energy industry is also strengthened by the idea that any cyber- inflicted damage has cascading effects. For instance, monetary and reputational losses create market shocks that subsequently influence energy pricing (Onyeji, Bazilian&Bronk 2014). As more and more systems are computerized, the cyber- risks threaten the reliability and efficiency of the energy industry and the whole economy. Power sub-sector is a particular policy concern as any cyber disruption has immediate domestic social and political ramifications. The perceptions of power sub-sector‟s weaknesses have multiplied since 2007 when the U.S. Department of Homeland Security conducted an „Aurora Experiment‟

– a simulated hack into power plants with the intention to cause generators to self-destruct (Onyeji, Bazilian&Bronk 2014). The experiment showed not only the vulnerabilities of the computerized systems that generate electricity but also an opportunity for increased regulatory intervention due to the imminence of the issue. Similarly, the cybersecurity of oil and natural gas sub-sector gained momentum in 2012 when Saudi Arabian Oil Company – Aramco – was attacked (Onyeji, Bazilian&Bronk 2014). Although no great damage occurred, the American policy- makers and the industry have been forced to re-evaluate their security arrangements and policies towards cybersecurity of the industry‟s physical systems – pipelines, refineries, and the entire supply chain(Onyeji, Bazilian&Bronk 2014). Hence, the emphasis on devastating

(23)

23 multiplier effects has established an epistemological link between cybersecurity and energy security with an ever-growing list of interconnected policy issues.

Driven by the systems logic, the constellation of cybersecurity and energy security has been further strengthened by the 9/11 terrorist attacks that heightened the need for more overall security. The attacks highlighted the necessity to extend security thinking as much as possible to incorporate previously separate security concerns. These heightened concerns also spread to the energy security thinking and resulted in the shift towards hard security, i.e. security of computer- run physical energy infrastructures (Gattinger 2005). Before that, the constellation of cybersecurity and energy security was mainly focused on power sub-sector and its exposure to potential threats (Yergin 2011). The terrorist attacks, however, brought to light the idea that material dimensions of energy security also depend on computerized systems and networks (Yergin 2011). Energy production systems, pipelines, installations, terminals, and distribution networks have become part of „critical infrastructures‟ deemed potential targets for attacks. Once again, power sub-sector‟s vulnerabilities became the primary issue due to its reliance on computer systems that monitor and control industrial processes in the electricity generation and distribution. As such, any attack on electricity grid has been imagined to cause fallout of an entire economy or even the country (Yergin 2011). The discourses have become focused on the multiplicity of possible perpetrators who could take advantage of the wide range of weaknesses of the energy systems – individual hackers, former employees, cybercriminals, governments, or terrorists.

In summary, the increasingly complex nature of the relationship between cybersecurity and energy security points to both historical continuities and discontinuities in the process of ever-expanding dispositif of security. As the notion of energy security is expanded beyond physical energy supply chain problems, the systems logic incorporates cybersecurity into its power-knowledge constellation.The emphasis on complex systems vulnerabilities of the energy industry, hence, shapes both the domestic policy- making and the American self-perceptions about its role in the global energy market. The merger between conceptually separatesecurity issues becomes a tool and a vehicle of neoliberal governance. The perceptions of cyber- induced risks for energy security bring to the forefront of American political discourse the necessity to protect the computerized, yet vulnerable, energy sector‟s systems, i.e. critical infrastructures. In a sense, cybersecurity is no longer just an add-on technicality used for increased efficiency of

(24)

24 energy sector‟s infrastructures – it is an important epistemological tool used to legitimize more pervasive governance efforts. Therefore, it can be argued that the nexus between the physical and systems security works in concert to ensure that cybersecurity is epistemologically and institutionally embedded within the notion of energy security. In the United States, this processof shifting rationalities and modes of reasoning has enabled a codependent relationship between cybersecurity and energy security with one actively constituting the other and making their separate analysis practically void. Therefore, both cybersecurity and energy security emerge as the dominant strategic and normative frameworks guiding policies. In such a light, the next chapter analyzes how the concept of cybersecurity has become entangled with the notion of energy sector‟s critical infrastructures and their protection.

(25)

25

2: Cybersecurity and Critical Infrastructure Protection Nexus

The historical continuities and discontinuities in the development of cybersecurity, analyzed in the previous chapter, have pointed towards the necessity to engage with the concept of critical infrastructure and its epistemological connections with cybersecurity. This chapter, thus, further tackles how the concepts of „cybersecurity‟ and „critical infrastructures‟ have become semantically merged together and with what institutional consequences, particularly in the United States.As cybersecurity has assumed a significant place in the American policy jargon, it has become almost interchangeably used with the concept of critical infrastructures, specifically in the energy sector (Hansen & Nissenbaum 2009). The connection between these two concepts, however, is neither obvious nor natural. This chapter, therefore, is guided by the following question – how has the concept of cybersecurity become intertwined with the term „critica l infrastructure protection‟, specifically in the U.S. energy sector? The chapter aims to reflect on the meanings and conflicting historical tendencies in the merger of the two, seemingly unrelated, concepts that significantly influence policies in the form of critical infrastructure protection through public-private partnerships. The task here is to tackle the meanings, embedded into the concept of critical infrastructure as well as reflect on the materiality of both cybersecurity and critical infrastructure as an enabler of a particular institutional framework governing American energy sector.

2.1. Genealogy of Critical Infrastructures

The previous chapter traced the genealogy of cybersecurity as a problematizat ion of security and reflected on its connections with energy security in the context of the United States. The analysis uncovered that such problematization is almost synonymous to the perceived vulnerabilities of the energy sector‟s critical infrastructures. Therefore,how the meaning of critical infrastructure has developed is pertinent to how cybersecurity is conceptualized within such context. Following Foucault- inspired line of thinking, the concept of critical infrastructure is not taken for granted or perceived as natural. Similarly to the concepts „cybersecurity‟ and „energy security‟, the term

„critical infrastructure‟ is also taken as being perpetually changed and renegotiated as well as responsive to the social world in which it is embedded. Thus, this section further traces the genealogy of critical infrastructure in order to tap into the power-knowledge assemblage that forges its connection with cybersecurity and creates institutional frameworks in the form of critical infrastructure protection through PPPs.

(26)

26 On the most basic level, the concept of „critical infrastructures‟ is mostly understood as the „physical systems that are computerized‟ (CRN 2009: 11). Interestingly, such an obscure definition already signals the conceptual merger with the concept of cybersecurity. However, more profoundly, critical infrastructure is about the role that material things play in the society, i.e. how they allow for smooth and seamless functioning even at the times of turmoil (Aradau 2010). Another important feature of critical infrastructures that embodies the concept is the emphasis on interconnectedness, interdependence, and complexity (Dunn Cavelty 2013). While the traditional notions of security entail the protection of territorial integrity and citizenry, the security of critical infrastructure is concerned with the security of the physical systems and material assets (Aradau 2010). Additionally, Bendrath (2001) argues that, in relation to military threats, the concept of critical infrastructure acts both as an agent and as a structure that is necessary to respond to that threat. Such dual nature of the concept makes it a powerful epistemological tool in enabling a particular set of relations between power and knowledge.

Protecting critical infrastructure, then, means protecting the material things and their connections as well as societies that depend upon them (Aradau 2010). As a result, physical cyber-connected critical infrastructures become conceptualized as fundamental to the very functio ning of modern life and security against other threats, such as terrorism, natural hazards, and economic crises.

The concept, therefore, has gone well beyond its original definition of „physical systems that are computerized‟ (CRN 2009: 11). That is, it has gradually grown to incorporate a broad range of societal dependencies upon material things and their interconnections.

On the policy level, the concept of critical infrastructure has also gradually developed from traditional military contexts to being used to denote national security priorities. The mere act of adding a word „critical‟ influences the context in which the concept „infrastructure‟ is used and what it denotes (Collier & Lakoff 2007). As part of the military strategies, „infrastructures‟

have been the targets of attack in order to weaken the enemy (Collier & Lakoff 2007). However, as part of the national security policies, the add-on word „critical‟ has epistemologically transformed infrastructures into material things that have to protected and secured in order to preserve a particular way of life (Aradau 2010). The scholars, however, do not agree on when this transformation happened or what triggered it – some suggest that the shift occurred during the Cold War (Collier & Lakoff 2007) while others attribute it to the 9/11 terrorist attacks (Aradau 2010). It is likely, however, that both have had a significant impact on how the concept of critical infrastructure was both created and created itself in the American politics.

(27)

27 Going back to the 1980s – when the infrastructures started being operated by computers – there was a growing concern with the security of information and cyber-related assets (Collier &

Lakoff 2007). Epistemology wise, the reporton national security and systems vulnerability, issued in 1984 by a think-tank at Georgetown University,vocalized technophobic security concerns. The report, entitled „America‟s Hidden Vulnerabilities: Crisis Management in a Society of Networks‟, forged a semantic connection between the U.S. national security and the vulnerabilities of computerized systems in the form of „critical infrastructures‟ (Collier & Lakoff 2007). This line of thinking, legitimized by the epistemic expert authority, was later put in practice by the Clinton administration in the form of „critical infrastructure protection‟ (Aradau 2010). As such, this concept was not in the original report but was coined by the Clinton administration in the 1990s (Aradau 2010). Over time, the concept has been renegotiated, adapted, and changed in relation to the emergingthreats and governance practices. The 9/11 terrorist attacks have also contributed to the way critical infrastructures have been understood in the policy realm. For instance, the reports and policies that followed in the years after 9/11 have extensively emphasized the importance of both protecting critical infrastructures against terrorism and ensuring that the society at large is secured through resilient critical infrastructure networks (Aradau 2010). With the growing number and variety of threats, the concept of critical infrastructure has been many times extended to incorporate more points of potential vulnerabilities than initially indicated in the 1984 report from Georgetown University or proclaimed by the Clinton administration. The definitions of critical infrastructure have become abundant with the most current one emphasizing the systems and assets, both physical and virtual, which are perceived as vital for the overall security, economic well-being, and collective safety (White House 2013a). In a way, the concept has become a heterogeneous epistemological construct, encompassing virtual and physical dimensions and relying on the vital systems logic for its legitimacy and policy leverage.

Despite its societal importance, the scholarly engagements with the concept of critical infrastructure are rather scarce. One strand of thought, informed by the Copenhagen School‟s securitization theory, takes the concept of critical infrastructure as a speech act that labels infrastructures as „critical‟, thus, vital and in need of protection (Buzan et al 1998; Aradau 2010).

Such approach, then, emphasizes the performative character of the concept both as a target of a potential exploitation and the prerequisite for the modern life. The materiality of critical infrastructures, in this line of thought, further facilitates securitization. However, the

Conceptualizing Cybersecurity within Neoliberal Governance: The United States Energy Sector‟s Critical