International Relations and Security in the Digital Age
This book examines the impact of the information revolution on international and domestic security, attempting to remedy both the lack of theoretically informed analysis of information security and the US-centric tendency in the existing literature. International Relations and Security in the Digital Age covers a range of key topics, including: critical infrastructure protection; privacy issues; international cooperation; cyberterrorism; and security policy. It aims to analyse the impact of the information revolution on international and domestic security; examine what existing international relations theories can say about this challenge; and discuss how international relations theory can be developed to better meet this challenge. The analysis suggests that liberalism’s focus on pluralism, interdependence and globalization, constructivism’s emphasis on language, symbols and images (including ‘virtuality’), and some elements of realist strategic studies (on the specific topic of information warfare) contribute to a better understanding of digital-age security. This book will be of interest to students of security studies, globalization, international relations and politics and technology. Johan Eriksson is Associate Professor of Political Science at Södertörn University College, and Senior Researcher at the Swedish Institute of International Affairs, Stockholm, Sweden. Giampiero Giacomello is Assistant Professor of International Relations in the Department of Politics at the University of Bologna, Italy.
Routledge advances in international relations and global politics
Foreign Policy and Discourse Analysis France, Britain and Europe Henrik Larsen Agency, Structure and International Politics From ontology to empirical enquiry Gil Friedman and Harvey Starr
The Politics of Central Banks Robert Elgie and Helen Thompson Politics and Globalisation Knowledge, ethics and agency Martin Shaw History and International Relations Thomas W. Smith
The Political Economy of Regional Co-operation in the Middle East Ali Carkoglu, Mine Eder, Kemal Kirisci
Idealism and Realism in International Relations Robert M. A. Crawford
Peace Maintenance The evolution of international political authority Jarat Chopra
National and International Conflicts, 1945–1995 New empirical and theoretical approaches Frank Pfetsch and Christoph Rohloff
International Relations and Historical Sociology Breaking down boundaries Stephen Hobden Equivalence in Comparative Politics Edited by Jan W. van Deth
Party Systems and Voter Alignments Revisited Edited by Lauri Karvonen and Stein Kuhnle
Ethics, Justice and International Relations Constructing an international community Peter Sutch
Ethnonationalism in the Contemporary World Walker Connor and the study of nationalism Edited by Daniele Conversi
Capturing Globalization Edited by James H. Mittelman and Norani Othman
Meaning and International Relations Edited by Peter Mandaville and Andrew Williams
Uncertain Europe Building a new European security order? Edited by Martin A. Smith and Graham Timmins Power, Postcolonialism and International Relations Reading race, gender and class Edited by Geeta Chowdhry and Sheila Nair Constituting Human Rights Global civil society and the society of democratic states Mervyn Frost US Economic Statecraft for Survival 1933–1991 Of sanctions, embargoes and economic warfare Alan P. Dobson The EU and NATO Enlargement Richard McAllister and Roland Dannreuther Spatializing International Politics Analysing activism on the internet Jayne Rodgers
Political Loyalty and the Nation-State Edited by Michael Waller and Andrew Linklater Russian Foreign Policy and the CIS Theories, debates and actions Nicole J. Jackson Asia and Europe Development and different dimensions of ASEM Yeo Lay Hwee Global Instability and Strategic Crisis Neville Brown Africa in International Politics External involvement on the continent Edited by Ian Taylor and Paul Williams Global Governmentality Governing international spaces Edited by Wendy Larner and William Walters
Political Learning and Citizenship Education Under Conflict The political socialization of Israeli and Palestinian youngsters Orit Ichilov Gender and Civil Society Transcending boundaries Edited by Jude Howell and Diane Mulligan State Crises, Globalisation and National Movements in NorthEast Africa The Horn’s dilemma Edited by Asafa Jalata Diplomacy and Developing Nations Post-Cold War foreign policymaking structures and processes Edited by Justin Robertson and Maurice A. East Autonomy, Self-governance and Conflict Resolution Innovative approaches to institutional design in divided societies Edited by Marc Weller and Stefan Wolff Mediating International Crises Jonathan Wilkenfeld, Kathleen J. Young, David M. Quinn and Victor Asal
Postcolonial Politics, The Internet and Everyday Life: Pacific Traversals Online M. I. Franklin Reconstituting the Global Liberal Order Legitimacy and regulation Kanishka Jayasuriya International Relations, Security and Jeremy Bentham Gunhild Hoogensen Interregionalism and International Relations Edited by Heiner Hänggi, Ralf Roloff and Jürgen Rüland The International Criminal Court A global civil society achievement Marlies Glasius A Human Security Doctrine for Europe Project, principles, practicalities Edited by Marlies Glasius and Mary Kaldor The History and Politics of UN Security Council Reform Dimitris Bourantonis Russia and NATO Since 1991 From Cold War through cold peace to partnership? Martin A. Smith
The Politics of Protection Sites of insecurity and political agency Edited by Jef Huysmans, Andrew Dobson and Raia Prokhovnik International Relations in Europe Traditions, perspectives and destinations Edited by Knud Erik Jørgensen and Tonny Brems Knudsen The Empire of Security and the Safety of the People Edited by William Bain
Global Civil Society Contested futures Edited by Gideon Baker and David Chandler Rethinking Ethical Foreign Policy Pitfalls, possibilities and paradoxes Edited by David Chandler and Volker Heins International Cooperation and Arctic Governance Regime effectiveness and northern region building Edited by Olav Schram Stokke and Geir Hønneland
Globalization and Religious Nationalism in India The search for ontological security Catrina Kinnvall
Human Security Concepts and implications Shahrbanou Tadjbakhsh and Anuradha Chenoy
Culture and International Relations Narratives, natives and tourists Julie Reeves
International Relations and Security in the Digital Age Edited by Johan Eriksson and Giampiero Giacomello
International Relations and Security in the Digital Age Edited by Johan Eriksson and Giampiero Giacomello
First published 2007 by Routledge 2 Park Square, Milton Park, Abingdon, Oxon OX14 4RN Simultaneously published in the USA and Canada by Routledge 270 Madison Avenue, New York, NY 10016 This edition published in the Taylor & Francis e-Library, 2007.
“To purchase your own copy of this or any of Taylor & Francis or Routledge’s collection of thousands of eBooks please go to www.eBookstore.tandf.co.uk.” Routledge is an imprint of the Taylor & Francis Group, an informa business © 2007 Johan Eriksson and Giampiero Giacomello for selection and editorial matter; individual contributors, their contributions All rights reserved. No part of this book may be reprinted or reproduced or utilised in any form or by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying and recording, or in any information storage or retrieval system, without permission in writing from the publishers. British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library Library of Congress Cataloging in Publication Data International relations and security in the digital age / edited by Johan Eriksson and Giampiero Giacomello. p. cm. – (Routledge advances in international relations and global politics ; 52) Includes bibliographical references and index. 1. International relations–Computer networks. 2. Security, International–Computer networks. 3. Internet--Political aspects. 4. Technology and international affairs. 5. Cyberterrorism. I. Eriksson, Johan, 1967- II. Giacomello, Giampiero, 1959JZ1242.I576 2007 327.10285’4678--dc22 ISBN 0-203-96473-X Master e-book ISBN ISBN10: 0–415–40185–2 (hbk) ISBN10: 0–203–96473–X (ebk) ISBN13: 978–0–415–40185–2 (hbk) ISBN13: 978–0–203–96473–6 (ebk)
2006025057
This book is dedicated to Emma Michela and Emil Gunnar
Contents
List of tables Contributors Acknowledgements
1
Introduction: Closing the gap between international relations theory and studies of digital-age security
xiii xv xix
1
JOHAN ERIKSSON AND GIAMPIERO GIACOMELLO
PART I
The politics of threats 2
The virtual sanctuary of al-Qaeda and terrorism in an age of globalization
29 31
MAGNUS RANSTORP
3
From ‘cyberterrorism’ to ‘cyberwar’, back and forth: how the United States securitized cyberspace 57 RALF BENDRATH, JOHAN ERIKSSON AND GIAMPIERO GIACOMELLO
PART II
The politics of protection 4
Securing the digital age: the challenges of complexity for critical infrastructure protection and IR theory MYRIAM A. DUNN
83
85
xii 5
Contents Assessing theories of information technology and security for the Middle East
106
HAMOUD SALHI
6
Public–private cooperation and information assurance: a liberal institutionalist approach
132
LORENZO VALERI
7
International policy dynamics and the regulation of dataflows: bypassing domestic restrictions
158
IAN HOSEIN AND JOHAN ERIKSSON
8
Conclusion: Digital-age security in theory and practice
173
JOHAN ERIKSSON AND GIAMPIERO GIACOMELLO
Bibliography Index
185 219
Tables
5.1 Internet diffusion in the Middle East and population estimates 5.2 Internet penetration in the most penetrated states in the Middle East as of March 2006 5.3 Internet penetration in the least penetrated states in the Middle East as of March 2006 5.4 Ranking e-government readiness in the Middle East in 2004–2005
109 110 110 111
Contributors
Ralf Bendrath is Research Fellow at the Collaborative Research Centre ‘Transformations of the State’ at the University of Bremen, Germany. His research interests include technological influences on the change of privacy and data protection, information warfare, cybersecurity, and peace and security policy, as well as the forms and the legitimation of global governance. He has published widely on peace and security policy, cyber-security and information warfare, and was actively involved in the preparations for the World Summits on the Information Society (WSIS) 2003 and 2005. Myriam A. Dunn, PhD, is Research Fellow at the Centre for Security Studies at ETH Zurich (Swiss Federal Institute of Technology). She heads the new risks research unit and serves as coordinator for the Comprehensive Risk Analysis and Management Network (CRN), an international initiative for international dialogue and cooperation between governments, academics and the private sector in the field of strategic risk analysis. Her research interests include international relations theory with a specific focus on security studies, the impact of the information revolution on the international system, and philosophy of science. She is author of the International Critical Information Infrastructure Protection Handbook (3rd edition, 2006), author of Cyberthreats and Countermeasures: Explaining the Threat Politics behind Efforts to Secure the Information Age (forthcoming from Routledge, 2007) and contributing editor of Information Revolution and the International System: Challenges in Security and Governance (forthcoming from Ashgate, 2007).
xvi
Contributors
Johan Eriksson is Associate Professor of Political Science at Södertörn University College, and Senior Researcher at the Swedish Institute of International Affairs, Stockholm. His research interests include international relations theory, security studies, foreign policy analysis, cybersecurity, ethnopolitics, and the relationship between academia and the policy world. He is the author/editor of five books including Threat Politics: New Perspectives on Security, Risk and Crisis Management (Ashgate, 2001). Articles have appeared in, for example, International Political Science Review, International Studies Perspectives, Foreign Policy, Journal of Contingencies and Crisis Management, and Cooperation and Conflict. Giampiero Giacomello is Assistant Professor of International Relations at the Dipartimento di Politica, Istuzioni, Storia, Università di Bologna. His research interests include strategic studies, cyberterrorism, foreign policy analysis and political psychology. He is the author of National Governments and Control of the Internet (Routledge, 2005). Articles have appeared in, for example, International Political Science Review, Review of International Studies, Studies in Conflict & Terrorism, and Information and Security. Ian Hosein is a Visiting Fellow at the London School of Economics and Political Science (LSE), where he lectures and researches on technology policy. He is a Senior Fellow at Privacy International where he works on various issues including communications surveillance, free expression and international policy-making. He is an advisor to a number of nongovernmental, governmental and intergovernmental organizations on matters relating to identity, surveillance and anti-terrorism policy. He has a B.Math (Hons) from the University of Waterloo and a PhD from the University of London (LSE). Magnus Ranstorp is Research Director of the Centre for Asymmetric Threat Studies at the Swedish National Defence College. Previously he was the Director of the Centre for the Study of Terrorism and Political Violence at the University of St Andrews. His research interests are terrorism and political violence, radical Islamist movements, social movement theory, intelligence studies and information operations. His articles have appeared in, for example, Colombia Journal of
Contributors
xvii
International Affairs, Studies in Conflict & Terrorism, Terrorism & Political Violence, and Mediterranean Politics. He is also the author of Hizb’allah in Lebanon (Macmillan, 1996). His most recent edited work is Mapping Terrorism Research: Trends, Achievements and Future Directions (Routledge, 2006). Hamoud Salhi is Assistant Professor of Political Science at California State University at Dominguez Hills, and a political analyst for Algeria’s Elkhabar Weekly. Previously he was a senior writer for Gulf News, United Arab Emirates. His research interest is in the fields of international relations and comparative politics, with the Middle East and North Africa as areas of concentration, focussing on security, democracy, governance, Islamist movements and information technology. His most recent article is on Syria’s threat to US national security, published in Strategic Insight, The Center for Contemporary Conflict at the Naval Postgraduate School in Monterey, California. He has also published another article on the political and social impact of information technology in the Gulf Arab states for New Media and Information Technology in the Middle East Working Papers, Georgetown University. Salhi is now working on a manuscript about US foreign policy in the Middle East in the post-9/11 environment to be published by SNED in Algeria. Lorenzo Valeri is a Manager at Accenture, working for both private and public sector organizations on their IT strategy, as well as security and privacy needs. Prior to joining Accenture, he was a research leader at the European offices of RAND Corporation where he was in charge of managing all public policy activities in the field of security and privacy. His projects were financed by a large array of organizations including the European Commission, UK Department of Trade and Industry, British Telecom and Deutsche Telekom. He was also seconded to the Working Party for Information Security and Privacy of the OECD where he worked on the privacy implications of international transfer of personal data. He holds a PhD and Master’s degree from King’s College London.
Acknowledgements
Information technology in general, and the diffusion of the Internet in particular, unquestionably has become one of the most dominant features of globalization, increasingly affecting states and societies around the world. Claiming that this challenge implies both opportunities and threats is basically a truism. Surprisingly however, theorists of international relations have paid only scant attention to the challenges of the digital age, especially from a security studies perspective. Moreover, the specialist literature on information security, information operations, cyberterrorism, and cybercrime has largely ignored theories of international relations and security, and has shown hardly any interest in theory building. Our intention with this book is to contribute towards filling the gap between theories of international relations and the practice of digital-age security. The idea of this project was born in the summer of 2002 in New York City, when we were Research Fellows at Columbia University, with a generous grant from the SSRC (Social Science Research Council). Ralf Bendrath and Ian Hosein, two of our contributors, were also Research Fellows, and we were all assigned to the SSRC program on Information Technology, Global Security and International Cooperation. Many thanks to the SSRC and Columbia University for providing the opportunity without which this book would never have come into existence. We are also grateful for the generous financial support provided by the Swedish Emergency Management Agency to the ‘Threat Politics’ research project, led by Johan Eriksson. Invaluable funding and critique were also provided by the ‘Power Disparity’ research project (The Baltic Sea Foundation), led by Olav F. Knudsen.
xx
Acknowledgements
Many thanks also to those who participated and gave valuable critique at the workshop on theorizing digital-age security, which we organized at the International Studies Association (ISA) conference in MontrĂŠal in March 2004. This also gave us an opportunity to discuss some of the very first drafts of the papers published in this book. Thanks also to our fellow contributors for their enthusiasm and commitment. Together we have formed an international team, which not only bridges disciplinary boundaries, but also connects the academic and policy worlds. Finally, special thanks to our editors at Routledge, Heidi Bagtazo and Harriet Brinton. Your professionalism and support have been indispensable for turning the manuscript into a book. Johan Eriksson and Giampiero Giacomello Turri di Montegrotto Terme, Italy
1
Introduction Closing the gap between international relations theory and studies of digital-age security Johan Eriksson and Giampiero Giacomello
The development and interconnectedness of information and communications technologies (ICTs) such as the Internet, email, satellite television and mobile phones are diffusing globally at an impressive speed.1 The Internet is undoubtedly the most striking example. From only a handful of websites in the early 1990s, the Internet grew to contain several million websites at the turn of the millennium. Moreover, the costs of producing, using and communicating information have constantly decreased, making ICTs available to an increasing number of people all over the world (Choucri 2000: 248–52; Nye 2003: 215–16; 2004a, 2004b). There is still a significant ‘digital gap’, dividing the haves from the have-nots in terms of access and usage, a long-standing and welldocumented problem both within and between societies (Choucri 2000; Hammond 2001; Norris 2001). Notwithstanding persistent inequalities, the image is clear: the shrinking costs of ICTs have made them widespread and decentralized, reaching far beyond the political and economic elites of western societies. These observations apparently mark the limit of consensus among informed observers. The lack of consensus is particularly apparent when the basic question of this book is addressed: What are the implications of the information revolution for national and international security? Some would argue that the state is still the main player on the field, maintaining (although adapting) its role as the supreme provider of security, even in cyberspace (Fountain 2001). Others claim that the emergence of ‘virtual states’ and network economies implies a decline of interstate violence, and hence that security generally plays a significantly lesser role than in previous times. This truly optimistic perspective ‘sketches a future with an ever-widening zone of international peace’ (Rosecrance
2
Johan Eriksson and Giampiero Giacomello
1999: 24). Still others hold that the information revolution has greatly increased the significance of firms, interest organizations, social movements, transnational networks and individuals. In this vein, these non-state actors may be challengers to, as well as providers of, security (Castells 1998: 376; Henry and Peartree 1998; Arquilla and Ronfeldt 2001; Nye 2003, 2004a, 2004b). The general observation in this perspective, however, is that the information revolution makes security an increasingly important concern in all sectors of society. In 1962, Arnold Wolfers wrote that national security is the absence of threat to a society’s core values. If modern, economically developed countries are increasingly becoming ‘information societies’, then following Wolfers’ argument, threats to information can be seen as threats to the core of these societies. The challenge of the information revolution for security and the state still remains unexplored, however, both in terms of policy and substantive issues. We argue that generally, past research on this topic has been idiosyncratic and policy oriented, with little or no effort made to apply or develop theory. In particular, very few attempts have been made to apply international relations (IR) theory in analysing the information revolution, an exercise which seems warranted both for the understanding of the impact of the information revolution on security and for the development of IR theory.2 With this book, we intend to take a step towards filling this gap. More specifically, the purpose of this book is twofold: • •
to analyse the impact of the information revolution on national and international security; to examine what existing IR theories can and cannot say about this challenge, and thus how IR theory can be developed to better meet this challenge.
For most of its post-Second-World-War existence, the discipline of IR was quite content with itself. The development of IR theory strongly emphasized parsimony and universality, at the expense of empirical applicability (Wight 2002). It can be argued that empirical applicability requires a greater degree of complexity and contextually contingent thinking than has been provided by the dominant and more parsimonious IR theories (George and Bennet 2005). However, whether theories such as Kenneth Waltz’s neorealism or Keohane and Nye’s theory of complex interdependence actually gave an accurate understanding of real
IR theory and digital-age security
3
world politics (that is, external validity) was either considered irrelevant or secondary to claims of internal validity (Keohane and Nye 1977: vi; Waltz 1979: 6–7; Wight 2002). The first major sign of discomfort with this inward-looking obsession with theoretical consistency came with the end of the Cold War (Allan and Goldmann 1995; Lebow and Risse-Kappen 1995). The end of the Cold War resulted in a major crisis not only for neorealism (reputedly, the most successful of IR theories), which had failed to predict and explain that turn of events, but also for IR in general. But although much has been written about the Cold War’s end and the associated need for redefining IR theory, particularly for increasing its external validity, surprisingly little has been written about the information revolution and what challenges this implies for IR theory. We begin by reviewing three bodies of literature of ostensible relevance for understanding the impact of the information revolution for security: general theory and research on the emergence of the information society; the specific literature on information operations and cybersecurity; and lastly, security studies, a growing subfield of IR. Subsequently, three main IR perspectives are discussed in terms of what they nominally have to say about security in the digital age: realism, liberalism and constructivism.
Past research on the digital age, and security: A critical review When reviewing past research on the impact of the information revolution on security, the first observation is that the three bodies of literature which purport to have something to say about this have apparently not been informed by each other, although they deal with overlapping themes. Theory and research on the emergence of the global information society say very little about security, and when they do, the focus lies primarily on the security of firms and markets rather than the security of states and societies. There is also a specific literature on war and terror in the digital age, which typically comes in the form of idiosyncratic policy analyses, but which does not communicate with the more general theory and research, and is very weak in terms of theoretical application and development.
4
Johan Eriksson and Giampiero Giacomello
The information society literature: Security neglected It is difficult to ascertain when the expression ‘information society’ first appeared. In the early 1990s, many observers and journalists in the United States began to write and talk about the ‘information highway’, especially after US President Bill Clinton’s White House began popularizing the term. Almost accidentally (The Economist 2002), the Internet became the icon of the digital age, and particularly of ‘cyberspace’, a term coined by novelist William Gibson (1984). Marxist sociologist Manuel Castells has been among the first and most influential prophets of the digital age. As early as the late 1980s, he noted that information had become the major primary resource of material productivity in the newly emerging ‘knowledge economy’ (Castells 1989). Crucial services such as banking, air travel, water or energy distribution relied more and more on information technology (IT) to function. It was only a matter of time before information, in the 1990s, would become an indispensable cornerstone for modern, advanced societies. Castells (1996, 1997, 1998) dedicated a whole trilogy to the dawn of a global network society, pointing to the loss of sovereignty by nation-states and the emergence of alternative identities and communities. From Castells’ perspective, transnational organized crime will become the greatest potential threat to global security. Castells’ view of the force of change of information technologies is consistent with the work of IR scholars such as Hamid Mowlana. The study of the security dimension in Castells as well as in Mowlana, however, is limited to the impact of ICTs for organized crime (Castells 1997, 1998), military strategic communications, and the use of information as ‘propaganda’ (Mowlana 1997). Mowlana’s work is empirically insightful, but weak in linking the information revolution to IR theory. Political scientists have for a considerable time identified the ability to control information flows as a function necessary to preserve national sovereignty and boost national security (Agnew and Corbrige 1995; Anderson 1995; Krasner 1995). States have, however, faced multiple obstacles in this endevour, as the development and availability of communication means has been a double-edged sword. In the past, one-to-many communication systems (that is, radio and television) allowed national governments to reach out to an entire citizenry with their own message, often with nationalistic rhetoric. Increasingly in recent
IR theory and digital-age security
5
years, however, professional media organizations (such as the BBC or CNN), human rights organizations, and individuals have all learned to take advantage of the same systems to distribute nongovernmental information, counterclaims, independent reports, and so on. This international flow of messages and images has grown at an extraordinarily rapid rate, thus saturating the capabilities of a state to monitor closely what information goes in and what goes out of its territory. Moreover, this traffic flows through increasingly integrated worldwide communication systems, which are no longer dominated by national bodies (Camilleri and Falk 1992). As early as the 1970s, the new information technologies were thought to be likely to increase the vulnerability of states. A report to the Swedish government, the Tengelin Report (Tengelin 1981), emphasized the main risks of a networked society (including dependence on foreign vendors and the threat of hackers’ raids). Currently, most governments are well aware that, through the Internet, individuals and groups from all over the world can communicate information over which a single government has little or no control. This information may affect the attitude of their citizenry vis-à-vis the political and economic structures of their countries. This is not a new phenomenon, since nation-states have had a similar experience with radio and television broadcasting. What is different is the magnitude of information and the multiple entry points that have further exhausted the capabilities of states and their resources to block the penetration of that information. There are two factors that are peculiar to the global information society and are significant for appreciation of how ICTs have changed the concept of security. The first factor is the centrality of machines that communicate with each other and the psychological effects that this centrality implies. More than other machines in the past, the development of computers has resulted in optimistic visions of technical solutions to societal problems, or ‘technological fixes’, as well as in feelings of fear (Volti 1995). Movies such as 2001: A Space Odyssey, War Games, The Terminator, and The Matrix are all sagas that depict ‘evil’ computers taking over the world and are symptomatic of a culturally broad-based and profound fear of technological development. If the idea of depending on machines can be unnerving, knowing that our well-being and safety are entrusted to computers that may be required to make vital decisions is hard to
6
Johan Eriksson and Giampiero Giacomello
bear. Thus, the psychological dimension of network society matters considerably. The most famous computer network, the Internet, has a distinctive characteristic: it is at the same time an infrastructure (that is, the actual computer network) and a communications medium.3 On the same wires and with the same protocol, packets transport bytes that represent radically different information: an email to a friend, details on one’s flight itinerary, online multiplayer gaming, statistics on a municipality’s water consumption, or credit card numbers. With the exception of the last, which, like virtually all financial transactions, would be encrypted, most other communications are available in public, that is, anyone using the medium could read them. When computer networks were proprietary, for example linking together a bank with its subsidiaries or US strategic command with nuclear missile silos, they were so expensive that only a very few organizations or institutions could afford them. Furthermore, they used protocols that authorized only their legitimate users to be in each network. Today, the Internet has opened up countless communication channels, reduced the cost of networking, and allowed human rights dissidents to spread their message. The Internet was designed to maximize simplicity of communication, not security of communication. The price for this has been the increasing opportunity for criminals or wrongdoers to exploit the vulnerabilities of the network for their own ends. The literature on digital-age security: Theory neglected Whether hype or reality, cyberthreats have achieved an indisputable salience in post-cold-war security thinking, particularly among analysts and makers of defense and security policy. Critical infrastructure protection, information warfare, information operations,5 information assurance, cyberterrorism, Revolution in Military Affairs (RMA)5 and similar buzzwords are common currency in policy documents, defense bills and security doctrines of the early twenty-first century. While conventional forces and military budgets have been generally downsized following the end of the Cold War, the new emphasis on information security and cyberthreats is a noteworthy exception. In North America, Europe, Russia, China and other parts of the world, governments are setting up new units and employing
IR theory and digital-age security
7
personnel for monitoring, analysing, and countering the perceived risks and threats of the global network society. The conception of cyberthreats has grown out of the fear of increased vulnerability and loss of control that presumably is the result of moving from an industrial to an information society (Alberts 1996a, 1996b; Alberts and Papp 1997; Henry and Peartree 1998; O’Day 2004). Without the development of global computer networks and communications, cyberthreats would be difficult to imagine except as science fiction. Notions of cyberthreats have originated in both the private and public sphere, among military as well as civilian actors. In the business community and within the police, cybercrime has become a particularly salient threat image. Within the military-bureaucratic establishment, perceived threats have been framed as information warfare, information operations, cyberterrorism and cyberwar. Among computer scientists, technicians and network operators, threat images are usually much narrower, with an emphasis on computer network attacks, exploits and disruptions (implying an adversary) and on structural vulnerabilities such as software conflicts and other bugs which can lead to systems crashes (for example, the Year 2000 or ‘Y2K’ computer bug). Images of cyberthreats typically involve a very broad range of adversaries and targets, including both state and non-state actors (Campen et al. 1996; Schwartau 1996; Henry and Peartree 1998; Khalilzad et al. 1999; Herd 2000; Erbschloe 2001; Polikanov 2001; Furnell 2002; Yourdon 2002; O’Day 2004). States are still typically seen as the single most important type of potential enemy, able to neutralize effectively the critical infrastructures of another country (for example, by shutting down telecommunications), but non-state actors are gaining attention as well. A study by the National Research Council argues that ‘Tomorrow’s terrorist may be able to do more with a keyboard than with a bomb’ (Bendrath 2001; Denning 2001a: 282).6 Former Homeland Security Director Tom Ridge (2002) observed that ‘Terrorists can sit at one computer connected to one network and can create world havoc – [they] don’t necessarily need bombs or explosives to cripple a sector of the economy, or shutdown a power grid’. Such rhetorical dramatization is characteristic of the entire discourse on information security and cyberthreats. The common view is that as societies and governments are becoming more reliable with respect to information technology, they are also becoming more vulnerable to all sorts of cyberthreats.
8
Johan Eriksson and Giampiero Giacomello
The most cataclysmic dramatization in the literature is that of an ‘electronic Pearl Harbor’ (Schwartau 1997; Smith 1998; Everard 2000; Bendrath 2001; Forno 2002; O’Day 2004).7 According to the ‘electronic Pearl Harbor’ scenario, phone systems could collapse, subway cars suddenly stop, and the money of thousands of people become inaccessible as banks and automatic teller machines stop functioning. In such an apocalyptic vision, overall critical infrastructures would be disrupted to the point that society and government would lose the ability to function normally. The evocative image of an ‘electronic Pearl Harbor’ was immediately adopted in the US media and in certain circles of policy-makers (Bendrath 2003). Former Deputy Defense Minister John Hamre argued that ‘We’re facing the possibility of an electronic Pearl Harbor… There is going to be an electronic attack on this country some time in the future’ (CNN 1997). Some commentators have argued that the ‘electronic Pearl Harbor’ scenario is highly unlikely, and is more about fearmongering than sober analysis. For example, Denning (2001b) argues that cyberterrorism, defined as digital attacks causing physical destruction and human deaths, is extremely unlikely.8 Few, if any, cyberattacks could be characterized as acts of terrorism. Even the US Naval War College, in cooperation with the Gartner Group, concluded that an ‘electronic Pearl Harbor’, although theoretically possible, was highly unlikely: ‘There are far simpler and less costly ways to attack critical infrastructure, from hoax phone calls to truck bombs and hijacked airliners’ (The Economist 2002: 19). Information operations are seen not merely as a means of improving or complementing physical attack, but as a means of replacing physical destruction with electronic (Denning 1999; Harshberger and Ochmanek 1999: 12; O’Day 2004). Denial of service attacks and the defacing of web pages certainly can have material consequences. For firms operating with online transactions, the result can be huge financial losses.9 Nevertheless, the major impact is symbolic and the main effect is humiliation. To a large degree, cyberattacks are attacks with and against symbols and images. Net-defacing, in particular, is a means for attacking symbols, something which is being done on an everyday basis by ‘hacktivists’ on both sides of the Israeli–Palestinian conflict, the China–Taiwan conflict, and the Protestant–Catholic conflict in Northern Ireland.10
IR theory and digital-age security
9
Most observers focus on the transnational and network-based character of cyberthreats (Pfaltzgraff and Shultz 1997; Henry and Peartree 1998; Keohane and Nye 1998; Arquilla and Ronfeldt 1999, 2001; Deibert and Stein 2003; O’Day 2004).11 Adversaries are typically seen as operating in loosely organized networks consisting of relatively independent nodes of individuals, groups, organizations, or even states, capable of quickly assembling and dispersing, even long before an attack has been discovered. In particular, network actors capable of using such means can resort to ‘asymmetric warfare’ (De Borchgrave et al. 2000; Herd 2000; Applegate 2001; Arquilla and Ronfeldt 2001; Erbschloe 2001; Sofear and Goodman 2001; O’Day 2004). Although they might be incapable of engaging states in a conventional military conflict, they can inflict serious damage by attacking and exploiting the vulnerabilities of information systems by resorting to cyberattacks (Arquilla and Ronfeldt 1999, 2001; Cordesman 2002). The widely acknowledged framing of cyberthreats implies that boundaries are dissolved between the international and the domestic, between civil and military spheres, between the private and public, and between peace and war. If taken seriously, this framing suggests that not only the security of information systems is challenged, but also, and more fundamentally, the sovereignty of states (Rosecrance 1999; Everard 2000; Fountain 2001; Giacomello and Mendez 2001; Giacomello 2005). Cyberthreats challenge primarily internal sovereignty (effective control of the national territory and of the people living within it), but not necessarily external sovereignty (the formal recognition of independence by other states) (compare Philpott 2001). At stake are not only the tangible and intangible values of information, but also the ability of governments to control the course of events. In conclusion, while there is a growing body of specialized literature dealing with the manifold aspects of digital-age security, there is also an alarmist tendency in this literature. Furthermore, this literature is policy oriented and hardly ever involves the application or development of theory. Security studies: The digital age neglected A major issue in theoretically oriented security studies (a growing subfield of IR) is the very meaning of the essentially contested concept of security. Two contending positions can be discerned – those of traditionalists and those of wideners. Traditionalists hail
10
Johan Eriksson and Giampiero Giacomello
typically from the realist camp and practise state-centric and military-oriented ‘strategic studies’ (Walt 1994; Ayoob 1997). They maintain that despite the emergence of ethnic and religious insurgence, global terrorism, transnational crime and global warming, there is no need to broaden the definition of security. Allegedly for the sake of conceptual clarity and theoretical parsimony (Ayoob 1997; Goldmann 1999), and arguably because of their underlying ideological priorities, traditionalists continue to approach security from the viewpoint of the nation-state and interstate war. Wideners (who represent a mix of liberals and critical theorists) claim that the security concept should be broadened to encompass ‘new’ threats and challenges, spanning political, societal, economic and environmental sectors (Buzan 1991; Deibert 1997; Buzan et al. 1998; Stern 1999; Müller 2002). In addition, wideners incorporate a range of ‘new’ actors in their analyses, notably nongovernmental organizations (NGOs), social movements, terrorist organizations, private firms and individuals. The focus on the individual has spawned interest in ‘human security’, which also has had an impact on United Nations policy. Rather surprisingly in light of their broadened perspective, the wideners have only very rarely addressed the information revolution and its impact on security. Their expanded security concepts typically cover economic, ecological, political and cultural issues, but seldom address the emergence of the Internet and other elements of the information revolution. Some traditionalists have addressed the development of information technology, but only with regard to the technological improvement of military capabilities (Lonsdale 1999). Material capabilities have always played a crucial role in a state-centric and military-oriented perspective on national security (compare Van Creveld 1991; Knox and Murray 2001). Intelligence gathering and psychological warfare (which are part of information operations) are also ‘material’ capabilities and have always been important elements of warfare. Likewise, technological revolutions have always interested the military, from the invention of machine guns and airplanes to the development of radar and satellites. ‘Electronic warfare’ has been an established concept and practice within the military for several decades. But for most traditionalists (and realists imprimis), information technologies are merely a new fancy add-on (compare Lonsdale 1999; Everard 2000: 109; Biddle 2004).
IR theory and digital-age security
11
Regardless of the theoretical perspective advocated, there is obviously a gap to be filled in security studies: to address the impact of the information revolution for the general understanding of security in the contemporary world, as well for explaining variation in security relations and policies across the world.
International relations theory and security in the digital age Realism, liberalism and constructivism stand out as the main theoretical perspectives in contemporary IR. Although overlaps, linkages and internal varieties are matters of discussion, they are generally perceived and portrayed as separate perspectives. Asking what each of these perspectives can nominally say about security in the digital age will clarify the potential relevance of each perspective, and may serve as a source of inspiration for further theory building and empirical research. Realism The core assumptions of realism are: (1) the state is the primary unit of analysis; (2) the state acts in a rational way to satisfy its national interests; and (3) power and security are the core values of the state. In all versions of realism, the worldview is essentially pessimistic. Anarchy (absence of central government) characterizes the international system, which forces states to act out of their national self-interest (survival). Anarchical conditions tragically lead to the ‘security dilemma’. Power, measured primarily in terms of military capabilities and the associated striving for security, is the main driving force in world politics (Gilpin 1986; Morgenthau 1993; Schmidt 2002). Kenneth Waltz attempted to turn realism into a scientific, systemic theory of international politics, with foreign and security policy beyond its scope. In so doing, he provided a universal and parsimonious explanation of how world politics functions, but at the cost of downplaying the real-world relevance of his theory (Waltz 1979: 5–7). Mearsheimer, however, endevours in his most recent book, The Tragedy of Great Power Politics (2001), to fill the gap left by Waltz by laying the groundwork for a neorealist theory that is not only logically consistent, but also applicable to the study of foreign and security policy. In principle, realists do not see a need to revise their theories for understanding security in the digital age. The state is still seen as
12
Johan Eriksson and Giampiero Giacomello
the main and sometimes only important actor. Moreover, a narrow (military) definition of security is maintained, thus denying that non-state actors may exercise any degree of (military) power. Realists would presumably tackle the challenge of the information revolution in much the same way as they have tackled previous challenges of transnationalization, complex interdependence and globalization. These trends are seen as epiphenomena, which may very well affect the policies and domestic structures of states, but which do not undermine the anarchic system of international politics, and thus do not affect the primacy of the state as the supreme political unit. Realists might consider IT-related security threats to be largely an economic issue, not necessarily affecting the security of states and not in themselves security threats. Indeed, there are some realists, or realist-inspired theorists, who generally defend a narrow, military definition of security, but who argue that if any widening of the concept should be made, it should be in order to include the economic dimension (Buzan 1991; Walt 1994). Some realists would likely consider information warfare as relevant, if defined as a new technological component in otherwise traditional interstate conflict (Lonsdale 1999). Psychological warfare has been a central element in military thinking at least since Chinese strategist Sun Tzu wrote his famous The Art of War some 2000 years ago.12 Electronic warfare, such as the electronic jamming of radio communication, has been an element of interstate conflict for a much shorter time (since the Second World War), but is also a precursor of the much more recent talk of warfare in the digital age. The introduction of information warfare in strategic studies and military planning (which generally has been informed by realist thinking) could be seen as a marker of continuity rather than dramatic change. Some of the technology is new, as is the global capacity of resourceful digital adversaries, but the basic notions of attacking and defending information and information systems are as old as warfare itself – basically, old wine in new bottles. Liberalism Liberalism is a broad perspective which includes, inter alia, Wilsonian idealism and neoliberal theories (Walker 1993; Moravcsik 1998, 1999), democratic peace theory (Russett and Antholis 1993), interdependence theory (Keohane and Nye 1977,
IR theory and digital-age security
13
1989), second-image theory (Gourevitch 1978), the bureaucratic politics approach (Allison and Zelikow 1999) and domestic politics approaches (Snyder 1991; Risse-Kappen 1995). The most important contributions of liberal theory to the discipline of IR can thus be summarized as: (1) the emphasis on a plurality of international actors; (2) the importance of domestic political factors in determining the international behaviour of states; (3) the role of international institutions13 in establishing (although not enforcing) rules of behaviour (or regimes) for state actors; and (4) expanding the agenda of international studies (particularly in the subfield of international political economy) by focusing on a broader set of issue areas than mere ‘Hobbesian’ survival in an anarchic international environment.14 Liberals agree with realists that states are central actors in world politics, but, in contrast to realists, argue that states are by no means the only actors that play significant roles in international relations. Indeed, the most prominent change in recent years in the field of international politics has been the emergence of a wide range of new non-state international actors (transnational corporations, social movements, pressure groups, political party networks, migrants and terrorists). Thus liberalism has the potential to show awareness of the emergence of new online groups, operating in chat rooms and ‘blogs’, and through new types of audiovisual ICTs. In most liberal readings of contemporary world politics, it is argued that the sovereignty of the nation-state is being permeated and fragmented by the development of transnational relations. Though any single transnational actor is seldom able to challenge the political, military or economic power of a state, the increasingly complex and globally penetrating web of transnational relations perforates sovereign states to the extent that sovereignty is hardly more than a symbol of territorial integrity which, in reality, is no longer sustainable. Indeed, some liberals go so far as to claim that sovereignty is a burden rather than a power asset, as suggested by Rosenau’s (1990) distinction between ‘sovereignty-bound’ and ‘sovereignty-free’ actors.15 The long-standing clash between realists and liberals in IR has, to some extent, overshadowed important similarities between the two. In particular, realism and liberalism share a rationalistic epistemological approach, including an emphasis on interest-based interaction (Buzan et al. 1998; Katzenstein et al. 1998; Fearon and Wendt 2002; Schmidt 2002). This distinguishes realism and
14
Johan Eriksson and Giampiero Giacomello
liberalism from constructivism, and even more so from other ‘interpretative’ approaches such as post-structuralism and postmodernism. Liberalism, with its emphasis on non-state actors with transnational capacity and its insistence that the economy matters as much as security (the former is seen as the underlying element for the latter), broadens the definition of what international relations is about. In general, liberalism tends to emphasize the positive outcomes of interdependence and interconnectedness, rather than the increasing vulnerability and insecurity that might ensue. There are two possible reasons for this ‘optimistic’ tendency within liberalism. First, modern liberalism is influenced by Kantian and Wilsonian idealism (Duncan et al. 2003: 21–2, 32–4). Emphasis is on the possibilities of overcoming conflicts by peaceful means, in particular, by norm and institution building at an international level. In contrast to realists, liberals believe that humans are, if not inherently ‘good’, then at least morally receptive. Modernization, including technological development, is generally seen as a vehicle of enlightenment and peaceful change. Against this background, liberals have promoted notions such as collective security, and cooperative security, which, among others things, have influenced the United Nations and the Organization for Security and Cooperation in Europe. Liberalism has also responded to realist state-centric and security-oriented theories of international relations by emphasizing the significance of non-state actors and ‘non-security’ issues, such as trade and travel. Many liberals have actually taken a realist perspective of security for granted, and have taken a critical stance against addressing issues labelled ‘security’ altogether. Consequently, the liberal critique of realist security thinking has prevented liberalism from developing its own perspective on security. This problem has not gone unnoticed. Some liberals have advocated a widened perspective, which, for example, includes economic, ecological and human security concerns. Paradoxically, however, few liberals seem to have apprehended the challenge of the information revolution. Moreover, those that have are still silent on its implications for security. The influential theory of complex interdependence, initially developed in the 1970s by Joseph Nye and Robert Keohane, has recently been updated to meet the challenges of the digital age (Keohane and Nye 1998; Nye 2003, 2004b). In this updated version, the costs of interdependence
IR theory and digital-age security
15
(sensitivity and vulnerability) are added as a new component to the theory. In addition, the impact of the information revolution on international relations is analysed. It is, however, noteworthy that the costs of interdependence are framed merely in economic terms, and are not portrayed as matters of national or international security (Nye 2003: 199–202; 2004b). Nye briefly observes that national security, defined as the absence of threat to major values, can be at stake. He mentions that many nations have ‘aggressive computer-warfare programs’, and that ‘[w]ith a few keystrokes, an anonymous source anywhere in the world might break into and disrupt the (private) power grids of major cities’ (Nye 2003: 220). He does not, however, make any attempt to elaborate, critique or place images of cybersecurity threats within his own theoretical framework. Nye’s influential concept of ‘soft power’ is relevant for our topic nonetheless. Soft power is ‘the ability to get what you want through attraction rather than coercion or payments. It arises from the attractiveness of a country’s culture, political ideals and policies… Soft power rests on the ability to shape the preferences of others’ (Nye 2004a: x, 5). Nye argues that soft power is becoming more important in the digital age than ever before, mainly because of the evolving multiple channels of global communication which easily transcend sovereign boundaries (Nye, 2004b: Ch. 7). Importantly, however, soft power is more about form than content. Soft power and the global ICTs that facilitate it are not simply instruments of cooperation, democratization and peace, as Nye and other liberals would like to have it, but may just as easily be means of deception, propaganda and terror. If idealism and the fear of treading on realist ground by doing security analysis are removed, liberal theory implicitly provides insight into the nature of security in the digital age. In particular, it does so by paying due attention to the increasing plurality and significance of non-state actors, which are ‘sovereignty-free’, and to global complex interdependence, particularly its costs in terms of sensitivity and vulnerability. Two contemporary socioeconomic trends that are consistent with the dictum of liberal theory are important for our analysis: (1) the expanding partnership between the public and private sectors to provide services and (2) the merging of the civil and military spheres. Because of these trends, the distinctions in jurisdiction, competencies, duties and risks that used to pertain to different segments of societies have become blurred.
16
Johan Eriksson and Giampiero Giacomello
Governments have increasingly recognized that they alone cannot provide the growing number of public services needed by modern societies. The trend towards public–private partnership and privatization evident in, among others, the health, education and transport sectors has even extended to national security. For example, in the United States, the National Strategy to Secure Cyberspace of the President’s Critical Infrastructure Protection Board of September 2002 relies on public–private partnership, conceding that ‘Government alone cannot secure cyberspace’ (PCCIP 2000: 5). This might be seen as a ‘civilianization’ of the military or, perhaps, a ‘militarization’ of society. For instance, the recent ‘war on terrorism’ is being waged with a mix of military and law enforcement approaches. The post-9/11 reform resulting in the new US Department of Homeland Security (DHS) is yet another illustration. In a speech to the Electronics Industries Alliance, Homeland Security Director Tom Ridge (2002) argued that the DHS indeed encouraged interoperability and cooperation at all levels. The integration and complex interdependencies that follow from the information revolution are most apparent in the telecom sector. The military has always used civilian telecom networks to some extent, but currently, the vast majority of military communication is transmitted through civilian networks and is indeed dependent upon them. Computer networks have become incorporated in the development of hard military power, but they have also become the mainstay of soft power (Fountain 2001; Nye 2002, 2004a). The question remains, nonetheless, whether a theory that was originally designed for analysing actors and processes primarily in a political economy context can capture the impact of the information revolution on security. Is the development of global ICTs mainly a continuation and expansion of the transnationalization of society and economy which first began with trade and travel or is it something qualitatively different? Liberal analysts, including Nye, seem to suggest the former, but the question should remain open for further inquiry and critique. The inherent bias towards modernism and enlightenment tends to make liberals emphasize the positive rather than the negative aspects of complex interdependence and information technology.16 Cyberthreats and other challenges of the information revolution are clear and present elements of the more general trend of globalization, which arguably weakens the sovereignty and security
IR theory and digital-age security
17
of the state. Non-state actors are becoming even more numerous and powerful because of the information revolution. The emergence of the Internet made real-time global communications possible, not only for existing NGOs, but also for new, exclusively online groups. This can obviously have both positive as well as negative effects: integration, cooperation and liberation may be eased, but also terrorism, transnational crime and the destabilization of states.17 The liberal emphasis on a plurality of world actors is perhaps the most valuable contribution to theory building with regard to security in the digital age. This theme, however, is still underdeveloped. Arquilla and Ronfeldt (2001) are among the few scholars who not only adopt mainstream liberal notions of globalization and other challenges to state sovereignty, but also explicitly address the issue of actor plurality in the security problems of the digital age. They do so mainly by introducing and applying general network theory. Nevertheless, they do not make any explicit attempt to communicate with or contribute to theory. Although providing a theoretically informed analysis, their writing is most accessible to policy analysts and policy-makers, rather than to students of international relations. Constructivism In the late 1980s, social constructivism (or simply ‘constructivism’) was explicitly introduced into the IR discipline. Since then, IR constructivism has expanded enormously, making a significant impact, in particular, on meta-theoretical debates, and increasingly on theory building and empirical research in IR.18 The breakthrough for IR constructivism came partly from attacking the meta-theoretical rationalism which is common to both realism and liberalism19 and partly from providing substantive interpretations of those processes and factors downplayed by these theories. The end of the Cold War implied a crisis for both realism and liberalism, as both perspectives failed to account for this paradigmatic change. This consequentially opened a window of opportunity for constructivism. In terms of ontological and epistemological positioning, IR constructivists claim to have seized the ‘middle ground’ between rationalism and postmodernism (Adler 1997; Wight 2002: 36). Constructivists emphasize the unavoidability of the interpretation (and thus distortion) of reality, especially with
18
Johan Eriksson and Giampiero Giacomello
respect to the understanding of social and political activity. The ambition to uncover causal mechanisms and patterns is, notwithstanding, seen as entirely compatible with constructivism. Constructivists maintain that there is a material reality (for example, computers and cables) as well as a social reality (identities, interests, norms and institutions), and that it is meaningful to distinguish between the two. The argument here is that unlike material reality, social reality is socially constructed, and so is consequently always susceptible to change. Thus constructivists argue that social realities such as interests and identities can never be seen as static or be taken for granted, but should be seen as constantly produced and reproduced. Rather than asking what social realities are, IR constructivists ask how social realities become what they are (Wendt 1992; Adler 2002). Constructivists come in many forms and guises (modernist, critical and pragmatic) and advocate a very wide range of methodologies and an even wider range of particular IR theories. Some constructivists focus entirely on states and the interstate system (Wendt 1999), while others study, for example, NGOs and transnational communities (Keck and Sikkink 1998) and epistemic communities (Haas 1990; Adler 1992). Adler (2002: 108, 110) has also suggested that constructivists should focus more on the individual. In terms of providing frameworks for understanding world politics, constructivism is clearly much more heterogeneous than realism and liberalism (Checkel 1997; Fearon and Wendt 2002: 56). If there is anything resembling a core constructivist theorem on what forces shape world politics or social reality in general, it goes something like this. At the most basic level, actors have a set of norms – beliefs about right and wrong. Norms shape identities – the separation of ‘we’ from ‘them. In turn, identities shape interests. Importantly and in contrast to rationalism, all of these elements are seen as inherently dynamic. If interests change, it is because there is an underlying shift in identities and norms (Adler 2002: 103–4; compare Ruggie 1998). Not only are social factors seen as dynamic, but also as strongly conditional. Unlike realism and liberalism, constructivism does not aim for universal theory, but for conditional generalizations (Adler 2002: 101). Unlike postmodernists, however, constructivists do not resort to idiosyncratic narrations, but rather strive to uncover patterns of similarities and differences. What constructivism contributes is a pragmatic meta-theoretical stance on material as
IR theory and digital-age security
19
well as social reality, an emphasis on conditional generalizations, and a few guidelines as to what substantive IR theories should include and look at, especially the dynamic interplay between social factors such as norms, identities, interests and institutions. Constructivist security studies have contributed both with elaborations on the security concept and with more substantive analyses of security policy, as well as illuminating the relationship between security policy and national identity (Wæver et al. 1993; Katzenstein 1996; Buzan et al. 1998). When using a theoretical framework based in realism or liberalism, it is more or less prescribed as to what can or cannot be a security threat. In general, realists focus on violent actor-based threats (interstate war), while liberals tend to apply a wider perspective, including both non-state actors and structural threats (compare Sundelius 1983). Constructivism, on the other hand, does not take a general stance as to what can or cannot be framed as a security threat and how such threats can be dealt with. Constructivism focuses on the verb ‘become’ rather than ‘can’ or ‘cannot’ (Adler 2002: 95). Nevertheless, constructivist security studies tend to emphasize identity and culturally related threats, particularly as these have been downplayed in realist and liberal accounts of security (Buzan et al. 1998). The empirical openness of constructivism makes it possible to address the widest possible range of perceived security threats. In terms of threats to critical infrastructures, this could, for example, include not only digital attacks, but also technical collapses and bugs such as the infamous Y2K problem, as well as natural disasters such as earthquakes and volcanic eruptions. A noteworthy constructivist approach to security is the theory of ‘securitization’, developed by the ‘Copenhagen school’. This is about how, when, and with what consequences political actors frame something (anything) as a matter of security (Wæver 1995; Buzan et al. 1998; Williams 2003). The emphasis is on ‘speech acts’ (that is, political language) and the implications this has for political agenda-setting and political relations. Securitization implies that an ‘existential threat’ is identified, and that this speech act prioritizes the issue on the political agenda, legitimating extraordinary measures such as secrecy, the use of force and invading privacy. The Copenhagen school, while advocating a wide understanding of security, has not considered the information revolution at all.
20
Johan Eriksson and Giampiero Giacomello
Eriksson (2001a), however, has studied the securitization of information technology in Swedish politics. His analysis shows the impact of different frames of IT-related threats on whom or what is blamed, and who is allocated responsibility for dealing with the problems. For instance, framing an incident as ‘cybercrime’ implies that criminals are to be blamed, and that the police are responsible for dealing with them. In contrast, the very same incident can also be framed as an instance of ‘information warfare’, which implies that enemies to a given nation-state (other states or non-state actors) are to be blamed, and that the military has a responsibility to respond to the threat (Bendrath 2001; Eriksson 2001a). In the few additional constructivist accounts of digital-age security currently available, the emphasis is mainly on how information warfare challenges a multitude of boundaries, notably, boundaries of identity. Everard (2000) argues that information warfare is a particular kind of ‘identity warfare’ in which all kinds of boundaries are challenged, including the classical domestic–international divide. Hence, the identity of the nationstate is at stake, although it may very well adapt, rather than succumb, to the constant penetration of formally sovereign boundaries and the emergence and articulation of new identities in cyberspace (compare Saco 1999). The constructivist analysis of power and security in a virtual world implies emphasizing the significance of images and symbols in addition to the material reality of computers and cables. According to Der Derian (2000), one of many effects of war in the digital age is that it distances (some) actors from the bloody reality of war. This distancing is not about rendering geographical distance irrelevant (for example, the possibility of a hacker attacking a computer in Shanghai from a computer in Seattle, via a computer in St Petersburg). While not discounting the significance of decreasing geographical distance, what we are, rather, referring to here is how virtuality affects the perception and conduct of war. Digital war is similar to computer games, to the extent that simulation is performed and perceived in the same way, that is, by using the mouse and keyboard of a computer. Virtuality thus blurs the boundary between the real and the imagined. It is no coincidence that the entertainment industry, including the film and computer-gaming industries with their effects and tactical tools and
IR theory and digital-age security
21
software, is also an increasingly important source of inspiration and expertise for the military (Der Derian 2000; Everard 2000). The study of ‘symbolic politics’ (the use and abuse of symbols for manipulating political discourse and public opinion) is highly relevant for studying digital-age security. The symbolic politics approach, first and foremost represented by Murray Edelman, is a constructivist contribution in social science, introduced long before the information revolution (Edelman 1964, 1977, 1985, 1988; ’t Hart 1993; Merelman 1993; Sears 1993). One study has been conducted regarding the digital symbolic politics of US presidential campaigning (Klinenberg and Perrin 2000), yet the symbolic politics approach has not previously been applied in studies of digital-age security. Defacing websites is a noteworthy practice of symbolic politics, less antagonistic than, but nonetheless comparable to, the burning of an enemy’s flag. The cost of mending a website and securing a server is usually negligible in comparison with the cost in terms of lost confidence, disparagement and feelings of vulnerability. Assaults and counterattacks against US and Chinese government websites by hackers from the respective countries have transpired. Similar digital wars are going on between Israeli and Arab hackers and between Pakistani and Indian ones. A symbolic politics approach shows how and why these actions are seen as an insult, an offense to national pride (or a corporate brand). The Internet could be seen as the vast new global arena for symbolic politics par excellence. Constructivist analysis can, moreover, illustrate the function and impact of language in digital-age security. By making use of analogies to things familiar in the ‘real’ or off-line world (comparisons to ‘bugs’, ‘viruses’, ‘worms’ and ‘firewalls’, for example), the abstract and technically complex world of cybersecurity is made intelligible and indeed meaningful. The use of terms such as information ‘warfare’ and ‘electronic Pearl Harbor’ conveys a special meaning: that which is digital by nature has, nonetheless, physical consequences comparable to those of conventional war. Constructivist analysis can contribute to revealing and understanding the significance of such rhetoric and symbolic actions.
22
Johan Eriksson and Giampiero Giacomello
Applicable perspectives? A pragmatic approach In this introductory chapter, we have attempted to demonstrate the need to develop middle-range theories that integrate liberalism, constructivism and realism for understanding the impact of the information revolution on security. The specialist literature on security in the digital age is policy oriented with little or no ambition to apply or contribute to theory, and IR scholars have, with few exceptions, paid only scant attention to the security problems of the digital age. In this conclusion, we seek to provide some initial guiding direction as to how this gap between theory and research can be bridged. Liberalism and constructivism nominally seem to have more to say about our topic than is the case with realism. If stripped from its idealist and antirealist pretensions, liberalism grasps many of the elements of security in the digital age: the multiplicity of nonstate actors with transnational capacity, network economies, ‘vulnerability interdependence’, and the consequent perforation of formally sovereign boundaries. Likewise, constructivism seems apt for analysing the symbolic, rhetorical and identity-based aspects of digital-age security. In general, realism tackles the challenge of the digital age as it has tackled other features of globalization – by largely ignoring it, or by subsuming information security to either political economy or domestic politics, none of which fit comfortably in the (neo)realist field of vision. There is, however, another possible application of (classical) realist thought in strategic studies in which information warfare is a key concept. In this perspective, information warfare is the technological continuation of classical forms of psychological warfare and, more recently, of electronic warfare. Yet even in this perspective, the analysis does not go beyond a military and state-centric orientation. The foregoing analysis has shown that there are two interrelated problems in past efforts at understanding security in the digital age. First, theory and practice on this matter are so distant that they hardly ever inform each other. Second, existing IR theories are plagued by an entrenched dualism, implying great difficulties for theoretical adaptation and application in analyses of the complexities of the emerging new digital world. One possible way of overcoming these problems is by adopting a more ‘pragmatic’ approach.20 While there are several strands of pragmatist philosophy, pragmatism generally advocates bridge
IR theory and digital-age security
23
building between theory and practice, methodological pluralism, contingent generalizations, and theoretical complementarities and tolerance rather than entrenched opposition (Bauer and Brighi 2002: iii). This seems to be exactly what is needed to bridge the gap between theory and practice, and to help overcome the dualistic conflicts in academic IR. There is thus no reason why the scholar trying to understand digital-age security cannot draw simultaneously on insights from a diverse range of IR theories, unfortunately often depicted as contending or incompatible, and on insights from the policy-oriented literature. The critical reader might wonder whether ‘pragmatist’ is another word for ‘empiricist’, or more cynically worded, for ‘not smart enough for theory’ (Lewontin 1992). Indeed, pragmatism is more of an orientation, or ethos, than a theory. This is, however, a necessary first step to overcoming the chasm between theory and practice, and while a particular theory is not proffered, a fruitful starting point for the development of theory on security in the digital age is provided. With such a pragmatic approach applied to case studies and comparative analyses, it is possible to build a foundation upon which further theory building can be done, with an emphasis on middle-range theory and on conditional rather than universal generalizations.
Structure of the book The contributors to this volume were asked to address two questions: (1) What is the impact of the information revolution on security, as seen in your particular field of research, issue-area, or case study? and (2) How can international relations theory (or other relevant theories) enhance understanding of the particular issues of digital-age security that are addressed in your study? The questions are obviously interrelated. The evaluation and development of theory depends on its empirical application. Part I focuses on the politics of threats in the digital age. In Chapter 2, Magnus Ranstorp analyses how al-Qaeda and other Islamic terrorist groups make use of cyberspace. Ranstorp claims that cyberspace is not merely an add-on that facilitates mobilization and terrorist propaganda, but that it is the very nerve centre of global jihadism. This argument is pursued through an empirical inquiry which mainly makes use of network theory and social movement theory. In Chapter 3, Ralf Bendrath, Johan Eriksson, and Giampiero Giacomello analyse how the US framing
24
Johan Eriksson and Giampiero Giacomello
of cyberthreats has varied over time. It is argued that this threat framing cannot be explained by how cyberincidents have unfolded. Rather, it has been domestic and bureaucratic politics, including the ideological profile of various administrations, as well as major offline incidents (especially 9/11) that have played and continue to play important roles. In Part II, on the politics of protection, four chapters analyse how governments and international organizations have responded to the perceived threats of the digital age. In Chapter 4, Myriam Dunn critically examines what particular features and challenges a theory of ‘information age security’ would entail. It is argued that focusing on acts of securing information systems is more fruitful than trying to make sense of the essentially contested concept of security in the digital age. With an emphasis on critical infrastructure, Dunn uses complexity theory and globalization theory to making sense of the patterns of continuity and change in state power and security. In Chapter 5, Hamoud Salhi theorizes the impact of information technology (IT) on security in the contemporary Middle East. The spread of IT in the Middle East region has been comparatively slow, and so has theory building on this topic. Salhi explores the relative merits of realism, liberalism and constructivism. In contrast to the views of the editors in Chapter 1, Salhi argues that realism provides the best fit, but that one should not disregard liberalism altogether. His main argument is based on the relatively firm governmental control of the Internet in the Middle East states, which is in contrast with the development in ‘western’ liberal democracies. In Chapter 6, Lorenzo Valeri adopts a neo-institutionalist perspective to examine the consequences of an ‘information regime’ in international relations. Malicious activities and system outages affect one of the pivotal elements for the continuous success and growth of the Internet: trust in online public and private activities and overall confidence in the medium. Valeri examines how to establish an international regime for information assurance. He contends that such a regime may develop only if states and private businesses are able to cooperate. In Chapter 7, Ian Hosein and Johan Eriksson look at the interactions between domestic and international dynamics in the regulation of electronic dataflows. It is argued that this essentially transnational process involves strategies such as ‘policy laundering’ and ‘forum shopping’. The chapter traces the movement of policy
IR theory and digital-age security
25
ideas and innovations from national laws to international organizations through coalition building, and the return to national legislatures through harmonization and treaty ratification. Empirically, focus is on the regulatory processes within the Group of Eight (G8) and the Council of Europe. The concluding chapter, written by the editors, synthesizes the discrete observations and arguments in the preceding chapters in order to (1) suggest a number of propositions on the impact of the information revolution on security; (2) evaluate the utility of IR theories for understanding digital-age security; and finally (3) discuss requirements for further theoretical development on this subject matter.
Notes 1 2
3
4
This chapter is an updated, expanded and in many other ways revised version of an article that has appeared in International Political Science Review (Eriksson and Giacomello 2006). A noteworthy exception is Millennium’s special issue on IR and the digital age (vol. 31, no. 3). This issue deals primarily with IR theory and the information age in general, however. Contemporary Security Studies has also had a special issue (vol. 24, no. 1) published on national security in the information age. This special issue makes several interesting policy-relevant points, but does not tackle the question of what IR theory can or should say about the empirical puzzle. The same weakness plagues an otherwise useful volume on The Information Revolution and International Security, edited by Henry and Peartree (1998). A possible point that might be raised by the reader here is whether this is not true for nearly all information technologies. Radio, television, the telegraph, and even books and newspapers are, after all, both infrastructure and medium. This possible criticism misses the point, however. With the Internet information about the status of the network, about financial transactions, and about the functioning of other utilities travels on computer networks along with emails to friends and relatives or messages in ‘intimate’ chat groups. This is not the case with radio or television. Data on the functioning and management of a television or radio network does not travel ‘in clear’ (that is, unencrypted) on the same wavelength along with the morning news or weather forecast. The US Department of Defense has renamed Information Warfare (IW) as Information Operations (IO). NATO has also adopted the same definition. IO are ‘actions taken to affect adversary information and information systems while defending one’s own information and information systems’ (Denning 1999: 10). Hence, IO is a broad concept that includes physical means (for example, a precision bomb or a hammer) as well as digital means (a virus or a ‘hoax’) to fulfil
26
5
6 7 8
9 10 11
12
Johan Eriksson and Giampiero Giacomello that objective. If the tools used are digital, then the operation falls into the subclass of Computer Networks Operations (CNO). CNO are further divided into Computer Networks Exploitation (CNE), Computer Networks Attacks (CNA), and Computer Networks Defense (CND). CNO are also divided into nonlethal and lethal CNO. The former group is much larger and comprises the most diverse actions, ranging from propaganda and perception management to psychological operations (psychops), denial-of-service (DoS) attacks on commercial websites, web defacement, espionage, and cybercrime. The goal is to control, disrupt, alter or deny use of information, more than to cause damage or kill people. The latter class of CNO aims at destruction or disruption of information infrastructures to provoke economic damage or even casualties. RMA, which depicts a technologically driven change in military strategy, has received considerable scholarly attention both within and beyond the military. Like most other work on information security and technology, however, the RMA literature is distinctively empiricist (see Laird 1999; Gongora and Von Riekhoff 2000; Matthews and Tredderick 2001; Sloan 2002; Goldman and Mahnken 2004; Goldman 2005). See also the following statement by US Senator John Edwards (2002): ‘We live in a world where a terrorist can do as much damage with a keyboard and a modem as with a gun or a bomb’. This is a metaphor that has been circulating among so-called ‘infowarriors’ since the mid-1990s, reportedly coined by Winn Schwartau, the creator of www.infowar.com. Libicki (1997: 38) hoists a warning against equating the destruction of bits and bytes with the bloodshed of conventional war and terrorism. To some extent, the volume edited by Robert Latham (2003) inadvertently suggests that type of association. For instance, in 1994, the Russian hacker ‘Vladimir Lenin’ illegally transferred $10 million from the American Citibank (Cordesman 2002; Freedman 2000; PBS Online 2002). On this point, see, for example, Denning (2001a), DSBTF (2001: ES4), and F-secure (2003). This is illustrated by well-known incidents of cyberattacks. In 1998, three young hackers successfully intruded upon hundreds of computer systems with sensitive US armed forces information. The incident, subsequently dubbed ‘Solar Sunrise’, initially provoked fear of a possible information attack by a ‘hostile nation’, supposedly Iraq. Two of the young hackers turned out to be located in California and the third in Israel (Bendrath 2001; Cordesman 2002: 40; DSBTF 2001: 2). According to several scholars (Keegan 1993; Van Creveld 1991; Kaldor 1999), contemporary wars have rendered Clausewitz obsolete. War as a rational instrument of a state’s foreign policy is too limited a concept. Sun Tzu (1963) with his emphasis on surprise, deception, attacking weak points, and ‘unlimited war’ seems to be the theorist of modern times. Clausewitz (a romantic, dialectic, and complicated European) was much more articulate than many readers might
IR theory and digital-age security
13
14 15 16
17
18
19
20
27
imagine, however. His point was that war is policy as well as politics. There is no distinction between politics and war; they are part of the same game. Clausewitz’s conclusion is much more apt for modern network societies than many might expect. As societies grow more and more dependent on computer networks, they also increase their vulnerability. The artificial distinction between politics and war (or peace and war) that Clausewitz warned against acquires new meaning in the digital age. There are a few liberal analyses of regime building and institutionalization concerning the Internet and other elements of the digital age. Some concern mainly non-security issues (Franda, 2001; Rosenau and Singh, 2002), but Valeri (2000) and Giacomello (2005) are exceptions. For an overview of IR liberalism, see, for example, Duncan et al. (2003: 29, 32-4). On this point, see also Keohane and Nye (1977, 1989) and Camilleri and Falk (1992). Liberals would acknowledge that ‘sovereignty-free’ actors include, for example, not only General Motors, the International Monetary Fund, and Amnesty International, but also al-Qaeda, the Irish Republican Army, and Cosa Nostra. An anathema for liberalism is the contagious fear that democratically elected decision-makers cannot provide domestic security, let alone guard state and society against transnational threats. With his theory of ‘risk society’, German sociologist Ulrich Beck (1992, 1999) provides a fundamental critique of liberal, utopian visions of modernization. In Beck’s analysis, the development of and increasing reliance on modern technologies, such as nuclear power, has the effect of constantly producing new risks. In this perspective, the focus is on the side effects of new technologies for communication, energy production and commerce. In particular, Beck emphasizes the ecological risks of living with new technologies. Beck is, however, strikingly quiet on the risks of new ICTs in general, and on cyberthreats in particular. Onuf (1989) and Wendt (1992) are generally acknowledged as two of the original constructivists in contemporary IR theory. For a useful overview of how IR constructivism has developed since then, see Adler (2002). Some scholars claim that the gap between rationalism and constructivism is exaggerated and that it can and should be bridged (Checkel 1997; Katzenstein et al. 1998). This controversial argument presupposes, however, that a division of labour is made between explaining instrumental action (rationalism) based on interests and explaining the norms and identities which shape interests and thus action (constructivism). Adler (2002: 108-9) considers this a way of subsuming constructivism under rationalism, a way of seeing constructivism as merely a background theory of an otherwise rationalistic approach. Pragmatism is a philosophical orientation developed mainly by American thinkers such as Charles Sanders Peirce (1963) and John
28
Johan Eriksson and Giampiero Giacomello Dewey (1948). Recently, a handful of IR scholars have tried to restore pragmatism in IR. Millennium (vol. 31, no. 3) recently devoted a special issue to this topic.
Part I
The politics of threats
2
The virtual sanctuary of alQaeda and terrorism in an age of globalization Magnus Ranstorp
The conjunction of 21st-century Internet speed and 12th-century fanaticism has turned our world into a tinderbox. Tina Brown1
Introduction The fusion of globalization and terrorism in the twenty-first century has created a new, adaptable and complex form of ‘networked’ asymmetric adversary. For al-Qaeda and its successor affiliates, the Internet has become not just a virtual sanctuary, where every dimension of the global jihad is taking place online. In many ways cyberspace has created a virtual university of jihad with advice available anytime to any militant and it has vastly expanded the potential audience and modes of interaction. It was also always more than a functional tool to enhance communication, promote ideology, recruit, fundraise and even train new adherents. For al-Qaeda and its progeny, cyberspace constitutes a form of central nervous system as it remains critical to its viability in terms of structure and even more as a movement. Some have even argued that al-Qaeda has become the ‘first guerrilla movement in history to migrate from physical space to cyberspace’ (Coll and Glasser 2005). This virtual migration has opened up infinite and powerful avenues to project the Salafist jihadi narrative. In this virtual battlefield it is clear the militants have mastery of mechanisms to project this ‘single narrative’ in a way that carries enduring resonance and with a logic that thousands of Muslims find absolutely compelling. This allows it to regenerate and reconstitute
32
Magnus Ranstorp
endlessly and to survive, flourish and expand in the real and virtual worlds. Some argue that this new form of ‘cybermobilisation’ is ‘perpetuating a fractionation of violence, a return to individualized, mob-driven, and feudal forms of warfare’ (Kurth Cronin 2006). Thomas Friedman argues that globalization has led to the emergence of ‘super-empowered individuals’ (Friedman 2002). In this sense, these terrorist entities display a ‘global microstructural configuration […] as structures of connectivity and integration are global in scope but microsociological in character’ (Knorr Cetina 2005: 215). Other scholars have focused on the ideational dimensions of what al-Qaeda represents and emphasize the normative environment. As Marc Lynch has argued ‘al-Qaeda’s constructivism derives both from structural factors – absence of a territorial base, a globalized field of contention shaped by the new media and information technologies – and Islamist ideas themselves’ (Lynch 2006). In this constructivist terrain, ‘strategic social construction – actions oriented towards shaping the background beliefs and norms of international politics – is at the core of al-Qaeda’s strategy’ (Lynch 2005). Globalization has enabled this transfiguration of local politics into the global instantaneously in what Ulrich Beck describes as ‘a non-linear, dialectic process in which the global and the local do not exist as cultural polarities but as combined and mutually implicating principles’ (Beck 2000; Beck 2002: 17). As Jarret Brachman has argued ‘al-Qaeda’s harnessing of technology has been a calculated strategic move – the goal being to catalyze awareness of the need for Muslims to “resist” and open new ways for them to participate in that resistance’ (Brachman 2006: 158). This chapter explores this strategic move and the full spectrum of interaction between violent ‘resistance’ and cyberspace.
Understanding globalization and terrorism Al-Qaeda has been described by Francis Pisani as a ‘particularly complex organisation, halfway between a sect and a medieval military order. It is a network of networks’ (Pisani 2002). The debate on how al-Qaeda is best understood reveals the uncertainty as to whether it is an ideology, a social movement, a dark network, ‘several networks or the network of networks?’ (Milward 2006). Some have argued that it is ‘more of an ideal or social movement
The virtual sanctuary of al-Qaeda
33
that is replicated by relatively disconnected groups than a network of cells controlled by a “mother ship” ’ (Corman and Schiefelbein 2006: 4). In order for us to understand the durability and resilience of the polymorphic constellations of Salafist jihadist networks it may be useful to turn to David Ronfeldt’s analytical framework in which he advances that the strongest network rests on the integration across five levels: on the organization level (their networked design); on the doctrinal level (collaborative strategies); the technological level (particularly information systems); the social level (relationships that ensure loyalty and trust in closed systems); and on the narrative level (Ronfeldt 2003). In fact, Ronfeldt argues that ‘the strongest networks will be those in which the organizational design is sustained by a winning story and a welldefined doctrine, and is all this is layered atop suitable communications systems and strong personal and social ties at the base’ (Ronfeldt 2003). The prevalence of personal relationships have been persuasively underscored by Marc Sageman’s work, arguing in his voluminous case-study of 400 al-Qaeda members that 70 per cent were initially formed and shaped through close friendship and the remainder through family contacts or other such similar relationships (Sageman 2004, 2005). These social dimensions are difficult to penetrate but critical to understand. Again David Ronfeldt (2005) forcefully argues that al-Qaeda and its affiliates represent a global tribe waging segmental warfare upholding codes of honour – respect, pride, trust, dignity, reciprocity and revenge are powerful tribal motifs that confer legitimacy to their violent action and as a powerful instrument of mobilisation to widen their social and popular appeal. These cultural themes are recurring across many different levels of Salafist jihadist propaganda and psychological warfare, offering a remarkably revealing window into the connectivity between past battles, contemporary realities and future missions. Often skilfully choreographed in cyberspace and in Arabic, this rich figurative symbolism evokes powerful passions from within Islamic history and culture. From using the Black Flag (al-raya), the battle flag of the Prophet, and horses with riders (emphasizing the human agency in jihad) and swords to using different colours within the Islamic tradition and the iconography of martyrdom are all skilfully designed to conjure up key salafiyya notions of jihad in early Islam and to stir the passions of the heart and mind of soldiers and potential sympathizers and recruits.2
34
Magnus Ranstorp
In the mindset of Salafist jihadi adherents, 9/11 was a ghazwah, a raid following in the footsteps of the Prophet’s many raids as a warrior emir. The immediate connectivity between the sacred past and the present is at the very centre of the Salafist jihadi mindset (Wiktorowicz 2006). This cultural paradigm is critical to study and unlock in order to understand the inner landscape of jihad and Occidentalism (Raufer 2003; Devji 2005). In many ways, one could liken al-Qaeda to a band of historic ghazi ‘constantly occupied with raiding the lands of the infidel…coming under his flag of ever increasing numbers of gharibs (rootless wanderers of various origins)’ (Vlahos 2002: 13). Another cultural dimension that has remained unchanged by the forces of globalization but is little understood is the different conceptions of time and space concerning the longevity and sacred nature of the jihadi mission or its direction. Based on extensive secret contacts and inner thoughts of al-Qaeda leaders and members, Fouad Hussein (a Jordanian journalist who spent time in prison with Abu Musab al-Zarqawi) provides in his book AlZarqawi – al-jil al-jadid lil-Qa’idah (Qaeda’s Second Generation) a unique synthesis of the disparate elements making up what is essentially al-Qaeda’s grand strategy. In essence, Hussein argues that al-Qaeda views its struggle as a long-term war with seven distinct phases that are going to last at least until the year 2020: •
•
•
Phase one is the ‘awakening’ of the consciousness of Muslims worldwide following the September 11, 2001, suicide attacks to the fall of Baghdad in 2003. The aim of the attacks was multifaceted. First and foremost the attacks were designed to provoke the US into declaring war on the Islamic world in order to ‘awaken’ Muslims everywhere. The radical Salafist jihadi message would reverberate across the globe, creating the conditions for mobilizing a new generation of radicals. Phase two is known as ‘Opening Eyes’, which began in the autumn of 2003 and lasted until 2006. The underlying aim is for the terrorists to make the ‘Western conspiracy’ aware of the ‘Islamic community’ and where al-Qaeda transforms from an organization to a movement. Iraq constitutes the epicentre for the jihad and for global operations while it continues to mould secret battalions ready for battle and bases across the Arab world. Phase three, ‘Arising and Standing Up’, should last from 2007 to 2010, with a focus on attacks against Turkey and the arch-
The virtual sanctuary of al-Qaeda
•
•
•
•
35
enemy Israel and neighbouring Jordan. The focus on attacking Israel is designed to increase the legitimacy of the movement. It is also believed there will be a focus on Syria. Phase four, lasting between 2010 and 2013, will see the downfall and even collapse of hated, corrupt and ‘godless’ Arab regimes. The weakening of these Arab regimes will only strengthen the support for the movement. A primary focus will be on attacking oil suppliers and the US economy will be targeted using cyberterrorism. Phase five will be the point at which an Islamic state, or caliphate, can be declared – between 2013 and 2016. This will become possible as Western influence in the region is significantly reduced with Israel weakened. The Salafist jihadi resistance will not be feared any more and the new situation is the beginning of a new world order. Phase six, from 2016 on, will be a period of ‘total confrontation’. As soon as the caliphate has been declared, the ‘Islamic army’ will instigate the ‘fight between the believers and the non-believers’ which has often been prophesied by alQaeda’s leader, Osama Bin-Laden. Phase seven, the final stage, is described as ‘definitive victory’ because the rest of the world is worn down by and cannot resist the will of one-and-a-half billion Muslims. (Hall 2005; Musharbash 2005a)
The synthesis of these different strands provides a useful window into the multi-strand and often parallel priorities pursued by those mobilized by the global revolutionary flag of alQaedaism. In some ways it crystallizes the different instrumental dimensions of terrorism. As underscored by Khalid Sheikh Mohammad, the Chief of External Operations within al-Qaeda and the principal architect of 9/11, in the written submission of evidence at the Zaharia Moussaoui trial, the initial purpose of the attack on the Twin Towers was to ‘wake the American people up’ (‘Substitution for the Testimony’ 2006). It was also meant to create a massive American overreaction through which the powerbase of Islamist extremists could create a momentum with a self-feeding mechanism and replication power. All these different phases are strictly not meant to be a sequential blueprint for action but they reveal overlapping directives and areas of priority and concentration for subversive violent action. Collectively they also reveal the competing different
36
Magnus Ranstorp
centres of gravity within Salafist jihadi ideological circles. These differences appear either in their ideological discourse or based on geographic considerations that sharply focus where and against whom violence should be directed. At its core this divergent issue reveals the internal debates on whether to focus in the violence against the ‘near’ or ‘far’ enemy. This division of labour has always been the object of debate since Abdallah Azzam, one of the chief ideologues behind alQaeda, advanced the idea of ribat, the need for ‘enlightened’ jihadists to place themselves directly as a spearhead in defence of Muslims under siege. Answering the call for action was a sizeable contingent of foreign mujaheedin fighters flocking principally from Afghanistan and the Arabian Peninsula towards defending Muslims in the Balkan conflict in the early 1990s (Kohlmann 2004). Some of these fighters joined the call to battle, Ilhaq bi-lqafila (Join the Caravan) to martyrdom while others committed ‘war crimes.’ Many moved periodically between regional conflicts from Bosnia and Kashmir to Chechnya and of course Afghanistan. These regional conflicts crystallized the spirit of a Salafist jihadi vanguard that would later become al-Qaeda. It did, however, constitute a heterogeneous ideology as it contained a number of ‘intellectual substreams with various priorities’ (Lia and Hegghammer 2004). As globalization intensified, the local became instantaneously global, providing news of any local Muslim issue in any remote region of the world. This ‘cyberumma’ is constantly evolving and developing in all directions. It is supplemented at its base by more traditional modes of physical interaction spreading ideas, new doctrines and contacts. In particular, the role of the hajj to Mecca and Medina in Saudi Arabia can be considered the ‘mothership’ of the networking of Muslims worldwide as ideas and virtual networks spread and replicate, cross-fertilize and intensify. For the Islamist extremists, moving constantly between these spheres of virtual and physical interaction provides a high degree of interoperability and survivability in hostile environments. Fouad Hussein’s synthesis of al-Qaeda’s plan for the future not only reveals different spatial dimensions in terms of the concept of time. It also manifests itself in the form of organization. Unlike the West’s proclivity to categorize and create sharply delineated boundaries and hierarchies to achieve structure and order, the creation of al-Qaeda represented not only a ‘solid base’ but a norm, a principle to follow. As underscored by Abdallah Azzam, ‘every
The virtual sanctuary of al-Qaeda
37
principle needs a vanguard to carry it forward … this vanguard constitutes al-qaeda al-sulbah for the expected society’. This formlessness was emphasized by Khalid Sheikh Mohammad: ‘you must study these matters to know the huge difference between the Western mentality in administration and the eastern mentality, specifically at al-Qaeda’ (‘Substitution for the Testimony’ 2006: 55). The difference is also reinforced by the evolution of the revolutionary intellectual contributions by various Salafist jihadi strategists, most notably Abu Musab al-Suri and his 1,600-page treatise Da’wat al-muqawamah al-islamiyyah al‘alamiiyyah (The Call for an International Islamic Resistance). In this work, al-Suri emphasized the slogan nizam, la tanzim, ‘System, not organization.’ As perceptively argued by Brynjar Lia, this slogan meant ‘there should be an “operative system” or template, available anywhere for anybody, wishing to participate in the global jihad either on his own or with a small group of trusted associates, and there should not exist any “organization for operations” ’ (Lia 2006a). In essence, argued al-Suri, these independent and self-resurrecting cells would only be glued together by ‘a common aim, a common doctrinal program and a comprehensive (self-) educational program’ (‘Substitution for the Testimony’ 2006). This individualized and autonomous terrorism revolves around total self-reliance and self-finance for security and ‘relies on a total de-territorialisation of jihadist warfare’ with the entire globe as the theatre of war (‘Substitution for the Testimony’ 2006: 16). As underscored by Ubeid al-Qurashi, one of Bin-Laden’s lieutenants, al-Qaeda had embraced so-called fourth generation warfare (AlQurashi 2003) as these wars would, it was argued, tactically be small-scale, emerging in various regions across the planet against an enemy that, like a ghost, appears and disappears. This deterritorialization of jihadi warfare with the principle of atomization and self-initiation of terrorist cells follows some forms of order and structured pattern. As highlighted by a Dutch Interior Ministry report, new jihadist networks differed from traditional ones in that the new network Lacks a formal (hierarchical) structure, and has an informal, flexible membership and fluctuating leadership. It is incorrect, however, to conclude that such a network possesses no structure whatsoever. There is always a pattern of connections between individuals who communicate with one another with
38
Magnus Ranstorp a view to achieve a common goal. In some cases these communication lines converge in one or more core groups, which thus play a coordinating and controlling role. In other cases there are random communication patterns between all members while the network functions practically without leadership or central control. It is also possible for several groups to be active within one network. (Violent Jihad in the Netherlands 2005: 13)
As argued by Ronfeldt, the durability and strength of these networks rely on the close integration across five levels with a wellfunctioning communication system providing the essential glue for an effective projection capability of the narrative (or directives). Within this context, globalization and the revolution in information technologies have provided an infinite number of new avenues to explore and exploit for the Salafist jihadi autonomous cells. Cyberspace has provided full-spectrum capability to a degree that is almost limitless. It is abundantly clear that they have been quick to absorb these new technologies as they greatly expand the range of their operational and structural capabilities. They have also clearly shown the knowledge and determination to exploit these capabilities innovatively to enhance and protect their command and control within and between cell structures. This innovation is driven not just by their command of technology but sometimes by its intelligent simplicity in design or process. Predetermined coded messages between cell members are often transmitted through ancient personal messenger methods as a complex operation moves closer towards execution. For example, this simplicity was revealed by Khalid Sheikh Mohammad who stated that ‘I conducted the September 11 operation by submitting only oral reports. I would travel for a dayand-a-half until I reach Bin-Laden, and I inform him what was happening … (the) operation could be run successfully with simple primitive means’ (‘Substitution for the Testimony’ 2006). At the same time, the emir of the operation, Muhammad Atta, provided the initiation code to launch the 9/11 attack three weeks before the operation using an e-mail message to Ramzi bin al-Shib, the gobetween to al-Qaeda’s operational command: ‘The Semester begins in three more weeks. We’ve obtained 19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts, and the faculty of engineering’ (Fuda and Fielding 2003: 140).
The virtual sanctuary of al-Qaeda
39
The infinite variations, mixing advanced and simple low- or notech methods, create an impressive spectrum of choices. In many ways, al-Qaeda, along with other terrorist organizations, has recognized and exploited the infinite advantages that cyberspace can offer in significantly enhancing its own offensive capability in terms of intelligence, surveillance and reconnaissance (ISR) as well as its defensive capability in terms of command, control, communications, computers and intelligence (C4I). Adopting a multi-dimensional cyberapproach, combined with creative new communication technologies, allows operational agility and stealth mode far in excess of what was possible previously for terrorist organizations. It facilitates a polymorphic structure or design with multiplicity of nods or pods swarming towards a mission or resurrecting shortly before or after an operation. More fundamentally it allows survivability through a constant virtual presence with no real or tangible physical centres of gravity and in constant stealth mode and ideological motion. Having simply an online presence confers a certain degree of legitimacy which these organizations otherwise would not have. It also allows them to resurrect and reconfigure at any time. In many ways, the virtual world has become the principal vehicle through which terrorist organizations communicate with their own clandestine members, reach a broad audience of real and potential sympathizers, publish propaganda and wage a skilful auxiliary psychological warfare campaign to amplify violence on the ground. Nowhere is this more starkly illustrated than in their determination to invoke moral shock through videotaped brutal beheadings of hostages in Iraq and Afghanistan. Many of these shocking videos appear in extremist chat-rooms and websites available for anyone to access. The empowerment of the terrorists to create and distribute news themselves is evident in the explosion of Salafist jihadi websites, from below 20 before 9/11 to over 5,000 websites providing ideological tracts, discussion fora, weblogs and videos (Weimann 2006). The increase in the number of Salafist jihadi websites is only indicative of the fact that the cyberenvironments provide almost infinite tactical and strategic operational advantages. The Internet has become one of the principal means by which terrorists publish propaganda; proselytize, indoctrinate followers; recruit new members; communicate, train; engage in information gathering and reconnaissance; raise funds and other material resources;
40
Magnus Ranstorp
transfer funds; plan operations; and engage in information attacks on enemy websites or other critical information infrastructure.
Publishing propaganda and proselytizing in cyberspace Cyberspace has emerged as a principal arena for spreading Salafist jihadi ideology targeting internal and external audiences. Maintained by thousands of dedicated IT-literate activists, the jihadist Internet infrastructure is exploding in terms of size, scope and sophistication (Lia 2006b). In many ways the cyberspace is becoming a readily accessible digital library, an endless reservoir which contains a vast variety of religio-ideological tracts and texts, fatwas and khutbas (sermons) providing militant theological justification for undertaking violent actions. This virtual domain simultaneously expands and de-territorializes the social interactions between the local and global jihadist milieux. Ideological doctrines, derived and synthesized from Sayyid Qutb, Saudi neo-Tawhid, Azzam, al-Maqdisi3 and other contemporary Salafist jihadi sources and strategic thinkers, contribute to sharpening the internal ideological debate over the nature and direction of the sacred mission. Thomas Hegghammer has identified five principal categories that exert and shape the ideological tendencies and the direction of the mission: the leadership of the ‘old’ al-Qaeda (providing purpose for taking up arms against Crusaders); the religious scholars or ‘jihadi shaykhs’ (issuing fatwas and clarifying religious legitimacy of behaviour); strategic thinkers (offering advice on how best to fight the enemy through doctrines and paramilitary manuals); the active militant organizations (publishing their own texts and justifications for violence); and so-called ‘grassroots’ (radicals participating anonymously in radical Islamist discussion fora) (Hegghammer 2006). A unifying factor across all these levels is that most of this material is published and distributed on the Internet in various forms. In essence, these diverse Salafist jihadi contributors from around the globe participate in a collective ‘global brainstorming’ on how to achieve the desired effects through various action (Hegghammer 2006). Often these website contributions ‘keep ideological pace with breaking events’ (Ulph 2004). In this sphere, al-Qa’ida fi Jazirat al‘Arabiyya (al-Qaeda forces in the Arabian peninsula)iv has been particularly active, from establishing online magazines dealing in doctrinal or military instructions such as Sawt al-Jihad (Voice of
The virtual sanctuary of al-Qaeda
41
Jihad), Muaskar al-Battar (the Al-Battar Military Camp, the name of the Prophet Muhammad’s sword) and al-Neda who carry directives and interpretations by al-Qaeda-affiliated Centre for Islamic Studies and Research. A large portion of Sawt al-Jihad is dedicated to doctrinal issues and the religious justifications for waging offensive jihad and the numerous supporting fatwas supporting violence itself. There are also many first-hand jihadi battlefield accounts alongside portraits and wills of dead martyrs as well as interviews with fighters living on the run in the underground. They also demonstrate the zeal and heroism of young fighters. Many of those working ‘in the service’ of al-Qaeda utilized ‘authorized’ web sites in Arabic (rather than English sites that were primarily of propaganda value) to communicate internally and between operational and sympathetic members. A case in point is the establishment of the Yemeni wing of al-Qaeda website: ‘You ask and the jihadi base in Yemen answers’, established to counter rumours about arrests of members and to address broader queries of the jihadists (‘Al-Qa’ida Yemeni Branch’ 2003). An important Saudi-maintained website in this respect was one devoted to publishing a book on how to assist the mujahedin who are hunted down by the security organs in Saudi Arabia, Morocco and Afghanistan. Published by At-Tiby‰n Publications and entitled ‘39 ways for serving jihad and the mujahedin’, the book calls for adopting various means of publicising the ‘mujahedin news’ through Internet chatrooms and fora as well as printing and photocopying the news from websites for broader distribution, including relatives and friends; in mosques and public places and even through text-messaging (‘ProQa’ida Website’ 2003). Many of these websites are no longer just in Arabic, but in other languages also in order to reach a new generation of sympathizers and recruits living in the West. Closely associated to Sawt al-Jihad, a new publication surfaced in August 2004 dedicated solely to the female jihadists, al-Khansa, named after a famous woman poet who eulogized martyrs in the early days of Islam. Published by the Women’s Media Bureau in the Arabian Peninsula, Al-Khansa focused on practical ways in which women married to radical Islamists could provide support, especially when they faced pressure from the authorities, and how they should raise their children to become martyrs. Similarly Muaskar al-Battar offered the provision of a practical jihad culture to a new generation of youths through paramilitary guidance from the comfort of their homes. As stated in the first issue of Muaskar
42
Magnus Ranstorp
al-Battar: ‘Oh Mujahid (holy warrior) brother, in order to join the great training camps you don’t have to travel to other lands … Alone, in your home or with a group of your brothers, you too can begin to execute the training program.’ Another important website was al-Qaida’s official site Al-Neda maintained by the late Sheikh Yusuf Bin-Salih al-Ayiri, included on Saudi Arabia’s list of 19 persons wanted in connection with the Riyadh terrorist attacks on 12 May and who was killed in a clash on 31 May 2003. Sheikh al-Ayiri remains one of the most influential ideologues on the subject of the Salafist jihadi trends (especially in connection with Saudi Arabia and Iraq) and wrote around 40 books all published on the Internet (Paz 2005a). In the ‘Under the shadows of spears’ series written by Sulayman AbuGhayth, this web-site carried the news releases of Osama BinLaden for a couple of months. Al-Ayiri communicated regularly with Bin-Laden in Afghanistan using a laptop and was the main coordinator between members in Pakistan, Iran and the Arabian Peninsula (‘Fundamentalists: Al-Ayiri’ 2003). In Al-Ayiri’s possession when he died were four identity cards, a fake driving licence, a Magellan GPS system, a mobile phone with multiple SIM cards and a large amount of money (‘Fundamentalists: Al-Ayiri’ 2003). The capture of this website forced al-Qaeda-affiliated members to establish alternative ones, registering these online by email and using fake credit cards for the server fees. This specific capture of Al-Neda provided the crucial lesson for these jihadis that fixed Internet sites were exceptionally vulnerable as instead they turned more nomadic to ‘rapidly proliferating jihadist bulletin boards and Internet sites that offered free upload services where files could be stored’ (Coll and Glasser 2005). This nomadic virtual sanctuary points towards a dynamic and multilayered infrastructure of diverse functions flourishing globally. Brynjar Lia has categorized these interrelated functions as: the key nodes or ‘mother sites’; the distributors (who copy and upload jihadist material on new sites); and the ‘producers’ (reproducing raw material in sleeker form) (Lia 2006b: 17). As such, these websites constantly move their URLs and change addresses and even embed themselves within other websites to avoid detection. A recent example of this hijack was the discovery of hidden files of Abu Musab al-Suri’s 1,600-word International Islamic Resistance Call behind a password-protected US-based crafts website allowing extremists to avoid using ‘traceable data needed to start a new website’ (Levenson 2006).
The virtual sanctuary of al-Qaeda
43
Other websites and discussion fora contain key strategic texts by Salafist jihadi providing essential leadership and military principles alongside a longer-term vision. E-books are posted on various fora as exemplified by a 415-page book written by Bassam Assili and found on the al-Firdaws (Paradise) forum. This outlined the essential strategic cornerstones for success and leadership in the paramilitary arena and even stressed the necessity of having a sea presence.5 Among the most influential strategic texts distributed over the Internet is the 113-page e-book titled Idarat al-Tawahhush (Managing Savagery), written by Abu Bakr Naji who is an influential contributor to Sawt al-Jihad. Published by the al-Qaedaaffiliated Center for Islamic Studies and Research, the ten-chapterlong Managing Savagery – The Most Crucial Period to Be Faced by the Nation maps out a series of progressive stages towards empowerment and identifies suitable targets against which to direct violent attacks in order to create disorder, beginning with key targeted regimes and eventually spreading worldwide. The name itself refers to the period of ‘savage chaos’ that appears following the collapse of a superpower or an enemy regional state. Abu Bakr Naji argues that the initial focus should be on a key group of targeted states: Saudi Arabia, Northwest Africa, Nigeria, Pakistan, Jordan and Yemen, before applying the plan worldwide. This ‘path towards empowerment’ revolves around three distinct phases. First, the ‘Disruption and Exhaustion’ phase is principally geared towards the dual goal of exhausting the enemy worldwide while attracting supporters and converts. It is argued that this phase is achieved by creating maximum security disarray worldwide by disparate and uncoordinated attacks by jihadist groups. These types of attacks will also attract the jihadi youth to join the ranks. Second, ‘The Management of Barbarism’ phase refers to the control and management of the anarchy ensuing after the first phase. This phase is built around the mechanics of reIslamization and in providing governance in all spheres of public life (security, social welfare, legal system based on Sharia, education, intelligence, foreign relations, and so on) in an overall effort to establish an Islamict state. Lastly, Abu Bakr Naji presents the third phase, ‘Empowerment’, which focuses on extending ‘Management’ by continued disruption and exhaustion attacks against the West and Israel worldwide, forming logistical lines between liberated territories under ‘Management’. Furthermore he favours targeting tourist and oil facilities, focusing on the
44
Magnus Ranstorp
tremendous value and effect of economic targeting. This last phase does, however, require a well-developed and sophisticated media and propaganda strategy for its success, specifically geared towards attracting military officers to join the jihadi ranks. The abrupt disappearance of Muaskar al-Battar after 22 issues in November 2004 and of Sawt al-Jihad after 29 issues in April 2005 can probably be attributed to an accelerated Saudi security success on the ground within the Kingdom. It is also largely due to the fact that the Iraqi conflict has become the principal ideological vortex of Salafist jihadi currents and spawns a number of important web-based publications which are used to legitimate the intensity and direction of the insurgency tactics. A major new jihadi magazine and successor to Sawt al-Jihad is Dhurwat alSanam (the highest or most virtuous belief/insight), providing critical ideological and doctrinal guidance motivating violence, especially focusing on the Iraqi theatre (Worth 2005). Not all focus is on Iraq, as a new successor publication appeared in May 2006 dealing with the Arabian Peninsula. Ansar alMujahideen fi Bilad al-Haramain (the Supporters of Mujahideen in the Land of the Two Holy Places) provides standard doctrinaire ideological and political content. The authors provide countersurveillance security advice using the Internet and recognize that it offers invaluable avenues when pressured. As stated in the first published issue: ‘the governments have coiled around the field of Dawa and Jihad and have narrowed the trenches that can be used. But God has opened a new, great, and hugely valuable door, and that is the Internet’ (TRC TWW Report 2006: 5). This plethora of Salafist jihadi publications was complemented by the As-Sahab Foundation for Islamic Media Publication, a clandestine in-house media/video production company affiliated to al-Qaeda and based somewhere in Afghanistan/Pakistan, that periodically released communiqués and threats by Bin-Laden and Zawahiri and choreographed testimonies of the 19 hijackers in the 9/11 attacks as well as a range of statements by jihadis on the run or ‘martyred heroes’. These videos appeared in hard-copy form distributed to al-Jazeera or on the As-Sahab website. Perhaps among the most surprising appearances was the As-Sahab video release of the ringleader behind the 7/7 London bombings, Muhammad Siddique Khan, especially as the investigation pointed to the cell’s autonomy from external direction.
The virtual sanctuary of al-Qaeda
45
Another recent media development is the advent of Internet streaming video news programmes, most notably Sawt al-Khilafah (Voice of the Caliphate), which provides a 15-minute news roundup covering various conflict zones with Mujahideen successes. This new web-cast method allows the extremists to bypass mainstream media outlets to shape more effectively their anti-Western and anti-Zionist ideological messages. It also allows them to act directly as a counterweight to Western propaganda efforts (Musharbash 2005b). In its inaugural broadcast Sawt alKhilafah even veiled itself as a charity organization, urging supporters to boycott support for the victims of Hurricane Katrina and instead ‘pay more attention to the victims of famine in the Muslim parts of Niger’ (Musharbash 2005b). The literal explosion in the growing number of web-based messages, articles and videotaped lectures is dramatically expanding the scope of internal and external audiences and affecting violent radicalization locally, instantaneously linking the global with the local. While much new material is appearing daily in an uncontrollable fashion, a variety of Internet discussion fora, message boards and websites are busy circulating old materials from recent years to instil a culture of Salafist-jihad martyrdom to a new generation of potential activists. Along several battlefronts, this exclusionary ideological force has skilfully established ‘new “command headquarters” on the Internet to spread fear among its adversaries and boost its men’s morale’ (Trabelsi 2005). Radicalization and recruitment The proliferation of extremist literature and doctrines in a new digital frontier has reshaped the social spaces and boundaries for interaction linking simultaneously terrorist strategists and recruiters with their sympathizers and potential recruits as well as the enemy audience. As Brynjar Lia perceptively argues, ‘online jihadism brings geographically scattered and isolated militants together in virtual transnational extremist communities that bind the global jihadist movements together’ (Lia 2006b: 17). The Dutch security and intelligence service, AIVD, identified early the growing trend of so-called ‘self-radicalization’ or ‘autonomous radicalization’ among Muslim youths occurring increasingly through the virtual world which increases the ‘risk of ideological ghettoization’ (Violent Jihad in the Netherlands 2006). These autonomous radicalization processes, combined with
46
Magnus Ranstorp
deculturalization (alienation of individuals trapped between two cultures), provide for the susceptibility to more radical, dialectic and emotionally appealing ideological force projected by a cadre of Salafist jihadi scholars (Violent Jihad in the Netherlands 2006). Through web-based interaction, radical youths can identify with, connect to and emotionally share the intensity of suffering of fellow Muslim victims and the cause of the Mujahideen around the globe. The importance of these virtual platforms has not been lost on al-Qaeda-affiliated strategists: We should direct some of these efforts to other targets that could serve another goal, namely to promote the glory of the Muslims, especially the youth, who are swimming in the oceans of pleasures and lust. Those youth are in fact unused petrol, while many efforts are dedicated to confront those clerics who are selling their minds to the dictatorships, and who are useless too. These moral attacks would leave in the souls of the defeated youth a tremendous impact. Many idle youngsters were motivated to join the Jihad by a photo or a video such as of the USS Cole, or Badr al-Riyadh, or by watching the crash of the planes into the high buildings. Those youngsters, even though they were not fully aware of the impact of the attacks upon them, turned their minds and bodies towards the Jihad. Here comes the role of indoctrination and developing the thinking of these people. It is a mistake to leave these youngsters with their superficial understanding of the nature of the war. Whoever listens to the calls of Osama bin Laden senses in his words his care for the indoctrination of the supporters of the Jihadi current, like for example in the Gulf States, in order to target the oil fields. The Sheikh, I think, could direct the Mujahidin by personal messages. Yet, he wanted to do it in public, in order that the crowds of people, who wait for the speeches of the Sheikh through the TV channels or the Internet, would internalize his targets and follow them.6 Professionally choreographed video productions create a blurring effect between the real and virtual worlds, producing an artificial high degree of intimacy with the battlefield. The process can also contribute towards moral disengagement, gradually breaking down any inhibitions of newly recruited members to use violence. As underscored by Scott Atran, ‘the semi-anonymity of
The virtual sanctuary of al-Qaeda
47
Internet communication, which lessens the compulsion to hedge and defend oneself, promotes self-disclosure and facilitates disregard of contextual differences that might otherwise distract from or hinder communication’ (Atran 2006: 293). It evens allows for anonymous women to participate in an otherwise exclusively male-oriented activity. Direct female activism via the Internet surfaced in connection to the Dutch Hofstad-network, where women participated in radicalization and recruitment efforts. David Cook has argued that there are visible signs that some Salafist jihadi authorities are trying to legitimize active participation by women in the actual fighting (Cook 2005a). The virtual world of Salafist jihadi extremism provides a perfect medium for some alienated Muslim youths to understand the world around them. As Peter Mandaville has observed: ‘more than anything else the Internet and other forms of information technologies provide spaces where Muslims, who often find themselves to be a marginalized or extreme minority group in many western communities, can go in order to find others “like them” ’ (Mandaville 2001: 183). This virtual world is also perfectly suitable for the self-anointed Salafist jihadi religious authorities that bridge time and space; that combine religious dogma with contemporary political realities to appeal to their audiences and to compensate for a lack of traditional or prestige filled clerical education. In the words of Oliver Roy, these are ‘Islamist new intellectuals’, and each is ‘a tinkerer; he creates a montage, as his personal itinerary guides him, of segments of knowledge, using methods that come from a different conceptual universe than the segments he recombines, creating a totality that is more imaginary than theoretical’ (Roy 1994: 96–7). The mechanisms or processes of violent radicalization in the virtual sphere do not substantively differ from those occurring in the radical mosque, garage mosque (informal study-groups) or prison environments. The Internet has revolutionized the collective actors’ ability to create as well as frame new opportunities for mobilization of contentious politics ‘as it offers a diverse menu of options to those seeking new channels of protest’ (Ayres 1999: 137). Here social movement theory (SMT) is particularly useful to explain the processes and framing strategies underpinning the role of charismatic leadership and authority struggles within Salafist jihadi circles. As Wiktorowicz reminds us, ‘a movement group – a faction, clique, submovement, network cluster, organization, etc. – asserts its authority to speak on behalf of an issue or constituency
48
Magnus Ranstorp
by emphasizing the perceived knowledge, character, and logic of its popular intellectuals while attacking those of rivals’ (Wiktorowicz 2004b). Moreover, Wiktorowicz provides a convincing theoretical pathway as to the processes that explain the attraction of the ideology and specific factors enabling engagement: through cognitive openings, religious seeking and constructing sacred authority (Wiktorowicz 2004a). Within the context of creating cognitive openings, he emphasizes the importance of catalysts inducing a sense of moral shock or crisis to create receptivity for influence and for frame manipulation. Cyberspace is an ideal vehicle for creating a wide range of intensely emotional and powerful visual messages to prospective recruits and current fighters. The real world influence of clandestine face-to-face contact in a back room of a mosque with emotionally stirring stories and videos from the battlefield has been replaced with professionally edited CD-roms, websites and discussion boards filled with thousands of clips of Muslim massacres and suffering in Bosnia, Chechnya, Iraq and elsewhere which are stark and overpowering in content and form, leaving no one exposed unaffected. As recognized by Cetina, ‘the information transmitted between Al Qaeda participants is not only cognitive or symbolic in nature, but has strong sensory and motivating components’ (Knorr Cetina 2005: 223–4). Essentially the virtual-based Salafist jihadi ideological currents demonstrate a built-in capacity to achieve ‘frame resonance’, where ideology is ‘always balanced by factors such as the political and cultural environment and resource mobilization and leadership’ (Meijer 2005b: 282). Additionally, this ‘frame resonance’ is facilitated by the doctrine known as al-wala’ wa-l-bara’ (loyalty or fealty and disloyalty or disassociation) whose polarity enables the extremists to maintain control over the definition of being authentic or true Muslim (Cook 2005b: 141). The Internet has also empowered the activist in terms of reaching new audiences worldwide in an instant and in anonymous mode. It has also generated new spatial forms of interaction between the recruiters and the targets as well as potential sympathizers. It has allowed for asynchronous communication between the centre and periphery, between activists and sympathizers. In other fora it has promoted immediate synchronicity and efficiency in securely communicating through encryption or password protected channels. In essence it has
The virtual sanctuary of al-Qaeda
49
provided infinite recruitment possibilities and configurations as well as interactive channels to distribute their ideas and calls for action. Heroism, martyrdom and the historic mission and vanguard role of the Mujahideen are skilfully choreographed for maximum effect and cascade across the web. Chat fora and weblogs (Muntadayat) have exponentially revolutionized the scope of actual and potential audiences and forms of interaction. For example, one of the most popular jihadist fora, al-Hesbah (www.alhesbah.org), had almost 60,000 postings under the sub-forum for communiqués (archives for different communiqués) with a couple of million visitors according to the webpage count (Rogan 2006). This forum facilitates fluidity in communication, provides a panoply of multi-layered screening processes against infiltration, and reduces vulnerability against the potential shutdown of official, static websites. These blogs have also resulted in a highly specialized fusion of Arabic and extremist phraseology with computer lingo, greatly complicating intelligence efforts to effectively penetrate and participate in these jihadist fora. Enhancing command, control and communication Al-Qaeda and other Salafist jihadi-affiliates have shown a remarkable degree of ingenuity in recognizing the operational advantages of interfacing with new information technologies. They have shown quick adaptability in absorbing cutting-edge solutions and the latest gadgets while integrating them into their command, control and communication repertoires, expanding their own operational security requirements while minimizing the possibilities of detection. A uniform trademark is their relatively advanced awareness of Western counter-surveillance techniques and technologies as they continue to reduce and limit any electronic footprints whether in cyberspace or over the phone. To avoid being pinpointed, each of these networks used to ‘vary its methods and never use one system too long’ (Evans 2004). Varying operational security increased after Bin-Laden stopped using his Compact-M satellite phone in October 1998 with a majority of calls (260 out of 700) being made to 27 numbers in the United Kingdom (Fielding and Gadhery 2002). Al-Qaeda itself demonstrated an early awareness of cyberspace and the Internet as a convenient form of communication. While Ramzi Yousef, the convicted mastermind of the 1993 World Trade Center bombing, used sophisticated encrypted files to conceal a
50
Magnus Ranstorp
plan to destroy 11 aircraft flying over the Pacific (Operation Boijinka), Wadih El Hage, one of the suspects in the 1998 bombing of two US embassies in East Africa, sent encrypted e-mails to other al-Qaeda associates (Kelley 2001). Similarly, Khalil Deek, involved in the so-called 1999 ‘millenium plot’ in Jordan, used encrypted CD-roms to conceal an electronic version of the 11-volume, 7,000page Encyclopedia of Jihad and his plans for multiple bomb attacks in Amman (Fielding 2001). Evidence even exists that Ayman alZawahiri, Bin-Laden’s deputy, used a stationary computer since 1997 with over 1,700 password-protected or encrypted documents (written in Arabic, French, Farsi or Malay) containing a treasure trove of communications, training manuals and targeting information for future operations. In order to ensure the secrecy of communication, al-Qaeda discouraged the use of e-mail or phones and favoured faxes and personal couriers (Cullison 2004). Sensitive messages were encoded using ‘one-time pad’ systems that paired individual letters with randomly assigned numbers and letters and produced messages readable only by those who knew the pairings (Cullison 2004). These so-called ‘laundry lists’ were found in many training camps in Afghanistan. No uniform standard codes exist but instead they were naturally individualized and frequently changed to suit the operational as well as security circumstances. Often the actual coding assumed simple forms linked with word association, using so-called ‘idiot-codes’ in intelligence terminology (Koprowski 2003) or pre-determined ‘code’ words, like ‘apples’ (grenades), ‘seven Seas’ (EU entry visa) and ‘red training shoes for runs’ (EU red passports) (Butler and Van Atta 2003). At other times they used number systems as in the case of Andrew Rove, who spoke only about mobile phone models. ‘Money was “Nokia 3310”; troublepolice was “3410”, weapon was “3610”; airport “3310” and army base was “3331” ’ (McGinty 2005). Another case is Pakistani militant Mohammed Naeem Noor Khan who ‘protected cellphone numbers by copying them down in a code that did not use the digits zero, two or three’ (Fielding 2004). The beauty of this system was its simplicity and the infinite range of combinations available to the operatives. This extended to Al-Qaeda’s use and distribution of so-called ‘laundry-lists’ of chemicals available on the open market, which it used in combination with ‘how-to’ videos in the construction of improvised explosive devices.
The virtual sanctuary of al-Qaeda
51
Advanced knowledge of counter-surveillance techniques became manifest, ranging from the encryption of computer files and CDroms to using untraceable SIM or pay-as-you-go telephone cards (‘Swiss SIM Cards Slammed’ 2003), single use of Thurayya satellite phones (as reported in Al-Sharq Al-Awsat, 20 November 2003) and mobile phones before they were discarded, to the employment of coded ‘flagged’ spam e-mails, common chat rooms and simple electronic dead drops to communicate between cell members and between the operational centre and the periphery. The genius of alQaeda could be seen in the creative shell game techniques used, as exemplified by the establishment of yahoo or hotmail accounts with prearranged shared usernames and passwords. The operational cells would communicate by lodging a draft message – a dead drop – on the server without ever having to send or receive electronic mail. Just like the one-time use of mobile phones, anonymous e-mail accounts were established for one-time purposes. This familiarity with electronic intelligence measures was evident in the field survival kit distributed during the American military campaign in Afghanistan, where it urged fleeing members: If you use a cell phone, use one obtained under fake name and address. Never use a phone provided by your ‘nazm’ for calling a friend or relative. If you ask your friends to call you, give them a specific time and keep your phone open only when you are expecting a call. For using the Internet, you must go to an internet café. Never visit a site that can reveal your identity … when opening an e-mail account, go to an Internet café, never do it at home. Never use the same Internet café again and again. (‘An Al Qaida Blueprint for Terror’ 2004) In order to ensure continued and easy and anonymous means of communication, al-Qaeda and its affiliates employ the spectrum of wireless networks, private mobile phones, instant messaging and remote access email accounts to enhance digital coordination and to circumvent security procedures and detection. The arrest of Khalid Sheikh Muhammed in Rawalpindi in 2003 revealed a trove of material identifying the Internet cafés in Quetta used by his couriers to send coded messages to sleeper terror cells in Europe, America and Asia (Sunday Telegraph, 9 March 2003).
52
Magnus Ranstorp
Pornographic images were used to hide coded messages or explosives recipes. In November 2001 police conducted a raid on the Via Quaranta mosque in Milan, seizing 11 computers with pictures of the Twin Towers (created on 4 November 2001) and hundreds of pornographic images, some with hidden messages using stenography (Corriere della Sera, 5 May 2003). Equally, alQaeda developed and improved on basic cryptography methods as illustrated by the various spin-off versions from Mawsu’at al-jihad (the Encyclopaedia of Jihad) and other so-called ‘military manuals’ found around the world. Al-Qaeda has even established the socalled ‘Al-Qaidah University for jihad sciences’ imparting advice through speciality subjects such as ‘electronic’ and ‘media’ jihad alongside the technology of explosive devices and the operational art of terrorism in all its facets (Al-Sharq Al-Awsat, 20 November 2003). For example, Al-Firdaws website contained 80 pages of detailed instructions on how to make a nuclear or ‘dirty’ bomb and biological weapons (Mahnaimi and Walker 2005). This training material is not just consigned to being downloaded from the web, through services like YOUSSENTIIT.COM, but also on to mobile phones and other mobile devices (Brachman 2006: 153). Even Department of Homeland Security briefings can provide a treasure trove on new means of clandestine communication or FBI suspect lists with known addresses within the US and their e-mail addresses. For example, one of the Saudi nationals on this FBI suspect list had the ominous e-mail address <LAST_DAY_11@ hotmail.com>. It is also clear that the digital sphere is providing new ways for terrorists to raise and transfer funds in technologically creative and clever ways. New digital online banks provide useful anonymity and it is feared that Internet-based alternative value transfer processes such as Paypal, E-Gold and other similar services are providing auxiliary avenues for concealed and highly mobile financial transactions. In some investigations of Salafist-jihadi cells there is even evidence that terrorists are using small credit card transactions to purchase goods which in turn are resold on E-Bay and other similar commercial sites. There is growing concern that Salafist jihadi cells are familiar with virtually untraceable real-time communication methods such as IP telephony and Skype, PalTalk, alongside social networking services such as Orkut (Hunt 2006), and other new collaborative social software tools such as KaZaA’s P2P networking or Morpheus. Additionally Salafist jihadi circles are beginning to
The virtual sanctuary of al-Qaeda
53
circulate interactive videogames to extol the heroism, martyrdom and virtues of the Mujahideen in Iraq. A recent emerging trend is the creation of ‘virtual cells’, where like-minded extremists meet online anonymously until bonds of trust are sufficiently established, at which point the group meets in person to conduct an operation. Additionally there are some signs that the Internet has been used to plan operations remotely. Bruce Hoffman astutely underscores that: ‘The 9/11 Commission Report cites four specific instances in which KSM and the 19 hijackers accessed information from the Internet to plan and facilitate the 9/11 attacks’ (Hoffman 2006: 11–12). Investigators found also nearly 2,300 encrypted messages and data files on the computer of Abu Zubayda (Bin-Laden’s operational chief) in a password-protected section of an Islamic website. Sent primarily from Internet cafés in Pakistan and public libraries around the world, ‘the messages began in May 2000, peaked in August 2001 and stopped Sept. 9, two days before the attacks, (and) al-Qaeda operatives have been sending hundreds of encrypted messages that have been hidden in files on digital photographs on the auction site eBay.com’ (Kelley 2002). As revealed in a recovered al-Qaeda manual in Afghanistan in January 2003, ‘using public sources openly and without resorting to illegal means, it is possible to gather at least 80 percent of all information required about the enemy’ (Carment 2006). Al-Qaeda has also demonstrated an ‘offensive’ capability in terms of surveillance and reconnaissance of targets. For example, in the conduct of surveillance of a US diplomat in Saudi Arabia, alQaeda managed to break into the targeted diplomat’s e-mail account and retrieve his bank statements and from this deduce his general and specific pattern of location and movement.7 Towards these ends, al-Qaeda employed simple hacking tools such as LophtCrack and other available hacking tools to penetrate simple eight-digit passwords (‘What Are Al Qaeda’s Capabilities?’ 24 April 2003). This incident demonstrated the sophisticated ability of the network to locate the e-mail addresses of highly protected targets as well as to use semi-advanced hacking tools freely available on the Internet. Al-Qaeda went beyond using publicly available hacking tools. An al-Qaeda safe house in Pakistan was reportedly devoted solely to training operational members for computer hacking and cyberwarfare. This ‘cybertraining’ facility was devoted to ‘basic training’ as well as more advanced cyberreconnaissance of both
54
Magnus Ranstorp
infrastructure and SCADA systems, probing the control mechanisms of numerous electricity grids and dam structures within the United States. In the aftermath of 9/11, the FBI identified multiple casings of sites nationwide by ‘anonymous’ suspected al-Qaeda sources routing themselves through Saudi Arabia, Indonesia and Pakistan, studying emergency telephone systems, water storage sites and distribution (including pipelines and dams), electricity grids, nuclear power plants and gas facilities. A worrying sign of this was the discovery in one of al-Qaeda’s computers in Kabul of an engineering program simulating the sequences of a catastrophic breach of a dam and advanced computer programs simulating the direction of flow of bursting dam water (NIPC 2002b). In addition, there seem to be worrying signs that al-Qaeda was interested in targeting specific fibre-cables underpinning large sections of the entire Internet system.
Fitting al-Qaeda to international relations theory? In July 2005, Ayman al-Zawahiri announced that ‘we are in a battle, and more than half of this battle is taking place in the battlefield of the media […] we are in a media battle for the hearts and minds of our umma’ (Lynch 2006). Understanding how alQaeda and its progeny shapes the narrative and worldview and delivers it innovatively through modern technologies has become a major strategic challenge for the West. The de-territorialization of violent Salafist jihadi extremism has been achieved by the simultaneous fusion of local and global contention. In essence, al-Qaeda’s success is derived from its ability to fuse the war against the ‘near’ and ‘far’ enemy into parallel and mutually supporting battlefronts through the globalization of the local jihad. The Pentagon’s 2006 Quadrennial Defense Review described it as a ‘long war struggle against Islamist terrorism […] against global terrorist organizations that exploit Islam to achieve radical political aims’. Hence, constructivism constitutes the core theoretical lens for effectively waging this battle for ideas against a religious, transnational movement. International relations theory has traditionally struggled to fit or include non-state actors as significant players shaping the international system. The sheer scale of the 9/11 attacks and al-Qaeda have forced most of us to rethink our theories.
The virtual sanctuary of al-Qaeda
55
As Robert Keohane has argued, ‘the globalization of informal violence’ has undermined our assumptions about security threats and reconceptualizes the notion of geographic space and sovereignty. ‘Most problematic’, according to Keohane, ‘are the assumptions in international relations theory about the role played by states […] as states no longer have a monopoly on the means of mass destruction’ (Keohane 2002). Similarly, Joseph Nye has argued that the recent ‘confluence of globalization, mass destruction, and extremism amounts to the “privatization of war” ’ (Fukuyama and Ikenberry 2005). While many theorists argue that the 9/11 events did not fundamentally change the international system, some acknowledge that the statecentric underpinning of international relations theory has difficulty in accounting for the growing influence of transnational and networked non-state actors. Deibert and Gross Stein have argued that not only are actor models misleading in an age of networks but so too is the traditional concept of power in international relations theory (Deibert and Gross Stein 2002). This is particularly the case as ‘al-Qaeda refuses a sharp distinction between “hard” and “soft” power with the matter in a supporting role; instead, it sees ideational and material power as intimately connected and mutually constitutive’ (Lynch 2006). As underscored by Fiona B. Adamson, there is a ‘lack of theory regarding the relationship between individual agents and global ideological structures – a disconnect between the structural theories of the international system and the micro-practices of individual actors engaged in the promotion of normative agendas […] who are deeply embedded within particular ideological and geopolitical configurations in world politics’ (Adamson 2005: 547–8). Constructivism seems to offer a valuable pathway out of this conundrum. As persuasively advanced by Lynch, ‘al-Qaeda’s actions, both terrorism and rhetoric, can be conceptualized as a series of “arguments” directed primarily toward the Islamic world about the interests inherent to a Muslim identity’ (Lynch 2006). As such, a focus on interpreting al-Qaeda’s frames and their resonance offer another lens into their ‘life-world’ and a deeper understanding of its durability and longevity both as a network and as a movement. In our understanding of these ideational packages, frames and repertoires as well as processes of violent radicalization, it is useful to turn towards social movement theory. This theory focuses on how these social movements ‘frame’ their arguments effectively to persuade audiences and guarantee support
56
Magnus Ranstorp
and participation. As argued by David Leheney, ‘the sheer variety of studies of social movement theory provides a rich portfolio from which to analyze terrorist organizations like Al Qaeda’ (Leheney 2005: 88). The relationship between symbolism and strategy, meaning and action in contentious politics, requires a more sophisticated theoretical approach achieving ‘a synthesis of rationalist and culturalist approaches in international security’ (Leheney 2002). In this new global ‘neomedieval’ order, Philip G. Cerny argues that terrorist groups today can easily ‘extraterritorialize their very identities’ and in essence constitute a global tribe that advocates violence as an individual obligation in communicating ‘orders of battle’ (Cerny 2005). Hence, it is critical, as argued by Quintan Wiktorowitcz, to emphasize a wider theoretical ‘role for ideas’ in the task of examining transnational Islamic activism and extremism (Wiktorowitcz 2005).
Notes 1 2 3 4 5 6 7
From Tina Brown’s article ‘Death by Error’, Washington Post, 19 May 2005, quoted by Hoffman in a testimony to the House Permanent Select Committee on Intelligence (Hoffman 2006). For an excellent overview, see <www.ctc.usma.edu/imagery.asp>. For an excellent biographical sketch of Maqdisi and his influence and disagreement with Abu Musab al-Zarqawi, see Brooks (2005). For further information about the Saudi dimension, see Meijer (2005a). This book contained the e-mail address <ZUBEIDDAH1417@ hotmail.com> on the front cover. Al-Faruq website quoted in Paz (2005b: 4). Al-Qaeda operational blueprint entitled ‘Relief Operation’ in author’s possession.
3
From ‘cyberterrorism’ to ‘cyberwar’, back and forth How the United States securitized cyberspace Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
Introduction1 Threats and risks from cyberspace have become a popular theme in the mass media, the security policy community, and the risk consultant and IT industry. Probably everybody with some interest in computers and politics has already heard of the hackers, cyberterrorists or foreign intelligence agencies electronically breaking into computers that control dams or air traffic control systems, wreaking havoc and endangering not only thousands of lives, but national security itself. A good indicator of the popularity of these scenarios is the fact that the entertainment sector has already capitalized on this, producing movies like the 1995 James Bond Goldeneye 2 or novels like Tom Clancy and Steve R. Pieczenik’s Netforce (Clancy and Pieczenik, 1999). Sometimes it is hard to tell what is science and what is fiction. Winn Schwartau, for example, the rock managerturned-preacher of ‘information warfare’, runs the famous website infowar.com, has testified several times as an IT security expert before Congress, and has written two fiction books on cyberterror (Schwartau 1991, 2002). Even renowned cyberwar theoreticians like John Arquilla have not hesitated to publish thrilling cyberterror scenarios for the general audience (Arquilla 1998). But these works are not only made for entertainment. They produce certain visions of the future and of the threats and risks looming there. In doing so, they can be aligned with the works of serious scientific groups or professional intelligence agencies that produce threat warnings and trend estimates, like the National Academy of Sciences or the National Intelligence Council.
58
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
The whole debate started around 1990, when the Soviet Union had collapsed and the threat estimation professionals in the security community were looking for new ideas. The rise of widespread Internet use and the debate on the emerging ‘information society’ sparked several studies on the risks of the highly networked, high-tech-dependent United States. The National Academy of Sciences as early as 1990 began a report on computer security with the words: ‘We are at risk. Increasingly, America depends on computers. [...] Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb’ (National Academy of Sciences 1991: 7). At the same time, the prototypical term ‘electronic Pearl Harbor’ was coined,3 which linked the whole debate to a historical trauma of US warfare. It did not take very long until the highly technical problems of IT security – encryption, password protection or intrusion detection systems, to name but a few – were framed in terms before known only in military policy statements. ‘Password security’ became ‘computer security’, then ‘information systems security’, ‘information protection’, and then ‘information warfare’ (Dornheim 1998: 60). Some people have likened cyberthreats to weapons of mass destruction. When asked by the US Senate in 1996 to compare the magnitude of the cyberthreat with nuclear, chemical or biological weapons, then CIA director John Deutch answered, ‘It is very, very close to the top’ (‘Cyberspace attacks…’ 1996). Others, like Deutch’s successor George Tenet, used the term ‘weapons of mass disruption’ (Tenet 1997), suggesting that in the information age an electronic attack might be as dangerous to the fabric of society as an attack with intercontinental missiles would have been in the nuclear age. Others doubted this perception. George Smith, the editor of the Crypt Newsletter for example, published a widely read article in Issues in Science and Technology under the headline ‘An Electronic Pearl Harbor? Not likely’ (Smith 1998). Many of the more technically educated political advisors and journalists wrote about the practical difficulties of a serious cyberattack or the inability of bureaucracies like militaries or intelligence agencies to really acquire the skills needed to become successful hackers. Others saw a hidden agenda behind all the fuss they preferred to call ‘fear mongering’.4 They suspected it to be a pretext for the security agencies to obtain greater powers for surveillance, oppression or censorship in cyberspace, which in the early 1990s was seen – and praised – by many as the land of total freedom, with little or no
From cyberterrorism to cyberwar
59
government intervention (Barlow 1996). As we can see, the cyberthreat assessment is far from being agreed upon by different experts, government agencies or scholars working in this field. As David Gompert wrote in the RAND Review: ‘How grave is the threat from cyberspace? […] is information war being oversold? We don’t know’ (Gompert 1995). How was cyberspace made a priority in US security policy? In answering this question, we will apply a ‘threat politics’ approach (Eriksson 2001a, 2001b), which is elaborated in the following section. The ensuing analysis will consider how cyberthreats have been framed in US security policy, what actors have been pushing these threat frames onto the security agenda, and what are the implications of these framing actions. The analysis is focused particularly on patterns of continuity and change. It does so by comparing threat framing during the Clinton years with those of the Bush regime prior to, and after, the events of September 11, 2001.
Threat politics: A framework for analysis To characterize a cyberincident as ‘cybercrime’ or as an ‘information warfare attack’ are competing ways of framing the very same incident, but with quite different connotations and consequences. The cybercrime frame makes the incident a case for the police, while the warfare frame legitimates a role for the military. Clearly, the words and symbols we use for characterizing a problem have tremendous importance for how it is understood, and what actions are considered necessary or relevant. The concept of framing thus ‘refers to an interpretive schemata that simplifies and condenses the world out there by selectively punctuating and encoding objects, situations, events, experiences, and sequences of actions within one’s present or past’ (Snow and Benford 1992: 137; cf. Goffman 1974: 21; Entman 1993). Framing is one of those heuristics people employ to make sense of the complex world they live in. In short, a framing perspective implies taking seriously those things that are always interpreted as something. Moreover, Schön and Rein (1994: 29) see framing as ‘symbolic contests over the social meaning of an issue domain, where meaning implies not only what is at issue, but also what is to be done’ (cf. Fischer and Forester 1993: 146). The concept of framing emphasizes the interpretative and representative aspects of security. Threats, risks, dangers – or
60
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
whatever those things we fear are called – are social constructions. Events, conditions, and actors can be framed in different ways, and different frames may have different effects on policy choices and outcomes (Tversky and Kahneman 1981; Rochefort and Cobb 1994: 26).This corresponds to how threats are understood in securitization theory, developed by the ‘Copenhagen school’5 of security studies: In security discourse, an issue is dramatized and presented as an issue of supreme priority; thus, by labelling it as security, an agent claims a need for and a right to treat it by extraordinary means. For the analyst to grasp this act, the task is not to assess some objective threats that ‘really’ endanger some object to be defended or secured; rather, it is to understand the processes of constructing a shared understanding of what is to be considered and collectively responded to as a threat. […] The securitization approach serves to underline the responsibility of talking security, the responsibility of actors as well as analysts who choose to frame an issue as a security issue. They cannot hide behind the claim that anything in itself constitutes a security issue. (Buzan et al. 1998: 26, 34; cf. Wæver 1995) ‘Security’ can be framed in other ways than the specific frame implied by securitization. The Copenhagen school assumes that the connotations of security are givens (existential threats requiring emergency measures), and that only the threats and the core values of security are variables. There are indeed cases in which threat framing has exactly these consequences, especially when issues are perceived as threats implying hostility and antagonism. Theoretically, however, there is reason to expand the conception of possible connotations beyond the negative and limited ones associated with securitization. The need for doing so is evidenced by the political success of alternative concepts like ‘common security’ and ‘cooperative security’ (Chilton 1996; Stern 1999: 133–4; Wyn Jones 1999: 157–8). Not all threat frames fall into the life-and-death category of existential threats, and extraordinary ‘hard power’ measures that sidestep democratic procedures are not always legitimized by a certain threat frame. The ‘threat politics’ framework (Eriksson, 2001a, 2001b) we apply draws on, but also goes beyond the securitization approach. More specifically, our framework focuses on frame characteristics,
From cyberterrorism to cyberwar
61
framing actors, and contextual conditions. For each of these aspects, we are concerned with patterns of continuity and change. Frame characteristics concern what is considered a threat, what is considered to be threatened (core values and referent objects), and what connotations are implied by both of these aspects. A threat frame, like any frame, can be restricted as well as elaborated (Snow and Benford 1992), specific and diffuse, and be about antagonistic actors, structural problems, or particular events (Eriksson 2001b). It can be expected that the securitization hypothesis about legitimating extraordinary measures is more likely to be valid when an antagonistic threat is identified than when a threat is characterized as a structural problem. Feelings of fear are greater when we perceive that someone intentionally wants to harm us, in comparison with threats associated with structural conditions or accidents (Dewey 1929; Johnson 1997). This is probably an important reason why war and terrorism gain such prominent positions on the policy agenda, although health problems and traffic accidents kill more people. Yet even fearing the unknown is about some imagined danger, though in this case it is the very diffuse or unspecific nature of this that produces the sense of threat (Dewey 1929; Johnson 1997: 13â&#x20AC;&#x201C;15). If we are not certain about the ways in which a newly discovered pandemic is transmitted, then panic is not far away. It does not seem too far-fetched to suggest that images of cyberthreats may bear a resemblance to those of pandemics, due to the combination of immediate global reach and their mystifyingly faceless and complicated nature. Cyberspace is a landscape where every action is only possible because the technical systems provide an artificial environment that is built to allow it. The means of an attack therefore change from system to system, from network to network. This makes threat estimation and attack recognition a much more difficult task. Instead of an easy-to-see exploding bomb, you have to look for the values in the registers of the computer and interpret their patterns. To detect a virus on your hard drive, you need a virus scanner as a sensory tool; to find out if there is a cracker in your network, you need an intrusion detection system or a good systems administrator with some spare time. For the average user, an intentional hacker attack is difficult to distinguish from a technical failure, like a hardware defect, a software malfunction or a normal system crash. In the case of denial-of-service it is not obvious at all if the computer that is not providing its service any more has just crashed, if the cable
62
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
connecting it to the Internet has been physically damaged, or if the computer is the victim of a targeted flood of packets and requests. Considering the dynamics of computer development, the whole threat perception/estimation problem gets even worse when you have to predict the future development of these threats. Framing actors are essential for putting issues on the policy agenda and removing them. Issues do not take on political salience by themselves. Theoretically, anyone can be a framing actor, but since policy-making is a matter for societal elites, it is the politicians, bureaucrats, experts, media, pressure groups, and academics who tend to be more influential than others. If threat images are to take on political salience, they have to be articulated by influential actors. This idea corresponds to the Copenhagen school’s notion of ‘securitizing actors’ (Buzan et al. 1998: 40–42) and to the concept of ‘policy entrepreneurs’ in agenda-setting theory (Kingdon 1995; Birkland 1997). It is commonly argued that governmental elites maintain a dominant position when it comes to framing threats and risks of common interest (Hermann 1990: 11–12, 17–18; Kingdon 1995: 68–70, 199–200; Buzan et al. 1998). In particular, the realm of security is often strongly institutionalized, thus privileging the government and special security institutions such as the intelligence community and the military. Contextual conditions include both the structure and culture of policy establishments, and window-opening processes. While established structures tend to function as gatekeepers and prevent major institutional change, focusing events (Birkland 1997) and processes often provide the necessary push for reform. The literature on bureaucratic politics shows how turf battles and other instances of interest conflicts influence policy-making, especially by hampering new ideas (Halperin 1974; Allison and Zelikow 1999). Path dependence is an important element in institutional inertia. Hammond clarifies how bureaucratic actors manoeuvre under such circumstances: ‘Strategic behavior by subordinates – bargaining, coalition formation, and the dissemination of supposedly secret information – enables them to circumvent constraints placed on them by their positions and jurisdictions, thereby making the structure largely irrelevant’ (Hammond 1986: 416). By contrast, dramatic events may, if skilfully seized upon, turn the tables and open the window for new items on the agenda, and also for institutional reform (Keeler 1993; Kingdon 1995: 94–100; Birkland 1997). Harrisburg, Pennsylvania and Chernobyl, Ukraine
From cyberterrorism to cyberwar
63
are key examples of focusing events (Birkland 1997) that pushed the problems of nuclear safety into a top position on national agendas. But the salience of focusing events is usually only temporal. Accordingly, the media are often the most significant framing agents of events (Tuchman 1978; Entman 1993; McQuail 1994: 335). It is difficult to challenge institutionalized threat frames, such as the established connotations of ‘national security’ as having to do primarily with state sovereignty and foreign military aggression. The widespread breakthrough for the broadened concept of security required nothing less than the end of the Cold War – a major window of opportunity. When framing actors disagree either on the meaning or the application of a frame, turf battles and ‘forum shopping’ can be expected.
The Clinton years’ heritage: ‘Cyberterrorism’ The basic question for security policy makers, since the debate over cyberthreats started, has always been: Are the most dangerous actors terrorists, enemy states, or just criminals? In other words: Will we have to deal with ‘cyberterrorism’, ‘cyberwar’, or just ‘cybercrime’? This debate has, naturally, never really been solved. But the Clinton administration chose to focus on cyberterrorism. Security analysts perceived terrorists, sometimes connected with ‘rogue states’, as the main danger. Allan B. Carroll from the National Infrastructure Protection Center, for example, in December 1999 warned of Osama bin Laden possibly planning a computerized version of the Oklahoma bombing (Smith 2001). Others even saw juvenile hackers as a serious threat, too. Jacques Gansler, then Assistant Secretary of Defense for Acquisition and Technology, for example, in 1998 called teenagers a ‘real threat environment’ for national security (Madsen 1998). This view was influenced by the idea that information technology is the great equalizer. This fed into the general trend in the security policy community not to talk any more about whole threats (which would consist of an actor, his intention, and his capabilities), but to focus just on the technologies needed to start an attack: Today, however, malefactors are no longer necessarily nationstates, and expensive weapons of war are joined by means that are easier to acquire, harder to detect, and have legitimate
64
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello peacetime applications. The tools designed to access, manipulate, and manage the information or communications components that control critical infrastructures can also be used to do harm. They are inexpensive, readily available, and easy to use. (PCCIP 1997: 14)
Clearly, the US framing of cyberthreats under Clinton was about antagonistic actors, and not only about some vaguely defined vulnerability in IT systems. More importantly, the type and range of antagonistic actors went far beyond the more traditional and much more limited notion of states as actors. Bringing transnational non-state agents into view implied that Pandora’s box of horrors was opened. In James Rosenau’s terminology, these innumerable individuals and more or less organized groups – ‘sovereignty-free actors’ – are not limited by the territorial or judicial boundaries of formally sovereign states (Rosenau 1990). One main reason for choosing to frame problems as ‘cyberterrorism’ was the experience of the first World Trade Center attack in 1993 and the Oklahoma City bombing in 1995. The foundations for the National Infrastructure Protection Center (NIPC), located at the FBI, were in fact laid as a reaction to the Oklahoma City bombing in April 1995. In terms of agenda-setting theory, these dramatic incidents were important windows of opportunity that helped push cyberterrorism into the policy limelight (cf. Birkland 1997). The inter-agency Critical Infrastructure Working Group (CIWG), set up by President Clinton and Attorney General Janet Reno in June 1995, two months after this event,6 was tasked with studying the infrastructural vulnerabilities of the United States by terrorist attacks. The CIWG issued its report in January 1996, and this in turn led to the establishment of the President’s Commission on Critical Infrastructure Protection (PCCIP 1997; cf. Tritak 1999). The PCCIP report of 1997 finally led to Presidential Decision Directive NSC-63 in May 1998 and its more elaborated version, the ‘National Plan for Information Systems Protection’ in January 2000 (White House 1998; Clinton 2000). This threat framing also shows how the US defined the referent object of cybersecurity: infrastructure. Thus, it was not national identity, national sovereignty, or any other possible target that came into focus, but the critical infrastructures of IT, communications, electricity and so forth. On a more general but
From cyberterrorism to cyberwar
65
more vaguely defined rhetorical level, however, cyberterrorism was often considered a threat to ‘national security’. Only on occasion, however, was this explicitly interpreted as an existential threat, as for instance when compared to weapons of mass destruction. Who, then, helped to put cybersecurity on the national policy agenda? Who were the framing agents? In the context of the debate about the new ‘international terrorism’ and the other new fear in security policy thinking – ‘asymmetric warfare’ – the concept of ‘homeland security’ or ‘homeland defense’ was developed by American think tanks in the late 1990s. The basic idea was the end of the American invulnerability based on its special geographical position. Possible enemies, the security analysts feared, would no longer try to attack the United States by conventional means and tactics of warfare, but by terrorist attacks from the inside – or from borderless cyberspace. Indeed, the idea of homeland security, including protection against cyberterrorism, was taken up by the new government under George W. Bush in May 2001 (White House 2001a). The media took up these debates in the security community. CNN for example, in April 1999, brought a headline about ‘guerrilla warfare in cyberspace’ (Christensen 1999). This cyberterrorism discourse had gained enough momentum in the Clinton years to even persist for a while after the conservative government under George W. Bush came into office in January 2001. The newspaper USA Today is probably the best indicator for the general threat perception in the mass media. In February 2001, the newspaper published a story about Osama bin Laden’s alQaeda using a special form of encryption called steganography, where messages are hidden in the least significant bits of electronic pictures, audio or video files. This case is especially interesting, because the cyberthreat was not only combined with the terrorist threat, but as well with pornography, which for many makes it look even worse. One day after the discursive connection between bin Laden, cyberterror and pornography had been published by USA Today (and immediately quoted in many other newspapers), the conservative Congressmen Saxton and Chambliss introduced a bill in the House of Representatives that would make the United States Congress declare cyberterrorism ‘an emerging threat to the national security of the United States’ (US Congress, 2001a). Although more serious research showed that the alleged al-Qaeda technical skill with steganography was only a rumour (Provos and
66
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
Honeyman 2002), we would soon see more examples of this close connection between headlines in the mass media and a political initiative along the same lines. If terrorists are able to use encryption, they are not far from planning cyberattacks. This assumption7 was repeated a month later by the new director of the National Infrastructure Protection Center, Ronald Dick. Already on his first day in office, he warned of a possible cyberattack by bin Laden and other terrorists (Spiegel, 2001). In sum, at the end of the Clinton years cyberterrorism was clearly established as one of the new security policy threats of the twenty-first century. Clinton himself made this very clear in December 2000 in his foreign policy farewell lecture at the University of Nebraska at Kearney. In this speech, he named five principles for future US foreign policy: strengthen alliances like NATO; pay attention to Russia and China; confront local conflicts in other parts of the world; pursue global trade with a ‘human face’; and finally, face new security challenges like cyberterrorism and infectious diseases like AIDS (Lacey 2000). He went on to say that one of the biggest threats to the future would be cyberterrorism, that is, people ‘fooling’ with computer networks, trying to shut down phones, erase bank records, mess up airline schedules, and generally do things to interrupt the fabric of life (Bowman 2000). The government response to this threat had been twofold: On the one hand, the intelligence community together with the law enforcement agencies tried to build up capacities for cyberinvestigations, like computer forensics tools or close surveillance of the hacker community. Then, this debate was used by the FBI and others to ask for more surveillance powers on the Internet (see Rotenberg 2003). On the other hand, because of the amorphous nature of these non-state and unknown enemies, a lot of effort was put into hardening the critical infrastructures and making the private companies who run most of them work together with the government (Bendrath 2001). In conclusion, did the US framing of cyberthreats during the Clinton years imply securitization, or did it imply some other kind of threat framing? It would be wrong to conclude that the whole debate was characterized by the panic politics, fears of existential threats, and calls for extraordinary measures implied by securitization theory. Indeed, there are several instances of ‘speech acts’ which certainly fall into the securitization category, such as when cyberthreats were compared to weapons of mass destruction,
From cyberterrorism to cyberwar
67
or through the fear-mongering analogy of ‘electronic Pearl Harbor’. However, there were not many calls for extraordinary measures. A lot of money and energy was spent on analysis and rhetoric, and also on technologically minimizing vulnerability of critical infrastructure against attacks. But there was not much panic politics that moved beyond democratic procedures, increased secrecy, or implied the use of violence. The US government did talk the talk of securitization, but they did not really walk the walk – not yet.
The Bush regime before 9/11: Sovereign states in the limelight Shortly after George W. Bush came into office in January 2001, the debate about the cyberthreat changed quite radically. ‘Cyberterrorists’ were still taken into account, but the new government focused much more strongly on foreign governments as possible attackers. Not only did this imply a noteworthy change in the framing of cyberthreats; it also made some framing actors in the security establishment more influential than before. The turn towards more traditional state-oriented threat conceptions made the National Security Council, the Armed Forces, and the intelligence community more relevant and thus more influential in the debate. These institutions were still very much living in the state-centric world of classic security policy. Rather than changing their analytical frameworks, cyberthreats were interpreted to fit into their traditional state-centric models for threat assessment. A linkage between the ‘cyberterrorism’ perception of the Clinton years and the ‘cyberwar’ fears of the first Bush year was the concept of ‘rogue states’. This term, which had been abandoned by Clinton8 but was quickly revived by Bush, implies that some states will use terrorist means to attack the United States. Surprisingly, the first ‘rogue state’ to be accused of planning cyberattacks against the US was not Iraq, Iran, China or North Korea, but Cuba (cf. McCullagh 2001). During the hearing of the Senate Select Committee on Intelligence on ‘The Worldwide Threat in 2001’ in February 2001, Defense Intelligence Agency director Thomas R. Wilson identified Fidel Castro’s autocratic regime as a possible cyberattacker. ADM. WILSON:
Cuba is, Senator, not a strong conventional military threat. But their ability to ploy asymmetric tactics
68
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
against our military superiority would be significant. They have strong intelligence apparatus, good security, and the potential to disrupt our military through asymmetric tactics. And I think that is the biggest threat that they present to our military. SEN. WYDEN: What would be an example of an asymmetric tactic that you’re speaking of? ADM. WILSON: Using information warfare or computer network attack, for example, to be able to disrupt our access or flow of forces to the region. SEN. WYDEN: And you would say that there is a real threat that they might go that route? ADM. WILSON: There’s certainly the potential for them to employ those kind of tactics against our modern and superior military. (US Senate 2001) Within a month, though, not only were these traditional ‘enemies’ of the US identified as possible cyberthreats, but as strategic rivals as well. In March 2001, the Defense Science Board issued a report on the United States’ vulnerability from cyberattacks. According to this study, already more than 20 states were supposed to have information warfare capabilities or to have started developing them (Tiboni 2001: 1; Office of the Undersecretary... 2001: ES-2). Especially interesting is the perception of China. The chairman of the DSB study group explicitly warned that China made clear its intention to use Information Operations (warfare) as an asymmetric response in any conflict with the United States (L. Wright 2001). Even by the most hawkish politicians, China is not considered a rogue state, but rather a strategic rival. From this new perception of the possible cyberenemy as another state it is only a short way to related strategic thought. Here as well, analogies to the traditional state-against-state military and security policy thinking can be found. The above-mentioned March 2001 Defense Science Board report, for example, called the Pentagon’s ‘Global Information Grid’ a weapons system, and concluded that the United States was in an ‘arms race’ over information systems for warfare (Office of the Undersecretary 2001: ES-2). This development is not only a clear departure from the ‘cyberterror’ warning of the Clinton administration, but also showed how the new government moved towards a much more significant securitization, implying existential threat and
From cyberterrorism to cyberwar
69
extraordinary measures. Cyberthreats were now framed in familiar military and state-centric categories, which put them at the very top of the national security agenda. The classical security policy idea of the Cold War – deterrence – was about to come back, as Bush’s national security advisor, Condoleezza Rice, noted a few weeks later in her speech at the second Internet Security Policy Forum (Poulsen 2001a). The commander of the US Space Command, General Eberhardt, publicly renewed the warnings of China as a possible cyberattacker at the end of March 2001. This is even more important because ‘SpaceCom’ is responsible for the coordination of cybersecurity and computer network attacks within the whole US military (Gertz 2001). In April 2001, an American spy plane was forced to land in the People’s Republic of China. This focusing event implied a noteworthy policy window (Kingdon 1995; Birkland 1997), which was capitalized on both by the media and by hacker communities in both China and the US. A Chinese–US hacker conflict commenced, and became aggravated by the upcoming first anniversary of the US bombing of the Chinese embassy in Belgrade. Though this was not at all comparable to a real war, the media called it the first US–Chinese ‘cyberwar’ (Delio 2001a, 2001b; Rötzer 2001). In this case it is especially hard to tell what was reality and what was media invention. Some insiders even warned that the media stories about the ‘coming cyberwar’ between the US and China had started the whole problem, because they gave the juvenile hackers an excuse for attacking the other side. The hacker’s documentation group Attrition.org, for example, issued a press release titled ‘Cyberwar with China: Self-fulfilling prophecy’ (Attrition.org 2001). Even so, the FBI’s National Infrastructure Protection Center issued a threat warning, and the Pentagon raised its cyberthreat level from ‘Alpha’ to ‘Bravo’ and prepared for ‘Charlie’, which would have pulled all government and military computers offline (Delio 2001a, 2001b). This escalation clearly implies a securitization move – not only in rhetoric, but also in practice, i.e., leading to the implementation of extraordinary measures. Moreover, this episode shows how a focusing event, though not a cyberincident, may have secondary effects also on the framing of cyberthreats, given that framing actors seize the temporary window of opportunity. By the end of spring 2001, the new threat perception was established in the media and the security policy community. In early summer it had its first international political impact.
70
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
Secretary of Defense Donald Rumsfeld in his speech at the NATO Council in Brussels on 6 June 2001 told the allies that not only the US was threatened by attacks from cyberspace, but the other NATO countries and therefore the alliance as a whole. As ‘future challenges’ for NATO, Rumsfeld named traditional terrorism, high-tech weapons, and missiles with weapons of mass destruction, but also ‘cyberattacks’ (Gilmore 2001). Less than half a year after the new government came into office, the new threat perception had gained enough ground in Washington to be discussed with the NATO allies at ministerial level for the first time. Nevertheless, Defense Secretary Rumsfeld merely laid the grounds for the president. One day later, on 7 June 2001, George W. Bush in his Iowa speech talked about the ‘true threats of the twenty-first century’, among them ‘informational warfare’ (Bush 2001a) – again a clear securitization move. USA Today again is a good indicator of this change in threat perception. While the paper published a story about the possible use of computer technology by Osama bin Laden in February 2001, only four months later it had a front-page article about the threat from foreign governments in cyberspace. Citing anonymous ‘military analysts’, USA Today in its 19 June 2001 edition reported that 20 states were preparing for cyberattacks, among them the usual ‘rogue states’ and China, but also Russia, France, Great Britain and Israel (Stone 2001: 1; Greene 2001). In this case, again, a political event on Capitol Hill was prepared by this story. This tabloid article influenced the public opinion before the event – the expert hearing in Congress – had taken place. Two days later, CIA technology analyst Lawrence K. Gershwin told Congress that non-state actors were not really dangerous in cyberspace, but that foreign governments were (Gershwin 2001: 8f; Greene 2001). After the quality of the threat had been changed in public and political perception, the next step was to increase its quantity. In a hearing in the House of Representatives in August 2001, Keith Rhodes, Chief Technology Officer of the General Accounting Office, stated that: Over 100 countries already have or are developing computer attack capabilities. [...] NSA has determined that potential adversaries are developing a body of knowledge about US systems and methods to attack them. (Dizikes 2001)
From cyberterrorism to cyberwar
71
Compared with the 20 countries the Defense Science Board had mentioned in its report just five months earlier, this was an increase of 400 per cent. So either the criteria for estimating the cyberwar capabilities of other countries had been changed, or the numbers were deliberately made this high to make the threat look more serious. By early September 2001, the new US government had established a new, state-centric discourse on cyberthreats. These observations and threat frames were not completely novel (Minihan 1998). Only under the new administration, however, would this view gain support in the highest positions in Washington and in the media. Terrorism in cyberspace was no longer considered an urgent threat. It was not really a case of desecuritization, however, since the former Clinton administration only securitized the issue in rhetoric, but not in practice. It was, nevertheless, moved further down on the policy agenda. Leslie G. Wiser, Jr., the NIPC’s Training, Outreach and Strategy Section chief, in his testimony on ‘CyberSecurity’ before the House of Representatives in late August 2001 (less than two weeks before the September 11 attacks) mainly mentioned terrorists’ use of IT for communication and organizational purposes (Wiser 2001). Though he called cyberterrorism ‘a very real threat’, he cited estimates made earlier that year by the intelligence community. This shows the importance of specific texts that could be called ‘canonical’. They become standards for the threat perception and are repeated again and again. In late August 2001, states were clearly established as the main cyberthreat.
9/11 and the renewed focus on cyberterrorism The attacks on September 11, 2001 obviously led to a complete reprioritization of official threat perceptions. This was true for the general policy debate, as well as the more specific cyberdimension. The ‘9/11’ attack was not only a catastrophe of cataclysmic proportions, but also opened a major policy window for reform (Birkland, 2004). This major crisis not only implied urgency and threatened core values, but also presented a new opportunity for policy reform (cf. Boin et al. 2005: 122–9). This is what experts had forecast for a while: a hacker attack against the emergency communications systems, and a large-scale conventional attack at the same time. IT and security policy magazines were the first to start articles on cyberterrorism as soon
72
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
as 9/11 happened. At this time, of course, no leads at all were available in this direction. Nevertheless, Federal Computer Week (FCW) already on the evening after the attacks on 9/11 published an article about the US Space Command, whose Joint Task ForceComputer Network Defense (JTF-CND) is responsible for the cyberdefense of the US armed forces. There were no special events to report from the generals, but the usual threat warnings and cyberwar game scenarios from the Pentagon-funded think tank, RAND, were presented as a real possibility (Seffers 2001). The National Infrastructure Protection Center (NIPC) on 12 September issued a threat warning for the members of the InfraGard program,9 recommending them to shut down all nonessential computer systems or at least to take them offline – a small but noteworthy extraordinary measure. All this happened in spite of the fact that any evidence for looming cyberterrorist acts was still missing, as the vice chairman of InfraGard, Phyllis Schneck, had to admit (Verton 2001). In short, the massive securitization that followed immediately after 9/11, epitomized in the new ‘war on terrorism’, implied an increased sense of insecurity, which also affected assessments of cyberthreats. Though 9/11 was a brutally physical offline attack, images of cyberthreats were swept along with the general securitization of US policy and reform post-9/11. The media were among the first actors to frame cyberthreats in terms of securitization, implying existential threat and call for extraordinary measures. Following 9/11 many papers published articles about the looming ‘cyberdanger’, and USA Today again was one of the first. Two days after the attacks, on 13 September , the paper wrote about coming cyberattacks in the near future – ‘another wave of terrorism’ – and quoted a former Pentagon official’s warning of an ‘electronic Pearl Harbor’ (Schwartz 2001a) – a clear instance of securitizing rhetoric. The government agencies as well were somehow helpful for this new fear of ‘cyberterrorists’. NIPC, for example, on 14 September issued another ‘Cyber Awareness’ warning, this time for the general public. They warned especially of politically motivated website defacements and some modified computer viruses and worms.10 This of course posed no real danger, especially not one at all comparable to terrorism. But still the context in which this warning was issued made it look like a warning of cyberterrorism to people who were not IT security experts.
From cyberterrorism to cyberwar
73
Even organizations that before September 11 had mostly dealt with technical and economic aspects of IT security were now talking about foreign and/or Islamic terrorists. The West Virginia Information Assurance and Computer Security Alliance, for example, which since its establishment in the summer of 2002 had been concerned more about insider sabotage and disgruntled IT employees, on its first meeting after September 11 warned only of ‘outsiders’ attacking computer systems (NIPC 2001a). By the end of the month, this debate already had created enough pressure to force the government to move. On 8 October, President Bush set up an ‘Office of Cyberdefense’ at the White House, as part of the new Homeland Security Office at the National Security Council (Bush 2001b, 2001c, 2001d). The former coordinator for counter-terrorism and critical infrastructure protection at the NSC, Richard A. Clarke, was given this office (White House 2001b). This was mainly a symbolic act, as the job had been there since the Clinton administration established it in 1998 – it just had been called by another name.11 Nevertheless, this shows how important it seemed to the government to at least give the impression of doing anything it could to prevent cyberterrorist attacks. The first draft by the Justice Department of a new AntiTerrorism Act (ATA), which had been presented on 23 September, accordingly treated most cases of computer crime as ‘terrorism’ and proposed lifelong imprisonment as the appropriate punishment. Even harmless teenager activities like defacing websites would have been treated as cyberterrorism under this act (Poulsen 2001b). The USA Patriot Act that finally became law on 26 October followed this definition of cyberterrorism, but reduced the maximum penalty for hacking to ten years in jail for a damage of at least $5,000. But it now criminalized break-ins into any computer outside the United States ‘that are used in a manner that affects interstate or foreign commerce or communication of the United States’ (US Congress 2001b). This is clearly the cyberequivalent of the worldwide ‘war on terrorism’ the US government has been fighting since September 11, 2001, as it systematically expands beyond the American territory. While so far the debate had been mostly abstract, in November 2001 it became more focused on Osama bin Laden, who by then had clearly been established as the public enemy number one. A member of the ‘Cyber Crime’ group in the CSIS’s project on Homeland Defense testified in a hearing before Congress that
74
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
‘while bin Laden may have his finger on the trigger, his grandson might have his finger on the mouse’ (Schwartz 2001b). In terms of framing theory, this implied not only that that the frame become more restricted and specific, but also that the focus was strongly on the threat itself rather on the threatened core values or referent objects. The way these conclusions were drawn is quite telling. Sometimes it seemed that anybody who could book a flight ticket online was suspected of being able to start cyberattacks. Newsbytes, for example, a normally well-informed news service on IT issues, quoted the Georgetown University computer security professor Dorothy Denning pointing out that terrorists use the Internet to send email and book airline tickets, and that many groups have websites (Daukantas 2001). This is nothing extraordinary, since almost everybody with Internet access has shopped or booked flights online. But mentioning this in an article generates the impression of a particular cyberterrorism danger, especially when, as in this case, the story has ‘cyberterrorism’ in the headline. In December 2001, an alleged member of al-Qaeda who had been caught in India was quoted by Newsbytes as saying his organization had infiltrated Microsoft and manipulated the source code for their new operating system Windows XP (McWilliams 2001). This report quickly made its way around the world, though it relied on only a single and somewhat sketchy source. The information came from the Indian IT security businessman Ravi Visvesvaraya Prasad, who among information warfare experts was already known for his sensationalist op-eds on the ‘threat’ of Chinese information warfare in Indian newspapers (Visvesvaraya Prasad 2001). The fear of al-Qaeda led to some peculiar ways of handling news even within the big news networks, including CNN which in January 2002 ran the headline ‘Al Qaeda may have probed government sites’ (‘FBI: Al Qaeda…’ 2002). Indeed, during the months following 9/11 there was an abundance of fear-mongering items in the news media that framed al-Qaeda as the main threat, also in cyberspace. An example of this is a Newsweek article entitled ‘Islamic Cyberterror. Not a matter of if but of when’ (Newsweek 2002; cf. McAlearney 2001; Manjoo 2002; ‘Government Not Ready… 2002; Kelley 2002; Trabelsi 2002; Trendle 2002). Several polls also showed that IT experts increasingly believed that the US would face a major cyberattack
From cyberterrorism to cyberwar
75
within the very near future (‘Is Online Terrorism a Legitimate Threat?’ 2002; Business Software Alliance 2002). It is noteworthy, however, that the respondents were experts on computers rather than on terrorism or war. Particularly influential was an article written by retired Air Force General and Kosovo veteran Wesley Clark and ITentrepreneur Bill Conner. Clark had led the campaign against Serbia and still is an influential man in Washington security policy circles. Conner in turn is president and CEO of the IT-security company Entrust Inc. This joint venture of framing actors – an experienced general who knows how to win a war, and a trustworthy IT security expert – was enough for the Washington Times to print their op-ed. One of their key sentences was: ‘The next battle in the war on terrorism may be on the cyber front’ (Clark and Conner 2002). Now, the US government found this threat perception serious enough to try to convince its international allies of it. Defense Secretary Donald Rumsfeld at the NATO Council meeting on 18 December warned of terrorism as one of the new ‘asymmetric threats’ (Rumsfeld 2001). Half a year before, the same thing had happened at the NATO Council. The only difference was the complete change in the concept of the potential attacker. While it had been foreign countries in June 2001, in December it was terrorists. The same could be seen in other parts of the US government (Watson 2002). In December 2001, Congress had already approved the establishment of a Cyber Division at FBI Headquarters that was tasked with coordinating, overseeing and facilitating FBI investigations into computer-related crime and foreign intelligence (Mueller 2002). In March 2002, the intelligence community’s new ‘global threat’ estimate was presented to Congress. CIA director George J. Tenet, when discussing possible cyberattacks, mostly talked about terrorists (Tenet 2002: 3). Defense Intelligence Agency director Thomas R. Wilson, who one year before had warned of Cuba’s potential cyberwar capabilities, now as well called cyberterrorism the clear and present danger (Wilson 2002: 14f). Among the many new measures introduced in the wake of 9/11, there was a new category of information that was not secret or classified but ‘sensitive classified’ and much of that information was deleted from government and private websites.12 With 9/11 the US federal government launched a new wave of securitizing the Internet, mainly as part of the new ‘war on terrorism’. The
76
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
Pentagon had found the enemy it had been searching for since the end of the Cold War (Kaldor 2001; Barnett 2004). In conclusion, post-9/11 cyberthreats were once again framed in terms of cyberterrorism rather than in terms of interstate cyberconflict. In contrast to the Clinton administration however, which had also focused on cyberterrorism, the Bush government now framed cyberterrorism with obvious securitizing implications of existential threat and legitimizing extraordinary measures. Now they meant serious business: the government both talked the talk, and walked the walk of securitization. The media and the government walked hand in hand in this endeavour. The 9/11 attack also shows how a focusing event (Birkland 2004), which had nothing to do with cyberterrorism as such, nevertheless opened a window for pushing this particular threat frame.
Back to states as cyberenemies Though the ‘war on terrorism’ dominated the entire security policy discourse in the US, in mid- to late 2002 a noteworthy change could be observed in the framing of cyberthreats. In August 2002, the Naval War College conducted an exercise called ‘Digital Pearl Harbor’. The simulation brought together a team of experts from the Department of Defense and the Gartner Group to assess the vulnerabilities and threats related to critical infrastructures. The outcome was in stark contrast to the fears discussed since September 2001. While local attacks were taken seriously, the experts agreed it would be virtually impossible to bring off any lasting, nationwide damage. Even more, the threat by cyberterrorists was not considered high at all. If anybody should be considered as dangerous to the slightest degree, only nation-states would have the capability to at least attempt large-scale attacks. But even governments with all the resources at their hands would not be able to inflict serious damage (Greene 2002). If anything, this was an attempt to desecuritize cyberterrorism. Richard Clarke, head of the White House Office for Cyber Security, told the press that the government had begun to regard nation-states rather than terrorist groups as the most dangerous threat. He mentioned even more reasons for this latest change in the cybersecurity discourse. Not only simulations, but as well realworld observations and experiences now seemed to be behind it because the government, according to Clarke, had changed its threat assessment after several suspicious break-ins into federal
From cyberterrorism to cyberwar
77
networks. He noted that there were terrorist groups interested in conducting cyberattacks in five or six countries (Eunjung Cha and Krim 2002). The focus on states as cyberenemies remained at least until the second term of George W. Bush (Jehel and Ranger 2004). Clarke did not make clear which countries now were considered ‘real threats’. But the number he mentioned – five or six countries – is remarkably lower than the 20 to 100 states the government had considered as cyberthreats one year before (cf. Verton 2002a). Since then, official reports have continued to quote various numbers of potential cyberenemies. It might simply be a confusion of capacity with intent to do harm, at least against the US. In 2002, Riptech’s annual ‘Internet Security Threat Report’ added a section called the ‘Cyberterrorism Watch List’. The analysts specifically analysed the data on countries on the State Department’s list of ‘State Sponsors of Terrorism’ and some other countries known for terrorist activities. But the results were not showing any link between so-called ‘rogue states’ or terrorism and cyberincidents. About 90 per cent of the activities from countries on the watch emanated from Iran, while the remaining 10 per cent was split evenly between Cuba and Sudan. But more importantly, ‘countries on the Watch List generated less than 1 per cent of all attacks detected during the past six-month period. More than twothirds of all incidents originated in Europe or North America’ (Riptech 2002: 15). Cyberterrorism is still on the agenda, but with a considerably lower priority than during the Clinton administration and in the months immediately following 9/11. Cyberterrorism is still considered more of a potential than an immediate threat. One important reason why cyberterrorism again became deprioritized is that none of the alarmists’ fear-mongering scenarios came even close to be realized.13 Incident statistics were often looking more alarming than warranted.14 In some cases even Internet ‘pings’ were categorized as possible cyberattacks. Computers viruses and worms continued to plague cyberspace, which certainly cost a lot of time and money to combat. The increasingly available easy-to-use automatic attack tools implied that advanced hacking skills were no longer necessary, which in turn increased the number of Internet incidents dramatically. But none of this warranted the rhetoric of cyberterrorism and cyberwar. Computer attacks by foreign governments and non-state actors continued to plague cyberspace, with more or less costly losses of information, money and confidence. Yet the destruction of
78
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
bits and bytes never directly killed anybody or destroyed any buildings. In the words of Professor Denning: Few if any [cyberattacks] can be characterized as acts of terrorism: fraud, theft, sabotage, vandalism, and extortion – yes, but terrorism – no. Their effect, while serious and not to be taken lightly, pales in comparison to the horror we witnessed on September 11. (Denning 2001; cf. Dornheim 1998; Libicki 1997: 37–38) The return of states as enemies in cyberspace coincided with the launching of the first National Strategy to Secure Cyberspace (PCCIP 2002), which was updated less than a year later (White House 2003). This was the work of the President’s special advisor for cybersecurity, Richard Clarke, together with representatives from the private sector. Importantly, this document not only laid the ground for the official US policy on cybersecurity, but also showed that focus was not so much on the intentions and strategies of real or potential adversaries, but rather on ‘malware’ technologies and on vulnerabilities (US Department of Defense 2001: iv; Fordahl 2002; Verton 2002b). A headline in the chapter on ‘Threats and Vulnerabilities’ explicitly reads: ‘Reduce Vulnerabilities in the Absence of Known Threats’ (PCCIP 2002: 4). Thus, emphasis was more on ‘weapons’ and referent objects, rather than on enemies. It is also noteworthy that although 9/11 is mentioned (PCCIP 2002: 14), this policy document is more concerned with cyberincidents proper. An explicitly discussed instance is the worldwide spread of the Nimda computer virus, which was activated a week after 9/11. This incident is explicitly referred to as ‘a wake-up call’ (PCCIP 2002: 3). In theoretical terms this event was a policy window that planners and analysts used for pushing cyberthreats on to the agenda.
Conclusion Since George W. Bush became president, three sharp changes of direction in the framing of cyberthreats have been observed. The first change took place immediately after the new administration came into office. The ‘cyberterrorists’ of the Clinton era were replaced by ‘strategic rivals’, ‘rogue states’, and other countries preparing for ‘cyberwar’. Then, after 9/11, this state-centred threat
From cyberterrorism to cyberwar
79
perception was quickly but temporarily replaced again by the fear of ‘cyberterrorism’, emphasizing transnational networks rather than states. The last turn came in the late summer of 2002, when attention was again shifted to nation-states, but with a significantly lower threat estimate than a year before. This master frame still seems to dominate the US government’s understanding of cyberthreats, particularly as the ‘war on terrorism’ is increasingly and explicitly compared to the Cold War, with its emphasis not only on a known enemy and a long-term perspective, but also on states as the sources of evil, and the core role given to the military. The Bush administration contains some people in important offices who had already served in former governments before 1989, including Secretary of Defense Rumsfeld. He has repeatedly framed the new ‘war on terrorism’ in Cold War terms. Likewise, Secretary of State Condoleezza Rice, who had in the mid-1980s worked on nuclear strategy planning for the Joint Chiefs of Staff, has compared ‘cyberwar’ with nuclear deterrence – a clear securitization move (cf. Jehl and Sanger 2004: A1). Not only is threat framing the same old wine, but now it also comes in the same old bottles. Securitization theory is clearly relevant for analysing the politics of setting the agenda of cyberthreats. However, its hypothesis on existential threat and extraordinary measures covers only a part of threat framing. Securitizing moves can be observed both in rhetoric and action in the Bush years, but mainly in rhetoric during the Clinton years. The securitization move of the 2001 Republican administration was more successful than the similar move attempted by the Clinton administration in the 1990s, which targeted individuals’ use of strong encryption software. In that instance, using a powerful combination of freedom of speech discourse and in-depth technical expertise, an ‘odd alliance’ of ICT companies and civil liberties NGOs successfully shelved the move to securitize encryption software (Giacomello 2005). US actors have also framed cyberthreats in several other, less panicky ways than that assumed by the securitization logic. Except for some scare-mongering scenarios like ‘electronic Pearl Harbor’, cyberthreats such as viruses and hacking are often considered as non-lethal, not being of existential significance, and not requiring extraordinary measures such as the use of force. Securitization theory thus fails to grasp the breadth of perceptions and positions on cyberthreats.
80
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello
Therefore, the more comprehensive threat politics approach adopted here (cf. Eriksson 2001a, 2001b), which incorporates but goes beyond securitization, is a more useful analytical tool. This approach focuses on frame characteristics, framing actors, and contextual conditions (structures and focusing events). Frame characteristics may, but do not necessarily, include an identification of existential threat and a legitimization of extraordinary measures. Threat framing may be elaborated or restricted, specific or diffuse, and focus on antagonistic actors, structural phenomena or particular events. The foregoing analysis of post-9/11 responses shows that the US framing of cyberthreats has waxed and waned between more alarmist scenarios of ‘electronic Pearl Harbor’ and more realistic analyses of the actual but non-lethal cyberplagues, whether the culprits are states or non-state actors. Likewise, this case study has shown the value of considering a wide range of framing actors. Analysts and decision-makers within the government’s security policy establishment, including the intelligence community, certainly have played key roles, but so have the media and a great many business actors (Schwarz 2002; Delio 2002; Rotenberg 2003). It is the combined or coinciding efforts of governmental actors, the IT business and the media that have pushed and changed the framing of cyberthreats in US security policy discourse. Certain contextual conditions have also facilitated the prioritization of some threat frames over others. The change in administration from Clinton to Bush implied an ideological shift which among other things affected foreign and security policy in general, including the official understanding of global cyberthreats. The more confrontational, state-centred and military-oriented approach of the two consecutive Bush administrations contrasts starkly with the Clinton administration’s multilateralism, networkoriented and soft power approach. This difference remains even though the Bush administration immediately after 9/11 temporarily focused on (non-state) cyberterrorism. As has been argued elsewhere (Birkland 2004), the events of 9/11 had a tremendous impact as a pivotal policy window, opening for reforms that would have otherwise not been on the agenda. Indirectly it affected also the framing of cyberthreats, as analysts immediately began asking how al-Qaeda was using the Internet, spurring thinking on cyberterrorism. More important, however, were various cyberincidents proper, such as the Nimda virus and computer attacks by other governments, some of which were
From cyberterrorism to cyberwar
81
considered ‘rogue states’ or ‘strategic rivals’. Nevertheless, it is obvious that not only do the great majority of cyberincidents originate from within the United States but also the US government is the only superpower in cyberspace.
Notes 1
2 3 4 5
6 7
8
This chapter is an updated and considerably revised version of a chapter by Ralf Bendrath that appeared in Robert Latham (ed.) Bombs and Bandwidth: The Emerging Relationship between IT and Security, New York: The New Press, 2003, pp. 49–73. In particular, the present chapter develops and applies a theoretical approach that was not used in the original paper. United Artists, starring Pierce Brosnan as James Bond and directed by Martin Campbell. Winn Schwartau of <www.infowar.com> used the term ‘electronic Pearl Harbor’ in June 1991 in a testimony before Congress (Schwartau, 1994: 43). There is even a special term nowadays for the typical overblown threat warnings: ‘FUD, for fear, uncertainty, and doubt’. Since the late 1980s, Barry Buzan, Ole Wæver, and their colleagues have developed a creative research agenda of security studies, with emphasis on a widened security concept. The ‘Copenhagen school’ – a label suggested by one of their critics (McSweeney, 1996) – has attained noticeable interest within the academic International Relations community, as witnessed in the series of reviews, critiques and amendments (for overviews, see Huysmanns, 1998; Williams, 2003). The most important contribution of the Copenhagen school is the development of Ole Wæver’s securitization theory (Buzan et al. 1998). See also the section on constructivism in the introductory chapter in the present volume. It was established by Presidential Decision Directive 39, ‘US Policy on Counterterrorism’, 21 June 1995; see also Freeh (1997). ‘Hidden in the X-rated pictures on several pornographic websites and the posted comments on sports chat rooms may lie the encrypted blueprints of the next terrorist attack against the United States or its allies. It sounds far-fetched, but US officials and experts say it’s the latest method of communication being used by Osama bin Laden and his associates to outfox law enforcement. Bin Laden, indicted in the bombing in 1998 of two US embassies in East Africa, and others are hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other websites, US and foreign officials say’ (Kelley, 2001). Currently, encrypting files is very simple and only requires the use of publicly available programs (see for example <http://www.pgpi.com>) whereas a digital break-in, especially into computers critical for security, requires years of experience in systems and network programming. Additionally, only very few critical systems are
82
9 10 11 12 13
14
15
Ralf Bendrath, Johan Eriksson and Giampiero Giacomello connected to public networks. Furthermore, the defacement of websites and the construction of computer viruses is relatively easy to accomplish with only limited experience, especially because there are instructional tools available for this on the Internet. However, this does not pose a serious danger, but rather an annoyance, and real hackers ridicule it as ‘script-kiddie’ behaviour. The Clinton government later decided to call them ‘states of concern’, which was immediately revised by George W. Bush when he became president. InfraGard is a locally based public–private partnership run by the FBI and the private sector. See <http://www.infragard.net>. For example, the old virus ‘life_stages.txt.shs’ had been renamed ‘wtc.txt.vbs’, alluding to the World Trade Center. See NIPC (2001b). Earlier the post was called ‘Senior Director for Critical Infrastructure Protection’ and had been held from 1998 until the end of the Clinton administration by Jeffrey Hunker. The website of the highly regarded Federation of American Scientists is such an example: see <www.fas.org/terrorism/is/index.html>. The US President’s order (executive order) is available from <www.fas.org/sgp/bush/eoamend.html>. Despite widespread fears of cyberterrorism and virus attacks, September 11, 2002 passed almost without incident in the online world. A pro-Islamic hacking group, the ‘Unix Security Guards’, hacked into three AOL Time Warner computers three days earlier and kept them down until September 11. Though the analysts at mi2g had predicted even more attacks, nothing else happened. According to the website defacement archive Zone-H, only a few dozen websites were hacked, but with practically no references to September 11. The only things that made the cyberthreat news over September 11 were two poorly written computer viruses that did not spread very far. One of them was even broken and crashed regularly (Middleton 2002). For some statistics from the studied period, see mi2g Digital Solutions Engineering, Link with Terrorism Affects Global Hacking, press release, London, 2 February 2002, <http://www.mi2g.com/cgi/mi2g/ press/020102.php>. See <www.mi2g.com/status> for detailed statistics since 1995. The different measuring standards therefore could explain changes and differences in quantitative measures (like the number of countries actually preparing for cyberwarfare). But there is no evidence of specific changes in the criteria before the threat perception changed. More importantly, this does not explain the qualitative changes in the discourse that changed from ‘terrorist’ to ‘states’. For discussions on the varying and often very encompassing criteria of Internet incidents, see McKay (1998), Clark (2000), Aldrich (2001) and Lemos (2002).
Part II
The politics of protection
4
Securing the digital age The challenges of complexity for critical infrastructure protection and IR theory Myriam A. Dunn
Introduction By aiming to evaluate the strengths and limits of international relations (IR) theory in order to gain an understanding of security in the digital age, we take on an exceedingly difficult task. Not only has this issue hardly ever been addressed before, leaving us with barely any literature to base our analysis on – we also enter a realm of vast extent, indistinct boundaries, and a sloppy conceptual arsenal. There are more basic questions than answers: What is digital-age security and how might it be defined in a meaningful way? Is there really anything new about digital-age security that clearly sets it apart from more traditional security matters? Which specific aspects of digital-age security do we want to explain and why? And, maybe the most challenging question in the context of this project: Is a theory of digital-age security needed at all? Because of the vocabulary of clichés that inhabits the digital-age debate, we must place particular emphasis on conceptual precision in order to achieve a substantial theoretical analysis. Absent any satisfactory definition of ‘digital-age security’, we must bring meaning to the concept by designating issues that could form part of a valid definition. It is sensible to discern two categories: offensive activities such as information warfare, cybercrime or cyberterrorism (Parker 1983; E. Cohen 1996: 39; Cooper 1997; David 1997; Pollitt 1997; Libicki 1999; Lewis 2002); and defensive activities such as defensive information operations, information assurance or critical information infrastructure protection (CIIP) (Libicki 1995; Dunn and Wigert 2004; Dunn 2006). The common denominator of these issues is their unspecified connection to the so-called ‘information revolution’
86
Myriam A. Dunn
and ‘cyberspace’, or, more specifically, their connection to the ‘information infrastructure’. However, it is not easy to understand what exactly the information infrastructure is. This is because it has not only a physical component that is fairly easily grasped – such as highspeed, interactive, narrow-band and broadband networks; satellite, terrestrial and wireless communications systems; and the computers, televisions, telephones, radios and other products that people employ to access the infrastructure – but also an equally important immaterial, sometimes very elusive (cyber)component, namely the information and content that flows through the infrastructure, the knowledge that is created thereby, and the services that are provided (Dunn and Wigert 2004: 19–20). Furthermore, it would be misguided to restrict ‘digital-age security’ to cyberattacks or incidents or, conversely, to cybertargets, because the means of attack can be either physical (such as a backhoe to sever a telecommunications cable, or explosives) or virtual (such as electromagnetic pulse or hacker tools) (Devost et al. 1997: 76; OCIPEP 2003: 12). It is striking that all the issues we have named are very ambiguous concepts, each one with its own string of varying definitions. As a basis for theorizing, this situation is not satisfactory. In fact, it is doubtful whether the label ‘digital-age security’, or any similar term, is practical at all due to its imprecision. In order to lay the foundations for theorizing, therefore, we must first carefully identify what precise aspects of the phenomenon we want to explain, and for what reasons. It is clear, furthermore, that the scope and nature of a possible theory for aspects of the digital age depend on how we perceive and interpret the magnitude and depth of the current transformations. Such theorizing might either aim to be thoroughly ‘new’ if the current transformation is thorough and sweeping – or it might be considered satisfactory to adapt old approaches to specific circumstances if changes are less thorough. By setting out to answer what IR theory has to offer in terms of explanations for the concept, one might assume that ‘digital-age security’ is automatically and uncritically regarded as a specific phenomenon – that it establishes a specific context with a specific impact and thus creates the need for new approaches. However, it is doubtful whether this is actually the case. Instead, therefore, in this chapter we first set out to understand what makes the digital age special and what its defining features are. From there, we go on
Securing the digital age
87
to describe what this means for international relations. We will show that states mainly focus their attention on the protection of critical (information) infrastructures due to a very particular information-age threat image. Notwithstanding this trend, we argue that the forces of the information revolution have not changed the conditions of security, defined in an objective sense as the absence of threat to a societyâ&#x20AC;&#x2122;s core values and in a subjective sense as the absence of fear that these values will be attacked (Wolfers 1962; Baldwin 1997). What have changed significantly due to the particularities of the digital age, however, are some of the conditions for securing. The distinction between security and securing is slight but pivotal; while security is a momentarily static condition, securing has a somewhat different connotation: it includes the act of making something safe or secure and thus of actively thwarting possible threats to any given referent object of security, implying actors, politics and policies. As an outcome of the information revolution, we can observe a qualitatively significant change in the (perceived) nature of threats or risks to security, a change in some of the means to achieve the goal of security and a change in the constellation of actors involved in the securing process. We then show that the defining key feature of the digital age, underlying all of these observations, is the predominance of complexity and change on two levels: (1) on the level of technological systems and (2) on the level of the international system. From the field of complexity studies, a research area belonging to the natural sciences, we learn about the behaviour of systems in general, and speculate on the consequences of this in the latter part of this chapter. However, while complexity theory offers answers to certain questions concerning the technical systems, we argue that the applicability of these ideas is somewhat limited for the political realm. The main reason is that from a constructivist vantage point, the information revolution and ensuing complexity only matter when they are perceived to matter. They are nothing more than conditions that shape the threat perception of key decision-makers and thus have an impact on their thoughts and actions.
Digital-age literature scrutinized There is little doubt among experts that the basic conditions of international relations have changed in the last decade, with the information revolution often named as one major driver of change
88
Myriam A. Dunn
(Zacher 1992; Castells 1996). But what is this famed information revolution, and what makes it so special? It is common knowledge that the significance of information is not unique just to our time, but that it has always been vital to humankind. It is also commonly understood that throughout history, advances in scientific-technical fields have played major roles in changing human affairs, and that there have been other information and communication revolutions, all of which significantly shaped history, human activities and their institutions (Deibert 1997; Papp et al. 1997; Waldrop 1998; Borgmann 1999; Hobart and Schiffman 2000; Freeman and Louca 2002). When probing phenomena that have been drained of meaning by overuse, researchers must be particularly careful not to fall into the trap of re-inventing the wheel or calling everything ‘new’ just because it appears so at first sight. They should rather strive to see things in their proper historical context and advance to the core of things by meticulously analysing what exactly sets this development apart from other developments. Such an undertaking is hampered by imprecision in terminology: ‘information revolution’ and ‘information age’ are terms currently used by many different parties for many different facets of an elusive phenomenon, leaving the researcher with a confusing diversity of usually poorly defined concepts). The nature of these terms is such that they have never been precise – nowadays, however, they have been used so extensively that they can basically signify anything or everything, and are thus ultimately devoid of meaning altogether. But even though the terms have become mere catchphrases, there is simply no alternative to their use. In our view, the current ‘revolution’ concerns a special set of technologies, often subsumed under the heading of information and communication technologies (ICTs) (Alberts et al. 1997). In particular, the marriage of computers and telecommunications and the ongoing, dynamic integration of these technologies into a multimedia system of communication with global reach are defining features of the current technological development. This adds a great deal of speed, capacity and flexibility to the gathering, processing and transmission of data into knowledge, and enhances humankind’s ability to communicate, to utilize information and to overcome obstacles earlier presented to communication by distance, time and location (Dunn 2002).
Securing the digital age
89
To advance from here and begin to interpret what this technological expansion actually means for the individual, society, the state, or international relations implies a great deal of speculation. Even if certain ramifications seem evident, there is almost no empirically grounded research that would allow us to convincingly move beyond the anecdotal evidence that is frequently offered. Nonetheless, in order to determine what the international community believes to be the key characteristics of the current revolution, we will recapitulate the main arguments from the information revolution literature. The changing nature of power At the core of these writings lies the notion that we face changes in the nature and quality of power. Power in politics is often divided into three subsections: economic, military and political power. These are the three ‘pillars of power’ on which rests the ability of nation-states to achieve their goals. Economic power is derived from the resources within a state’s borders and the aptitude to trade them; military power comes from the availability of people and material; and political power is drawn from the potency of leaders and institutions, the people’s support and endorsements from other nation-states (Rothkopf 1999). The traditional view of realist political science, in a basic form, is that military power dominates other forms of authority, and that the states with the most military power therefore dominate world affairs. This interpretation of the realist school was critically confronted as early as 1977, mainly as a reaction to observations about a changing economic world (Keohane and Nye 1977). Since then, the resources that produce power capabilities have become even more complex; today, the three pillars of power are being shaken by the growing influence of ICTs on international relations. Control over knowledge, beliefs and ideas is increasingly regarded as a complement to control over tangible resources such as military forces, raw materials and economic productive capability. Often, one hears that ‘information is power’ (Nye and Owens 1996). In a political-science view, this is the case because information reduces uncertainty and can result in an asymmetrical advantage over others who have less information at their disposal. ICTs, which help to accumulate information that can be turned into knowledge, are therefore today’s ultimate and most important power resource. Economic instruments, too, have gained
90
Myriam A. Dunn
importance for the exercise of power, mainly by multinational corporations and other business entities. The most influential and most frequently cited article on the topic is Keohane and Nye’s ‘Power and Interdependence in the Information Age’ (Keohane and Nye 1998; Nye 1990). The relative power loss of state actors It is frequently argued that the main locus of power resources has shifted from military, to economic, and now to informational resources, as noted in the previous chapter. Transfer of authority occurs in diverse directions through ‘fragmegrative’ dynamics (Rosenau 1998), while creation of wealth today occurs through ideas, knowledge and opportunity. Power increasingly flows to centres of innovations and technological know-how, and on the individual level to a new kind of technological elite – those specialists who control or master ICTs through extraordinary skills or ideas. Two central conflicts reveal the nature of the ongoing redistribution of power: first, the idea that the emergence of a global electronic marketplace will bring about the inevitable collapse of the state’s economic pillars of power, as companies increasingly become global citizens and economic boundaries no longer correspond to political ones (Rosecrance 1999); and second, the notion that the information revolution empowers new forms of international actors, thus challenging the state’s position as the major player in the international system (Papp and Alberts 1997). The information revolution is seen to affect not only the role and position of states, but also the position and influence of other actors in international affairs. These are mainly international governmental organizations (IGOs), multinational corporations (MNCs) and non-governmental organizations (NGOs). It further exerts considerable influence on the role of the individual: the strengthened position of the individual can be explained by the expansion of the individual’s diagnostic capabilities thanks to the advance of ICTs, which allow citizens to become more competent and enhance their analytical skills. This development has been labelled ‘the skill revolution’ (Rosenau 1998: 42). The outcome of this rearrangement will likely be a skewed, complex and volatile pattern of power distribution, as transfer of authority occurs in diverse directions, and as changes are absorbed and operationalized by different actors, at different levels, in different ways and at different speeds. The final result of such a
Securing the digital age
91
development, it is assumed, will be a ‘bifurcation’ of global structures into state-centric and multi-centric subsystems where states are no longer the only key actors (Rosenau 1990; Nye 1998). In order to express the complex and ambiguous nature of the development, neologisms like ‘fragmegration’ (fragmentation/ integration) or ‘glocalization’ (globalization/localization) have been created (Rosenau 1998). From quantitative change to qualitative consequences Even though many of the claims concerning changing power structures ring true in some way, most of them are based on the premise that more ICTs automatically imply a qualitative difference. However, even if we count the numbers of computers connected to the Internet, the use of mobile phones in percentage of the overall population of a country, or the amount of information available on the World Wide Web, no convincing conclusion is possible as to their impact. Quantities are undoubtedly important, but it is only our attribution of meaning to them that will allow us to truly theorize about the digital age. As Holsti (1998) notes, significance is the link connecting quantitative changes (causes) to qualitative changes (consequences). Unless we attribute meaning to quantities, we have no way of knowing when change becomes significant, or when it is or becomes truly transformational. In fact, one could argue that a new theory is only required if we establish that there is such a fundamental change in the environment that old approaches no longer hold true. When we turn to IR theory, we find that even though the arguments about the nature of change, its possibilities and its consequences are implicit in the great debates among theorists of IR and thus constitute a major area of disagreement, the issue has been largely neglected in the mainstream literature in this field (Buzan and Jones 1981; Ruggie 1993; Holsti 1998). However, (new) institutionalist approaches offer an interesting approach to the topic of change. If we view the international system as an ensemble of institutions, which can be defined as practices constituted by norms or rules (Kratochwil 1989), we might argue that a fundamental change in the international system occurs when a significant part of its constitutive norms or rules are altered. Strange (1988) has argued similarly, stating that technological changes only change power structures if they are accompanied by changes in the basic belief systems which underpin or support the
92
Myriam A. Dunn
political arrangements acceptable to society. The key question in connection with our topic can therefore be rephrased as follows: Have quantitative changes induced by the information revolution produced a significant number of new patterns, norms, practices or institutions so as to cause a fundamental qualitative change in the international system? There is no simple answer to this question, for a number of reasons that are conceptual as well as empirical: First, these developments are recent and ongoing, and difficulties in grasping their true proportions are inevitable, because we are in the midst of the process ourselves. Second, the implications are far from straightforward; many observers have pointed out that complexity and change are the two defining characteristics of the digital age, since the present epoch is marked by persistent opposites and derives its order from episodic patterns with very contradictory outcomes (Rosenau 1990; CSIS 1996). It is therefore very difficult to produce stringent empirical evidence for or against the claim that international institutions have changed. Third, our key question refers to a systemic and sweeping phenomenon, a fundamental type of change that transforms the practices and constitutive conventions of the entire system. This universalism is the hallmark of almost every conventional international relations theory. However, in the light of the fact that developments are not only ongoing, but also very ambiguous, a context-dependent approach is more appropriate. Fourth, and most importantly, we believe that the perception of these changes is what truly matters, and not their objectively measurable reality. Hence, in the following discussion, we focus on qualitative consequences with empirically observable effects on securing practices.
Broadening the threat spectrum First and foremost, the information revolution is directly responsible for the rapidly increasing number of forewarnings in the 1990s concerned with digital-age security (Eriksson 2001a, 2001b). There are two sides to the particular information-age threat image: a new kind of vulnerability due to the dependency of modern society on inherently insecure information systems on the one hand, and the aforementioned redistribution of power on the other:
Securing the digital age •
•
93
Due to falling costs, increased and large-scale availability, greater utility and ease of use, ICTs have propagated into all aspects of life, with the result that societies in developed countries are becoming increasingly dependent on them for their well-being, every-day life, work, economic transactions, comfort, entertainment and many personal interactions (Dunn 2002). The perception today is that there are a variety of actors in the cyberenvironment who are willing to contravene national legal frameworks and hide in the relative anonymity of cyberspace. The growing prevalence and adaptability of these cyberbased threat actors is seen as a considerable threat to national security, because they seem to have the capacity to inflict significant damage through tools that are readily available and relatively easy to use by those with even a cursory knowledge of, and skill in using, computer technologies (PCCIP 1997).
These two aspects together feed the fear of severe asymmetrical vulnerabilities, a concept extensively discussed in the United States (Metz and Johnson 2001; Berkowitz 2003; Blank 2003; Husain 2003). The word ‘asymmetry’ is used to describe a broad range of threats and tactics; at the core of the term is the intention to circumvent the opponents’ advantage in capabilities by avoiding their strengths and exploiting their weaknesses (Kolet 2001). The concept of asymmetric threat or vulnerability connotes that ‘the enemy’, clearly doomed to fail against the mighty US high-tech war machine in any conventional conflict, will instead plan to bring the US to its knees by striking at vital points at home (Berkowitz 1997) – these points being fundamental to the national security and to the essential functioning of industrialized societies as a whole, and not necessarily to the military in particular. These vital points are called ‘critical infrastructures’ (CI) in today’s security debate. The concept of critical infrastructures usually includes sectors such as information and telecommunications, financial services, energy and utilities, transport and distribution, plus a list of additional elements varying across countries and over time (Moteff 2002; Dunn and Wigert 2004; Abele-Wigert and Dunn 2006). Attacking infrastructure has a ‘force multiplier’ effect, allowing even a relatively small attack to achieve a much greater impact. Because the CI delivers a range of services that individuals, and society as a whole, depend on, any damage to or interruption of the CI causes ripples across the technical and the societal systems. For
94
Myriam A. Dunn
this reason, CI structures and networks have historically proven to be appealing targets for a whole array of actors (OCIPEP 2003). In fact, protection concepts for strategically important infrastructures and objects have been part of national defence planning for decades, though at varying levels of importance. Towards the end of the Cold War and for a couple of years thereafter, the possibility of infrastructure discontinuity caused by attacks or other disruptions played a relatively minor role in the security debate â&#x20AC;&#x201C; only to gain new impetus around the mid-1990s, due to the information revolution (Luiijf et al. 2003). Since then, critical infrastructure protection (CIP) as a policy issue has risen to the top of the security agendas of many countries in the last couple of years. The information infrastructure plays a very special role in the CIP debate. Vulnerabilities in critical infrastructures are believed to be on the rise mainly because the information infrastructure underpins many elements of the critical infrastructure, which therefore become dependent on a spectrum of highly interdependent national and international software-based control systems for their smooth, reliable and continuous operation (Rathmell 2001; Moteff 2003). This, in turn, leads to increasingly complex interdependencies. This part of the global or national information infrastructure, which is essential for the continuity of critical infrastructure services, is called critical information infrastructure (CII) in the debate. The increasing value of information and the availability of electronic means to manage its ever-growing volume have made information and information systems not only an invaluable asset, but a lucrative target, too. Information systems are exposed to failures, are attractive targets for malicious attacks, and are susceptible to cascading failures. The interdependency factor implies that critical infrastructures do not need to be attacked physically, but may be targeted through electronic or virtual means, the worst-case scenario being a concerted action by qualified hackers with hostile intentions that could force a whole nation to its knees (PCCIP 1997). This is seen as a particularly worrying prospect because the â&#x20AC;&#x2DC;enemyâ&#x20AC;&#x2122; becomes a faceless and remote entity, a great unknown that is almost impossible to track and that opposes security institutions and legal systems that are ill-suited to counter or retaliate against such a threat. As a qualitative consequence of the second order within the information revolution, this particular threat image causes very
Securing the digital age
95
specific reactions in the form of critical infrastructure protection policies. This circumstance, in turn, has led to the situation where CIP or the securing of the digital age lies at the heart of the ‘digitalage security’ debate.
Complexity as a key feature of systems A second qualitative consequence of the information revolution is complexity. It is an uncontested assumption that complex problems are on the rise and are due to the digital age. One possible explanation for complexity in the technical world can be found in the combination of two laws of technical innovation, namely Moore’s Law and Metcalfe’s Law, which are widely credited as having provided the stimulus that has driven the stunning growth of Internet connectivity (G.E. Moore 1965; Metcalfe 1995; Downes et al. 1998): •
•
Moore’s Law states that the number of transistors per square inch on integrated circuits will double approximately every 18 months, that is, computing power rises exponentially over time. Metcalfe’s Law states that the value of a communication system grows as the square of the number of users of the system, which implies an increasing number of networks, nodes and links.
According to one simple but straightforward definition, complexity is the sum of interdependencies plus change (cf. Gomez 2001). Complexity in information infrastructure systems is thus increasing, as an exponential technological development leads to change and brings forth an increasing number of networks, nodes and links to growing interdependencies. In addition, the complexity of these systems grows with the extension of the geographical reach and the expansion of the services provided, the introduction of new components with richer functionality using diverse technologies, and the layering of systems over systems (Kyriakopoulos and Wilikens 2000; Masera and Wilikens 2001). Mainly as a consequence of their interactions with the information infrastructure, the critical infrastructures are being composed into networks-of-networks of different sizes. Three main, interrelated trends affect these infrastructures: 1) their increasing complexity, with an acceleration that reflects the general
96
Myriam A. Dunn
evolution of technology; 2) their interconnectedness, put into practice at different layers: organizational, procedural, informational, material; and 3) a growing reliance on ICTs, both for internal use and for interaction with external systems (Masera and Wilikens 2001). Therefore, infrastructures are complex and interdependent systems, and it is not possible to control their full range of interaction with the surrounding, pre-existing technical and social environments. System complexity has two immediate consequences for the topic of critical infrastructure protection. First, a well-known theory claims that technological systems that are interactively complex and tightly coupled will be struck by accidents that cannot be prevented. Because of the inherent complexity, independent failures will interact in ways that can neither be foreseen by designers nor comprehended by operators. If the system is also tightly coupled, the failures will rapidly escalate beyond control before anyone understands what is happening and is able to intervene (Perrow 1984; Turner and Pidgeon 1997). This overall pessimistic perspective on accidents and the limited possibilities of preventing them and coping with them resonates in much of the digital-age security debate. Second, the dynamic interactions of complex, decentralized, open, unbounded (technical) systems amounts to an overtaxing of abilities to articulate and evaluate the problem, thus creating a practical challenge for those involved in drafting measures for securing. As Forrester showed back in the early 1960s, complex systems behave contra-intuitively due to parallel occurrences happening at different speeds, irregularities and non-linear cause/effect relationships, with the result that the human brain is unable to ‘read’ these systems correctly (Forrester 1961). Besides, the tools currently available for evaluation of these systems are inadequate; the ‘methodological toolbox’ in use is filled with old tools that have, in some cases, been hurriedly adapted to a new set of problems (Dunn and Wiegert 2004; Dunn 2005, 2006). However, both the systems and the risk environment have become qualitatively different in a way that demands new analytical techniques and methodologies for their evaluation (Allen and Sledge 2002). Furthermore, it has become almost conventional wisdom today that ‘the world’, or to put it in IR terms, the international system, has also become more complex. The main reason usually given for this change is the growing number of independent international
Securing the digital age
97
and transnational actors playing power games on multiple levels evolving around national, regional and global dynamics (Jervis 1997a and 1997b). Complexity is thus seen as a consequence of there being more actors in the international system. In addition, the observation that the present epoch is marked by persistent opposites and derives its order from episodic patterns with very contradictory outcomes is seen as a sign of increasing complexity (Rosenau 1990). The feeling of increasing complexity on a higher system level is closely linked to the fact that the intellectual tools at present available to probe the pervasive uncertainty underlying our emergent epoch are not sufficient to the task. In that sense, complexity and the overtaxing of our abilities are more than a mere practical problem for those involved in the securing of the information infrastructure. In fact, we can argue that the world has always been complex, but it has been one of the aims of IR theory to render it more intelligible by simplifying it. The most nefarious consequence of Waltz’s legacy of an uncompromising search for a universal, parsimonious theory has in fact been that mainstream IR theory cannot account for complexity and the closely connected concept of change.
Theoretical and practical implications At least since the development of Shannon and Weaver’s information theory (1949), formal, semi-formal or informal notions of ‘complexity’ have been used to express properties of objects and processes in a variety of fields. Despite or perhaps because of the diversity of scientific efforts involved in this work, little agreement has been reached on what, precisely, complexity entails, or how a general notion of complexity may be systematically applied to various fields of research (Çambel 1992; Butts 2001). In addition, many different kinds of complexity, such as logical, relational, semiotic, or computational complexity, are distinguished (Casti 1979; Biggiero 2001), so that the problem does not end when appropriate definitions are found, but extends to the issues of measurement and the understanding of implications. One prominent field of research that suggests itself for determining how complex systems behave is that of complexity studies, a branch of ‘chaos theory’. Chaos theory is a grab-bag expression for a whole set of studies, an amalgam of different
98
Myriam A. Dunn
techniques of mathematics and science concerned with order and pattern where formerly only the random, erratic and unpredictable had been observed (Gleick 1987; Kellert 1995). The difference between chaos theory and complexity theory is not entirely clearcut, but we can state that chaos theory mainly deals with situations such as turbulence that rapidly become highly disordered and usually unmanageable, whereas complexity studies deal with systems whose behaviour may be hard to predict, but which have a good deal of structure (Axelrod and Cohen 1999). The notion of systems is the founding stone of the ‘new sciences’, and the larger framework that brought forth chaos theory is the so-called theory of dynamical systems (Crutchfield et al. 1986). Complexity studies are in fact applicable to all kinds of systems, regardless of their size or nature, so that the following description is universally applicable both to technological (sub-) systems and to the international system. Complexity studies and the behaviour of complex systems According to the usual definitions, complex systems are complex insofar as they incorporate a number of variables that simultaneously play many different roles in the system’s evolution and follow many different laws of behaviour (Cohen 1995). Complexity is expected to arise as a natural development when a system reaches a certain level of variety and diversity because of many simple components interacting simultaneously. The complexity is thus actually in the organization, or more precisely, in the myriad possible ways that the components of the system can interact. Therefore, its behaviour is not predictable from knowledge of individual elements but can only be discovered by studying how these elements interact and how the system adapts and changes throughout time (Waldrop 1992). Complex phenomena can also occur in relatively simple systems with very few variables. Or, put differently, simple rules and simple initial conditions can give rise to the most complex behaviour (Merry 1995). One of the fundamental issues of complexity is the ‘nature of order and organization’ (Bossomaier and Green 2000: 6). In complexity theory, the appearance of new order is explained through the concept of self-organization, which connotes a spontaneous formation of a stable, but complex pattern out of seemingly random entities (Ashby 1962; Foerster and Zopf 1962;
Securing the digital age
99
Bak 1996). In general, self-organization refers to an evolutionary process in which the internal organization of a system increases automatically without being guided or managed by an outside source. Self-organization is triggered by internal variation processes, which are called ‘fluctuations’: Over time, complex systems become increasingly sensitive to internal and external fluctuations – and the more complex a system is, the more sensitive and vulnerable to fluctuations it becomes (Prigogine 1981; Merry 1995). At a certain point, these fluctuations pass a critical threshold, also called a bifurcation point, and then, following a transitional stage of chaotic fluctuations, completely reorganize the entire system (Laszlo 1991). The ability of a system to evolve in such a way as to approach a critical point and then maintain itself at that point is called selforganized criticality. Bak, who coined the term, argues that complex behaviour in nature reflects the tendency of large systems with many components to evolve into a poised, ‘critical’ state, highly imbalanced, where minor disturbances may lead to events, called avalanches, of all sizes (Bak 1996). Complex systems tend to adapt to, or are themselves on, the edge of chaos, and most of the changes take place through catastrophic events rather than by following a smooth gradual path – that is, the new path the system will take cannot be predicted and controlled. Complex systems further show surprising and unexpected behaviour that is a property of the system as a whole. Often, they self-organize in an evolutionary process in which the internal organization of a system increases automatically without being guided or managed by an outside source (Crutchfield 1994). Structures can emerge both through the influence of emergent phenomena on the various parts of a system, such as the effect of norms on individuals, and through the ‘emergence of entirely new dynamics within the system’ (Mihata 1997: 33). Due to the emergent behaviour, the complex system cannot be understood by reducing it to its parts; moreover, the behaviour we are interested in evaporates when we try to reduce the system to a simpler, betterunderstood one (Bar-Yam 1997). That complexity theory, highly relevant to the CIP debate, is clearly discernible from the fact that multi-million-dollar efforts are currently under way at the US National Infrastructure Simulation and Analysis Center (NISAC) to develop computer simulation tools that can predict, in real time, the consequences of disruptive events on a nation’s critical infrastructures. The modelling approach uses
100
Myriam A. Dunn
an agent-based methodology to predict critical infrastructure interactions. It treats infrastructures like Complex Adaptive Systems (CAS), which are populations of interacting agents where an agent is an entity with a location, capabilities and memory (Rinaldi et al. 2001). From this perspective, each component of an infrastructure constitutes a small part of the intricate web that forms the overall infrastructure. This viewpoint incorporates benefits for modelling and simulation, and it is hoped that such approaches will be able to explain (some) emergent behaviour of large-scale critical infrastructures. Limits of the complexity paradigm Apart from being directly applied to the modelling of complex interdependencies, chaos theory and its various strands, developed in a natural sciences context, are also increasingly being applied to the social sciences. What the new science seems to have done is to place within our grasp a set of very powerful intellectual tools and concepts to think with, which appear to be free of many of the limitations of the traditional approaches. New concepts, such as emergence, become conceivable, and new methods, such as nonlinear computer modelling, suggest themselves as legitimate modes of study (Alberts and Czerwinski 1997; Cederman 1997; Eve et al. 1997; Byrne 1998; Cederman and Gleditsch 2004). Given the fundamental differences between physical and social systems, various authors have explored the validity of applying the conceptual and methodological tools of chaos theory to social systems (cf. Albert 1995b; Eve et al. 1997; Turner 1997). Most of these writings come to the conclusion that this exchange can be very fruitful if one is aware of the dangers of abusing concepts from other disciplines, such as chaos theory, or extending them by false and far-fetched analogy to support existing theories or normative views (Albert 1995; Michaels 1995). However, the hopes that complexity theory may somehow point the way to a course of action which can ameliorate the uncertainties inherent in a complex world have been disappointed, mainly because the benefits have been exaggerated (Bak 1996; Rosenau 1997). Another major problem is that the application of the mathematics of chaos, of genetic algorithms that manipulate precise numerical data through explicit operational rules, and of nonlinear dynamics requires quantification and availability of lengthy time-series data (Kellert 1995). Since human actions and
Securing the digital age
101
cultures can never be so clearly encapsulated, the question is whether the chaos paradigm is even methodologically accessible at all to scholars in the humanities (R.S. Cohen 1995). In addition, there are severe limitations to the system paradigm that the whole construct of the new sciences depends on. One problem is the inherent automaticity in systemic thinking. To see a system as if it were a living organism in which things happen without outside influence fails to take into account the most central parameter of the social world: the actor, or, more explicitly, the freedom of the actor to act. The main problem, however, is one of system ontology: calculation and modelling inherently rely on our ability to define the variables of the system. This is dependent on our ability to describe the system, or more specifically, on our ability to describe the system boundaries. However, the designation of factors as being external (exogenous) or internal (endogenous) with regard to a system ‘depends largely on the viewpoint of the observer’ (Bertalanffy 1968: 141). Ultimately, all boundaries are dynamic rather than spatial. Hence, an object – and in particular, a system – is definable only by its cohesion in a broad sense, that is, by the interactions of the component elements (Bertalanffy 1975). But how can we know whether a variable is present in a system, unless we already know all the variables it interrelates with? Interactions or interrelations are never directly seen or perceived; they are always conceptual constructs. Hence, no meaningful distinctions can be drawn between ‘real’, observable objects and systems on the one hand, and ‘conceptual’ constructs and systems on the other. Lessons and implications of the complexity paradigm Even though we might not be able to define system boundaries, we can draw some lessons for digital-age security from the complexity paradigm. Complex systems exhibit a number of specific, nonexclusive features and behaviours, from which lessons may be learned without falling into the trap of domesticating ‘real-world demons in ill-fitting complex cages’ (Bowker 1993) or of abusing metaphors. As described earlier, both the inner workings and the external manifestations of systems are characterized by interrelation. Complex systems cannot exist in isolation – by their very nature, they are tied to and connected to other systems, and couple together to create higher order systems. Results cannot be
102
Myriam A. Dunn
predicted from the separate actions: the effect of one variable depends on the state of another. We can also argue that strategies depend on the strategies of others. Interactions between strategies occur when actors consciously react to others and try to anticipate what others will do. Both the success and failures of policies are therefore determined interactively (Axelrod 1997; Jervis 1997a). Furthermore, non-linear behaviour is one of the cornerstones of complexity, as it creates unpredictability, uncertainty and volatility in the system. Cause and effect, or inputs and outputs, are not proportional; the whole does not correspond to the sum of its parts, and is not even qualitatively recognizable in its constituent components. Indeed, behaviour changes the environment: initial behaviour patterns and outcomes often influence later ones, producing powerful dynamics that explain change over times and that cannot be captured by labelling one set of elements ‘causes’ and the other ‘effects’ (Jervis 1997b). In other words, initial conditions have an impact on the outcome of the events. Tiny causes can have enormous effects. Small uncertainties are amplified, so that even though the behaviour is predictable in the short term, ‘it is unpredictable in the long term’ (Merry 1995: 26). Extreme sensitivity to initial boundary conditions or historical paths makes detailed prediction impossible (Mihata 1997). Because specific dynamic system outputs cannot be predicted (in the long run), it is not possible to plan, via prediction, ‘the outcomes of an intervention in a social system’ (Michaels 1995: 23). The first implication of the complexity paradigm is therefore mainly methodological by nature, since the underlying assumption, which views the current environment as being interactive to a degree such as to inhibit the tracing of causal sequences, obviates the framing of hypotheses that link independent and dependent variables. The presumption that certain phenomena (the independent variables) are prior in time to those they affect (the dependent variables) may be valid in a short-term context, but it may not hold in a stretched-out time perspective (Rosenau 1992). We should therefore switch our attention from outcomes to processes (Michaels 1995), which is also the remedy proposed by some constructivists to overcome the agent–structure problem (Kratochwil 1989). Nevertheless, complexity, whether on the technical system level or on a higher, international level, is, again, inherently a matter of
Securing the digital age
103
perceptions. Views that abolish the concept of objective reality also dissolve the idea of intrinsic complexity, meaning that complexity is not an intrinsic property of an object, but rather depends on the observer (Casti 1996). Consequently, no matter whether or not an objective reality exists, it is approachable only through social definitions. Individuals do not respond to the (probably existing) objective reality directly, but through socially constructed thought frameworks. In theoretical terms, if decision-makers or other influential actors perceive complexity to be a problem, they will influence the threat perception of key actors and their subsequent actions (Eriksson 2001a). The same is true for the previous observation that there are more actors on the international stage today, wielding more influence due to the skill revolution, and with more knowledge at their disposal. Based on the premise that decentralized networkbased soft power structures have gained in importance, the argument runs that the state’s monopoly on authority has become fragmented, and a plethora of non-governmental organizations, social movements and other transnational non-state networks are now competing with states for influence (Nichiporuk and Builder 1997; Papp et al. 1997). In CIP, we can observe that governments can no longer ‘go it alone’: in securing the digital age, governments are challenged to operate in unfamiliar ways, sharing influence with experts in the IT community, with businesses and with non-profit organizations, because the ownership, operation and supply of the critical systems are in the hands of a largely private industry, which is diverse, intermixed and relatively unregulated (Baird 2002). Collectively, this industry has far more technical resources and operational access to the infrastructures than the government does, so that ultimately, the private sector will have to do most of the work and must bear most of the burden to make infrastructures more secure (Bosch 2002; Goodman et al. 2002). As a result, the process of policy making is becoming more and more open and is being transformed from a single-entity phenomenon to a multi-entity one, as it has become customary to involve representatives of all major stakeholders in the policy preparation process (O’Brien et al. 2003). Clearly, what matters is not whether the change in power is objectively ‘true’ or not, but whether states are willing to include non-state actors in the policy process. Such changes in the prevailing ideas about security practices challenge the state-centric
104
Myriam A. Dunn
perspective on international relations and its attendant notion of a distinction between domestic and foreign policy. Consequently, the principles of the Westphalian order are not valid as a starting point for analysing security in the digital age. Approaches are required that focus on sub-units of the state, but also take into account specific traits of the international system as changed by the information revolution. For our purposes, actors and their respective values, interests and beliefs should be the main unit of research. It is crucial to understand the way individuals adopt changed practices arising from new conceptions of identity and political community, thereby altering interactions among states, or, conversely, the way in which changes in interactions among states lead to changes in practices among individuals (Koslowski and Kratochwil 1996; Braumoeller 2003). Specific actor constellations will develop specific interpretations of information-age security threats and necessary countermeasures. Depending on the ‘winning’ actor constellation and its influence in the policy domain, these interpretations will dominate the threat debate at given points in time and will be responsible for specific countermeasures.
Conclusion The broad, overarching research question addressed in this publication is what the impact of the information revolution is on security and what IR theory can say about these issues. At the beginning of this chapter, a few critical questions were raised concerning this task. We asked ourselves what information security is and how it might be defined in a meaningful way, and came to the conclusion that the term is not precise enough to be useful. For one thing, many of the anticipated changes seem apparent, but just as many have yet to come into the open, as transformations are ongoing. Statements about the implications of the information revolution on security must be seen in much more relative terms than generally suggested, especially because the outcome of change is truly contradictory and a lot less explicit than some scholars like to envisage. The complexity paradigm further turns one’s attention to the concept of the inherently unpredictable situation – a situation that is unpredictable in and of itself, not just by virtue of the limitations of the observer. This resonates well with the general postmodernist approach, in which no objective determination is possible. The new sciences confirm the message that the observer
Securing the digital age
105
and the observed cannot be detached from each other, and that observation itself is an ontological event. Additionally, the complex is assigned a specific epistemological meaning: It shows the limits of knowledge due to complexity and unpredictability. Further, if we take the twin forces of complexity and change seriously, we must reject the notion of a â&#x20AC;&#x2DC;grandâ&#x20AC;&#x2122; theoretical project that attempts to distil complexity, paradox and change into neat theoretical packages and categories. The positivist-empiricist idea, which still dominates the discipline, that a trained observer can encapsulate the amazing complexity of the world into grand theoretical projects through a variety of rigorous procedures, is antithetic to the current circumstances. While looking at grand theories may have heuristic value, we should acknowledge that everything is in flux and that paradox and uncertainty prevail in todayâ&#x20AC;&#x2122;s security environment. Hence, even though we might aim to reflect on theoretical premises, any theorizing will be limited in scope, and generalizations might be conditional rather than universal. So, is a theory of the digital age really needed? All things considered, the information revolution is a very important variable in the equation of the modern world, with the ability to truly change some aspects of international relations. But more importantly, information-age security is not something that can be objectively identified and analysed, but rather an ever-changing construct. What it does, however, is to change the perception of security and security practices. To study security in the digital age thus means to focus on the process by which key actors subjectively arrive at a shared understanding of what is to be considered and collectively responded to as a security threat in the digital age. Even if we conclude that this observation makes a specific theory for information-age security redundant, the forces of the digital age are still very poorly understood. Because there is very little exchange between information-age research and the IR community in general, we thus believe that the information revolution and its impact on various aspects of IR should continue to be studied in much more depth.
5
Assessing theories of information technology and security for the Middle East Hamoud Salhi
The spread of information technology (IT) in the Middle East region1 has been too slow in evolving, and so has theory. Much of what has been written in recent years has focused on case studies and has been overly descriptive, highly prescriptive, and with little or no emphasis on theory. Specifically, most scholarly preoccupations have examined Internet infiltration across the region while measuring the degree of its impact on stateâ&#x20AC;&#x201C;society relations and assessing the merits of government policies as they pertain to democratic change, security and the survival of regimes in the Middle East. This has resulted in an almost total neglect of theory building as well as the absence of well-integrated middle range theories. IT is still controversial in the Middle East, perhaps for many solid reasons. While the region is pursuing development to achieve e-readiness, scholars and observers are continuing to debate the role of IT in society. Can IT take root in societies that have not yet attained the post-industrial stage from which the Westâ&#x20AC;&#x2122;s modern IT transformation originated? Will IT be the locomotive of political and social change with power to radically transform the Middle East? What are its effects on the social fabric and politics of the state? Will IT be the missing link that could enable the Middle East to make the transition to democracy? Can IT bring an end to fanaticism, including religious extremism and gender exploitation? And, how will the governing and economic elite react to IT? Will it be fully endorsed and popularized? Will it be used to maintain the status quo or establish another order? It is such questions that are generating active debate among scholars, policymakers, researchers and think tank specialists who are striving to formulate a best practice and best theory to use in examining IT in the Middle East.
IT and security for the Middle East
107
Optimists (Fink and Kenny 2003; World Bank 2003) point to what has occurred in Western societies in order to illustrate passionately how IT can replicate the same progress while similarly benefiting the people of the Middle East. Scholars note that the movement of IT firms to the region is a strong indicator that the Middle East is right on track (Corporate Location 2001; Gulf News 2005; Elkady 2006). Given improved political representation and economic infrastructure, an optimistic scholar might forecast that the Middle East would experience a better future and that IT would make the difference by enabling its potential as a fully developed and integrated region (Rohozinski 2004). However, there have been many doubters and sceptics. Some believe that the region is simply not ready for such a transformation, citing weak economic infrastructure, prevailing authoritarianism and widespread corruption (Burkhart and Older 2003). Others simply believe that the transformation would threaten the cultural and social fabric of society by spreading values and morals deemed unacceptable in the Middle East. To these observers, the expansion of IT is merely another means of maintaining Western culture and dominance (Kirat 2005). Between these two perspectives exists a third group which perceives IT as neither all that good nor all that bad, and they argue that the choice is not as absolute. The region can have both: it can take advantage of new technologies while ensuring full compatibility with its own culture (Hudson 2000). Theoretically, scholars have actively engaged in debating the cultural context of the Middle East and whether cultural norms can be a predictor of ITâ&#x20AC;&#x2122;s integration into society. Additionally, they have devised new models, enhanced old ones and prepared new explanations with the aim of producing sound generalizations that explain IT in the Middle East. Scholars have worked through various phases of active theorizing while setting the tone (mostly optimistic) and the stage (mostly descriptive) as they gather data and assess the state of theory and practice. During these phases, scholars have encountered challenging roadblocks resulting from poor methodology and incomparable data. Early studies have measured the social and political impact of IT in the Middle East by the size of its diffusion without acknowledgment that these two variables are not equal. Consequently, scholars have cautioned against viewing IT as a magic wand while warning against high expectations and suggesting that IT be seen as a tool of liberation. As a result, the road of research is still long and bumpy, as well as replete with obstacles. On the ground, IT is still in the building
108
Hamoud Salhi
stage. In theory, scholars are continuing to contemplate the best comprehensive approach to explain this phenomenon. The region itself remains either aloof or sceptical for key reasons. Some citizens are illiterate and cannot understand or use IT, whereas others are simply too economically disadvantaged to purchase a computer or obtain Internet access. Just recently, Algerian authorities allegedly complained that citizens were not using low-interest government loans available to assist individuals in the purchase of a computer. In a sense, access to a computer today in the Middle East is no different than access to a typewriter in the past. Simply put, there is little excitement about the Internet because it has become like any other tool. Ironically, even people who have access to a computer seem more excited about their mobile phones than the Internet. Therefore, this study has two objectives. The first is to analyse the state of International Relations theory and security in the Middle East during the digital age. This will be achieved by evaluating current theoretical literature with an emphasis on its direction, problems of theory building and theory applications. This study proposes that current theory is in the early developmental stage. Scholars are creating a solid foundation for conceptual clarity, data gathering, model building and the identification of causal relations. Such a foundation will continue its evolution into stronger theories of international relations and security, specifically in the area of middle range theory. The second objective is to assess the applicability of international relations and security theories in the Middle East as influenced by the digital age. This will be achieved by exploring the relative merits of Realism, Liberalism and Constructivism in regard to theory construction and knowledge building in the Middle East. This study proposes that Realism is the best fit, but Liberalism or Constructivism should not be disregarded altogether. Although the states maintain a monopoly over the spread and content of IT, there are many challengers worthy of investigation. This enables the possibility of testing the applicability of the liberal and constructivist models with a focus on concepts such as interest groups, interdependency, globalism, shared values and emerging subnational identities.
IT and security for the Middle East
109
IT penetration in the Middle East Most indicators rank the Middle East among the least ITpenetrated societies worldwide, with governments that are among the least technologically prepared. Table 5.1 shows that Internet usage in the Middle East is less than 10 per cent. Israel is the highest penetrated state in the region with nearly half of its population using the Internet. Among the rest, the UAE ranks second at 35.8 per cent. This is to be expected, for the UAE has placed a heavy emphasis on marketing new technologies, supposedly taking advantage of its strategic geographical location. However, towards the end of the spectrum, Iraq (at war), Yemen, and Syria appear to be among the least penetrated societies in the region. To a large degree this is a reflection of their level of economic development â&#x20AC;&#x201C; poorly developed and with inadequate IT infrastructure. But it is worth noting that economics alone may not accurately explain why certain states have fared better than others Table 5.1 Internet diffusion in the Middle East and population estimates
Bahrain Iran Iraq Israel Jordan Kuwait Lebanon Oman West Bank (Palestine) Qatar Saudi Arabia Syria UAEmirates Yemen Total
Population (2006 est.)
Usage in December 2000
Internet % usage population latest (penetration) data*
723,000 69,442,905 26,628,187 7,109,929 5,282,558 2,630,775 4,509,678 2,424,422
40,000 250,000 12,500 1,270,000 127,300 150,000 300,000 90,000
152,700 7,500,000 36,000 3,200,000 600,000 600,000 600,000 245,000
21.1 10.8 0.1 45.0 11.4 22.8 13.3 10.1
3,259,363 795,585 23,595,634 19,046,520 3,870,936 20,764,630
35,000 30,000 200,000 30,000 735,000 15,000
160,000 165,000 2,540,000 800,000 1,384,800 220,000
4.9 20.7 10.8 4.2 35.8 1.1
190,084,161
3,284,800
18,203,500
9.6
* According to the website, the data were last updated on 31 March 2006. Source: Internet World Stats, Usage and Promotion Statistics. Available on 12 May 2006. <www.internetworldstats.com/stats5.htm>.
110
Hamoud Salhi
in the Middle East. The fact that countries with high gross national products, like Saudi Arabia, are also among the least IT penetrated, as the data show, suggests that other variables, such as political priorities and relative openness of a society, may play a role in determining the extent to which IT is incorporated in the Middle East. Also, most revealing from these data is that IT appears to be concentrated in a very few countries. Tables 5.2 and 5.3 show that without the top five countries the average Internet usage in the region drops significantly from 9.6 to 7.42 per cent. On the other Table 5.2 Internet penetration in the most penetrated states in the Middle East as of March 2006 Country
Penetration (percentage of population)
Israel UAE Kuwait Bahrain Qatar Average
45.0 35.7 22.8 21.1 20.7 29.06
Source: Adapted from Internet World Stats, Usage and Promotion Statistics. Available on 12 May, 2006, <www.internetworldstats.com/stats5.htm>.
Table 5.3 Internet penetration in the least penetrated states in the Middle East as of March 2006 Country
Lebanon Jordan Iran Saudi Arabia Oman Palestine Syria Yemen Iraq Average
Penetration (percentage of population) 13.3 11.4 10.8 10.8 10.1 4.9 4.2 1.2 0.1 7.42
Source: Adapted from Internet World Stats, Usage and Promotion Statistics. Available on 12 May, 2006, <www.internetworldstats.com/stats5.htm>.
IT and security for the Middle East
111
hand, Israel, UAE, Kuwait, Bahrain and Qatar comprise 29.06 per cent of usage in the Middle East. This shows that IT is contributing to regional disparities that reduce the likelihood of full regional integration so paramount for growth in todayâ&#x20AC;&#x2122;s global economy. Additionally, in terms of e-government readiness, Table 5.4 shows that most, if not all, Middle Eastern governments are still not ready for these technologies. According to the United Nations Global E-Government Readiness Report 2005, the highest-ranking country in e-government readiness (apart from Israel) was the UAE with a ranking of 45, followed by Bahrain at 53, slipping from 46 in the previous year. Although the data show that most states in the Middle East have made progress towards e-government, it is obvious that the region as a whole is still struggling in its attempt to catch up with the rest of the world. While many factors, including a lack of adequate economic infrastructure can be responsible for this lack of preparedness, corruption can be a contributing problem as well. For example, some officials in the Table 5.4 Ranking e-government readiness in the Middle East in 2004â&#x20AC;&#x201C;2005 Country Israel UAE Bahrain Turkey Qatar Jordan Lebanon Kuwait Saudi Arabia Oman Iraq Syria Yemen Egypt Tunisia Algeria Morocco Libya PA
Index
2005 ranking
2004 ranking
Change
0.6903 0.5718 0.5282 0.4960 0.4895 0.4639 0.4560 0.4431 0.4105 0.3405 0.3334 0.2871 0.2125 0.3793 0.3310 0.3242 0.2774 n/a n/a
24 42 53 60 62 68 71 75 80 112 118 132 154 99 121 123 138 n/a n/a
23 60 46 57 80 68 74 100 90 127 103 137 154 136 120 118 138 n/a n/a
-1 18 -7 -3 18 0 3 25 10 15 -15 5 0 37 -1 -5 0
Source: United Nations (2005) Global E-Government Readiness Report 2005. From E-Government to E-Inclusion, New York: United Nations, pp. 51 and 65.
112
Hamoud Salhi
Algerian Ministry of Finance have resisted IT because, allegedly, it would undermine their authority to freely override higher taxes or penalties for non-payment of taxes levied against their relatives, friends, or whoever is willing to reward them with a handsome bribe. Apparently, establishing an electronic system would require them to be transparent in their actions, and consequently less likely to abuse the system for their own profit. Socially, the Middle East has yet to reach the era of ‘electronic populism’, as it has been dubbed by Theorode Roszak (discussed in Jordan and Taylor 2004: 13), in part because of what the region is missing: a real electronic culture that transcends political change, using computers and IT as a vehicle for social and political transformation. To a large degree, the Middle East has not experienced a flourishing of information societies in the same manner as other regions. This is due in part to historical reasons rooted in colonization and a long cycle of authoritarian rule. In their seminal work Hacktivism and Cyberwars, Tim Jordan and Paul Taylor detail how generations of hackers revolutionized IT and allowed it to become what it is today: an e-populist culture. In this book, the authors identify seven types of hackers and explain how each group has contributed to electronic populism while discussing how the culture of electronic activism evolved over two succeeding generations, each with a different goal in mind. The first generation pushed for the democratization of the Internet by popularizing the concept of access for everyone and using this belief in certain cases as a method for pressuring the government to reverse policy on issues critical to their causes. However, this generation also struggled with balancing its obsession and love for technological innovation with its passion for political causes. The second generation was less political and more professional in its outlook on information technology. Jordan and Taylor believe that it was even co-opted by big business and its entrepreneurial business goals. It seems that this generation lost most of its drive for political causes in favour of material gains. Computers have become user friendly, easy and affordable for the vast majority living in advanced societies. Consequently, ‘hacktivists’ (or computer activists) have found themselves in a rather ironic situation, having to choose between celebrating their success in reaching the ultimate goal or mourning their fate after realizing they had become obsolete without any cause to defend. Hence, one may argue that the second generation has been apolitical out of necessity rather than choice.
IT and security for the Middle East
113
The development that is vital to the growth of IT has been missing in the Middle East for two reasons. First, IT has not developed a class of its own similar to previous growth patterns in the West, nor is it a manifestation of post-industrialism. IT has been introduced to the region as a globalization force designed to promote Western products and, some would say, a Western way of life. In this context, the expansion of IT across the Middle East is a natural outcome of globalism. Second, just as the decision to adopt IT was political, it was motivated by fear as well as economic gain. Politically, elites were threatened by the prospect that a free and transparent IT would expose notorious violations of human rights, and the deliberate decision was made to adopt IT while simultaneously monitoring it under existing rules of censorship and information control.2 Political control was then followed by economic hegemony. The established elite knew the economic potential that IT would bring and made it an exclusive part of their own business interests, preventing the emergence of a new class of IT entrepreneurs and business professionals. In a related point, scholars are correct in treating the lack of adequate economic infrastructure as an impediment to IT’s growth. It remains a matter of failed economic policy that is not just specific to IT, and it would be wrong to assume that the government would solve the IT problem ahead of other pressing policy issues. To put it bluntly, people’s needs in the Middle East are far greater than going online to chat, order pizza or shop (Rostamani 2006); only a few have the luxury to do just that. In this context, the Middle East’s economic needs are basic: shelter, food and clothing. Despite a huge potential for economic growth, the region is still considered among the poorest in the world. For example, in Algeria, an oilpoducing country, it still takes at least 10 days’ salary for a professor at a university, an elementary school teacher or a journalist to purchase a kilogram of meat. For a security guard (a highly dangerous job in a country ravaged by terrorism) it requires at least 15 days’ salary to make the same purchase with nothing left over for other needs. This is not exclusive to Algeria. It is a way of life for many people in the Middle East, including Mauritania, Morocco, Yemen, and even Egypt. Hence, it is far more likely that the masses in the Middle East will be impassioned and motivated by economic conditions and human rights.3 Third, universities in the Middle East have played a minor role in the growth of the Internet because of a lack of government
114
Hamoud Salhi
support. In the United States, the efforts of the Department of Defense to expand the Internet to the academic sphere allegedly were considered critical to its development into a mass movement. This factor is missing in the Middle East. There is no specific time frame during which the Middle East discovered IT, but it is safe to suggest that universities began offering classes in computer technology in the early 1980s (J. Anderson 1998). Because the field was still new, universities relied on foreign expertise and hired nationals returning from universities abroad to teach courses and build academic programmes. In many countries, faculty and students did not receive the support they needed to be successful. Universities did not provide enough computers for everyone to use at their leisure or outside class, so students had to complete less than adequate practical training with minimal hands-on exposure to these technologies. This is an example of what the 2002 United Nations Development Program Report has described as a weak scientific base in the Middle East. Report statistics show that the regional average participation rate for university students specializing in scientific fields in the Arab world is less than 10 per cent, with a majority of students pursuing majors in the social sciences and humanities. Though many states have established scientific and IT institutes, they still lack adequate services and resources, and teaching methods are considered mediocre. As a result, universities have played only a minor role in pioneering and popularizing information technology. Therefore, given these conditions, how does the theoretical literature approach the state of IT?
Empirical research and theory Most IT studies have been journalistically driven by policy outcome, both speculative and descriptive in nature, with some focused primarily on US national security and cyberwars from the perspective of the ongoing war on terrorism (Weimann 2006, 2004). Others have addressed social and political change while viewing the expansion of IT as a source of instability that has facilitated a post-9/11 cyberterrorist war led by Islamist organizations such as al-Qaeda (Bunt 2003: 67â&#x20AC;&#x201C;123). On the basis of the regionâ&#x20AC;&#x2122;s poor economic conditions, traditional cultures and authoritarian regimes, scholars have reasoned that IT would undermine existing conditions, including regimes, and that IT would enable non-state actors to expose corruption to the masses,
IT and security for the Middle East
115
thereby leading to popular revolt. It is assumed that the people would use the Internet to discover how democratic countries live, and it would be only a matter of time before they would rise against their government, ushering in a new era of democracy and freedom (Parry 1999). Studies have also argued that the governments of the Middle East would resist any e-technology import for fear that it would enable the opposition to challenge their authority (Human Rights Watch Report 2005). This body of literature has produced inconclusive evidence, and there have been as many studies to support the argument as to reject it. The discussion that follows will focus on the theoretical debate as it relates to theory and theory building, emphasizing the areas scholars and researchers have investigated and the hypotheses and propositions they tested. Applicability In the initial stage of ITâ&#x20AC;&#x2122;s expansion to the Middle East, scholars examined the feasibility of IT integration within the region. Specifically, they compared socioeconomic and political conditions in the Middle East with the countries where IT had experienced rapid growth. IT was believed to be a better fit for post-industrial societies, having been the product of their own development.4 At issue was (and still is) whether IT can spread across societies with weak economic infrastructures, prevailing authoritarian governments and traditional cultures. Proponents of IT see no reason why it cannot and seemingly argue that the Middle East has the drive and desire to be part of this revolution with everything else being equal. In this regard, IT affords the Middle East an opportunity to catch up with the rest of the world while promoting its own culture and religion appropriately. Even though Jon Anderson makes the point that the Middle East may not replicate the post-industrial transitions that have occurred in Western societies (J. Anderson 1998: 10â&#x20AC;&#x201C;12), he observes in another work (J. Anderson 1997) that IT offers tremendous possibilities for the region, and he believes that it will be embraced with open arms: The desire to be part of the information revolution is all the stronger because of widespread perception in the region that the Middle East missed the industrial revolution leading not only to its eclipse, but also to its domination by Western countries. Interestingly, the Internet is not widely perceived as
116
Hamoud Salhi an example of ‘Americanization’ or ‘McDonaldization’ but is seen rather as a once-in-a-lifetime opportunity. This vision includes the opportunity to be on a par with other countries, or with firms in other countries, to get access to information and markets, and to participate in something that is not just new but that Middle Eastern people can command from the outset, and upon which they can put a distinctively Middle Eastern mark, from Arabization technologies to national and Islamic content. (Anderson 1997: 10–12)
Concentrating on the media, Jon Alterman has noted in his article on the ‘Information Revolution and the Middle East’, published by Rand Corporation (Alterman 2004) that major progressive changes have occurred in the Middle East during the last decade because of changes in the information environment. He predicts that advances in what he terms ‘mid-tech’ technologies such as satellite televisions, videocassettes and photocopies will ‘affect the region in the most profound manner’ (Alterman 2004: 227). To Alterman, technology has forced the media, including newspapers, to make improvements in the ‘quantity, quality and variety of information’ that is made available (Alterman 2004: 228). As an example, he shows how satellite technology has helped create a ‘vibrant and viable’ Arab press in the Western world, beginning with Asharq Al-Awsat, a Saudi newspaper founded by Saudi investors in London and built around the same concept as USA Today, setting the stage for later newspapers such as Al-Hayat and Al-Quds Al-Arabi (Alterman 2004: 229). Other scholars have approached the transfer of IT to the Middle East from a sociological and psychological perspective that examines how interpersonal communication among individuals is affected. Applying E.T. Hall’s model of intercultural communication (Hall 1976) and Fons Trompenaars’ cultural modes, Norhayati Zakaria and co-authors find that IT has facilitated communication among individuals in the Middle East (Zakaria et al. 2003). Citing other supporting studies, Zakaria et al. find evidence that the basic traditional cultural values of collectivism, honour and hospitality in the Middle East can be predictors that explain individual reactions to IT applications. However, a Rand study suggests otherwise and explains that the region will miss the technological revolution. According to Grey E. Burkhart and Susan Older, ‘there are simply too many
IT and security for the Middle East
117
impediments, and the impediments are rooted in the conservative, even when the resources, investments funds, technical know-how, etc. are reasonably available’ (Burkhart and Older 2003: 53). Alon Peled could not agree more: To him, the region is simply wasting its time by diverting attention from real problems. He states: In all, the Internet revolution highlights and extenuates the political, economic, and technological backwardness of Arab countries of the Levant. Rather than boast about how the Internet will change the fortune of their countries, political leaders, businessmen, and scholars should address the real problems that inhibit growth and prosperity in their region – political restrictions on free speech and economic entrepreneurship, corrupt and wasteful bureaucracies, and collapsing education systems. Technological dreams must not be encouraged if they distract attention from these more urgent problems that require immediate attention and a great deal of hard work. Regrettably, all too many people conjure up unattainable Internet dreams as a way to escape the real problems of the Levant. (Peled 2000) A core problem remains in this debate: unwarranted generalization and relevancy. It is evident that IT scholars are influenced by post-industrial literature since they believe that it can be replicated in an underdeveloped setting and that communication can transcend social and political change (Garner 1996), irrespective of the extent of political and economic development. At times, these scholars have used previous literature only partially, perhaps just enough to support their point. For example, scholars have extensively used Habermas’ work as a reference to highlight the importance of communication and technological innovation in creating the Western civil society (Habermas and Seideman 1989). Habermas also identified the dominant upper class as controlling the flow of communication to serve its own interests (as discussed in Tehranian 1999). That point seems to be missing from the Middle East’s literature, or at least simply glanced over. Additionally, scholars seem to leave out the issue of relevancy and fail to recognize how the region perceives the import of IT and how it has dealt with the media historically. Writer Said Essoulami (Essoulami 2000) has addressed the role of communication in the Arab world. Writing on the evolution of the press in the region
118
Hamoud Salhi
during the last 100 years, Essoulami depicted the Arab press as always being in the hands of the dominant class. During the colonial and post-colonial period, the press was subjected to state supervision. While discussing the impact of oil revenues on the press in recent years, Essoulami (2000) observed also that journalists acquiesced for personal and seemingly unethical reasons: they â&#x20AC;&#x2DC;fell over themselves to offer their services to the rich and draw on the benefits due to them, such as cars, houses, or gold watchesâ&#x20AC;&#x2122;. A critical press was confined to the limits of the Arab community abroad. Measurements The second research question that scholars have addressed in their studies about IT involves proper measures for adequately explaining IT as a predictor of change in the region. Initially, scholars used the size of IT penetration as a key determinant in its ability to promote change. Later studies used different measures, focusing on impact and producers to size up IT and its effect on the Middle East, socially, economically and politically. Diffusion Early on, many IT scholars and researchers interested in the Middle East approached the diffusion of IT as way to revolutionize the Middle East. Writing at a time of increased global interdependence and IT expansion, research predicted that the growth of IT was uncontrollable, and that it would change the dynamics of local politics in the Middle East while setting the stage for liberation. Hence, researchers hypothesized that the extent of IT penetration, measured by the total number of users among other indicators, would correlate with the readiness of a state to be technologically apt. Based on this, researchers would then deduce whether or not a state was prepared to be democratic. It was assumed that states with more computers and a higher number of users would be more ready for democratic change than countries with fewer computers and users. To a large degree, the emphasis on diffusion as a criterion of democratic change is reminiscent of the modernization theory in the 1950s which measured the level of development of a Third World country by the size of what was perceived at the time as indicators of modernity, such as ownership of transistor radios and
IT and security for the Middle East
119
cars. As documented by many studies elsewhere, this theory has been severely criticized, most notably by Samuel Huntington who suggested that the theory failed to distinguish between economic (modernization) and political (institutionalization) development. Much the same criticism has been levelled against the proponents of IT diffusion, faulting them for wrongly concluding that computer accessibility is linked to political and social change. Specifically, another group of researchers and scholars argue that greater accessibility to IT may not necessarily translate into political action. To assume that it does underestimates the supremacy and influence of states and the potential for retaliation, which is an unlikely scenario since states are the primary actors in the process of IT development. McLaughlin (2003) is on point when he observes that ‘the Internet and other information technologies provide a broad theoretical framework but do little to assess how this framework relates to the Middle East’. Also, McLaughlin has doubts that this approach will work due to practical constraints: ‘In a region where Internet access is often limited by infrastructure constraints or governmental censorship, the theoretical power of the Internet may face serious practical challenges.’ In this regard, McLaughlin finds the literature to be lacking in theoretical sophistication and analytical insights. According to him, there have been improvements in analysis compared to the initial stage when most IT studies were overly descriptive. His suggestion is for scholars to move ‘into more specific analytical frameworks that are explanatory and predictive rather than merely descriptive’. Impact Along with McLaughlin’s critique, researchers and scholars soon discovered that diffusion alone does not adequately measure change; accessibility to the Internet does not necessarily result in political action. Diffusion measures fail to convey an accurate picture of what states are doing to become e-ready. According to a World Bank study, the use of macro-analytical data such as gross domestic product (GDP) produces an obvious bias: that advanced countries will always fare better than poor countries for the simple reason that they generate a higher GDP. A more relevant indicator is the amount of IT investment compared to other sectors in the
120
Hamoud Salhi
country. This shows the importance of IT to state policy and may predict its potential to be e-ready (World Bank Report 2003). Other researchers are also critical of the diffusion model for being too descriptive and lacking proper tools for prediction. To this end, McLaughlin introduces an Internet-based model which he tests against the cases of three non-state actors: the Muslim Brotherhood in Jordan, the Muslim Brotherhood in Egypt and the Movement for Islamic Reform in Arabia (McLaughlin 2003). His goal is to explain why and how non-state dissident actors resort to political actions. McLaughlin builds his model around a rather simplistic set of assumptions that the Internet is a tool that is used because of the advantages offered to users and because it is cheaper and more efficient than other communication tools. But to capitalize on these advantages, the Internet must first be accessible and free of any control. Second, it must have an audience willing to use the tool by surfing websites and writing e-mails. McLaughlin develops three typologies and applies them to the cases of Jordan, Egypt and Saudi Arabia. These are internationalization, mobilization and support erosion (McLaughlin 2003). Still, there are scholars who simply prefer to measure the impact of IT as it evolves in the Middle East. IT has created new spheres of public discourse and has been thought to have ignited a new form of social and ethnic conflict. Hence, it has enabled individuals and groups to challenge the social and political order using Internet-based strategies never seen before. For example, in Gulf region newspapers and even bridal magazines, clothing is drawn to cover womenâ&#x20AC;&#x2122;s bodies, because of a social taboo that views exposure of arms, breasts, midriff or legs as culturally inappropriate. However, the same level of exposure appears to be acceptable on the Internet with users easily able to find photographs of women in a variety of apparel which is not compliant to these standards. Discussion and information on social issues such as marriage, dating, contraception, menstruation, sexuality and pornography, which have long been considered acceptable only in the private sphere, are now freely available in the public domain on websites that are accessible by everyone, albeit checkable by law enforcement. Similarly, dating has also been considered taboo. But more and more young men and women are now seen together in public spaces, and it is becoming increasingly likely that couples may get married after meeting in a chat room or through a website. An anonymous Web blogger cited in an article by Vesely describes her feeling that she â&#x20AC;&#x2DC;can talk very
IT and security for the Middle East
121
freely and very frankly about things I can never talk about in any other place, about subjects that are banned […] It is liberating’ (Vesely 2004: 25). At the lowest level of political interaction, individuals have become familiar with IT and acquired the skills to surf the Internet for a variety of reasons, including research, entertainment and friendship. Hence, the Internet has enabled individuals in the Middle East to join transnational organizations or groups to learn more about themselves and the outside world. In a Haverford College IT programme, adolescents from Morocco are now able to share experiences with adolescents in the US (Barrow 2004: 52). Similarly, many academicians in the region are engaged in collaborative learning with their counterparts in the US via websites designed to improve curriculum development and teaching skills. Hundreds of Iranian women are joining and forming blogs, while finding ‘the Web particularly liberating.’ (Vesely 2004: 25) A recent study on emergency contraception has found that Arab women are increasingly seeking information on feminine health issues from the World Wide Web. For example, in May 2003 the Arabic-language website created by Ibis Reproductive Health and the Office of Population Research at Princeton University registered about 40,000 visits and over 78,000 pages requests in 19 months (Foster et al. 2005: 134). Contemplating this phenomenon, University of Cambridge researcher Rafal Rohozinski noted that Internet cafés, some containing only a few computers, are in evidence from the refugee camps of Gaza to the suburbs of Tehran, each with their teeming mass of young men hunched over computer screens, downloading the latest music MP3s, playing video games, chatting with unseen others, or, when no one is looking, surfing porn. (Rohozinski 2004: 2–3) Focusing on the Coptic minority in Egypt, Paul S. Rowe concludes that IT has ‘facilitated a revolution in political dissent and debate’ (Rowe 2001: 91). IT has provided the Coptic diaspora with a new means to lobby their cause while making political activism ‘safer and more effective’ and has ‘encouraged a more individualist approach to political protest, integrating a traditional human rights discourse with the more traditional communal solidarity practiced by Copts in their home setting’ (Rowe 2001:
122
Hamoud Salhi
91). What is significant in Rowe’s analysis is the role played by the external Coptic community in Washington D.C. and its ability to influence legislature in ways that have captured the attention of Egyptian authorities (Rowe 2001: 90). Needless to say, this area has attracted the most research, in part because it makes good journalism. In this sense, scholars have relied heavily on the media to illustrate the impact of IT, without pursuing the next step of testing propositions or building a theoretical framework for comparative analysis. Additionally, scholars have concluded that the emphasis on endusers has made the diffusion of technology appear ‘passive’ and ‘the region primarily as a receiver or consumer of technology’ (J. Anderson 2000: 419). Thus, they recommended examining the producers of IT through a solid case analysis with measures to test real-time impact (McLaughlin 2003). Producers Recent developments in IT studies indicate that a new focus is emerging. Anderson suggests that we shift our attention to production because ‘production rather than the consumption, is what shapes environments, use, economics, politics and the cultural register of the Internet there [Middle East]’ (J. Anderson 2000: 420). Anderson surveys the users of technology, and the problems associated with the Internet both nationwide and internationally, including proper technical standards. Anderson’s approach improves the quality of research because it deals with specific actors and mechanisms involved in the process of acquiring and integrating IT in the Middle East.
Theories of international relations and IT Scholars in the field of international relations have afforded little importance to IT, except for studies on terrorism and cyberwars. Most IT studies, as shown previously, have been in comparative politics (social movements) (Keck and Sikkink, 1998);5 sociology (culture studies); and psychology (intercultural communication). However, theories of international relations are quite relevant for IT, particularly in explaining the role of governments in acquiring, promoting and controlling this medium (cf. Giacomello 2005) or (not) managing information regimes (Bessette and Haufler 2001; Herrera 2002). This part of the chapter will show just that by
IT and security for the Middle East
123
highlighting how Realists, Liberals and Constructivists approach IT.6 It will be followed by an examination of the best theoretical fit for understanding IT, and the chapter will conclude with an assessment of current research and trends. It is argued that advocates of Realism and Liberalism have dominated research agendas by framing the debate around the general proposition of whether or not IT has the ability to radically transform the Middle East through democratic change. On the other hand, Constructivists have held their own and brought a new research focus that is centred on normative principles and identity formation, including ethnic bonding and religious activism. The state Researchers and scholars from the three theoretical paradigms discussed in this book are unanimous in their conclusion that the state remains the most important agent of social, political and economic change in the Middle East. Hence, they believe that the states have the ultimate power to promote, manage or completely derail IT development. However, scholars disagree in their assessment of whether states will withstand continued domestic and external pressure emanating from pro-IT groups pushing for freedom from government control and interference. Proponents of Realism argue that states have survived much bigger challenges in the past, such as the wave of Arab nationalism in the 1960s and religious fundamentalism in the 1980s and 1990s, and they are already equipped with the necessary tools to deter any threat. China is the ultimate example of this capability to stay in control (The Economist 29 April 2006). Liberals are not convinced, however. They believe that states are trapped in a web of international transformation beyond their control (cf. Deudney and Ikenberry 1999), namely globalization, which will ultimately force even the Middle East to open its societies and polities to the opposition. Short of this, the states of the Middle East risk being left behind the rest of the world, facing the high probability of regional political instability and violence. In simple terms, the Middle East will have no choice but to democratize. In contrast to the Realists and Liberals, Constructivists have taken a middle-of-the-road approach (Adler 1997). While recognizing states as the most important actors of political and social change, they underscore the power of transnational ideas,
124
Hamoud Salhi
such as democracy, Islam and ethnicity, in rallying groups across the Middle East and the world to promote change. Accordingly, Constructivists have pushed the theoretical debate among the three schools of international relations a step further because of a focus on ideas that naturally transcend borders in a manner much bigger than Realism or Liberalism. From a Constructivist perspective, IT has connected people who share similar values and outlooks. As a result of IT, for example, Muslims in South Africa and the Middle East are regularly interacting and assisting each other in understanding their religion. The same can be said about ethnic communities living in a worldwide diaspora; IT has enabled them to foster an ethnic bond and strengthen unity. Considering such developments, the states appear to be irrelevant and in no position to stop change. Constructivists are quick to point out that states have devised their own norms by dictating what is socially and politically inappropriate, thus keeping their power almost intact (cf. Wendt 1992; Buzanet al. 1998). Non-state actors Scholars, such as Keck and Sikkink (1998) for example, have placed heavy emphasis on non-state actors using IT as a tool of mass political mobilization, including moves against regimes in the Middle East. Studies have predicted a collapse of authoritarianism that would usher in a new era of democratic change, courtesy of information technology (Moore 1997; Maynes 1998; Friedman 1999). Within the region, many intellectuals and human rights activists believed they had finally found a winning formula for influencing government policy. Speaking with Human Rights Watch, a Syrian defence lawyer claimed that ‘human rights organizations can now send out calls for help whenever the rights of a citizen have been violated’, and ‘that they can now launch online campaigns directed at individuals, officials and ministers by sending out e-mails accompanied by activists’ signatures to the president, the attorney general, or the minister of the interior’ (Human Rights Watch Report 2005: 21). Moreover, even a Baath Party loyalist, Abd al-Nur, shared the same view and was convinced that the Internet would change the way in which the Syrian government operated. He noted how the government already ‘has expanded the range of topics people can read about. It has created a new, open atmosphere’ (Human Rights Watch Report 2005: 68). Abd al-Nur, who lives in Syria and
IT and security for the Middle East
125
manages a website, <www.All4Syria.com>, believes that he has survived government censorship and been treated less harshly than others because his site provides accurate and specific information instead of general accusations. The content of his site mentions officials by name, presents specifics regarding their errors, and shows the impact on specific government sectors (Human Rights Watch Report 2005: 68). Not far from Syria, Iran is experiencing the same trend, and scholars are also just as optimistic. Analysing the situation in Tehran, Human Rights Watch predicted that Iran would be a world leader in information technology The report explained that: Iran has the potential to become a world leader in information technology. It has a young, educated, computer-literate population that has quickly taken to the Internet. It is rapidly developing its telecommunication infrastructure. Attempts to restrict Internet usage violate Iranâ&#x20AC;&#x2122;s obligation to protect freedom of expression and foster popular mistrust of the government. (Human Rights Watch Report 2005: 43) Realists have a different view, arguing that the states can undermine any challengers by virtue of their hegemony. In addition, Realists doubt that non-state actors would use IT to mobilize the masses since they may not even have access. Realists argue that politicians in the Middle East still rely on traditional methods for rallying the masses, such as personal contact, tribal relations and face-to-face interactions. Constructivists also agree while highlighting how states have infiltrated several societies to watch these groups and later prosecute them. This approach, however, assumes that the same theories applied elsewhere in the world may be replicated in the Middle East simply by treating non-state actors in the Middle East as if they operated in a pluralistic environment conducive to democratic change. Moreover, critics disagree with the assertion that non-state messages featured on websites and contained in e-mails will be read and will positively influence individual mindsets. In doing so, critics charge that this approach ignores the predispositions of states to retaliate, and it overestimates the power of the masses by mistakenly assuming that they have the ability and literacy to access websites and receive e-mails.
126
Hamoud Salhi
Shared values The relationship between IT and cultural identities, including religious groups, gender and ethno-nationalism, has been discussed by many social scientists in recent years. Questions of Muslim identities, religious duties and even attire have been dominant themes on many websites designed specifically to promote a version of Islam consistent with cultural and religious norms and values. In general, sites offer content ranging from traditional to militant forms of Islam in addition to a plethora of websites created by different sources, including governments, non-state actors and individuals. (Anderson 2003; Tadros 2005) While each of the three international relations perspectives has examined these issues, the recent trend, based on the number of studies published in major international relations journals, appears to be moving towards Constructivism (cf. Adler 2002; Fearon and Wendt 2002). The danger of this newfound emphasis is that it concentrates heavily on Islamist movements perceived as a threat to Western security and focuses on the conditions of women and minorities which support the prevailing image of authoritarianism in the Middle East. In this sense, additional problems are presented. Though a constant in many studies, there has been no clear consensus as to what culture can do for the Middle East, without the threat of an Islamist movement. Specifically at issue is whether shared cultural values are a hindrance or an asset to IT. Those who believe that culture is problematic for ITâ&#x20AC;&#x2122;s development have argued that the culture of the Middle East is inherently anti-change and would oppose IT on the grounds of being Western and anti-Islamic. To this group, such an attitude could only leave the Middle East behind and cause long cycles of economic underdevelopment, poverty and instability. Prudent Realists have a different take on culture. While they believe that globalization makes culture highly susceptible to change, they have cautioned about the speed of change, which the state may be unable to absorb without the risk of political and social instability. Studies have yet to show what constitutes a rapid social change, but already leaders in the region are using speed of change as a way to control IT. Both Saudi Arabia and Iran have issued legislation to ban websites deemed culturally inappropriate. In retrospect, the prudent Realists seem to have given the states a much-needed reason to justify what amounts to a violation of basic freedom of
IT and security for the Middle East
127
speech. Even more, the fact that Islamist organizations and other groups in society have endorsed this move has served to legitimize such actions. This has not stopped or slowed the spread of Islamist websites, nor has it discouraged scholars from studying them, especially after the 9/11 terrorist attacks on the United States, which created concern that Islamic norms and values can now be a rallying force for militants eager to generate anti-Western feelings and recruit involvement in terrorist movements. Considering how the Islamist movement has shaped the politics and societies of the Middle East, it is critical to ask if Constructivism and Liberalism are better suited than Realism to explain IT.
The best theoretical fit Middle Eastern states have been the dominant agents of political, economic and social change, enabling them to monopolize IT from the inception. For example, while the Internet was made available to the government of Saudi Arabia in 1994, it reached the public in 1999 only after the Kingdom obtained a technological tool which filtered and controlled information. Furthermore, once the Internet became publicly available, the Council of Ministers passed legislation in 2001, which affirmed state control and made it illegal for users to access or publish what the Kingdom considers forbidden materials. Saudi Arabia is not the sole example; other countries have also pursued the same path. States have successfully controlled IT through the Internet service provider (ISP). In theory, it is generally believed that states with multiple ISPs have a more tolerant attitude towards information gathering and dispersal. However, this is not always the case, particularly in the Middle East. Although states have used different strategies to provide cyberservices to the public, the end result has been nearly the same. States with multiple ISPs control the flow of information just as much or even more than states with a single ISP. In 2000, Saudi Arabia had 30 ISPs serving over 130,000 users and monitored by a team of technicians from Finland based in King Abdul Aziz City of Science and Technology. While Tunisia has multiple ISPs, licensing is owned and controlled by the daughter of the president. Because IT has developed as a commercial activity and not as a university programme, the state incorporated IT within the public sector in the absence of deregulation. Consequently, the governing elite awarded the right of licensing and ownership of IT businesses
128
Hamoud Salhi
to political allies, social peers and family members, further enabling the state to uphold the status quo. For example, in the UAE, the government has made the city of Dubai a hub of ecommerce which has attracted major global technology companies, such as Microsoft and Intel. Egypt is following the same course and has established a goal of becoming the Japan of the Middle East in the category of IT development. Finally, even socially and morally, the state seems to have taken protection of what it deems morally, religiously and politically correct as its sole responsibility. States have passed legislation to sanction such control, even though there has been no public debate. Accordingly, the states have used blocking, controlling and censoring technologies to prevent Internet users from accessing inappropriate sites. For those who attempt and actually succeed in surfing such websites, punishment can be harsh, including imprisonment without due process. This is the context in which the state remains the most important actor in the Middle East. Because of the role it has played in IT, Realism, with its emphasis on the state as the most important actor, is best suited for explaining the phenomenon of IT, both theoretically and in practice.
Conclusions and directions To a large extent, the state of IT and its theory and research agenda are continuing to emerge. Evaluation of IT in the Middle East shows that states have made significant progress in accessibility and affordability, but critical variables are constraining efforts to integrate the region fully, and these variables include high illiteracy, low economic development, persistent authoritarian rules and a lack of government tolerance for e-democracy. From a theoretical standpoint, IT has created avenues for empirical research testing and theory and model building. The theoretical approaches examined in this study have broadened the scope of empirical research and increased understanding of the Middle East in an era of constant IT expansion. Within this context, these three approaches have met the challenge by formulating new models and frameworks supported by sound analysis for improving the understanding of social, political and economic dynamics affecting IT in the Middle East. Still, more must be done. Generalization remains an issue for a variety of reasons. Initially, scholars overstated the idea that IT
IT and security for the Middle East
129
would be a driving force of social and political change that would radically transform the Middle East. Later, they underestimated the role of IT, arguing that the region was unprepared for its benefits and that the Middle East would be better off by shifting its focus elsewhere. In the same vein, the issue of applicability remains very relevant, and it has continued to provide for an interesting debate (while, in this authorâ&#x20AC;&#x2122;s opinion, continuing far too long). As a phenomenon, IT has been studied from contrasting angles, and there has been little interest in developing comprehensive studies which examine IT using a social science approach within the fields of economics, sociology, psychology and political science. In this context, there is no doubt that multidisciplinary studies can enrich our understanding of the role of IT in the Middle East while placing it in the proper developmental context. For IT to play an effective role in the economy, polity or society, other factors must be present. Since social conditions are never equal, it is reasonable to assume that the role of IT differs among Middle Eastern countries. Any theory in this regard should consider variations and differences in socioeconomic conditions and levels of IT penetration. For example, IT might function more effectively in the United Arab Emirates than in Syria or Mauritania, even though all of these countries are located in the same region. This distinction may pose a serious challenge for theorists as they dig deeper to uncover similarities and differences among societies. It is a known rule that deep analysis of social science phenomena can only produce the obvious: more differences than similarities â&#x20AC;&#x201C; which render generalization more difficult. However, such analysis should add value rather than undermine research. Similarly, studies involving IT in the Middle East continue to struggle with a sampling issue. Scholars have been more interested in IT at the macro-analysis level, and they have provided sound comparative analytical data not necessarily reflective of IT as a predictor of change. For example, it was appropriate in the early stage for scholars to concentrate on end-users as an indicator of IT progress. But, as the World Bank (2003) reported, these indicators revealed the obvious: that economically advanced countries will always perform better than those that are less advanced. What needs to be done could take the World Bank report to another level. Scholars must focus on effects of IT on end-users because this is the key indicator. For example, researchers should concentrate on whether the use of IT in universities has increased scholarship quantitatively and qualitatively; or, for example, how the
130
Hamoud Salhi
introduction of computers in schools has affected learning. This is quite relevant in the Middle East because many complain that the region’s educational systems remain weak because of an emphasis on memorization rather than analytical thinking. Then there is the question of political agendas that may compromise the efforts of the academician. Much has been written about the threat of the Islamist movement and cyberterrorism, but the issue of the authenticity of websites can be problematic. In measuring the impact, knowing the true location of ISPs and site owners can be challenging. Additionally, scholars should not always assume that an Islamic-oriented website will automatically produce an impact in the Middle East, because there is a chance that it may not. Hence it is in this context that the theoretical debate must be framed in the Middle East. As many contributors to this volume have shown, theory must be linked to practice.7 So far, studies have successfully advanced several theoretical propositions and identified cultural, political and economic variables in IT transformations. Studies have also shifted away from an emphasis on end-users and moved towards an examination of the effect of IT in order to understand the slow progression and potential for growth. All this suggests that IT is but a product of its environment and as such it must be studied in the context of the Middle East’s own environment, economically, politically, socially and culturally. Because of these conditions, even in the digital age, the state (with its ‘favourite’ theory, Realism) will remain the unmatched actor in the Middle East.
Notes 1 2
3
Because of its highly advanced technological development, Israel is not included in this study. A groundbreaking work on social control on information is Buchner (1988). For a more in-depth analysis on the issue of state control of IT, and more specifically on the Internet, see S. Wright, (2000) and Giacomello (2005). There is plenty of historical evidence to support this point: to cite a few, the bread riots in Tunisia and Egypt in the 1970s and those in Algeria and Jordan in the 1980s. Such riots were the result of the austerity measures that these governments took to fulfil the International Monetary Fund’s requirements for acquiring financial assistance. The consequences were many but suffice to say that they led in Tunisia to the collapse of Prime Minister Bin Salah, who adopted a socialist planned economy, and who was replaced by Hedi
IT and security for the Middle East
4
5 6 7
131
Nouira, the head of the National Bank, and a favourite at the time of the IMF. In Algeria, the 1988 bread riots brought to an end the oneparty rule and socialism. This question is not unique to scholars in the Middle East, but was also asked across Western countries, including Japan, France and Germany. Scholars studying these countries examined the extent to which the Silicon Valley model designed for the US can be replicated in other advanced countries, including Japan which has a culture not similar to that of the US. The conclusion drawn from several studies in this regard is that advanced societies other than the US adapted IT in ways that conformed to their cultures (cf. Kogut 2003 and Kambayashi 2003). See also Ranstorpâ&#x20AC;&#x2122;s chapter in this volume. For a more detailed analysis of the relevant IR literature see Eriksson and Giacomello (2006). On this point, see the chapters by Dunn, Valeri, and Hosein and Eriksson in this volume.
6
Publicâ&#x20AC;&#x201C;private cooperation and information assurance A liberal institutionalist approach Lorenzo Valeri
Introduction The Internet is rapidly changing the way services and goods are delivered. State institutions are increasingly using this medium to improve the efficiency and effectiveness of their services. Businesses also have been at the forefront in exploiting the financial and economic potential of the Internet, as exemplified by the success of many e-commerce operations. The Internet, however, has also become the venue for criminal activities by many malicious actors. The negative effects of these malicious activities have been compounded by the many outages and failures that have hindered the delivery of Internet-based services and goods by public and private organizations. The global nature of the Internet does not allow for simply domestic responses to cybercrimes and malicious outages, but calls for an international solution that can protect the confidentiality, integrity and availability of global IT systems, while also fostering the privacy of the data exchanged through them. This chapter proposes a theoretical framework explaining why states and businesses need to work together to develop an international regime for information assurance. It opens with an overview of the notion of an â&#x20AC;&#x2DC;international regimeâ&#x20AC;&#x2122; and its constitutive elements. It then argues that an international regime for information assurance needs to reflect the principles of openness that form the essence of the global success of the Internet. The framework demonstrates that, unlike the case in other sectors, states and businesses have the same power in the development of Internet-related policies, including those associated with information assurance.
Public–private cooperation
133
Nevertheless, even if states and businesses are the two main sets of actors, their interests may conflict in the matter of information assurance. Therefore, they need to overcome self-interest to work together in devising an international regime for information assurance – one that can counter the negative impact of cybercrime and other online malicious activities to create an environment in which the global online society can grow and prosper.
Defining the constitutive elements of an international regime for information assurance The definition and constitutive elements of an international regime have been the subjects of lengthy discourse among scholars of international relations since the 1970s. Any research project on international regimes, nevertheless, must open with Stephen Krasner’s ‘consensus’ definition. According to Krasner, international regimes are implicit and explicit principles, norms, rules and decision-making procedures around which actors’ expectations converge in a given area of international relations. Principles are beliefs of facts, causation and rectitude. Norms are standards of behaviour defined in terms of rights and obligations. Rules are specific prescriptions or proscriptions for action. Decision-making procedures are prevailing practices for making and implementing collective choice (Krasner 1983). Among the major accomplishments of this definition is the distinction between international regimes and the notion of ‘international organization’. Puchala and Hopkins (1983) have argued that an international regime exists whenever there is regularity in states’ behaviours. Conformity of behaviour envisions the existence of principles, norms and rules. This approach, however, is far too comprehensive since it seems to indicate that states’ behaviour patterns are characterized by a specific regime. Haggard and Simmons (1987: 493) have argued that ‘the term “regime” is sometimes used in a purely descriptive way to group a range of state behaviours in a particular issue-area, but since the potential for tautology is high, this approach has largely been abandoned’. International regimes involve principles, norms, rules and decision-making processes that do not exclusively relate to the behaviour patterns of states, especially when referring to the dynamic socio-political and commercial environment created by the Internet.
134
Lorenzo Valeri
International regimes are also distinct from international organizations. The latter relate mainly to physical organizations made up of buildings, budgets and secretariats. This confusion arises from the fact that international organizations are often the consolidation of an international regime. However, this has not always been the case. Although it allows us to differentiate between states’ behaviour patterns and international organizations, Krasner’s definition has been criticized for its vague description of the characteristics and components of an international regime. The first critique led to the drafting of a framework highlighting the diverse character of international regimes by combining the formality of their constitutive elements and the convergent expectations of the actors involved (Levy et al. 1995). There is no international regime when low formality is matched by low expectations. However, a combination of high formality and high expectations indicates the presence of a classic regime like those created by the Bretton Woods agreements. Between these two extremes, there are two middle-ground possibilities: dead letter regimes and tacit regimes. Dead letter regimes have extended formality matched by very low expectations. Tacit regimes combine a high level of convergence of actors’ interests matched by limited formality or none at all. The balance of power that guided European inter-state relations during the second half of the nineteenth century is an example (Luard 1992). How exactly do states and businesses work together towards one ‘classic’ international regime for information assurance to counter the negative implications brought forward by online crimes and malicious activities? A dead letter regime would not support the attainment of this objective. The principal characteristic of this type of regime is that the involved actors do not recognize its principles, norms, rules and decision-making processes and do not feel the need to respect them. Consequently, with regard to information assurance, a dead letter regime cannot be considered an ‘external safeguard’ to allow the establishment of ‘fragile trust’. Before discussing the nature of a ‘classic’ international regime for information assurance, it is necessary to look in some detail at the relationships between the four constitutive elements: principles, norms, rules and decision-making processes. Krasner’s characterization of international regimes provides only an initial definition of these elements without examining their interdependence. In his work on international regimes, Keohane
Public–private cooperation
135
(1984) seems to have overcome this limitation. While principles indicate the general aims of an international regime, according to Keohane, norms contain somewhat clear injunctions to members about legitimate and illegitimate behaviour, still defining responsibilities and obligations in relatively general terms. Rules indicate in more detail the specific rights and obligations of members. Principles, therefore, act as a ‘guide’ for norms, which then may be translated into appropriate rules and decision-making procedures. Keohane emphasizes this relationship between the various elements since they are perceived to be at the heart of the legitimacy of any international regime. In his more recent analysis of international environmental and technological regimes, Vogler has espoused an approach similar to Keohane’s. He defines principles as ‘shared scientific understanding as to the nature of the physical world, upon which many common regimes rest’ (Vogler 2000: 25). Vogler implies that principles reflect the attributes of the physical environment or phenomenon that a specific international regime aims to address. Norms indicate the rights and obligations related to activities carried out in that specific environment and ‘stem directly from principles’. The third element, rules, is conceived as the application of the principles and norms of an international regime. Their implementation is carried out through ad hoc mechanisms such as decision making processes. Building on the approaches developed by Keohane and Vogler, it is possible to graphically reproduce the interdependence among these four elements through concentric circles (with principles being the most inclusive circle, followed by norms, rules, and as the most limited inner circle, decision-making procedures). Another approach, by Young (1985: 32) complements those of Keohane and Vogler by creating a connection between international regimes and the notion of institutions. Young defines institutions as ‘recognized practices consisting of easily identifiable roles, coupled with collections of rules or conventions governing relations among the occupants of these roles’. Young, therefore, seems to compare international regimes to agreements from an international legal point of view. Elements of an international regime regulate relations among clearly identifiable actors or entities that, in the context of the Internet and information assurance, are states and businesses. By combining Keohane and Vogler’s specifications of the constitutive elements of international regimes with Young’s notion of institutions as recognized practices among concerned actors, it is possible to define international
136
Lorenzo Valeri
regimes as recognized practices based on principles, norms, rules, decision-making procedures that allow identified actors to interact and achieve their mutual interests in specific issue-areas. The specific references to ‘recognized practices’ and ‘actors’ interactions’ are the pillars of this definition. They underline the importance of reciprocal understanding among the actors concerned in devising the constitutive elements of an international regime. Still, specific attention should be directed also to the term ‘mutual interests’ since it emphasizes the need for cooperative approaches instead of the imposition of elements of an international regime by one of the ‘concerned actors’. This last eventuality becomes extremely difficult in an Internet environment. Although international regimes may arise from a hegemon, it is unrealistic to expect this eventuality, given the Internet’s dynamic environment (Kindleberger 1981). The success of this medium outside North America suggests that the initial dominant position of the United States is being challenged by other states. This challenge results from states becoming extremely active in exploiting the socio-political and commercial functionalities provided by the Internet. The same dynamism applies to the business community, as indicated by the number of antitrust cases mounted against large IT conglomerates like Honeywell and Microsoft. Businesses are able to devise new software or hardware applications, as well as innovative business models, to secure a dominant position in the short and medium term. However, maintaining dominance becomes a difficult undertaking due to the constant rise of new competitors and advances in information and network technologies. To summarize the foregoing, I have provided a definition of an international regime and examined the relationship between its four constitutive elements. In particular, I have argued that an individual actor cannot impose its own principles, norms, rules, or decision-making procedures for the long term. The initial hegemonic position is challenged by the intervention of national and international authorities and the dynamic nature of Internetrelated technologies and services. How does this analysis relate to the notion of information assurance? An international regime for information assurance is made up of state and business practices aimed at establishing fragile trust and online relational exchanges; it achieves this through principles, norms, rules and decision-making procedures for the protection of confidentiality, integrity and availability, non-
Public–private cooperation
137
repudiation, authentication, and privacy. This definition, first, emphasizes the equal role of states and businesses in devising the regime, an aspect discussed in detail later in this chapter. Second, it highlights the relation between the four constitutive elements of the international regime. An analysis of the Internet and its related technologies and services seems to suggest that there is already a set of principles that reflect the ‘shared understandings’ upon which this information and communication medium rests. Norms, rules and decision-making procedures need to reflect these principles, given the connection among the elements of an information assurance regime. Devising these norms requires states and businesses to cooperate by overcoming their specific interests in the individual elements of information assurance: confidentiality, integrity and availability, non-repudiation, authentication, and privacy.
Preserving the positive network externalities of the Internet: Principles of an international regime for information assurance The previous section concluded that the Internet embodies a set of principles which need to be reflected in the other elements of an international regime for information assurance, such as norms, rules and decision-making processes. This section describes these principles by exploring the Open Communication Infrastructure (OCI) model drafted by researchers at the Massachusetts Institute of Technology (MIT) Research Program on Communications Policy and relates them to the notion of ‘positive network externalities’ (Neuman et al. 1997). The open communication infrastructure (OCI) model This model rests on four elements: open architecture, open access, universal access and flexible access. Open architecture indicates policy and technological solutions facilitating interconnectivity and interoperability among telecommunications and information system services. Open access calls for the removal of barriers to the entrance of new commercial actors to the markets created by information and communication media like the Internet and its related network and information solutions. Proponents of the OCI model believe that open access means that the presumption should be in favour of interconnection and the elimination of regulatory
138
Lorenzo Valeri
barriers, not the opposite. Public policy should be oriented towards encouraging open access as a critical goal. Universal access indicates those regulatory and legislative initiatives aimed at fostering the use of information and communication media like the Internet by as many actors as possible. Flexible access refers to those initiatives that permit access to information and communication media through different media such as personal computers, wireless devices and similar instruments. The OCI model can be extended for the development of an international regime for information assurance. The Internet has embodied these principles through a set of technological and regulatory developments. Consequently, any norms, rules, or decision-making processes involving the Internet, such as the present case of information assurance, need to take these principles into consideration. With the aim of validating this assumption, the next section provides an overview of Internet-related regulatory and technical developments. Regulatory and technological developments supporting the principles of the OCI model The Internet embodies the principles of the OCI model not only by the open nature of its protocols such as TCI/IP, but also as a consequence of regulatory decisions taken by government bodies and international institutions, as well as several groundbreaking technological developments. These developments have fostered a dynamic environment where it is possible to participate and interact through this information medium (Cohen 1992). In conjunction with these regulatory developments, technological advances in the provision of satellite, cable and wireless communications have furthered the Internetâ&#x20AC;&#x2122;s embodiment of each of the four OCI principles. Since the middle of the 1990s, a large number of commercial operators have invested in the exploitation of satellites for the delivery of Internet access. Meanwhile, the cable television industry has been expanding its services by providing access to telecommunications services and information networks such as the Internet. Moreover, services such as Asymmetric Digital Subscriber Line (ADSL) have permitted public and private companies, as well as individuals, to have constant access to the Internet at relatively low cost. Telecommunications and information technology firms have also been working together to bring the functionalities of the Internet to
Public–private cooperation
139
the user through media such as mobile phones and personal digital assistants. These instruments are seen not as mere communication tools, but as new venues for information and commercial services. In conjunction with developments in satellite and wireless technologies, the explosion of cheap Internet services has made universal and flexible access a reality for many. This trend is epitomized by initiatives like city-wide Wi-Fi networks, where people can freely access the Internet while on the move. To fully appreciate how and why the OCI principles have fostered the socio-political and economic success of the Internet, it is necessary to introduce the notion of ‘positive network externalities’ and relate it to the consequences of malicious activities and outages. The concept of positive network externalities and its relation to information assurance The concept of network externalities is essential to understand the relationship between the four principles of the OCI model and state–business interaction under an international regime for information assurance. Networks such as the Internet are an assembly of multiple components. Navigating the World Wide Web, for example, requires the simultaneous combination of an Internet service provider (ISP), telephone access, hardware and software. The essential element of a network is its accessibility through the necessary hardware and software tools. As indicated previously, developments in wireless, cable and satellite technologies have allowed access to the Internet and its related services either via a fixed telephone line or through mobiles and satellite links. The use of these diverse access instruments depends on the objectives and desires of the user. These, nevertheless, are subjective factors, since they depend on individual requirements and expectations of whoever is using the Internet. Some may just want the Internet in order to communicate, while others may be interested in leveraging it as a new online marketing and distribution channel. The two possibilities require the use of different combinations of hardware, software and communication tools that the Internet permits through open architecture and increasingly open, flexible and universal access. The most important aspect, nevertheless, is that these four principles allow
140
Lorenzo Valeri
the Internet to experience ‘positive network externalities’ (Katz and Shapiro 1985; Economides 1996). The term ‘externalities’ refers to a situation where the value of a particular good or instrument is assessed not only according to its features and qualities, but also by the number of its users. A network or a product experiences positive externalities when its value increases exponentially as more users connect and interact through it. For example, when A decides to use the same spreadsheet package used by B and C, then A benefits from the fact that A’s documents can be read immediately by B and C. Furthermore, B and C profit from the situation since they now have another potential user of their files and, consequently, their services or products. Due to its open architecture and capacity to offer open, flexible and universal access, the Internet has been experiencing positive network externalities. Every new entrant, whether an individual or an organization, can take advantage of the numerous services and tools already available on the Internet, while the incumbents have a new potential recipient of their services and goods. This ‘positive’ condition can be undermined if the Internet stops attracting enough new users and/or if incumbent users have difficulty in delivering their services and goods. Illegal misuses or systems outages may lead to such scenarios. The statistics presented in the previous chapter about users’ fears in making online transactions seem to confirm this assumption. An international regime for information assurance, therefore, is the possible answer to the situation. It may foster relational exchanges among new and incumbent Internet users. Essentially, norms, rules and decision-making processes for information assurance may assist in establishing the necessary trust which allows for both the creation of relational exchanges and the preservation of the positive network externalities of the Internet. To conclude, the Internet embodies the four principles of the OCI model, which explains why this medium has been experiencing conditions of positive network externalities. Illegal misuses and system outages may affect these pivotal characteristics since they may undermine the arrival of new users and the activities of the incumbent actors on the Internet. Since the Internet reflects the four OCI principles, it is necessary to translate them into the remaining elements of an international regime and, in particular, into norms which indicate the rights and obligations of states and businesses operating over the Internet. Because of this
Public–private cooperation
141
interconnection, rules and decision-making processes should derive from these norms. This transposition, however, can only be accomplished through international cooperation among the two main players – states and businesses. States and businesses: Main players in an international regime for information assurance The academic literature on international regimes has a propensity to focus on states as the principal actors. Vogler (2000: 25) has noted that this is because ‘governments are able to cohesively represent the diverse demands and interests within society and, at the same time, exercise real authority over global events and situations like environmental damage’. This state-centrism, however, does not provide the necessary framework for an examination of the Internet’s socio-political and economic implications and, in particular, the consequences of cybercrimes and system outages. The state is just one of two principal players, the other being the business community. The call to look beyond state-centrism in studying international regimes is not a recent phenomenon. Keohane and Nye (1972) and others have acknowledged the growing importance of non-state actors, such as multinational corporations, in the international arena since the beginning of the 1970s. Risse-Kappen (1995) and Vogler (2000) reached similar conclusions in the 1990s. It is possible to argue that, in examining international regimes, it is unquestionable that private sector organizations and, especially, large transnational corporations are actors of first importance. In her contribution to Regime Theory and International Relations, Haufler (1995) has taken the analysis further by indicating that businesses themselves devise their own corporate private regimes, when firms cooperate over issues beyond price, supply and market share. Likewise, it is conceivable that these private international regimes collide with those sustained and supported by states. Haufler, moreover, has observed that when interests of government policy makers and influential non-state actors come into direct conflict, government leaders may not always prevail in determining the final outcome. The Internet has made the need to overcome the general statecentrism of the international regime literature imperative with the insertion of businesses as equal actors. This is mainly a consequence of a series of historical events and transformations,
142
Lorenzo Valeri
both in the United States and Western Europe, which have seen the Internet move from being a combination of state-controlled networks to one privately managed and held (Abbate 1999). Despite the fact that from the mid-1990s, the Internet went through a phase of privatization, the central role of the state has not been undermined. The Internet could not have developed without the financial and technical support of state organizations. States, individually or through international institutions, still provide fundamental investment and research support for the better information and communication technologies. Meanwhile, many national and international research networks still carry commercial Internet traffic. Finally, as discussed later in this chapter, states have specific interests, since the Internet has become the focus of new social issues involving privacy, intellectual property, censorship, indecency, cybercrimes and system outages. How do inter-state and inter-business cooperation relate to each other? Do international regimes and standards facilitate this? An international regime for information assurance would assist both actors in accomplishing their individual objectives while exploiting the potential of the Internet. Nevertheless, this can only happen if states and businesses can converge their specific interests in relation to each individual element of information assurance. If this communion of interests were to be accomplished, the end-result would be a set of norms and related rules and decision-making processes that would not only reflect the interests of the two actors, but also respect the principles of open architecture and open, universal and flexible access, which are at the very heart of the Internet.
Cooperation among states: Neo-realism and neo-liberal institutionalism Scholars of international relations disagree in explaining cooperation among states and the function of international regimes. As argued later, this chapter embraces the neo-liberal institutionalism approach to inter-state cooperation. The main reason for this is its appreciation of interdependence and focus on â&#x20AC;&#x2DC;absolute gainsâ&#x20AC;&#x2122; as the outcome of cooperative arrangements. Nonetheless, this approach builds on the axioms of neo-realism about the anarchical nature of the international system and the egoistic and rational nature of the Internet. Differing from neorealism, neo-liberal institutionalism allows for a higher possibility
Public–private cooperation
143
of cooperation among states and confirms the importance of international institutions and international regimes. Before introducing each perspective and linking it to the Internet and information assurance, it is important to define the notion of ‘cooperation’ and how it is distinct from ‘harmony’ and ‘discord’. The existence of cooperation, harmony and discord is primarily related to the preferences and interests of the involved actors. If a state can achieve its interests by itself, it does not need to engage in cooperative activities. However, these three possibilities refer to situations where states have to coordinate since they cannot achieve their interests individually. In the case of harmony, the individual policies of one state are perceived by others as supporting their own objectives. Therefore, there is no need for policy coordination since individual aims are achieved automatically with no changes in the policies of the other states. ‘Discord’ refers to the case where the differences in the policies of the single state are so divergent that it is not possible to coordinate policy. These states may lose the benefits of coordinating their actions. Cooperation refers to a situation where states actually resolve differences between their respective domestic policies in order to achieve specific goals. Anarchy and interdependence: Two distinct but related concepts The existence of harmony, cooperation and discord is directly related to the anarchical character of the international system, which neo-liberal institutionalism and neo-realism both assume. Authors writing about international relations define anarchy as the lack of a governmental authority in the international system. Scholars compare the anarchical nature of the international system (high politics) with domestic politics (low politics). As Wight (1994: 156) has stated, ‘anarchy is the characteristic that distinguishes international politics from ordinary politics. The study of international politics presupposes absence of government, as the study of domestic politics presupposes the existence of one.’ The presumption of anarchy in the international system, nevertheless, has been criticized as being too reductive (Wendt 1992). Milner (1993: 116), in particular, has argued that ‘the current tendency to over-emphasize the centrality of anarchy to world politics may not be the most useful way to conceptualize international politics […] Such reductionism overlooks another
144
Lorenzo Valeri
central fact about international politics – namely the interdependence of actors.’ According to Keohane and Nye (1977: 9), interdependence refers to ‘situations characterized by reciprocal effects among countries or among actors in different countries’. This approach is similar to the notion of strategic interdependence, which indicates a situation when ‘the ability of one participant to gain his ends is dependent to an important degree on the choices or decisions that the other participant will make’. The most important characteristic of interdependence is the allocation of costs and benefits among the actors involved. The attainment of a particular interest is dependent on the other actors’ perceptions and capabilities. Therefore, each one of them has to quantify these costs and compare them with the potential benefits originating from international cooperation in those areas where they are interdependent. The Internet may be considered an anarchical system where the two primary sets of actors, states and businesses, are interdependent. There is no central governmental authority to regulate activities over the Internet. The interdependence among states and businesses, therefore, may create the conditions for overcoming the Internet’s anarchical nature. This relationship is even more crucial in making the case for a regime of information assurance, which aims to counter the negative consequences of misuses and malfunctions of Internet-based information systems. The anarchical nature of the Internet and the notion of interdependence among states and businesses are the two conditions sine qua non for interpreting international cooperation, not only among states but also among businesses.
The debate between neo-realism and neo-liberal institutionalism Neo-realism and neo-liberalism are state-centric approaches to international relations. Together with the assumption about the anarchical nature of the international system, both approaches consider states as rational egoists. Rationality refers to the capacity of states to have stable preferences and calculate the costs and benefits of different options in order to maximize their utility. Egoism describes the capacity of states to focus on their own interests independently of all the other actors (Van WalsumStachowicz 1999). Neo-realism and neo-liberal institutionalism
Public–private cooperation
145
thus present divergent perspectives on cooperation among states and the function of an international regime, as will be illustrated in the next section. Neo-realism and its pessimism towards international cooperation The anarchical nature of the international system is the starting point of neo-realist thinking on international cooperation. According to neo-realism, anarchy refers not only to a lack of central government, but also to the risk of a state becoming the target of violence since there is no overarching authority to prevent it. Realists have proposed that international anarchy makes cooperation difficult because agreements cannot be centrally enforced. Due to this fear of violence, states are constantly assessing their position in the international system while deciding whether to embark on cooperative arrangements. Essentially, they are interested in achieving a ‘relative gain’ in comparison with the other states. This focus on states’ positions creates a difficult environment when it comes to inter-state cooperation. A state, in fact, may decide to cooperate only when ‘it does better, or at least no worse, than the other state’ (Mearsheimer 1995b: 339). Although this neo-realist approach seems to exclude interstate cooperation and international regimes or organizations, this is not really the case. Realists, in fact, believe that international regimes and organizations are the mirror image of the distribution of power inside the international system. Examining the North Atlantic Treaty Organisation (NATO), Mearsheimer (1995a) argues that it was a manifestation of the bipolar distribution of power in Europe during the Cold War, and it was the balance of power, not NATO per se, that provided the key to maintaining stability on the continent. Organizations, therefore, are mainly the expression of powerful states, and NATO was essentially a US tool for managing power in the face of the Soviet threat. Although it may prove useful in the field of military and security studies, the neo-realist focus on relative gains and its pessimism regarding international institutions make its direct applicability to issues of information assurance and the Internet in general unfeasible (Moravcsik 1999; Waltz 2000). It is interesting to note Krasner’s (1991) examination of the issue of international regimes in the realm of global communications. His neo-realist analysis starts with the presumption that states’ relations in these issue-
146
Lorenzo Valeri
areas centre on the distribution of national power capabilities and are not concerned with solving problems of common interest. In particular, technological innovation gave some private actors, primarily domiciled in the United States, an incentive to press for a more competitive telecommunications regime both domestically and internationally. Therefore, the US has pressed for changes in telecommunications regimes by using a series of threats and unilateral actions. Krasner’s approach can be justified by the fact that he focuses on the notion of power in terms of technology and market size, membership in international organizations, and control over territorial access provided by juridical sovereignty. Although Krasner’s analysis might have proven correct in the 1980s and the beginning of the 1990s (when state monopolies still controlled the provision of telecommunications services), the Internet environment today is profoundly different due to the growing number of states involved, and more importantly, the number of businesses. Hence, an analysis based on power cannot be transferred to this environment since it would prove difficult to define who has it and at what level. As mentioned earlier in this chapter, in an Internet environment it is highly difficult to consider the eventuality of a hegemon being either a business or a state. This multiplicity of actors and the Internet’s dynamism do not allow the possibility of an international regime in information assurance based on the power of the players. Therefore, the negative impact of relative gains on cooperation among different actors is reduced (relative gains have the greatest impact when the number of states is small or there are asymmetries between them, a situation which does not reflect the reality of the Internet). Deudney and Ikenberry (1999: 191) have indirectly argued a similar point by stating that in a world of advanced industrial capitalist states, ‘the absolute gains to be derived from economic openness are so substantial that states have a strong incentive to abridge anarchy so that they do not have to be preoccupied with relative gains considerations at the expense of absolute gains’. Nevertheless, this situation does not mean that inter-state cooperation is made easier. The difficulties, however, may be overcome if the analysis concentrates on the role of international regimes, as championed by neo-liberal institutionalism. These instruments enhance information sharing concerning present and prospective partners and allow for the identification of so-called ‘obedient’ states.
Public–private cooperation
147
Neo-liberal institutionalism and its positive approach towards international cooperation Although it starts with the same assumptions as neo-realism, neoliberal institutionalism has a more positive attitude towards interstate cooperation. This position arises from the fact that its analysis concentrates mainly on states’ interests in economic and environmental affairs, although military and security arguments are not ignored. Due to its economic focus, neo-liberalist scholars affirm that states want to improve their own individual positions independently of the other actors. They are more concerned with enhancing their own position than comparing it with those of other states, as argued by neo-realism. However, even if states concentrate on achieving absolute gains, several factors inhibit inter-state cooperation. States are afraid of the non-compliance of partners and, in particular, the possibility of being cheated and, consequently, receiving a low payoff from their cooperative efforts. In this context, international regimes play an important role. International regimes provide the necessary instrument for (a) assessing the reliability of information and (b) overcoming the fear of cheating by other states involved in cooperative arrangements. While engaging in cooperative engagements, actors measure their position in relation to other states and hope to predict how future developments will affect their own interests. In this setting, information is crucial because it correlates actors’ previous activities with the level of present and future commitment to specific cooperative engagements. This correlation is only possible if the necessary information is both reliable and timely. International regimes permit the sharing of reliable information among actors, and thus aid in fostering individual interests via cooperation. The importance of international regimes as supportive instruments for inter-state cooperation can also be assessed in terms of costs and reciprocity. They provide information about the actors’ present involvement and forecast their future commitment to these arrangements. It is possible to value each actor’s actions according to the principles, norms and rules of an international regime. States, therefore, may uncover and eventually take action against uncooperative behaviour that may hamper the achievement of their individual gains. Meanwhile, potential defectors may also quantify the consequences of their uncooperative behaviour in terms of failure to fulfil their individual preferences and interests.
148
Lorenzo Valeri
Since states are rational actors, they may move away from uncooperative behaviour and readjust their policies accordingly to avoid reciprocal disapproving responses from other actors. Having assessed the role of international regimes as facilitators of interstate cooperation, it is necessary to relate them to the issue of information assurance and the Internet in general. Illegal misuses and systems outages may originate in one specific geographical area, but their effects may rapidly spread around the globe. Individual states, therefore, need to cooperate among themselves and with businesses to counter these threats. An international regime for information assurance may facilitate this cooperation. States may establish â&#x20AC;&#x2DC;Internet relationshipsâ&#x20AC;&#x2122; to share information about the negative uses of this medium and coordinate commercial and political engagements. At the same time, these international cooperative measures may affect those actors that do not support information assurance. Through the establishment of and participation in this international regime, a state can demonstrate its commitment to the development of an international environment that is conducive to countering the negative implications brought forward by online cybercrime and other malicious activities. According to neo-liberal institutionalism, international regimes allow individual states to achieve absolute gains by cooperating with the other members of the international community. Principles, norms, rules and decision-making processes play an important functional role since they permit actors to overcome fears about any lack of reliable information concerning the othersâ&#x20AC;&#x2122; commitment to a specific cause, which in this case is the promotion of fragile trust and Internet-based relations exchanges. Although in a different setting, similar concepts can be found in the literature discussing cooperative activities among businesses.
Cooperation among businesses: The case of strategic alliances The examination of issues concerning information assurance and the Internet in general requires going beyond the state-centric nature of these approaches and must include the role of businesses. Technical and management standards are among the enabling factors for cooperative arrangements and, in particular, strategic alliances (Tucker 1991). Businesses need a common framework in which to assess the level of their partners.
Public–private cooperation
149
Strategic alliances have become one of the most interesting recent developments in the business world and have proven to be extremely successful in terms of return on investments and shareholder value. Indeed, ‘since the early 1990s, the percentage of revenue that the one thousand largest companies in the United States have earned from alliances has more than doubled, to 21 per cent in 1997. By 2002, the successful alliance builder expects about 35 per cent of revenues to come from alliances’ (Harbison and Pekar 1998: 33). Strategic alliances are complex arrangements among independent partners involving financial integration of ownership as well as extensive data sharing about business practices, research and development, and clients (Nooteboom 1999). The two main elements of differentiation are the continued independence of the involved partners, coupled with an expected level of commitment to the success of the alliance. The need for strategic alliances arises from companies’ perception of their incapacity to accomplish their financial and commercial objectives independently and, therefore, the need to cooperate with other businesses. Nevertheless, in order to achieve these goals, companies have to demonstrate a high level of commitment to the alliance. Although strategic alliances may be found in almost every sector of business, such arrangements have been most noticeable in the financial industry and in the information and telecommunication technologies. Several factors may explain the large numbers of strategic alliances in these sectors. The issue of risk sharing associated with product or business research and development (R&D) presents many dangers in terms of financial returns and market acceptance (Celeste 1996). As they aim to achieve higher returns and profits, companies are very wary of costs and would rather share them with partners. There are also uncertainties about technology and market access for new products and services. As customer demands constantly evolve, companies find it extremely complicated to maintain a competitive edge in multiple technology fields. Moreover, companies are constantly looking for new sources of revenue through market expansion. They want to gain rapid access to better and more cost-efficient supplies and market outputs. However, some lack the necessary financial and management skills; they focus on specific internal capabilities and gain the required knowledge through strategic alliances. Finally, firms may establish alliances to satisfy government restrictions
150
Lorenzo Valeri
concerning imports or ‘local content’ or even to favour important customers. Strategic alliances are not only being formed among noncompetitors. Scholars have examined the rise in the number of cooperative arrangements among competing companies. Companies may contribute complementary but different assets to the production, distribution and sale of each other’s products and services. Or they may share the necessary technical and physical supply to produce goods and services that are, in the end, marketed and sold by each firm individually. Finally, companies may distribute, market and sell products and services jointly. Similar to strategic alliances between non-competitive firms, each company wants to increase its revenues, profits and share value. Nevertheless, it is also possible that competitors decide to cooperate to raise the ‘value-added’ requirements for introducing new products and services and, consequently, raise the entry barriers to new competitors. Strategic alliances and the functional role of standards Strategic alliances present strong parallels with interstate cooperation along the lines of neo-liberal institutionalism. As emphasized by alliances among competitors, individual firms are rational actors engaging in strategic alliances to improve their absolute gains, such as financial returns and commercial objectives (Ciborra 1991: 58). These cooperative arrangements, in particular, are expected to bring competitive advantage to each individual member. Strategic alliances, moreover, involve costs that need to be quantified and, more importantly, offset by the outcomes of cooperative relationships. This quantification, consequently, may involve specific measures to gauge the level of financial and management commitment of those prospective partners, as well as possible scenarios of reciprocity in case of non-compliance. International commercial and technological norms, rules and decision-making processes may aid in the assessment of a potential partner’s overall commitment towards a specific strategic alliance. As an interesting example, the International Accounting Standards make it possible to conduct an audit and due diligence analysis among companies operating in different countries. In terms of information assurance, one of the most interesting cases is British Standard (BS) 7799 concerning information security management. When companies are certified as BS7799-compliant, they can claim
Public–private cooperation
151
to have internal management procedures for preventing or, at least, containing the potential negative implications of misuses or outages. These technical, accounting and managerial standards may play a pivotal role in assurance, as long as they are generally accepted by each potential partner. Similarities between standards and international regimes The operational importance of standards in fostering inter-business cooperation can be compared to the functional role of international regimes as described by the dicta of neo-liberal institutionalism. They facilitate the sharing of information among the various businesses and assist in the defining of partners’ commitments to cooperative agreements such as strategic alliances. The process leading to the creation of a standard is very similar to that of an international regime. There are ‘de facto standards’ that originate ‘with the arrival and acceptance of a standard in the market and apply to standards affecting a product or system that has captured a large market segment’ (Bonino and Spring 1991: 98). The Internet’s dynamism allows neither software and hardware products nor specific business processes to dominate in the long term. New and improved ones developed by other commercial operators may undermine this dominance. Similar arguments can be presented for de jure standards that derive authority from some legal base or treaty. Unless they fulfil the interests of all concerned actors, they run the risk of being either similar to the de facto counterparts or becoming dead letter regimes that neither party sees the necessity to implement or utilize. Most technical and managerial standards are based on consensus since they are developed through interactions among the actors concerned. Standards and international regimes are both instruments to assist the involved actors, which in this case are states and businesses, to achieve their objective as long as these instruments echo their interests. Because the Internet already embodies the four OCI principles, the remaining elements of an international information assurance regime need to arise from overcoming individual interests and creating consensus.
152
Lorenzo Valeri
States’ interests in information assurance An international information assurance regime may be conceived as an ‘external safeguard’ for countering the negative implications of cybercrime and other online malicious activities. In order to exploit the potential of the Internet, the state has a central role to devise international instruments to counter misuses and accidental outages. To appreciate how international regimes may assist in achieving this objective, it is necessary to move beyond the Weberian conception of the state, which claims the monopoly of the legitimate use of physical force within a given territory. The limitations of the notion of sovereignty over a territory become evident when we examine how neo-realism and, to a certain extent, neo-liberalism tend to conceive the survival or destruction of the state in physical terms. As Paul (1999: 221) argues, they ‘imply that the physical parameters of a state, its territory and population, define existence, just as (from a materialistic perspective) the destruction of the human body marks the boundary of an individual person’s existence’. This ‘physical’ classification of the state, nevertheless, becomes complicated to translate into the global nature of the Internet, although it should not be discarded. A possible solution is to extend the definition of the state by considering it as a ‘social actor’ (with a physical component), capable of knowing, learning and doing things through an inter-subjective process of socialization. The state needs to structure itself to understand the pervasive economic, political and social changes brought by the Internet and foster them accordingly. This extension of the definition is consistent with the notion of the state in an era of financial and communication globalization according to the international political economy and business literature. The state should promote economic activities to make firms and sectors located within its territory competitive in international markets (Cerny 1996). Similarly, it should establish an environment where businesses can gain competitive advantage (Porter 1990). This competitiveness may be achieved through a ‘macro-organisational strategy’ that calls ‘actions taken by governments to optimize the modality by which resources and capabilities within the jurisdiction are created, upgraded and allocated among different uses, and the efficiency at which these are developed for any given use’ (Dunning 1992: 10).
Public–private cooperation
153
Notwithstanding these specific economic and commercial functions, a state continues to be engaged in addressing concerns for the safety and well-being of individuals and enterprises in terms of regulations and monitoring. Health care, environmental protection, traffic regulation and product safety are just a few examples of these functions (Goldring 1997). This role is also particularly relevant in relation to the Internet, even if the functions are global and owned and managed by businesses. V. Wright (1994: 156), in particular, has argued that ‘as long as competition is not fair, supply of telecommunications services is expected to be just, and privacy has to be protected; a complete retreat of the state from telecommunications is a romantic, and sometimes dangerous illusion’. This idea becomes even more illusionary when referring to issues of cybercrime and national security. The fight against malicious actors operating illegally through the Internet is a central function of states. Actually, it may represent the cornerstone for establishing an Internet macro-strategy aimed at fostering the necessary ‘fragile trust’ which permits public and private organizations to form Internet-based ‘relational exchanges’. This struggle, however, may undermine the interaction between states and businesses in defining the content of norms, rules and decision-making processes of an international regime for information assurance that still needs to reflect the principles embodied by the Internet. States, either individually or cooperating among themselves, have tended to concentrate on devising norms concerning the confidentiality element of information assurance to the neglect of the remaining elements of information assurance. The protection of data and information confidentiality through specific technologies and management procedures has been a primary concern for state organizations, especially with reference to defence and police activities against criminal activities. States fear that classified or sensitive data might leak, favouring the illegal activities of malicious actors. The complexity associated with the protection of data and information confidentiality during multi-partner military operations is an interesting example in this sense. Therefore, specific confidentiality-enhancing managerial and physical procedures have been devised. At the same time, confidentialityenhancing technologies, such as symmetric or asymmetric cryptography, have been shown to be instruments that hackers and criminal organizations may exploit to safeguard their own activities and data from the eyes of police and defence and
154
Lorenzo Valeri
intelligence organizations. Government institutions, consequently, have considered these technologies as obstacles in the way of law enforcement and national security objectives. While trying to devise the contents of an information assurance regime, states have tended to support norms concerning the protection of the confidentiality of their information in an attempt to prevent malicious actors obtaining analogous technological capabilities. This assumption does not mean that states are not interested in enhancing the integrity and availability elements of information assurance. It only suggests that they consider these two elements to be put on a lower level of importance than issues related to confidentiality when devising an international regime for information assurance, as part of their Internet macro-strategy. In addition, there are certain state activities where these two elements are as important as confidentiality. The case of online tax collection is a prime example. Clearly, in this area there is a need for the information systems of the internal revenue services to be available to individual and commercial operators, while protecting the integrity of the collected data.
Conclusion: Business interests in information assurance Businesses have a keen interest in devising an international regime for information assurance to achieve their commercial and financial ‘absolute gains’. Norms echoing the four principles of the Internet may assist in these commercial and financial efforts which are centred on the functional role of ‘fragile trust’ in establishing ‘relational exchanges’. This situation becomes even clearer when examining some of the activities of businesses enhanced by the Internet. Since the beginning of the 1990s, they have been rapidly moving away from vertical integration and embracing horizontal management procedures. Production and services are increasingly executed through Internet-based data-sharing infrastructures (Pasternak and Visco 1998). Moreover, they have also been setting up ad hoc, geographically dispersed teams for developing specific products and services whose critical data is also dispersed in information systems over a variety of different locations (for example, US and European information and network technology companies using the services of software development houses based in the Indian region of Bangladore). The Internet has also been one of the enhancing elements for inter-business cooperation in devising new services and goods, as
Public–private cooperation
155
suggested by the cases of strategic alliances in the information and telecommunication sectors. Individual companies have opened their Internet-based information networks to allow third parties and partners to tap into their information and coordinate production and management activities. This opening of access becomes even more evident in situations where different companies merge their products and services into a single solution or offering. The case of the Internet’s search engine companies and online financial services is illustrative in this regard. After having directed business and individual users through the maze of Internet-based services, search engine companies have started to differentiate their business focus by adding features like news, financial services, travel information and auctions. These new services are provided mainly through contracts with third parties. Similar scenarios apply to the case of online financial institutions. Some of the institutions do not even have regular ‘physical’ infrastructures such as branches, and they often provide their services by repackaging financial services provided by a third party. Nevertheless, the financial and commercial success of these online operations is based on the fact that, no matter what, customers may access these services knowing that their requests will be fulfilled in the same manner as in the physical world. If events such as malicious activities and system outages undermine these operations, the expected revenue and financial success may be greatly hampered. Hardware and software companies also have a strong interest in information assurance. Their sales and support services are directly connected to the rise of the commercial and social potentialities of the Internet. If misuses and system outages affect the establishment of profitable ‘relational exchanges’, the delivery of services and goods online, and the sale of hardware and software may become more complicated. This state of affairs emphasizes the specific interest of the international business community in information assurance. However, unlike states, businesses have a tendency to focus on integrity and availability. Their services need to be constantly available, and the data and information need to be precise and unmodified. The previous cases of Internet-based just-in-time production and online banks are good examples of this requirement. Nevertheless, the preservation of these two elements of information assurance is complicated by the fact that businesses usually operate in very competitive environments that compel them
156
Lorenzo Valeri
to constantly review their information security postures by adding new products and systems. The goal of these efforts is to acquire additional functionalities and capabilities in order to offer new services to their partners and clients. Moreover, it is important to emphasize that the operational environments of businesses are often extremely different from those of government institutions, particularly in defence and intelligence settings. The former usually involve mobile employees and authorized external users such as contractors and consultants. These users require flexible access to information and network systems that are constantly available and whose data are not compromised. An interesting example in this sense is the need a salesperson might have to access a company database to check prices and availability via a wireless modem linked to a laptop while concurrently trying to persuade a potential buyer. The situation is made even more complicated by the fact that an increasing number of internal businesses have been opening their internal data and networks to their partners and clients, who want this service to provide unmodified data and to be constantly available. This focus upon integrity and availability does not mean that businesses are not concerned with confidentiality. Actually, they need to protect their data and information to avoid the loss of technical and commercial secrets to their competitors. Moreover, this requirement may be directly stated in contractual and regulatory acts. They call for easy access to those confidentialityenhancing technologies which states would like to control in their fight against Internet-based criminal activities. But, unlike states, businesses are prone to balance their confidentiality needs with the need to ensure the integrity and availability of their information infrastructures and services in order to establish Internet-based relational exchanges. Consequently, businesses have tended to prioritize their integrity and availability interests when devising the elements of an information assurance regime. By espousing the theoretical approach of liberal institutionalism, this chapter has demonstrated the need for states and business to overcome their individual interests in developing an international regime for information assurance. This theoretical framework goes beyond the mere use of international regime literature and inserts into the analysis approaches taken from business and standardization studies. More importantly, the aim of this chapter has been to demonstrate the analytical complexity of studying the
Publicâ&#x20AC;&#x201C;private cooperation
157
security and policy implications of the Internet and its many facets. This is particularly relevant for the case of information assurance, where policies need to take into consideration the interests and objectives of the two main stakeholders: states and businesses. As information and communication technologies evolve, the Internet will continue to be exposed to new online threats and vulnerabilities. States cannot address these by themselves. Businesses will always need to be involved.
7
International policy dynamics and the regulation of dataflows Bypassing domestic restrictions Ian Hosein and Johan Eriksson
Introduction1 The basic contention of this chapter is that though states are certainly challenged by the twin forces of globalization and privatization, they may under some circumstances bypass domestic restrictions and regain power and control through international arrangements. Of this an illustration is how governments regulate the security and privacy of international dataflows through the Group of Eight (G8) and the Council of Europe. In particular, we focus on how states use international cooperation for escaping domestic legal restrictions (so-called ‘policy laundering’), how strategic shifting between policy-making arenas may open windows of opportunity (‘forum shopping’), and how states selectively imitate policy frameworks from other countries (‘blueprinting’). This chapter does not formally apply a single theoretical framework, but rather draws on a number of bodies of literature, both from within and outside the realm of International Relations (IR). Some observations are inspired by parts of the literature on international cooperation (Keohane 1984; Ikenbery 1989, 1996; Alvarez 2002), while others draw on the policy studies literature on regulation (Baldwin and Cave 1999; Thatcher 2002), and policy diffusion (Rogers 1962; Dolowitz and Marsh 1996). However, the policy diffusion approach has to a limited extent also been applied within IR (Risse-Kappen 1994).
Technology and globalization: A regulatory challenge Transborder activity challenges the ability of sovereign nations to enact and enforce laws within their own jurisdiction. Data flows
Bypassing domestic restrictions
159
within transnational digital networks are a case in point. Action may occur from a distance, where the overflow of activity can occur without an individual having to physically enter the jurisdiction. Whether it is the penetration of computers or the downloading of pornography, this conduct can occur across borders, preventing law enforcement agencies, with their traditionally bordered jurisdictions, from conducting investigations and generating evidence. From a technological perspective, the challenges are already numerous. Identifying and tracing an individual behind conduct on the Internet is non-trivial, as is identifying the alleged perpetratorâ&#x20AC;&#x2122;s geographic location. Identifying the location of evidentiary information is also difficult: identifying which Communication Service Providers hold customer data, emails and transactional data regarding an incident, and ensuring that the information is available to law enforcement officials. This is presuming, of course, that the law enforcement agencies conducting this investigation have the appropriate investigatory capabilities with appropriate authorization and oversight procedures, enshrined in law and made possible by technology. Resolving national policy challenges is no easier. Criminalizing conduct, through substantive law, such as hacking or downloading child porn may seem trivial but the process of drafting bills and testing laws through court decisions has proven to be difficult for many countries either due to vagaries in definitions, contentious updates due to new technologies and techniques, or legal challenges on constitutional values. This all presumes constitutional protections, and an active non-governmental sector including industry lobbyists and human rights organizations. Establishing state powers of investigation is also non-trivial; once it is decided, technologically, that investigative information may exist in the form of computer data, allowing for lawful access to this data usually requires new laws of interception, search and seizure, and production and preservation by third parties. This all presumes that law enforcement agencies have procedures and knowledge to deal with these situations. Finally, when information exists within other jurisdictions, countries may be required to preserve and access the information. Much of this, arguably, needs to occur quickly in order to begin real-time access, or access to stored data before the data is deleted. This all presumes that such regimes for international co-operation exist.
160
Ian Hosein and Johan Eriksson
National governments are usually entitled to enact and enforce laws within their jurisdiction; it is, after all, their sovereign right to do so. There are conditions that arise where this sovereign right is questioned, or where conflicts arise. One such conflict arises when there is transborder activity: where activity occurs beyond the jurisdiction that affects the ability of the sovereign jurisdiction to enforce its laws. This renders the viability of potential laws to solve this very problem as doubtful. Enforceability becomes immediately questionable: activity may occur beyond the jurisdiction of national law, regulating national activities are fruitless and hazardous economically (Sun and Pelkmans 1998). With data flows within transnational digital networks and the associated products and services, the transborder problems are exacerbated. Action may occur at a distance, where the overflow of activity can occur without an individual having to physically enter the jurisdiction. Whether it is the penetration of computers or the downloading of pornography, this conduct can occur across borders preventing law enforcement agencies, with their traditionally bordered jurisdictions, from conducting investigations and generating evidence. Establishing national policies amid transnational data networks and flows is a pressing technology policy issue. It is not new, nor as infeasible as often presumed, or argued legally (cf. Johnson and Post 1996). These presumptions and arguments have been responded to by legal theory and in practice. Theoretically, it is now argued that the infeasibility arguments exaggerated the problems and promises of data flows (Goldsmith 1998b). In so doing, the arguments failed to recognize that there have been many multijurisdictional regulatory problems involving transnational transactions in other fields of law (Goldsmith 1998a). The debate has long moved on beyond the halls of academia, however. There are continuous calls for solutions to the challenges of transborder data flows, transborder criminal activity and transborder terrorist activity. The solutions that are preferred are not distinct from the seemingly national laws that have been established in response to national data policies (for example, data protection and privacy, electronic commerce), criminal policies (for example, investigatory powers and capacities), and anti-terrorism policies (for example, blanket surveillance, immigration procedures). Nor are the relationships between international and national solutions necessarily clear-cut.
Bypassing domestic restrictions
161
International regularity activity is ever-increasing. From 1970 through to 1997, the number of international treaties more than tripled, with the US concluding over 10,000 treaties in that period (Alvarez 2002). The number of intergovernmental organizations (IGOs), often the fora for treaty activity, has doubled in the past 20 years (Drezner 2001). While decisions made in other jurisdictions and fora have always affected national policies, in areas such as trade (e.g. WTO and GATT), standards (e.g. ISO and IETF), defence (e.g. NATO and the UN Security Council), attention to the influence of these decisions upon national policies is lacking. In the domain of law enforcement and national security policy developments there have been concerns, usually stated by governments, about the creation of â&#x20AC;&#x2DC;safe havensâ&#x20AC;&#x2122; for criminality. Governments fear that their failure to have adequate laws to combat criminality will result in criminals selecting their jurisdictions as bases for anti-social activities. Similarly, governments continue to alter their technology policies to cater for new forms of criminality. Various policies on cryptography, censorship, freedom of information and surveillance can all be attributed to such concerns. The success of these policies, in a preterrorism world, often depended on the responses from other actors, including industry, civil society, the courts and epistemic communities (Haas 1992). Previous national discourses surrounding these policies sometimes resembled battlegrounds. Concerns would arise that new regulations to enhance the power of the state would create a burden too great for industry to survive (cf. Hosein and Whitley 2002). Opposition was mounted often by an organized civil society lobbying, educating and influencing parliamentarians, the media and mass publics. Courts decided the legality of these rules, sometimes in favour, sometimes not. Epistemic communities, like experts and specialists, argued that proposed regulations would likely harm infrastructure, markets, and social frameworks and practices (e.g. Abelson et al. 1998). In the language used by Braithwaite and Drahos, actors pursued principles while employing mechanisms to construct or destroy alliances and policies (Braithwaite and Drahos 2000: 9). Put simply, and overly so perhaps, national discourse in deliberative democracies gives rise to rich discussions, negotiations and policy regimes that are openly deconstructed. Apparently governments have learned from earlier failures to address safe havens, jurisdictional arbitrage and regulatory
162
Ian Hosein and Johan Eriksson
competition. Terrorism and high-tech crime have given rise to increased activity in international policy-making. Discourse may indeed be changing on a national level, due to other dynamics too. Courts may be less likely to interfere with the executive arm of government and defer on issues relating to national security and terrorism; industry is less likely to reject government surveillance proposals; and epistemic communities may become more fragmented. International regulation may in some instances further reduce the role of national policy discourse, as governments adopt international agreements through various strategies, such as ‘policy laundering’, ‘forum shopping’ and ‘blueprinting’ which we will return to in a minute.
Regulatory strategies: Implications for power and security With the increased movement of peoples (Alvarez 2002), the growth of IGOs (Perritt 1998), the growth of civil society (Drezner 2001), free trade (Henkin 1995), globalization (Slaughter et al. 1998) and advances in communications (Nagle 2000), many argue that we are now facing a radically new set of circumstances. International solutions are often promoted to counter the economic, social and geographical distribution of contemporary problems (Slaughter 1997). Thus, studying the dynamics of modern policy development increasingly has to be done with an eye to international activities. This may involve focusing on the mechanisms used within international policy dynamics, including policy laundering, blueprinting and forum shopping. Policy laundering is a practice where policy-makers make use of other jurisdictions to further their goals, and in so doing they circumvent national deliberative processes.2 Blueprinting occurs when governments, overtly through calls of harmonization or subtly through quiet influence and translating of concepts, shape their laws based on laws developed in other jurisdictions. Forum shifting occurs when actors pursue rules in intergovernmental organizations (IGOs) that suit their purposes and interests, and, when opposition and challenges arise, shift to other IGOs or agreement-structures. One of the leading reasons for the political viability for such international solutions is the perceived notion of international cooperation as a good in itself. With backlashes against failing to ratify international conventions on courts, environmental protocols and proceeding through intergovernmental organizations
Bypassing domestic restrictions
163
such as the United Nations, it is wrongly assumed by many that international agreements are inherently good (Keohane 1984: 73). Similarly, international cooperation and other initiatives in national security and law enforcement are also seen as benign. The trend of multilateralism (Henkin 1995), and associated calls for ‘harmonization’ and articulations of ‘international obligations’ continue unabated, as part of these international dynamics. When governments realized the challenges and new threats involving terrorism committed by sub-state actors and action-at-adistance involving high-tech crime, international solutions were immediately sought. Although these mechanisms were all used in other times, their frequency is increasingly leading to policies being adopted and the laws being transformed. Failing to adhere to these pressures and agreements becomes more costly (Henkin 1995), often intentionally so (Keohane 1984: 73). Failing to comply with international covenants and pressures may result in becoming safe havens to criminality, being out-ed and shamed by the international community (Drezner 2001), being unable to co-operate in international investigations, being unable to conduct national investigations due to insufficient capacity, or even being unable to conduct commerce due to resultant trade and border restrictions. The trick is that national governments often do not need their arms twisted over some of these changes. Arguably, adopting these changes and participating in these agreements helps by enhancing their domestic powers, and minimizing deliberative discourse. International dynamics to promoting policy change are studied within the regulation literature under concerns of regulatory competition. Differences in policies in various countries give rise to competition. Then regulatory competition may occur, consisting of a competitive adjustment of rules, processes, or enforcement regimes in order to secure an advantage, usually attracting investment with a more favourable environment (Baldwin and Cave 1999: 180). So long as regulatory competition exists, countries are inhibited from establishing overly restrictive policy (Sun and Pelkmans 1998: 457). Regulatory fora: G8 and the Council of Europe For a number of years, two international bodies were developing agreements for international co-operation for ‘high-tech’ or ‘cybercrime’. The Group of Eight industrialized countries (G8) has been meeting regularly to discuss harmonizing methods, creating
164
Ian Hosein and Johan Eriksson
new investigative powers and means of co-operation, formally since 1995. Similarly, the Council of Europe (CoE), the international treaty-making body with 43 member states has laboured to create the Convention on Cybercrime since 1997. The high-tech crime policies developed at the Council of Europe and the Group of 8 point to the dynamics of international policy development in intergovernmental organizations. Different rules of engagement led to different policies being pursued at each forum. With regard to jurisdiction, high-tech crime is analogous to transnational organized crime. According to Zagaris: The continued review and strengthening of global and domestic financial supervisory mechanisms has become more urgent in a globalized world in which transnational crime and organized groups operate. Increasingly, international organizations and groups, such as the Basle Committee, the FATF, the World Bank Group, and Interpol, are exchanging information and cooperating among themselves to complement their regulatory and enforcement frameworks. (Zagaris 1998) The work product of the CoE in cybercrime and the G8 on hightech crime are worthy of deeper analysis, and this is done elsewhere (Hosein 2004). A quick rendition of the story is provided here. The CoE convention on Cybercrime (2001) consists of three components: a set of substantive crimes to be enshrined in law that includes hacking, child pornography and copyright circumvention; a set of surveillance capacities that ratifying countries are expected to enable for use by their law enforcement authorities; and a regime for mutual legal assistance and extradition among ratifying countries. This last component of the CoE convention is noteworthy: the creation of a broad mutual legal assistance agreement. Cooperation is particularly problematic as the convention tries to do away with traditional concerns for dual criminality; in fact, it dissuades and sometimes prevents countries from refusing assistance to another country on these grounds. The convention may create situations where a country will be required to collect evidence on an individual without any contravention of domestic law. The convention was drafted by a group of representatives from national departments of justice and home affairs, most notably
Bypassing domestic restrictions
165
Canada, France, Germany, the United Kingdom and the United States. It is worth noting that two of these countries (Canada and the US) are merely observer nations to the CoE. As a result of the formulation and consultation processes, the convention represents the interests of law enforcement agencies while all but ignoring privacy and civil liberties protections. Drafted in relative secrecy from 1997 to 2000, a consultation process was opened in April 2000. Few changes were achieved in the consultation stage, however, despite the activities of representatives from industry and civil society. Both industry and civil society organizations loudly opposed the convention on a number of grounds, including the formulation process, invasiveness, costs and burdens, lack of due process provisions and the presence of ambiguous language within the body of the convention. The CoE responded to these appeals by promising repeatedly that the opportunity for consultation and democratic participation would arise on a case-by-case basis at the national level at the time of signing and ratification. At the same time as the convention was being negotiated, the G8 Lyon Group on Transnational Organised Crime was working on high-tech crime. Meetings began in 2000 to consult with industry in the G8 countries on proposed investigative powers. The conclusions of the first meeting in Paris, in May 2000, were uncertain, as industry and governments diverged in their interests and statements. The final communiquĂŠ articulated some of these concerns, including civil liberties and privacy, maintaining the powers of law enforcement agencies, defining a clear and transparent regime to combat â&#x20AC;&#x2DC;cybercriminalityâ&#x20AC;&#x2122;, and ensure free and equitable market development to ensure good conditions for industry, while evaluating the effectiveness and consequences of the policies (G8 Lyon Group 2000). In high-tech crime policy, the G8 and the CoE have been the most active fora. The G8 has been meeting regularly to discuss harmonizing methods, creating new investigative powers, and means of co-operation, formally since 1995. Similarly, the Council of Europe, has laboured to create the Convention on Cybercrime since 1997. Previously these bodies focused on economic policies and human rights, respectively.
166
Ian Hosein and Johan Eriksson
Bypassing domestic restrictions: International ‘policy laundering’ International policy dynamics are increasingly affecting national policy, mainly because of complex interdependencies and transborder activities (Alvarez 2002). Ikenberry observes that this should not be surprising: By relaxing the divisions between domestic and international political processes, and appreciating the special position state officials occupy at the intersection of these spheres, political outcomes within each become more explicable. (Ikenberry 1989) Governments are in a position to play at both the national and international levels. It was inevitable that international policy dynamics would affect domestic policy discourse. One implication of international policy dynamics is that it is increasingly difficult to identify the sources of laws. Sometimes it can be said that the policies are homegrown, negotiated and deliberated needs of government agencies. This is a simplistic view of policy, however; policies are not immune to other influences. These include the activities of intergovernmental organizations, and the conduct of national governments while negotiating agreements. Intergovernmental organizations and other institutions ‘channel and circumscribe the way state power is exercised’ (Ikenberry 1996: 62). International institutions may reduce transaction costs for developing norms, reduce ambiguity surrounding compliance, and provide high quality information to policy makers (Perritt 1998). Smaller states may participate in these fora, leading to the democratization of international policy and treaties (Alvarez 2002). The dynamics (Ikenberry 1989: 399) at this international level involve power and selection, however. Cooperating internationally and establishing international agreements are not neutral activities. Power politics may prevail, as countries may use international institutions to further their own ends when they find it convenient and disregard them when they do not (Slaughter 2000). This ‘convenience’ arises particularly when it serves a domestic political purpose (Goldstein 1996). Goldstein notes how the Canada–US free trade agreement actually served the interests of the Reagan administration in circumventing domestic institutions, i.e. an instance of policy laundering.
Bypassing domestic restrictions
167
In their review of global business regulation, Braithwaite and Drahos (2000: 482â&#x20AC;&#x201C;3) find that some countries (notably the US and the UK) conduct policy laundering, i.e. pushing for certain regulatory standards in international bodies and then bring those regulations home under the requirement of harmonization and in the guise of multilateralism. In fact, the expression of policy laundering was first used to describe the activities of the US government regarding intellectual property in 1996. The US was taking the concepts of its domestic policies to the World Intellectual Property Organization in order to get them approved abroad by other countries so that they could be re-presented to the American people as a fait accompli. The same was attempted with cryptography policy at the Organization for Economic Cooperation and Development (OECD). Instead of envisioning domestic politics as a constraint upon those nations that enter into international agreements, signing an agreement is suggested to be a strategy whereby domestic actors further their own interests. [...] International institutions [...] may serve a number of specific political purposes for policymakers at home. [...] Nations that are constrained by domestic institutions may not only have an international bargaining edge, but, as well, international bargains can be a means of empowering particular domestic actors. (Goldstein 1996) As a result, these international agreements and commitments may be sought after by some government officials as means to â&#x20AC;&#x2DC;loosen domestic obstacles and impedimentsâ&#x20AC;&#x2122; (Ikenberry 1989). A noteworthy instance of policy laundering is the following one. In August 2000, a number of United Kingdom law enforcement agencies submitted a proposal to the UK Home Office to require the retention of communications traffic data for up to seven years by a central government authority (Gaspar 2000), as such information may be useful for investigations. This retention of sensitive information, including telephone traffic data, Internet email traffic data, and perhaps even website viewing data, encountered significant resistance from NGOs, industry organizations and the media. In particular, it was arguably contrary to data protection principles, in accordance with the EU Data Protection Directive 1995 (European Union 1995) as enshrined into UK law under the Data Protection Act 1998, that
168
Ian Hosein and Johan Eriksson
calls for the destruction of personal information when it is no longer required for the purposes for which it was collected. At about this time, the EU was working on ‘updating’ its data protection directives to cater for electronic commerce and transactions. In this forum the United Kingdom began calling for a change to the Data Protection Directive on Electronic Communications; a change that would permit member states to allow for data retention. There was some discussion, but not much progress. There was discussion of including data retention in the CoE convention, but the CoE did not accept that. The G8 also discussed data retention, but industry originally rejected the proposals. In October 2001 President George W. Bush wrote a letter to the President of the European Commission recommending changes in European policy, to ‘[c]onsider data protection issues in the context of law enforcement and counterterrorism imperatives’, and as a result to ‘[r]evise draft privacy directives that call for mandatory destruction to permit the retention of critical data for a reasonable period’ (Bush 2001e). This was building from previously articulated concerns that ‘[d]ata protection procedures in the sharing of law enforcement information must be formulated in ways that do not undercut international cooperation’ (US Government 2001). Very similar language later appeared in the G8 documents from the May 2002 summit, even though the G8 government–industry meetings, for instance, had previously rejected it in the preSeptember 11 era. Ensure data protection legislation, as implemented, takes into account public safety and other social values, in particular by allowing retention and preservation of data important for network security requirements or law enforcement investigations or prosecutions, and particularly with respect to the Internet and other emerging technologies. (G8 Justice and Interior Ministers 2002) Over these ensuing months, EU law was changed to allow for retention. In December 2001 data retention was introduced and passed under the United Kingdom’s anti-terrorism law in response to the events of September 2001. A significant number of other member states have since passed similar retention laws.
Bypassing domestic restrictions
169
There was consideration at the EU that the Directive did not go far enough. The 2002 Directive allowed for countries to pass retention laws. Now, however, the situation in Europe is fragmented where some countries have retention, others do not. There is some pressure on the EU from the Justice and Home Affairs ministers to finalize a Framework Decision on data retention that would require all member states to have policies allowing for retention. This policy laundering is noteworthy for a number of reasons that are beyond the scope of this study. One particular concern, however, is that the US itself does not have a policy on data protection, nor in turn, a policy on data retention; regardless, it asked the EU to change its privacy practices. Meanwhile, the United Kingdom failed with its original policy nationally and so shifted to the EU to allow the UK to pass such laws. Now that the EU has allowed for retention, there are calls for standardization and harmonization across Europe to ensure that other countries adopt similar laws. The confusing fact here is that policy laundering is indeed going on, but it is hard to see who exactly is doing the laundry. Forum shopping and blueprinting Not all institutions are ideal, and intergovernmental organizations function differently. Alvarez (2002) argues that â&#x20AC;&#x2DC;[t]he choice of organizational venue speaks volumes concerning the intent of principal treaty backersâ&#x20AC;&#x2122;. For example, the US pursued antiterrorism rules in the 1970s through the International Civil Aviation Organization (ICAO). The US chose the ICAO over the United Nations General Assembly in order to avoid the latterâ&#x20AC;&#x2122;s inefficiencies. Determining which organization and which sub-organ ought to be the venue in which to initiate a treaty process may determine whether the process will involve time-consuming and exhaustive analysis of the current state of the law by general legal experts, more superficial examination of the need for a treaty by those attentive to the political desires of states, or thorough examination of the need for a treaty relegated to technical experts in relatively narrow specialities (Alvarez 2002). Both the EU and the US have been shifting between fora for selected policies (Braithwaite and Drahos 2000). According to Drezner (2001):
170
Ian Hosein and Johan Eriksson In the past fifteen years, the United States and European Union have displayed an impressive dexterity in using international law to advance their interests on the world stage, even if doing so violates the sovereignty of other nations. Across several issue areas, the United States has mixed treaty, custom, and coercion as means of pushing international law towards desired ends. Furthermore, the United States is adept at ‘forum-shopping’ among different international governmental organizations to advance its preferred set of international laws. The European Union and its members are latecomers to these practices, but have eagerly embraced them.
This dynamic is practised by the US particularly in the globalization of US criminal law, bending the forces of globalization to internationalize US laws (Tuerkheimer 2002). This is a development from the US’s prior expertise within the war on drugs in internationalizing US law enforcement agencies (compare Nadelmann 1993). This shift from internationalizing law enforcement to globalizing criminal law is noted by Alvarez: This is a world that has the Security Council (most recently in resolution 1373 of September 28, 2001 barring and freezing financial transactions of undefined terrorists) assuming roles once reserved to the US Treasury Department under the International Emergency Powers Act. (Alvarez 2002) Alvarez concludes that the lines between domestic and international rule making ‘are as porous as the borders between nations’. To be fair, governments are not alone in pursuing policies outside national deliberative processes. International civil society has been accused of using international law and institutions to achieve results that have been rejected by national democratic political processes. In other words, international law and international agreements are seen as a means of doing an endrun around domestic democratic processes. (K. Anderson 2001) Forum shopping thus embodies the method of ‘if it does not work here, then try it elsewhere’. It is not simply a matter of
Bypassing domestic restrictions
171
moving an issue from one forum to another, however. Forum shifting is often easier to accomplish if the issue is reframed (Rein and Schön 1993), to make it more applicable in the new context. For example, by reframing the European defence industry from a defence policy to a market issue, and thus moving it from one pillar to another, a joint European regulation was greatly facilitated (Mörth 2000). International policy dynamics do not infer an immediate flight risk of producers, technology and consumers. Indeed, ‘ideas do not float freely’ (Risse-Kappen 1994; see also Rogers 1962; Dolowitz and Marsh 1996). Regulators may find it in one another’s interests to collaborate to manage externalities, or may collude to limit competition (Baldwin and Cave 1999: 184). This leads to the harmonization of policies in order to remove distortions in business uncertainty across borders (Sun and Pelkmans 1998: 461). Harmonization is the process through which a common set of policies is established across jurisdictions to remove irregularities. Regulations can change in any direction, however: regulations may be pushed to the lowest common denominator, but may equally benefit from the ‘California effect’, where one regulator pushes for the highest standards, setting blueprints for others to follow (Baldwin and Cave 1999: 188).
Conclusion The policy landscape is being transformed in the digital age, and not always in a shape favourable for national deliberation. Policy laundering is occasionally used to promote policies at international fora, only to bring them back home for ‘ratification’ or ‘harmonization’ with minimized debate. National governments push ideas in international fora, and then are seen to pursue these policies actively at home, without claiming responsibility in the first place. Blueprinting is used to copy laws and international agreements and treaties, incorporating the language used abroad into national law without adequate consideration. Merely copying the language of ‘traffic data’ in the CoE Convention on Cybercrime may involve a radical re-consideration of national laws on due process and law enforcement powers, but this debate may never occur. Finally, forum shifting is used to pursue policies across IGOs until adequate homes are found. Data retention was pursued at the G8, and then pushed at the EU where it found its natural home for
172
Ian Hosein and Johan Eriksson
EU member states that wished to find the path of least resistance in passing national laws. The regulation of dataflows can certainly be approached from a variety of perspectives, including those found in the literature on regulation, and international cooperation. If anything, this chapter has demonstrated that the regulation of cyberspace does not necessarily deviate from policy dynamics observed in other issueareas. The argument that cyberspace regulation is â&#x20AC;&#x2DC;idiosyncraticâ&#x20AC;&#x2122; because of the global, abstract and technical nature of the subject matter cannot be corroborated. In contrast, cyberspace regulation seems to resemble many of the patterns that characterize other international and technically oriented issue-areas, which bypass domestic restrictions and imply a particularly powerful position for technical experts (compare Fischer 1990; Haas 1992).
Notes 1
2
This chapter partly draws on past published and unpublished work by Ian Hosein (especially Hosein 2004). The text presented here is unique in that it contains theoretical discussions not present in past works, and by being substantially restructured and edited. The Canadian government policy officer who first coined the term in 1996 was Stephanie Perrin of the Canadian Department of Industry, a well-known privacy advocate. She is renowned for her activities at the OECD meetings on cryptography policy.
8
Conclusion Digital-age security in theory and practice Johan Eriksson and Giampiero Giacomello
Linking IR theory to evidence has always been challenging, as Hermann (2002) correctly observed. All the more so in the digital age, we would add. In this concluding chapter, by drawing on the previous case studies and theoretical elaborations, we will suggest a few synthesizing observations and propositions on how the information revolution impacts on the security of states and societies. These can be seen as contributions to theory building which take into account the implications of the digital age. Second, we will discuss how existing IR theories fared in the empirical applications. Finally, we will comment on some specific requirements for further theory building on digital-age security.
What is the impact of the information revolution on security? This overarching question can be divided into two parts â&#x20AC;&#x201C; one concerning security problems as such, including the development of threats and vulnerabilities, and the other concerning the politics of security, including competing interests and ideas in agenda setting and problem definition. Our main propositions on both of these topics are presented and discussed in this section. P1: Cyberthreats are mainly intelligence problems, not physical threats, but like any intelligence challenge they may facilitate or obstruct physical attacks. Cyberthreats are mainly problems in terms of loss or distortion of information, but despite the scare-mongering scenarios of â&#x20AC;&#x2DC;electronic Pearl Harborâ&#x20AC;&#x2122;, they are not direct physical threats
174
Johan Eriksson and Giampiero Giacomello
comparable to missiles or electromagnetic weapons (cf. Libicki 1997; Denning 2001b; Chapter 5 in this volume). With the information revolution, intelligence and counter-intelligence have grown vastly both in terms of opportunities and problems. The fact that cyberspace allows global communication with text, images and sound in real time, regardless of geographical distance, is a double-edged sword. Terrorists, organized criminals and other culprits can use cyberspace for mobilization and coordination, harassment, theft and fraud (Chapter 2 in this volume). Such attacks, however, only very rarely have effects other than the loss, distortion, or obliteration of information.1 This is serious enough, as such attacks may exact enormous costs in terms of time, money and credibility. Like any other intelligence operation, they may also have secondary effects, for instance by providing information that increases the accuracy and effectiveness of physical attacks. Cyberspace also provides a new arena and technology for psychological operations on a global scale. Nevertheless, it is still easier and more effective to detonate a regular bomb than to write a malicious code to be sent over the Internet. Cyberattacks can destroy bits and bytes, but it is highly unlikely and extremely difficult to achieve the same effects in terms of fear and destruction produced by a bomb or a missile. P2: If cyberthreats are to take on direct physical effects, then (1) a technological leap in attack tools is required, as well as (2) a greatly increased dependency on globally connected information and communications technologies (ICTs). Rather than speculating wildly about what the situation will ‘actually’ or ‘probably’ be like in the future, or cowardly refraining from saying anything of value for preparing for the unknown future, we suggest the following. If cyberthreats are to take on direct physical effects, two changes are required. First, a technological leap is necessary in the development of software and hardware that can be used for attacking information systems. Though technological development is already developing at a very rapid pace, it is not enough to have more of the same – more viruses, worms, Trojan horses, denial-of-service attacks and so forth. A qualitative and not merely a quantitative change is required. Tools have to become a lot more aggressive and farreaching in their ability not only to penetrate and manipulate ICTs, but to directly control (including the possibility of shutting down)
Digital-age security in theory and practice
175
other functions and infrastructures, and indeed human beings, which depend on these ICTs. There is certainly much research and development which points in this direction, including advances in artificial intelligence, biotechnology and the next generations of Internets which will greatly increase interactivity, in effect expanding cyberspace to encompass all electronic communications, across the terrestrial and the extraterrestrial. Also with the development of quantum computing, computers are not only able to store and logically connect huge amounts of data, but also to analyze them and suggest synthesizing conclusions.2 On the extraterrestrial challenge, one example is the work of Vint Cerf and Robert Kahn, who in 1973 invented the TCP/IP technology on which Internet communication is built; they are currently working with the NASA Jet Propulsion Laboratory to develop a communications protocol to link satellites orbiting around Mars and other planets.3 Second, and even more importantly, the dependency on ICTs has to increase dramatically, to such a level that societal functions and infrastructure would not be able to function in case of an ICT system breakdown. The contention behind this observation is uncontroversial: the more a country depends on ICTs for vital functions (e.g. electricity, government, communications, financial transactions), the more vulnerable it is to technical systems failures, and attacks against those ICTs. True, this development is already under way. Many societies are extremely dependent on ICTs for their function and well-being. Yet the development is extremely uneven, as shown by several authoritative sources on how national network societies are emerging (IDC 2003; ITU 2003; WEF 2004). While the technological leap would imply a new revolutionary step, the increasing dependency on (and thus vulnerability of) ICTs is an evolutionary development. While a technological leap is very difficult to foresee â&#x20AC;&#x201C; in terms of how, when and with what effects â&#x20AC;&#x201C;the evolutionary development of ICT dependency is growing generally in a global perspective, but highly unevenly in different countries and sectors of society. In the absence of a combined technological leap and a greatly increased ICT dependency, cyberattacks are thus most effective if combined with offline attacks. From the attackerâ&#x20AC;&#x2122;s perspective, the choice of using cyberattacks is mainly a question of opportunity. If the necessary skills and technology are available, and the target has ICT systems that can be attacked, then a perpetrator may try computer attacks alongside other available means.
176
Johan Eriksson and Giampiero Giacomello
Moving now from the substance of security issues to the politics of digital-age security, a useful distinction can be made between the politics of threats and the politics of protection. These are obviously interconnected, however, as they both concern agenda setting, framing, cooperation and conflicts of interests. A variety of public and private actors are involved, including intelligence communities, military bureaucracy, politicians, think tanks, university scholars, business actors, NGOs and – not least – the media. P3: Threat framing and policy responses cannot be explained by technological developments and cyberincidents themselves, but are rather shaped by psychological, bureaucratic-political, and mass media mechanisms. To be sure, technological determinism must be avoided at all costs; cognitive and political factors are ubiquitous, which implies a great deal of complexity and variety across time and space (Chapter 4 in this volume). As shown in the study of US cybersecurity discourse (Chapter 3), the framing of cyberthreats has changed more dramatically than the nature and experience of actual incidents. Threat framing shifted back and forth between cyberterrorism and cyberwar (non-state enemies or states as enemies). Only temporarily, in the wake of 9/11, did the Bush administration focus on cyberterrorism, however. Before, and not long after, this focusing event the Bush government prioritized interstate conflict in cyberspace. P4: In the absence of catastrophic cyberincidents, a ‘crying wolf’ syndrome may appear in the digital-age security discourse. Information warfare and cyberterrorism do not gain the same kind of attention and hype as they did some 10 or 15 years ago. Indeed, a certain weariness can be perceived among experts and policy makers. Importantly, there has not been any major drama in cyberspace that has had significant salience and cascading effects also in the offline world. Thus it has become hard to sustain the fear-mongering rhetoric that dominated the cybersecurity debate in the 1990s. This implies a risk of the ‘crying wolf’ syndrome (Betts 2001: 159; Parker and Stern 2005) – that is, if threatening scenarios never come true, people stop paying attention to them and to the associated alerting calls. Yet the development of
Digital-age security in theory and practice
177
technology and incidents is merely a background factor, albeit an important one, which is interpreted and exploited or downplayed by policy-making actors. Turning now to how governments respond to the security challenges of the digital age, a number of observations can be made. When discussing the politics of protection, one may ask how experts and policy makers perceive what it is that has to be protected – the systems that communicate information, the information as such, or perhaps the more abstract core values such as sovereignty or identity? P5: Understanding digital-age security arguably requires a combined social and technological approach, yet the politics of protection is dominated by thinking in which technology is seen as both the solution and the problem. This domination, which emanates from the prevailing US discourse on digital-age security, is illustrated by the widespread use of acronyms and terms such as CIF – ‘critical infrastructure protection’ and CII – ‘critical information infrastructure’ (see Chapters 3 and 4 in this volume). Another widely used frame – ‘information assurance’ – suggests, however, that information rather than infrastructure is the focus of concern (Chapter 6 in this volume). Nevertheless, even in discussions on information assurance, the focus is on how software and hardware can be used to improve the security of information and communication. These observations apply to many Western countries, including the United States and Sweden. This infrastructural or more general technological framing has also influenced which protective measures are being prioritized. There is a clear tendency to emphasize technological solutions: firewalls and antivirus products for cybersecurity, and surveillance cameras and biotechnical tools for the offline world. Social and political factors – for instance ideology, leadership and organizational culture – tend to be ignored or subsumed under a generally technological paradigm. Yet such factors have a tremendous significance for how well states and other organizations can protect themselves against threats, including those of the digital age. By contrast, in Russia infrastructure is downplayed, and emphasis in information security policy is rather on the cohesion and stamina of the national community. Russian identity and national psyche are seen as threatened by, for example, psychological warfare, which has
178
Johan Eriksson and Giampiero Giacomello
gained a new impetus through the information revolution (cf. Weimann 2006). P6: The emergence of digital-age security problems has opened an entirely new field for bureaucratic turf battles, and opportunities for business and research. The information revolution and the new vulnerabilities that follow from increasing dependence on ICTs, as well as the scaremongering scenarios of the 1990s, have been helpful in creating a new market for digital-age security. Of importance is also the USled ‘war on terrorism’ and the ‘homeland security reform’, both of which have an explicit focus on ICTs, as means of attack and as infrastructure to be protected. Within public administrations across the world, bureaucratic turf battles on ICT-related security issues have emerged. This new policy area potentially implies opportunities for new budgetary and organizational resources, attracting actors from all levels and sectors of government, especially the military, the police and the intelligence community. Particularly in countries which have experienced significant downsizing of (conventional) military forces, cyberspace has attracted a considerable interest in the new opportunities for the military to play in what has become framed as ‘information warfare’ and ‘information operations’. Moreover, the private sector has a tremendously important role to play. Research and development in computer software and hardware is unquestionably led by the private sector. In addition, in many countries, much of the ICT infrastructure is operated and owned by private companies. P7: The dependency on the private sector for governmental information security implies both opportunity and organizational complexity, which in turn implies vulnerability. The leading role of the private sector in ICT development also implies that the information security of government and public administration depends greatly on stable and fruitful relationships with the private sector. When such relationships are established, they imply not only governmental access to recent technological advancements, but also an organizational complexity that might be interpreted in terms of vulnerability.
Digital-age security in theory and practice
179
P8: Regime building on digital-age security issues implies a resurgence of the classical dilemma of security vs. freedom. Regulation of cyberspace and other elements of the digital age are still mainly taking place on a domestic level, with significant differences among countries. Increasingly, however, regulation is also taking place on an international level, exemplified by the European Convention on Cybercrime (see Chapter 7 in this volume). On the one hand, such regulations reflect an increased awareness among governments about the downsides of the information revolution – dependency spelled ‘vulnerability’. States seek to protect themselves not only by developing a policy and organization for information assurance, but also by participating in international regulatory efforts, establishing principles, rules, norms and procedures for protection against cyberattacks (see Chapter 6). International regimes play an important functional role since they permit actors to overcome fears about any lack of reliable information concerning the others’ commitment to a specific cause, which in this case is the promotion of fragile trust and Internet-based relations exchanges. On the other hand, such cooperative policy-making efforts have also spurred an international critique, mainly from NGOs, which see such measures as an invasion of privacy (see Chapter 7 in this volume). The securitizing politics which followed the events of September 11, 2001 have also facilitated the implementation of tougher regimes on digital-age security, including increased monitoring of electronic communications, whether by e-mail, Internet chat, mobile phones or any other means of electronic communication. This development is observable not only in the United States, but also in the European Union and in Russia.
IR theories: How applicable are they? The contributions to this volume have applied and discussed a wide range of IR theories.4 Among general IR perspectives, the following have been employed: realism (Chapters 1 and 5); liberalism (Chapters 1, 4, 6 and, implicitly, Chapters 2 and 5); and constructivism (Chapters 1 and 3 and, implicitly, Chapters 2 and 5). Several theories with a more limited scope than the general IR perspectives have also been used: globalization theories (Chapters 2 and 5); institutionalism (Chapter 6); complexity theory (Chapter 5); network theory (Chapter 2); social movement theory
180
Johan Eriksson and Giampiero Giacomello
(Chapter 2); framing theory and securitization theory (Chapter 3); and theories on regulation (Chapter 7). These theories have mostly been used as sources of inspiration, but occasionally they have also been applied more comprehensively and formally. Liberal and constructivist approaches are clearly the dominant ones in this volume, with the exception of Salhi’s chapter on the Middle East, in which Realism is credited as having a greater applicability. Salhi’s argument is that in that geopolitical context, state control over the Internet and other ICTs is generally much greater than in most Western countries, wherefore the common liberal assumptions about the loss of sovereignty, and the challenge of non-state actors cannot be taken for granted.5 Nevertheless, the picture is not black-and-white. Even in a country like China, in which the government maintains a strict control of Internet usage, globalization and the asymmetric power of non-state actors cannot be dismissed. Indeed, China’s Internet filters have been produced in close cooperation with powerful private actors such as Google and Yahoo (Economist, 29 April 2006). Moreover, if there is a general lesson to be learned here, it is that in the digital age, power and security varies greatly over time and space. Thus, patterns of continuity and change are extremely difficult to generalize about. With this caveat in mind, the preceding applications nevertheless suggest that theory building takes seriously the following elements: •
•
Offline–online interaction. Digital-age security cannot be understood by considering cyberspace as a confined arena – a lesson learned from theories of networks and globalization. An ‘IT security’ perspective is far too limited to make sense of the intermeshed offline and online worlds. From a terrorist’s perspective, the use of cybertools is a matter of opportunity and capability, which is pragmatically combined with other means of communication and attack. For the coming ‘digital generation’ the offline–online boundary is porous, if not insignificant. Easy-to-use ICT tools such as pods, mobiles, palm computers – or whatever gadgets lie in the future – are increasingly considered an integral part of life. Complexity in both physical and social systems. Complexity theory teaches us that not only are physical systems and social systems increasingly interconnected through the Internet and other elements of the digital age; they are also increasingly complex. Technological approaches need to take into account the complexity of social systems, and social science approaches
Digital-age security in theory and practice
•
•
•
181
need to take into account the complexity and change in technology. Determinism and simplicity must be avoided in both camps. Public–private and domestic–international interactivity. Insights from liberal and institutionalist perspectives show how the domestic–international divide, as well as the state–society divide, is increasingly being narrowed or even bridged. The information revolution has not only reinforced but also moved transnationalization and complex interdependence to an increasingly globally interconnected level. Symbols, rituals and framing. The constructivist turn in social science shows us that such ‘ideational’ elements need to be taken into consideration a lot more in IR theory in general, and in analyses of digital-age security in particular. If anything, cyberspace provides a new global arena and a great variety of means for real-time communication of symbols, rituals and frames – mediated through text, graphics, video and audio. ‘Soft power’ is amplified, and it can be exploited for ‘fundamentalist’ as well as ‘liberal’ purposes. Process tracing has to come into focus, rather than static systems analysis (cf. George and Bennett, 2005). This is the only way to capture patterns of continuity and change, which are essential for understanding both physical and social systems. Process tracing is also most fruitful if done on a contextually limited or issue-oriented level, as it involves identifying and analyzing decision points and other focusing events.
It should be clear by now that we do not advocate a separate theory on digital-age security (see also Chapter 4). Such an endeavour seems utterly unfruitful, especially because it would miss the significant linkages between the offline and the online world. But IR theory in general and security studies in particular does need to take digital-age issues into account, something which has been the exception rather than the rule. In addition, as we argued in the introductory chapter, the mostly policy- and technically-oriented literature on information warfare and cybercrime needs to apply and contribute to theory building. Otherwise generic knowledge on digital-age security will be lost in a sea of constantly changing details.
182
Johan Eriksson and Giampiero Giacomello
Moreover, theories that take digital-age security into account cannot be of a general nature, but should take change, context and complexity into account. In the words of Haas and Haas (2002: 574), ‘We do not aspire to a grand synthesis, but we do believe that a pragmatic engagement may contribute to stronger and more confident knowledge claims within delimited domains of mid-level theorising.’6
Further theory building: Some requirements We have repeatedly argued that the complexity and contextuality of the subject matter requires that theory building on digital-age security is based on a pragmatic approach aiming for typological (middle range) rather than universal propositions (cf. George and Bennett 2005; Chapter 4 in this volume). A few further requirements need to be stressed. If the gap between various approaches and their mutual ignorance of either theory or the digital age is to be overcome, it is important but not sufficient to suggest pragmatic syntheses. In particular, computer scientists and social scientists need to make a combined effort to reach a more comprehensive understanding. Without such a joint venture, computer science will continue to produce weak analyses of the context and consequences of threat analyses, and social scientists will continue to lag behind and misinterpret technological development. Furthermore, case studies must move from anecdotal story telling to penetrating investigations. This requires, on the one hand, systematic methodology and theory, and, on the other, access to accurate and comprehensive data on threats, vulnerabilities and – not least – incidents. This approach in turn requires openness on behalf of the system administrators of targeted networks, whether private or public. There are two main reasons why getting access to such data can be difficult: the double risk of losing credibility and of revealing security weaknesses which can be seized upon by cunning culprits. Nevertheless, getting access to data on the intrasystem level is vital for moving forward in the analysis of digital-age threats and security. One way of making this advance possible and minimizing the risk of leaking sensitive information is to involve system administrators in the research process from a very early stage. This way, system administrators can help to make sure that sensitive but highly interesting data is being generalized, abstracted or otherwise
Digital-age security in theory and practice
183
presented in such a way that specific details are not revealed. Moreover, by working closely together with system administrators, researchers will get a much more accurate and in-depth understanding of how cyberthreats, vulnerabilities and countermeasures actually work. In addition to studying actual instances of cyberattacks, scenario building is a fruitful theory-building technique. Scenarios are vital in preparing for the unknown. Even though scenarios may not come true or even come close to how the future actually unfolds, they help to prepare analysts and decision makers to adapt to changing circumstances, and to continually think in terms of ‘if–then’. In turn, this makes it necessary to clearly distinguish between probability and consequence. This necessity comes without saying in scientific risk analysis, but has surprisingly often been confused in policy and scholarly debates on cyberthreats. But by clearly making such a distinction, not only will scenarios gain a much better credibility and realism, they will also minimize the fear-mongering effects of unlikely but highly consequential scenarios such as ‘electronic Pearl Harbor’. Finally, we conclude that despite the much-vaunted superiority of politics over technology, politics is doomed to lag behind, and international relations theory almost always comes second within political studies. This work is also an attempt to alert the attention of IR scholars to concentrate on research topics that, much as they may seem bizarre or marginal today, might become central and crucial tomorrow. Forecasting in the social sciences is not so much about guessing correctly what will happen, but rather to project ‘on the radar’ what issues might be relevant tomorrow and, if so, under what circumstances.
Notes 1
2
This also includes attacks that collapse cyber-infrastructures, such as ‘denial-of-service’ attacks which make targeted websites inaccessible – a type of attack which has increased considerably in the early twentyfirst century. For example, the websites of both the Swedish government and the Swedish police were temporarily shut down in early June 2006, allegedly because of concerted denial-of-service attacks. It was suggested in the Swedish media that the (then unknown) culprits were doing this as revenge for a Swedish police action against ‘The Pirate Bay’, an online file-sharing community. This has made, for instance, The Economist (25 March 2006) suggest that another Kuhnian paradigm shift is under way in the practice of science .
184 3 4
5 6
Johan Eriksson and Giampiero Giacomello On this topic see an interview with Robert Kahn and Vint Cerf in the Italian daily La Repubblica (Balbi 2006). IR theory is defined here in a broad sense, incorporating all theories which claim to say something about world affairs, intergovernmental as well as transnational relations, including also foreign policy analysis. It has been neither a possibility nor a goal to develop a comprehensive overview of the very rich field of IR theories and their applicability to digital-age issues. Yet the theories that have been used in this volume represent a sufficient variety to make for a meaningful discussion of the empirical applicability of IR theory. It should also be noted that the term ‘IR theory’ is somewhat misleading, as many of the theories have been developed and elaborated in other disciplines (e.g., framing theory and social movement theory, both of which have roots in sociology). The exception is perhaps the embattled but still highly influential paradigm within IR – political realism. According to Valeri, however, liberalism gains stronger support in his analysis of international regime-building, as he observes behaviour that seeks absolute rather than relative gains (cf. Giacomello 2005). Ironically, the search for ‘a theory of everything’ is increasingly being abandoned also in the natural sciences – which for such a long time have provided the standard of scientific inquiry for the social sciences. It might even be the case that, this time, the ‘messy’ social scientists ‘got there’ before their rigour-bounded colleagues in the natural sciences (Bernstein et al. 2000).
Bibliography
Abbate, J. (1999) Inventing the Internet, Cambridge, MA: The MIT Press. Abele-Wigert, I. and Dunn, M. (2006) The International CIIP Handbook 2006: An Inventory of Protection Policies in 20 Countries and 6 International Organizations, vol. I, Zurich: Center for Security Studies. Abelson, H. et al. (1998) Risks of Key Recovery, Key Escrow and Trusted Third Party Encryption, Washington, DC: Center for Democracy and Technology. Adamson, F.B. (2005) ‘Global Liberalism Versus Political Islam: Competing Ideological Frameworks in International Politics’, International Studies Review, 7(4): 547–69. Adler, E. (1992) ‘The Emergence of Cooperation: National Epistemic Communities and the International Evolution of the Idea of Nuclear Arms Control’, International Organization, 46(1): 101–45. —— (1997) ‘Seizing the Middle Ground: Constructivism in World Politics’, European Journal of International Relations, 3(3): 319–63. —— (2002) ‘Constructivism and International Relations’, in W. Carlsnæs, T. Risse and B.A. Simmons (eds) Handbook of International Relations, London: Sage, 95–118. Agnew, J. and Corbrige, S. (1995) Mastering Space: Hegemony, Territory and International Political Economy, London: Routledge. Albert, A. (1995a) ‘Chaos and Society: An Introduction’, in A. Albert (ed.) Chaos and Society: Frontiers in Artificial Intelligence and Applications, vol. 29, Amsterdam: IOS Press, 1–14. —— (ed.) (1995b) Chaos and Society: Frontiers in Artificial Intelligence and Applications, vol. 29, Amsterdam: IOS Press. Alberts, D. (1996a) The Unintended Consequences of Information Age Technologies, Washington, DC: National Defense University Press. —— (1996b) Defensive Information Warfare, Washington, DC: National Defense University Press. Alberts, D.S. and Czerwinski, T.J. (1997) Complexity, Global Politics, and National Security, Washington, DC: National Defense University Press.
186
Bibliography
Alberts, D.S. and Papp, D.S. (eds) (1997) The Information Age: An Anthology of Its Impacts and Consequences, vol. I, Washington, DC: National Defense University Press. Alberts, D.S., Papp, D.S., and Kemp W.T, III (1997) ‘The Technologies of the Information Revolution’, in D.S. Alberts and D.S. Papp (eds) The Information Age: An Anthology of its Impacts and Consequences, vol. I, Washington, DC: National Defense University Press. Aldrich, R. (2001) ‘CNA and Law Enforcement’, Staff Judge Advocate of the Air Force Office of Special Investigations, Presentation at the InfowarCon in Washington, DC, 6 September. Allan, P. and Goldmann, K. (eds) (1995) The End of the Cold War: Evaluating Theories of International Relations, The Hague: Kluwer Law International. Allen, J.H. and Sledge, C.A. (2002) ‘Information Survivability: Required Shifts in Perspective’. The Journal of Defense Software Engineering, available on 19 October at <http://www.cert.org/archive/pdf/ CrossTalk_Shifts_7-02.pdf> Allison, G.T. and Zelikow, P. (1999) Essence of Decision: Explaining the Cuban Missile Crisis, 2nd edn, New York: Longman. ‘Al-Qa’ida Yemeni Branch Opens Chat Channel for Members’ (2003) AlSharq Al-Awsat, 24 October. Al-Qurashi, A-U. (2003) ‘Fourth Generation Wars’, Al Ansar: For the Struggle Against the Crusader War, February. Alterman, Jon B. (2004) ‘Information Revolution and the Middle East’, in N. Bensahel and D.L. Byman (eds) The Future Security and Environment in the Middle East: Conflict, Stability, and Political Change, Santa Monica, CA: RAND. Alvarez, J.E. (2002) ‘The New Treaty Makers’, Boston College International and Comparative Law, 25: 213. ‘An Al Qaida Blueprint for Terror’ (2004) Hindustan Times, 15 February. Anderson, C. (1995) ‘The Accidental Superhighway: A Survey of the Internet’, The Economist, 1 July. Anderson, J. (1997) ‘The Internet and the Middle East: Commerce Brings Region O-Line’, Arab Information Project, Georgetown University, available on <www.georgetown.edu/research/arabtech/ meer97.html>, (originally published in Middle East Executive Reports, vol. 20, no. 12) (accessed 12 June 2006). —— (1998) ‘Arabizing the Internet’, Occasional Papers, Emirates Center of Strategic Studies, Number 30. —— (2000) ‘Producers and Middle East Internet Technology: Getting Beyond “Impact” ’, The Middle East Journal, 54(3). —— (2003) ‘New Media, New Publics: Reconfiguring the Public Sphere of Islam’, Social Research, 70(3): 887–906.
Bibliography
187
Anderson, K. (2001) ‘The Limits of Pragmatism in American Foreign Policy: Unsolicited Advice to the Bush Administration on Relations with International Nongovernmental Organizations’, Chicago Journal of International Law, 2 (L 371). Applegate, M. (2001) Preparing for Asymmetry: As Seen Through the Lens of Joint Vision 2020, Carlisle, PA: Strategic Studies Institute. Arquilla, J. (1998) ‘The Great Cyberwar of 2002: A WIRED Scenario’, WIRED 6(February): 122–27, 160–70. Arquilla, J. and Ronfeldt, D. (1999) The Emergence of Noopolitik: Toward an American Information Strategy, Santa Monica, CA: RAND. —— (eds) (2001) Networks and Netwars: The Future of Terror, Crime, and Militancy, Santa Monica, CA: RAND. Ashby, W.R. (1962) ‘Principles of the Self-organizing System’, in H. von Foerster and G.W. Zopf (eds) Principles of Self-Organization, New York: Pergamon Press, 255–78. Atran, S. (2006) ‘Commentary: A Failure of Imagination (Intelligence, WMDs, and “Virtual Jihad”)’, Studies in Conflict & Terrorism, 29. Attrition.org (2001) ‘Cyberwar with China: Self-fulfilling Prophecy’, Press release, 29 April, available on <http://attrition.org/commentary/cn-uswar.html> (accessed 6 June 2006). Axelrod, R. (1997) The Complexity of Cooperation: Agent-Based Models of Competition and Collaboration, Princeton, NJ: Princeton University Press. Axelrod, R. and Cohen, M.D. (1999) Harnessing Complexity: Organizational Implications of a Scientific Frontier, New York: Free Press. Ayoob, M. (1997) ‘Defining Security: A Subaltern Realist Perspective’, in K. Krause and M.C. Williams (eds) Critical Security Studies: Concepts and Cases, London: UCL Press. Ayres, J.M. (1999) ‘From the Streets to the Internet: The Cyber-Diffusion of Contention’, The Annals of the American Academy of Political and Social Science, 566(1): 132–43. Baird, Z. (2002) ‘Governing the Internet: Engaging Government, Business, and Nonprofits’, Foreign Affairs, 81(6): 15–20. Bak, P. (1996) How Nature Works: The Science of Self-organized Criticality, New York: Copernicus. Balbi, A. (2006) ‘Portiamo Internet su Marte’, La Repubblica, 41: 26 May. Baldwin, D.A. (1997) ‘The Concept of Security’, Review of International Studies, 23(1): 5–28. Baldwin, R., and Cave, M. (1999) Understanding Regulation: Theory, Strategy, and Practice, Oxford: Oxford University Press. Barlow, J.P. (1996) A Declaration of the Independence of Cyberspace, 8 February, available on <http://www.eff.org/~barlow/DeclarationFinal.html> (accessed 6 June 2006). Barnett, T. (2004) The Pentagon’s New Map: War and Peace in the Twenty-First Century, New York: Putnam and Sons.
188
Bibliography
Barrow, D. (2004) ‘Networked Collaboration Transforms Curricula: The Case of Arab Culture and Civilization’, Liberal Education, Spring: 49–53. Bar-Yam, Y. (1997) Dynamics of Complex Systems, Reading, MA: Addison-Wesley. Bauer, H. and Brighi, E. (2002) ‘Editorial Note’, Millennium: Journal of International Studies, 31(3): iii-iv. Beck, U. (1992) Risk Society: Towards a New Modernity, London: Sage. —— (1999) World Risk Society, London: Polity. —— (2000) What is Globalization? translated by Patrick Camiller, Cambridge: Polity Press. —— (2002) ‘Cosmopolitanism and its Enemies,’ Theory, Culture & Society, 19(1–2): 17–44. Bendrath, R. (2001) ‘The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection’, Information and Security, 7: 80–103. —— (2003) ‘American Cyberangst and the Real World: Any Link?’, in R. Latham (ed.) Bombs and Bandwidth: The Emerging Relationship between IT and Security, New York: The New Press, 49–73. Berkowitz, B.D. (1997) ‘Warfare in the Information Age’, in J. Arquilla and D. Ronfeldt (eds) In Athena’s Camp: Preparing for Conflict in the Information Age, Santa Monica, CA: RAND, 175–90. —— (2003) The New Face of War: How War will Be Fought in the 21st Century, New York: Free Press. Bernstein, S. et al. (2000) ‘God Gave Physics the Easy Problems: Adapting Social Science to an Unpredictable World’, European Journal of International Relations, 6: 43–76. von Bertalanffy L. (1968) General Systems Theory: Foundations, Development, Applications, New York: George Braziller Publishing. —— (1975) Perspectives on General System Theory: ScientificPhilosophical Studies, New York: George Braziller Publishing. Bessette, R. and Haufler, V. (2001) ‘Against All Odds: Why There is no International Informational Regime’, International Studies Perspectives, 2: 69–92. Betts, R.K. (2001) ‘Intelligence Test: The Limits of Prevention’, in J.F. Hodge, Jr. and G. Rose (eds) How Did This Happen? Terrorism and the New War, New York: Public Affairs, 145–61. Biddle, S. (2004) Military Power: Explaining Victory and Defeat in Modern Battle, Princeton, NJ: Princeton University Press. Biggiero, L. (2001) ‘Sources of Complexity in Human Systems’, Nonlinear Dynamics, Psychology, and Life Sciences, 5(1): 3–19. Birkland, T.A. (1997) After Disaster: Agenda Setting, Public Policy, and Focusing Events, Washington, DC: Georgetown University Press. —— (2004) ‘“The World Changed Today”: Agenda-Setting and Policy Change in the Wake of the September 11 Terrorist Attacks’, Review of Policy Research, 21(2): 179–200.
Bibliography
189
Blank, S.J. (2003) Rethinking Asymmetric Threats, Carlisle, PA: Carlisle Strategic Studies Institute. Boin, A., ’t Hart, P., Stern, E.K. and Sundelius, B. (2005) The Politics of Crisis Management: Public Leadership Under Pressure, Cambridge: Cambridge University Press. Bonino, M. and Spring, M. (1991) ‘Standards as Change Agents in the Information Technology Market’, Computer Standards and Interface, 12(2). Borgmann, A. (1999) Holding on to Reality: The Nature of Information at the Turn of the Millennium, Chicago, IL: University of Chicago Press. Bosch, O. (2002) ‘Cyber Terrorism and Private Sector Efforts for Information Infrastructure Protection’, paper presented at the ITU Workshop on Creating Trust in Critical Network Infrastructures, Seoul, 20–22 May. Bossomaier, T.R.J. and Green, D.G. (eds) (2000) Complex Systems, Cambridge: Cambridge University Press. Bowker, G. (1993) ‘How to be Universal: Some Cybernetic Strategies 1943–1970, Social Studies of Science, 23(1): 107–28. Bowman, L.M. (2000) ‘Cybercrime Fighters: The Feds Want You!’, ZDNet News, 11 December, available on <http://www.zdnet.com/ zdnn/stories/news/0,4586,2663288,00.html> (accessed 6 June 2006). Brachman, J.M. (2006) ‘High-Tech Terror: Al-Qaeda’s Use of New Technology’, The Fletcher Forum of World Affairs, 30(2). Braithwaite, J. and Drahos, P. (2000) Global Business Regulation, Cambridge: Cambridge University Press. Braumoeller, B.F. (2003) ‘A Dynamic Solution to the Agent-Structure Debate in International Relations’, paper presented at the CEEISA/ISA International Convention, Budapest, Hungary, 26–28 June. Brooks, D. (2005) ‘The Zarqawi Rules’, New York Times, 14 February. Brown, T. (2005) ‘Death by Error’, Washington Post, 19 May. Buchner, B. (1988) ‘Social Control and the Diffusion of Modern Telecommunications Technologies: A Cross National Study’, American Sociological Review, 53(3): 446–53. Bunt, G.A. (2003), Islam in the Digital Age: E-Jihad, Online Fatwas and Cyber Islamic Environments, London: Pluto Press. Burkhart, G. E. and Older, S. (2003) The Information Revolution in the Middle East and North Africa, Santa Monica, CA: RAND. Bush, G.W. (2001a) Remarks by the President in Tax Celebration Event, Des Moines, IA: Office of the Press Secretary, 8 June. —— (2001b) Executive Order, Establishing the Office of Homeland Security and the Homeland Security Council, Washington, DC: The White House, 8 October. —— (2001c) Homeland Security Presidential Directive-1: Organization and Operation of the Homeland Security Council, Washington, DC: The White House, 29 October.
190
Bibliography
—— (2001d) Executive Order. Critical Infrastructure Protection in the Information Age, Washington, DC: The White House, 16 October. —— (2001e) Letter from President George W. Bush to Mr Romano Prodi, President, Commission of the European Union, Brussels. Business Software Alliance (2002) Government at Risk for Major Cyber Attack in Next 12 Months, IT Pros Say, Press Release, 25 June. Butler, D. and Van Atta, D., Jr. (2003) ‘Al Qaida Informer Helps Investigators Trace Group’s Trail’, New York Times, 17 February. Butts, C.T. (2001) ‘The Complexity of Social Networks: Theoretical and Empirical Findings’, Social Networks, 23: 31–71. Buzan, B. (1991) Peoples, States and Fear: An Agenda for International Security Studies in the Post-Cold War Era, 2nd edn, Boulder, CO: Lynne Rienner. Buzan, B. and Jones, R.J.B. (eds) (1981) Change and the Study of International Relations: The Evaded Dimension, London: Frances Pinter. Buzan, B., Wæver, O. and De Wilde, J. (1998) Security: A New Framework for Analysis, Boulder, CO: Lynne Rienner. Byrne, D. (1998) Complexity Theory and the Social Sciences: An Introduction, London: Routledge. Çambel, A.B. (1992) Applied Chaos Theory: A Paradigm for Complexity, Boston, MA: Academic Press. Camilleri, J.A. and Falk, J. (1992) The End of Sovereignty? The Politics of a Shrinking and Fragmenting World, Aldershot: Edward Elgar. Campen, A., Dearth, D. and Goodden, T. (1996) Cyberwar: Security, Strategy and Conflict in the Information Age, Fairfax, VA: AFCEA International Press. Carment, D. (2006) ‘A Framework for Understanding Terrorist Use of the Internet’, vol. 2, CCISS-ITAC Trends in Terrorism. Castells, M. (1989) The Informational City: Information Technology, Economic Restructuring, and the Urban–Regional Process, Oxford: Blackwell. —— (1996) The Information Age: Economy, Society and Culture, vol. 1: The Rise of the Network Society, Malden, MA: Blackwell. —— (1997) The Information Age: Economy, Society and Culture, vol. 2: The Power of Identity, Malden, MA: Blackwell. —— (1998) The Information Age: Economy, Society and Culture, vol. 3: End of Millennium, Malden, MA: Blackwell. Casti, J.L. (1979) Connectivity, Complexity, and Catastrophe in LargeScale Systems, Chichester: Wiley and Sons. —— (1996) ‘The Great Ashby’, Journal of Complexity, 2(1): 7–9. Cederman, L-E. (1997) Emergent Actors: How States and Nations Develop and Dissolve, Princeton, NJ: Princeton University Press. Cederman, L-E. and Gleditsch, K.S. (2004) ‘Conquest and Regime Change: An Evolutionary Model of the Spread of Democracy and Peace’, International Studies Quarterly, 48(3): 603–29.
Bibliography
191
Celeste, R. (1996) ‘Strategic Alliances for Innovation: Emerging Models of Technology-based Twenty-first Century Economic Development’, Economic Development Review, 14(1): 4–9. Cerny, P. (1996) ‘What Next for the State?’, in E. Kofman and G. Young (eds) Globalisation: Theory and Practice, London: Pinter. —— (2005) ‘Terrorism and the New Security Dilemma’, Naval War College Review, 58(1). Checkel, J. (1997) Ideas and International Political Change: Soviet/Russian Behavior and the End of the Cold War, New Haven, CT: Yale University Press. Chilton, P.A. (1996) Security Metaphors: Cold War Discourse from Containment to the Common House, New York: Lange. Choucri, N. (2000) ‘Introduction: CyberPolitics in International Relations’, International Political Science Review, 21(3): 243–63. Christensen, J. (1999) ‘Bracing for Guerrilla Warfare in Cyberspace’, CNN Interactive, 6 April, available on <http://www.cnn.com/TECH/ specials/hackers/cyberterror> (accessed 18 March 2006). Ciborra, C. (1991) ‘Alliances as Learning Experiments: Co-operation, Competition and Change in High-tech Industries’, in L. Krieger Mytelka (ed.) Strategic Partnerships, London: Pinter Publishers. CIPEP (2003) ‘Threats to Canada’s Critical Infrastructure’, Threat Analysis TA03-001, Office of Critical Infrastructure Protection and Emergency Preparedness, 12 March. Clancy, T. and Pieczenik, S.R. (1999) Netforce, Berkeley, CA: Berkeley Publishing Group. Clark, W. and Conner, B. (2002) ‘Vulnerability on the Cyber Front’, Washington Times, 19 August. Clarke, R.A. (2005) Memorandum: Implementation of PDD 63 Through Project Matrix, Critical Infrastructure Assurance Office, 19 July, Washington, DC. Clinton, W. (2000) ‘Defending America’s Cyberspace. National Plan for Information Systems Protection Version 1.0: An Invitation to a Dialogue’, Washington, DC: The White House, 7 January. CNN (1996) ‘Cyberspace Attacks Threaten National Security, CIA Chief Says’, 25 June, available on < http://www.cnn.com/TECH/9606/25/ comp.security/index.html> (accessed 18 March 2006). —— (1997) ‘Experts Prepare for an “Electronic Pearl Harbor” ’, 7 November, available on <http://www.cnn.com/US/9711/07/ terrorism.infrastructure> (accessed 27 February, 2003). —— (2002) ‘FBI: Al Qaeda May Have Probed Government Sites’, 17 January, available on <http://archives.cnn.com/2002/TECH/ internet/01/17/fbi.alert/index.html> (accessed 9 June 2006). Cohen, E. (1996) ‘A Revolution in Military Affairs’, Foreign Affairs, 75(2): 37–54. Cohen, J. (1992) The Politics of Telecommunications Regulation, Armonk, NY: M.E. Sharpe.
192
Bibliography
Cohen, R.S. (1995) ‘How Useful Is the Complexity Paradigm Without Quantifiable Data? A Test Case: The Patronage of 5th–6th Century Buddhist Caves in India’, in A. Albert (ed.) Chaos and Society: Frontiers in Artificial Intelligence and Applications, vol. 29, Amsterdam: IOS Press, 83–99. Coll, S. and Glasser, S.B. (2005) ‘Terrorists Turn to Web as Base of Operations’, Washington Post, 7 August. Cook, D. (2005a) ‘Women Fighting in Jihad?’, Studies in Conflict & Terrorism, 28: 375–84. —— (2005b) Understanding Jihad, Berkeley, CA: University of California Press. Cooper, J.R. (1997) ‘Another View of the Revolution in Military Affairs’, in J. Arquilla and D. Ronfeldt (eds) In Athena’s Camp: Preparing for Conflict in the Information Age, Santa Monica, CA: RAND, 99–140. Cordesman, A. (2002) Cyber-Threats, Information Warfare, and Critical Infrastructure Protection: Defending the US Homeland, Westport, CT: Praeger. Corman, S.R. and Schiefelbein, J.S. (2006) Communication and Media Strategy of the Jihadi War of Ideas, Report No.0601, Arizona State University. Corporate Location (2001) ‘IT Firms Seek Middle Eastern Sales Support’, 12, May/June. Council of Europe (2001) Council of Europe Convention on Cybercrime, Explanatory Report, 8 November, Strasbourg. Crutchfield, J.P. (1994) ‘Is Anything Ever New? Considering Emergence’, in G. Cowan, D. Pines and D. Melzner (eds) Complexity: Metaphors, Models, and Reality, SFI Series in the Sciences of Complexity XIX, Redwood City, CA: Addison-Wesley, 479–97. Crutchfield J.P., Farmer, J.D., Packard, N.H. and Shaw, R.S. (1986) ‘Chaos’, Scientific American, December, 46–57. CSIS (1996) The Information Revolution and International Security: Robert F. McMormich Tribune Foundation Report, Washington, DC: Center for Strategic and International Studies. Cullison, A. (2004) ‘Inside Al-Qaeda’s Hard Drive’, The Atlantic Monthly, September. ‘Cyberspace attacks threaten national security, CIA chief says’ (1996) CNN.com, available on <http://www.cnn.com/Tech/9606/25/ comp.security/index.html> (accessed 20 October 2006). Daukantas, P. (2001) ‘Professors Hash out Emergency Response, Cyberterrorism Strategies’, GovernmentComputer News, 14 December, available on <http://www.gcn.com/vol1_no1/daily-updates/176421.html> (accessed 25 January 2006). David, N.C. (1997) ‘An Information-Based Revolution in Military Affairs’, in J. Arquilla and D. Ronfeldt, (eds) In Athena’s Camp: Preparing for Conflict in the Information Age, Santa Monica, CA: RAND, 79–98.
Bibliography
193
De Borchgrave, A., Cilluffo, F.J., Cardash, S.L. and Ledgerwood, M.M. (2000) Cyber Threats and Information Security – Meeting the 21st Century Challenge, Washington, DC: Center for Strategic and International Studies. Deibert, R. (1997) Parchment, Printing and Hypermedia, New York: Columbia University Press. Deibert, R.J. and Gross Stein, J. (2002) ‘Hacking Networks of Terror’, International Organisation, Spring: 1–14. —— (2003) ‘Social and Electronic Networks in the War on Terror’, in R. Latham (ed.) Bombs and Bandwidth, New York: New Press. Delio, M. (2001a) ‘It’s (Cyber) War: China vs. US’, Wired News, 30 April, available on <http://www.wired.com/news/print/0,1294,43437,00. html> (accessed 30 April 2006). —— (2001b) ‘FBI Warns of Chinese Hack Threat’, Wired News, 27 April, available on <http://www.wired.com/news/politics/ 0,1283,43417,00.html> (accessed 18 March 2006). —— (2002) ‘MS Refocuses on Software Pirates’, Wired News, 22 January, available on <http://www.wired.com/news/print/0,1294,49856,00. html> (accessed 30 April 2006). Denning, D.E. (1999) Information Warfare and Security, Boston, MA: Addison Wesley. —— (2001a) ‘Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy’, in J. Arquilla and J. Ronfeldt (eds) Networks and Netwars: The Future of Terror, Crime, and Militancy, Santa Monica, CA: RAND. —— (2001b) ‘Is Cyber Terror Next?’, Essays on September 11, Social Science Research Council, available on <http://www.ssrc.org/ sept11/essays/denning.htm> (accessed 9 June 2006). Department of Defense (1998) Joint Doctrine for Information Operations. 9 October, available on <http://www.dtic.mil/doctrine/jel/new_pubs/ jp3_13.pdf> (25 January 2006). Der Derian, J. (2000) ‘Virtuous War/Virtual Theory’, International Affairs, 76(4): 771–88. Deudney D. and Ikenberry, J. (1999) ‘The Nature and Sources of Liberal International Order’, Review of International Studies, 25(2). Devji, F. (2005) Landscapes of the Jihad, London: Hurst. Devost, M.G., Houghton, B.K. and Pollard, N.A. (1997) ‘Information Terrorism: Political Violence in the Information Age’, Terrorism and Political Violence, 9(1): 72–83. Dewey, J. (1929) The Quest for Certainty: A Study of the Relation of Knowledge and Action, New York: G.P. Putnam Capricorn Books. —— (1948) Reconstruction of Philosophy, Boston, MA: Beacon Press. Dizikes, P. (2001) ‘Clear and Present Danger? Government Warns that its Computer Systems Need Security Improvements’, ABC News, 29 August.
194
Bibliography
Dolowitz, D. and Marsh, D. (1996) ‘Who Learns What From Whom: A Review of the Policy Transfer Literature’, Political Studies, 44: 343–57. Dornheim, M.A. (1998) ‘Bombs Still Beat Bytes’, Aviation Week & Space Technology, 19 January. Downes, L., Mui, C. and Negroponte, N. (1998) Unleashing the Killer App: Digital Strategies for Market Dominance, Cambridge, MA: Harvard Business School Press. Drezner, D.W. (2001) ‘On the Balance Between International Law and Democratic Sovereignty’, Chicago Journal of International Law, 2 (L 321). DSBTF (2001) ‘Protecting the Homeland: Report of the Defense Science Board Task Force on Defensive Information Operations’, vol. II, Washington, DC: Department of Defense. Duncan, R.W., Jancar-Webster, B. and Switky, B. (2003) World Politics in the 21st Century, New York: Longman. Dunn, M. (2002) Information Age Conflicts: A Study on the Information Revolution and a Changing Operating Environment, Zürcher Beiträge zur Sicherheitspolitik und Konfliktforschung, no. 64, Zurich: Center for Security Studies. —— (2005) ‘The Socio-Political Dimensions of Critical Information Infrastructure Protection (CIIP)’, International Journal for Critical Infrastructure Protection, 1(2/3): 58–68. —— (2006) ‘Understanding Critical Information Infrastructures: An Elusive Quest’, in M. Dunn and V. Mauer (eds) The International CIIP Handbook 2006: Analyzing Issues, Challenges, and Prospects, vol. II, Zürich: Forschungsstelle für Sicherheitspolitik, 27–53. Dunn, M. and Wigert, I. (2004) The International CIIP Handbook 2004: An Inventory of Protection Policies in Fourteen Countries, Zurich: Center for Security Studies. Dunning, J. (1992) ‘The Global Economy, Domestic Governance, Strategies and Transnational Corporations: Interactions and Policy Implications’, Transnational Corporations, 1(3). Economides, N. (1996) ‘The Economics of Networks’, International Journal of Industrial Organization, 14(6): 673–93. Economist, The (26 October 2002) ‘A Survey of Digital Security’. —— (25 March 2006) ‘Computing the Future’, 79–80. —— (29 April 2006) ‘The Party, the People and the Power of Cyber-talk’, 25–26. Edelman, M. (1964) The Symbolic Uses of Politics, 2nd edn, Urbana, IL: University of Illinois Press. —— (1977) Political Language: Words that Succeed and Policies that Fail, New York: Academic Press. —— (1985) The Symbolic Uses of Politics: With a New Afterword, Urbana, IL: University of Illinois Press.
Bibliography
195
—– (1988) Constructing the Political Spectacle, Chicago, IL: Chicago University Press. Edwards, J. (2002) Press release for the Cybersecurity Preparedness Act, January, available on <http://edwards.senate.gov/press/2002/jan28pr.html> (accessed 12 June 2006). Elkady, N. (2006) ‘Reaching for Digital Sky’ Gulf News, 11 January, available on <http://archive.gulfnews.com/articles/05/30/10001589. html> (accessed 12 June 2006). Entman, R.M. (1993) ‘Framing: Toward Clarification of a Fractured Paradigm’, Journal of Communication 43(4): 51–58. Erbschloe, M. (2001) Information Warfare: How to Survive Cyber Attacks, Berkeley, CA: Osborne and McGraw Hill. Eriksson, J. (2001a) ‘Introduction’, in J. Eriksson (ed.) Threat Politics: New Perspectives on Security, Risk and Crisis Management, Aldershot: Ashgate Publishing. —— (2001b) ‘Cyberplagues, IT and Security: Threat Politics in the Information Age’, Journal of Contingencies and Crisis Management, 9(4): 211–22. —— (2006) ‘Power Disparity in the Digital Age’, in O.F. Knudsen (ed.) Security Strategies, Power Disparity and Identity: The Baltic Sea Region, Aldershot: Ashgate. Eriksson, J. and Giacomello, G. (2006) ‘The Information Revolution, Security and International Relations: (IR)relevant Theory?’, International Political Science Review, 27(3): 221–44. Essoulami, S. (2000) ‘The Press in the Arab World: 100 Years of Suppressed Freedom’, available on <http://www.cmfemena.org/ magazine/feature/100years.html> (accessed 6 June 2006). Eunjung Cha, A. and Krim, J. (2002) ‘White House Officials Debating Rules for Cyberwarfare’, Washington Post, 22 August. European Union (1995) Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L281, 23. Evans, M. (2004) ‘Al-Qaeda Agent’s Laptop Yields Vital Intelligence Clues’, The Times, 7 August. Eve, R.A., Horsfall, S. and Lee, M.E. (eds) (1997) Chaos, Complexity, and Sociology: Myths, Models, and Theories, Thousand Oaks, CA: Sage Publications. Everard, J. (2000) Virtual States: The Internet and the Boundaries of the Nation-state, London: Routledge. ‘FBI: Al Qaeda may have probed government sites’ (2002) CNN.com, 17 January, available on <http://archives.cnn.com/2002/TECH/ internet/01/17/fbi.alert/index.html> (accessed on 20 October 2006). Fearon, J. and Wendt, A. (2002) ‘Rationalism and Constructivism: A Skeptical View’, in W. Carlsnæs, T. Risse and B.A. Simmons (eds) Handbook of International Relations, London: Sage, 52–72.
196
Bibliography
Fielding, N. (2001) ‘Revealed: The Bloody Pages of Al-Qaeda’s Killing Manual’, Sunday Times, 4 November. —— (2004) ‘Al-Qaeda Betrayed by Its Simple Faith in High-Tech’, The Times, 8 August. Fielding, N. and Gadhery, D. (2002) ‘Al-Qaeda’s Satellite Phone Records Revealed – No Calls To Iraq’, Sunday Times, 24 March. Fink, C. and C. J. Kenny (2003) ‘W(H)Iter the Digital Divide’, Washington: ITU, available on <http://www.itu.int/wsis/docs/ background/themes/digital_divide/fink-kenny.pdf> (accessed on 22 October 2006). Fischer, F. (1990) Technocracy and the Politics of Expertise, Newbury Park, CA: Sage. Fischer, F. and Forester, J. (1993) The Argumentative Turn in Policy Analysis and Planning, London: UCL Press. Foerster H. von and Zopf, G.W. (eds) (1962) Principles of SelfOrganization, New York: Pergamon Press. Fordahl, M. (2002) ‘White House Cybersecurity Plan Avoids Calls for New Rules’, Associated Press, 18 September. Forno, R. (2002) Quotes on ‘Electronic Pearl Harbor’, 25 July, available on <http://www.soci.niu.edu/~crypt/other/harbor.htm> (accessed 12 June 2006). Forrester, J. W. (1961) Industrial Dynamics, Massachusetts: Productivity Press. Foster, A. M., Wynn, L., Rouhana, A., Polis, C. and Trussell, J. (2005) ‘Reproductive Health, the Arab World and the Internet: Usage Patterns of an Arabic-Language Emergency Contraception Web Site’, Contraception, 72: 134. Fountain, J.E. (2001) Building the Virtual State: Information Technology and Institutional Change, Washington, DC: Brookings Institution. Fradkin, H., Haqqani, H. and Brown, E. (eds) (2002) Current Trends in Islamist Ideology, vol. 1, Washington, DC: Hudson Institute. Franda, M.F. (2001) Governing the Internet: The Emergence of an International Regime, Boulder, CO: Lynne Rienner. Freedman, D.H. (2000) ‘How to Hack a Bank’, available on <http://www. forbes.com/asap/2000/0403/056.html> (accessed 9 June 2006). Freeh, L.J. (1997) Statement Before the Senate Appropriations Committee Hearing on Counterterrorism, Director, Federal Bureau of Investigation, 13 May. Freeman, C. and Louca, F. (2002) As Time Goes By: From the Industrial Revolutions to the Information Revolution, Oxford: Oxford University Press. Friedman, T. L. (1999) The Lexus and the Olive Tree, New York: Farrar, Strauss & Giroux. —— (2002) Longitudes and Attitudes: Exploring the World After September 11, New York: Farrar, Strauss & Giroux.
Bibliography
197
F-secure (2003) ‘Iraq War and Information Security’, available on <http://www.f-secure.com{virus-info/iraq.shtml> (accessed 27 March 2003). Fuda, Y. and Fielding, N. (2003) Masterminds of Terror, London: Mainstream Publishing. Fukuyama, F. and Ikenberry, G.J. (2005) Report of the Working Group on Grand Strategic Choices, Princeton, NJ: The Princeton Project on National Security, September. ‘Fundamentalists: Al-Ayiri was in charge of “Al-Neda” Internet web site, Al-Qa’idah’s mouthpiece’, Al-Sharq Al-Awsat, 4 June 2003. Furnell, S. (2002) Cybercrime: Vandalizing the Information Society, Edinburgh: Pearson Education. G8 Justice and Interior Ministers (2002) Principles on the Availability of Data Essential to Protecting Public Safety, Mont-Tremblant: G8 Summit, 13–14 May. G8 Lyon Group (2000) Un dialogue entre les pouvoirs publics et le secteur privé sur la sécurité et la confiance dans le cyberespace communiqué du G8 (Groupe de Lyon), Paris: G8, 17 May. Garner, R. and Gillingham, M.G. (eds) (1996) Internet Communication in Six Classrooms, Mahwah, NJ: Lawrence Erlbaum Associates. Gaspar, R. (2000) ‘Looking to the Future: Clarity on Communications Data Retention Law’. A submission to the Home Office for Legislation on Data Retention, on behalf of ACPO and ACPO(S), HM Customs & Excise; Security Service; Secret Intelligence Service; and GCHQ, 21 August. George, A. and Bennett, A. (2005) Case Studies and Theory Development in the Social Sciences, Cambridge, MA, and London: MIT Press. Gershwin, L.K. (2001) Cyber Threat Trends and US Network Security, Statement for the Record, United States Congress, Joint Economic Committee Hearing ‘Wired World: Cyber Security and the US Economy’, 21 June. Gertz, B. (2001) ‘Military Fears Attacks from Cyberspace’, Washington Times, 29 March. Giacomello, G. (2005) National Governments and Control of the Internet: A Digital Challenge, London: Routledge. Giacomello, G. and Mendez, F. (2001) ‘Cuius Regio, Eius Religio, Omnium Spatio? State Sovereignty in the Age of the Internet’, Information and Security, 7: 15–27. Gibson, W. (1984) Neuromancer, New York: Ace. Gilmore, G.J. (2001) ‘Rumsfeld To NATO: Prepare Now for Emerging Threats’, American Forces Press Service, 7 June. Gilpin, R. (1986) ‘The Richness of the Tradition of Political Realism’, in R.O. Keohane (ed.) Neorealism and its Critics, New York: Columbia University Press. Gleick, J. (1987) Chaos: Making a New Science, New York: Penguin Books.
198
Bibliography
Goffman, E. (1974) Frame Analysis: An Essay on the Organization of Experience, Boston, MA: Northeastern University Press. Goldman, E. (2005) Information and Revolution in Military Affairs, London: Routledge. Goldman, E. and Mahnken, T.G. (eds) (2004) The Information Revolution in Military Affairs in Asia, Basingstoke: Palgrave Macmillan. Goldmann, K. (1999) ‘Issues, Not Labels, Please!: Response to Eriksson’, Cooperation and Conflict, 34(3): 331–33. Goldring, J. (1997) ‘Netting the Cybershark: Consumer Protection, Cyberspace, the Nation-State, and Democracy’, in B. Kahin and C. Nesson (eds) Borders in Cyberspace, Cambridge, MA: The MIT Press, 322–54. Goldsmith, J.L. (1998a) ‘Against Cyberanarchy’, University of Chicago Law Review, 65: 1199–250. —— (1998b) ‘Symposium on the Internet and Legal Theory: Regulation of the Internet: Three Persistent Fallacies’, Chicago-Kent Law Review, 73: 1119–31. Goldstein, J. (1996) ‘International Law and Domestic Institutions: Reconciling North American “Unfair” Trade Laws’, International Organization, 50(4): 541–64. Gomez, P. (2001) ‘Vom Umgang mit Komplexität: Denkfallen und Entscheidungshilfen’, in H. Mey and D. Lehmann Pollheimer (eds) Absturz im Freien Fall – Anlauf zu Neuen Höhenflügen: Gutes Entscheiden in Wirtschaft, Politik und Gesellschaft, Zürich: Vdf Hochschulverlag AG, 151–66. Gompert, D.C. (1995) ‘Keeping Information Warfare in Perspective’, RAND Research Review, 19(Fall). Gongora, T. and von Riekhoff, H. (eds) (2000) Towards a Revolution in Military Affairs: Defense and Security at the Dawn of the Twenty-first Century, London: Greenwood Press. Goodman, S.E., Hassebroek, P.B., King, D. and Azment, A. (2002) International Coordination to Increase the Security of Critical Network Infrastructures, Document CNI/04, paper presented at the ITU Workshop on Creating Trust in Critical Network Infrastructures, Seoul, 20–22 May. Gourevitch, P. (1978) ‘The Second Image Reversed: The International Sources of Domestic Politics’, International Organization, 32(4): 881–912. ‘Government Not Ready for Cyberattacks’ (2002) Internet News, 26 June, available on 19 October 2006 at <http://www.internetnews. com/entnews/print.php/1377081>. Greene, T.C. (2001) ‘USA Today as DoD Cyber-war Propaganda Mouthpiece’, The Register, 21 June, available on <http:// www.theregister.co.uk/content/6/19884.html> (accessed 12 June 2006).
Bibliography
199
—— (2002) ‘Mock Cyberwar Fails to End Mock Civilization’, The Register, 14 August, available on <http://www.theregister.co.uk/ content/55/26675.html> (accessed 6 June 2006). Gulf News (2005) ‘Qatar and Cisco Sign Deal to Improve IP Infrastructure’, 24 November, available on <http:// archive.gulfnews.com/articles/05/09/27/184032.html> (accessed 12 June 2006). Haas, E.B. (1990) When Knowledge is Power: Three Models of Change in International Organizations, Berkeley, CA: University of California Press. —— (1992) ‘Introduction: Epistemic Communities and International Policy Coordination’, International Organization, 46(1): 1–35. Haas, E.B. and Haas, P. (2002) ‘Pragmatist Constructivism and the Study of International Institutions’, Millennium: Journal of International Studies, 31(3): 573–601. Habermas, J. and Seideman, S. (1989) Society and Politics: A Reader, Boston, MA: Beacon Press. Haggard, S. and Simmons, B.A. (1987) ‘Theories of International Regimes’, International Organization, 41(3): 491–517. Hall, A. (2005) ‘Al-Qaeda Chiefs Reveal World Domination Design’, The Age, 24 August. Hall, E.T. (1976) Beyond Culture, Garden City, NY: Doubleday. Halperin, M. (1974) Bureaucratic Politics and Foreign Policy, Washington, DC: The Brookings Institution. Hammond, A.L. (2001) ‘Digitally Empowered Development’, Foreign Affairs, 80(March–April): 96–106. Hammond, T.H. (1986) ‘Agenda Control, Organizational Structure, and Bureaucratic Politics’, American Journal of Political Science, 30(2): 379–420. Harbison J. and Pekar, P. (1998) Smart Alliances, San Francisco, CA: Jossey-Bass Publishers. Harshberger, E. and Ochmanek, D. (1999) ‘Information and Warfare: New Opportunities for US Military’, in Z.M. Khalilzad and J.P. White (eds) Strategic Appraisal: The Changing Role of Information in Warfare, Santa Monica, CA: RAND. ’t Hart, P. (1993) ‘Symbols, Rituals and Power: The Lost Dimensions of Crisis Management’, Journal of Contingencies and Crisis Management, 1(1): 36–50. Haufler, V. (1995) ‘Crossing the Boundaries between Public and Private: International Regimes and Non-State Actors’ in V. Rittberger (ed.) Regime Theory and International Relations, Oxford: Clarendon Press, 94–111. Hegghammer, T. (2006) ‘Global Jihadism after the Iraq War’, Middle East Journal, 60(1): 11–32.
200
Bibliography
Henkin, L. (1995) International Law: Politics and Values. Developments in International Law, vol. 18, Dordrecht, the Netherlands, and Boston, MA: M. Nijhoff. Henry, R. and Peartree, C.E. (eds) (1998) The Information Revolution and International Security, Washington, DC: Center for Strategic and International Studies. Herd, G.P. (2000) ‘The Counter-Terrorist Operation in Chechnya: Information Warfare Aspects’, Journal of Slavic Military Studies, 13(4): 57–84. Hermann, C.H. (1990) ‘Changing Course: When Governments Choose to Redirect Foreign Policy’, International Studies Quarterly, 34: 3–21. Hermann, R. (2002) ‘Linking Theory to Evidence in International Politics’, in W. Carlsnæs, T. Risse and B. Simmons (eds) Handbook of Political Science, London: Sage, 119–36. Herrera, G. (2002) ‘The Politics of Bandwidth: International Political Implications of a Global Digital Information Network’, Review of International Studies, 28: 93–122. Hobart, M.E. and Schiffman, Z.S. (2000) Information Ages: Literacy, Numeracy, and the Computer Revolution, Baltimore, MD: Johns Hopkins University Press. Hoffman, B. (2006) ‘The Use of the Internet by Islamist Extremists’, CT262-1. Testimony presented to the House Permanent Select Committee on Intelligence on May 4, 2006, Washington, DC. Holsti, K.J. (1998) ‘The Problem of Change in International Relations Theory’, Institute of International Relations, The University of British Columbia, Vancouver, Working Paper no. 26, December. Hosein, I. (2004) ‘The Sources of Law: Policy Dynamics in a Digital and Terrorized World’, The Information Society, 20(3): 187–99. Hosein, I. and Whitley, E. (2002) ‘The Regulation of Electronic Commerce: Learning from the UK’s RIP Act’, Journal of Strategic Information Systems, 17(1): 31–58. Hudson, M.C. (2000) ‘A “Pan-Arab Virtual Think Tank”: Enriching the Arab Information Environment’, Middle East Journal, 54(3): 362–77. Human Rights Watch (2005) ’Internet World Stats, Usage and Population Statistics’, November, 17(10), available on <http://www. internetworldstats.com/stats5.html> (accessed 6 June 2006). Hunt, K. (2006) ‘Osama Bin Laden Fan Clubs Build Online Communities’, USA Today, 8 March. Husain, Khurram N. (2003) ‘The Men Behind the Curtain’, Bulletin of the Atomic Scientists, 59(6): 62–71. Huysmanns, J. (1998) ‘Revisiting Copenhagen, or, on the Creative Development of a Security Studies Agenda in Europe’, European Journal of International Relations, 4(4). IDC (2003) IDC’s Information Society Index, IDC (International Data Corporation), available on <http://www.idc.com/groups/isi/main. html> (accessed 9 June 2006).
Bibliography
201
Ikenberry, G.J. (1989) ‘Manufacturing Consensus: The Institutionalization of American Private Interests in the Tokyo Trade Round’, Comparative Politics, 21(3): 289–305. —— (1996) ‘The Future of International Leadership’, Political Science Quarterly, 111(3): 385–402. Internet News (2002) ‘Government Not Ready for Cyberattacks’, 26 June, available on <http://www.internetnews.com/ent-news/print.php/ 1377081> (accessed 6 June 2006). ‘Is Online Terrorism a Legitimate Threat?’ (2002) Computer Economics, 20 August. ITU (2003) ITU Digital Access Index: World’s First Global ICT Ranking, International Telecommunication Union, available on <http://www.itu.int/newsarchive/press_releases/2003/30.html> (accessed 9 June 2006). Jehel, D. and Ranger, D. (2004) ‘New to the Job, Rice Focused on More Traditional Threats’, The New York Times, 5 April, A1. Jervis, R. (1997a) System Effects: Complexity in Political and Social Life, Princeton, NJ: Princeton University Press. —— (1997b) ‘Complex Systems: The Role of Interactions’, in D.S. Alberts and T.J. Czerwinski (eds) Complexity, Global Politics, and National Security, Washington, DC: National Defense University Press, 45–71. Johnson, D.R. and Post, D.G. (1996) ‘Law and Borders: The Rise of Law in Cyberspace’, Stanford Law Review, 48: 1367. Johnson, R.H. (1997) Improbable Dangers: U.S. Conceptions of Threat in the Cold War and After, London: Macmillan. Jordan, T. andTaylor, P. (2004) Hacktivism and Cyberwars: Rebels With a Cause, London: Routledge. Kaldor, M. (1999) New and Old Wars: Organized Violence in a Global Era, London: Blackwell. —— (2001) ‘Beyond Militarism, Arms Races and Arms Control’, essay prepared for the Nobel Peace Prize Centennial Symposium, 6–8 December, available on <http://www.ssrc.org/sept11/essays/ kaldor.htm> (accessed 9 June 2006). Kambayashi, N. (2003) Cultural Influences on IT Use: A UK–Japanese Comparison, Basingstoke: Palgrave Macmillan. Katz, M. and Shapiro, C. (1985) ‘Network Externalities, Competition and Compatibility’, American Economic Review, 73(3): 424–40. Katzenstein, P. (1996) The Culture of National Security: Norms and Identity in World Politics, New York: Columbia University Press. Katzenstein, P., Keohane, R.O. and Krasner, S. (1998) ‘International Organization and the Study of World Politics’, International Organization, 52(4): 645–85. Keck, M. and Sikkink, K.A. (1998) Activists Beyond Borders: Advocacy Networks in International Politics, Ithaca, NY: Cornell University Press. Keegan, J. (1993) A History of Warfare, London: Hutchinson.
202
Bibliography
Keeler, J.T.S. (1993) ‘Opening the Window for Reform’, Comparative Political Studies, 25: 433–86. Kellert, S. H. (1995) ‘When is the Economy Not Like the Weather? The Problem of Extending Chaos Theory to the Social Sciences’, in A. Albert, (ed.) Chaos and Society: Frontiers in Artificial Intelligence and Applications, vol. 29, Amsterdam: IOS Press, 35–48. Kelley, J. (2001) ‘Terror groups hide behind Web encryption’, USA Today, 6 February. —— (2002) ‘Militants Wire Web With Links to Jihad’, USA Today, 9 July. Keohane, R.O. (1984) After Hegemony: Cooperation and Discord in the World Political Economy, Princeton, NJ: Princeton University Press. —— (2002) ‘The Globalization of Informal Violence, Theories of World Politics, and the “Liberalism of Fear” ’, International Organization, Spring: 29–43. Keohane, R.O. and Nye, J.S., Jr. (eds) (1972) Transnational Relations and World Politics, Cambridge, MA: Harvard University Press. Keohane, R.O. and Nye, J.S., Jr. (1977) Power and Interdependence: World Politics in Transition, Boston, MA: Little, Brown. —— (1989) Power and Interdependence, 2nd edn, New York: HarperCollins. —— (1998) ‘Power and Interdependence in the Information Age’, Foreign Affairs, 77(5): 81–94. Khalilzad, Z., White, J. and Marshall, A.W. (1999) Strategic Appraisal: The Changing Role of Information in Warfare, Santa Monica, CA: RAND. Kindleberger, C. (1981) ‘Dominance, Leadership and the International Economy Exploitation, Public Goods, and Free Rides’, International Studies Quarterly, 25(2): 242–54. Kingdon, J.W. (1995) Agendas, Alternatives and Public Policy, 2nd edn, New York: HarperCollins College Publishers. Kirat, M. (2005) ‘The Information Technology Revolution and the Digital Divide’, Alkhabar Weekly, (Arabic), No. 336, 6/12 August: 19. Klinenberg, E. and Perrin, A. (2000) ‘Symbolic Politics in the Information Age: The 1996 Presidential Campaign on the Web’, Information, Communication and Society, 3(1): 17–38. Knorr Cetina, K. (2005) ‘Complex Global Microstructures: The New Terrorist Societies’, Theory, Culture & Society, 22(5). Knox, M. and Murray, W. (eds) (2001) The Dynamics of Military Revolution, 1300–2005, Cambridge: Cambridge University Press. Kogut, B. (ed.) (2003) The Global Internet Economy, Cambridge, MA: MIT Press. Kohlmann, E. (2004) Al-Qaida’s Jihad in Europe, London: Berg Publishers. Kolet, K.S. (2001) ‘Asymmetric Threats to the United States’, Comparative Strategy, 20(3): 277–92.
Bibliography
203
Koprowski, G.J. (2003) ‘The Web: Terrorists Prove Elusive’, UPI, 23 October. Koslowski, R. and Kratochwil, F.V. (1996) ‘Understanding Change in International Politics: The Soviet Empire’s Demise and the International System’, in R.N. Lebow and T. Risse-Kappen (eds) International Relations Theory and the End of the Cold War, New York: Columbia University Press. Krasner, S. (1983) ‘Structural Causes and Regime Consequences: Regimes as Intervening Variables’, in S. Krasner (ed.) International Regimes, Ithaca, NY: Cornell University Press. —— (1991) ‘Global Communications and National Power’, World Politics, 43(3): 336–67. —— (1995) ‘Power Politics: Institutions and Transnational Relations’, in T. Risse-Kappen (ed.) Bringing Transnational Relations Back In, Cambridge: Cambridge University Press. Kratochwil, F. (1989) Rules, Norms and Decisions: On the Conditions of Practical and Legal Reasoning in International and Domestic Affairs, Cambridge: Cambridge University Press. Kurth Cronin, A. (2006) ‘Cyber-Mobilization: The New Levée en Masse’, Parameters, Summer: 77–87. Kyriakopoulos, N. and Wilikens, M. (2000) Dependability and Complexity: Exploring Ideas for Studying Open Systems, Ispra: Joint Research Centre. Lacey, M. (2000), ‘Clinton Gives a Final Foreign Policy Speech’, The New York Times, 9 December. Laird, R.F. (1999) Revolution in Military Affairs: Allied Perspectives, Washington, DC: Institute for National Strategic Studies, National Defense University. Laszlo, E. (1991) The Age of Bifurcation: Understanding the Changing World, The World Futures General Evolution Studies, vol. 3, Philadelphia, PA: Gordon and Breach. Latham, R. (ed.) (2003) Bombs and Bandwidth: The Emerging Relationship between IT and Security, New York: The New Press. Lebow, R.N. and T. Risse-Kappen (1995) International Relations and the End of the Cold War, New York: Columbia University Press. Leheney, D. (2002) ‘Symbols, Strategies, and Choices for International Relations Scholarship After September 11’, International Organisation, Spring: 57–70. —— (2005) ‘Terrorism, Social Movements and International Security: How Al Qaeda Affects Southeast Asia’, Japanese Journal of Political Science, 6(1). Lemos, R. (2002) ‘Data On Internet Threats Still Out Cold’, CNET News, 21 January, available on <http://news.com.com/2100-1001819521.html> (accessed 6 June 2006). Levenson, M. (2006) ‘Crafts website hacked by terrorists’, Boston Globe, 7 May.
204
Bibliography
Levy, M., Young, O. and Zurn M. (1995) ‘The Study of International Regimes’, European Journal of International Relations, 1(3): 270–73. Lewis, J.A. (2002) Assessing the Risks of Cyber-terrorism, Cyber War and Other Cyber Threats, Washington, DC: Center for Strategic and International Studies. Lewontin, R.C. (1992) Biology as Ideology: The Doctrine of DNA, New York: Harper Perennial. Lia, B. (2006a) The al-Qaida Strategist Abu Mus’ab al-Suri: A Profile, Working Paper, presented at a OMS-Seminar in Oslo, Norway, 15 March 2006. —— (2006b) ‘Al-Qaeda Online: Understanding Jihadist Internet Infrastructure’, Jane’s Intelligence Review, January. Lia, B. and Hegghammer, T. (2004) ‘Jihadi Strategic Studies: The Alleged Al Qaida Policy Study Preceding the Madrid Bombings’, Studies in Conflict & Terrorism, 27: 355–75. Libicki, M. (1995) What is Information Warfare?, Washington, DC: National Defense University. —— (1997) Defending Cyberspace and Other Methaphors, Washington, DC: National Defense University. —— (1999) Illuminating Tomorrow’s War, McNair Paper 61, Washington, DC: National Defense University. Lonsdale, D.J. (1999) ‘Information Power: Strategy, Geopolitics, and the Fifth Dimension’, Journal of Strategic Studies, 22(2–3): 137–57. Luard, E. (1992) The Balance of Power, New York: St. Martin’s Press. Luiijf, E.A.M., Burger, H.H. and Klaver, M.H.A. (2003) ‘Critical Infrastructure Protection in The Netherlands: A Quick-scan’, in U.E. Gattiker, P. Pedersen and K. Petersen (eds) EICAR Conference Best Paper Proceedings 2003, Copenhagen: European Institute for Computer Anti-Virus Research. Lynch, M. (2006) ‘Al-Qaeda’s Constructivist Turn’, Praeger Security International, available on < http://psi.praeger.com/commentary/ commentary.aspx> (accessed 9 June 2006). McAlearney, A.S. (2001) ‘Cyberspace Braces For Escalation And War’, Information Security, 29 November. McCullagh, D. (2001) ‘Feds Say Fidel Is Hacker Threat’, Wired News, 9 February, available on <http://www.wired.com/news/politics/ 0,1283,41700,00.html> (accessed 12 June 2006). McGinty, S. (2005) ‘15 Years for Foiled Al-Qaeda Terrorist’, The Scotsman, 24 September. McKay, N. (1998) ‘Cyber Terror Arsenal Grows’, Wired News, 16 October, available on <http://www.wired.com/news/politics/ 0,1283,15643,00.html> (accessed 6 June 2006).
Bibliography
205
McLaughlin, S.W. (2003) ‘The Use of the Internet for Political Action by Non-state Dissident Actors in the Middle East’, First Monday, available on <http://www.firstmonday.org/issue8_11/mclaughlin/> (accessed 12 June, 2006). McQuail, D. (1994) Masscommunication Theory, London: Sage. McSweeney, B. (1996) ‘Identity and Security: Buzan and the Copenhagen School’ Review of International Studies, 22(1): 81–93. McWilliams, B. (2001) ‘Suspect Claims Al Qaeda Hacked Microsoft – Expert’, Newsbytes, 17 December, available on <http://www. newsbytes.com/news/01/173039.html> (accessed 9 June 2006). Madsen, W. (1998) ‘Teens a Threat, Pentagon Says’, Wired News, 2 June, available on <http://www.aec.at/infowar/NETSYMPOSIUM/ ARCHEN/msg00142.html> (accessed 9 June 2006). Mahnaimi, U. and Walker, T. (2005) ‘Al-Qaeda Woos Recruits with Nuclear Bomb Website’, Sunday Times, 11 May. Mandaville, P. (2001) ‘Reimagining Islam in Diaspora’, Gazette, 63(2–3). Manjoo, F. (2002) ‘The Case of the Missing Code’, Salon.Com, 17 July, available on <http://www.salon.com/tech/feature/2002/07/17/ steganography/index.html> (accessed 6 June 2006). Masera, M. and Wilikens, M. (2001) ‘Interdependencies with the Information Infrastructure: Dependability and Complexity Issues’, paper given at the 5th International Conference on Technology, Policy, and Innovation, Ispra, 26/29 June. Matthews, R. and Tredderick, J. (eds) (2001) Managing the Revolution in Military Affairs, London and Basingstoke: Palgrave Macmillan. Maynes, C. (1998) ‘The Middle East in the Twentieth-First Century’, The Middle East Journal, 52. Mearsheimer, J. (1995a) ‘The False Promise of International Institutions’, in M. Brown, S. Lynn-Jones and S. Miller (eds) The Perils of Anarchy: Contemporary Realism and International Security, Cambridge, MA: MIT Press. —— (1995b) ‘Back to the Future: Instability in Europe After the Cold War’, International Security, 19(2): 5–56. —— (2001) The Tragedy of Great Power Politics, New York: Norton. Meijer, R. (2005a) ‘Jihadi Opposition in Saudi Arabia’, ISIM Review, 15 (Spring). —— (2005b) ‘Review Essay – Taking the Islamist Movement Seriously: Social Movement Theory and the Islamist Movement’, IRSH, 50. Merelman, R.M. (ed.) (1993) Language, Symbolism, and Politics, Boulder, CO: Westview Press. Merry, U. (1995) Coping with Uncertainty: Insights from the New Sciences of Chaos, Self-organization, and Complexity, Westport, CT: Praeger. Metcalfe, B. (1995) ‘Metcalfe’s Law: A Network Becomes More Valuable as it Reaches More Users’, Infoworld, 2 October, 17.
206
Bibliography
Metz, S. and Johnson, D.V. (2001) Asymmetry and U.S. Military Strategy: Definition, Background, and Strategic Concepts, Carlisle, PA: Strategic Studies Institute. Michaels, M. (1995) ‘Seven Fundamentals of Complexity for Social Science Research’, in A. Albert (ed.) Chaos and Society: Frontiers in Artificial Intelligence and Applications, vol. 29, Amsterdam: IOS Press, 15–34. Middle East, The (2005) ‘Fujitsu Siemens Computers Appoints New Distributor for Multi$m Gulf Markets’, 41, May. Middleton, J. (2002) ‘9/11: Cyber Threats Fail to Emerge’, Personal Computer World, 13 September. Mihata, K. (1997) ‘The Persistence of ‘Emergence’, in R.A. Eve, S. Horsfall and M.E. Lee (eds) Chaos, Complexity, and Sociology: Myths, Models, and Theories, Thousand Oaks, CA: Sage Publications, 30–38. Milner, H. (1993) ‘The Assumption of Anarchy in International Relations Theory: A Critique’, in D. Baldwin (ed.) Neo-realism and Neoliberalism: The Contemporary Debate, New York: Columbia University Press. Milward, B. (2006) ‘Dark Networks as Organizational Problems’, presentation given at the Cambridge Colloquium on Complexity and Social Networks, 9 March. Minihan, K.A. (1998) ‘Prepared Statement before the Senate Governmental Affairs Committee’, Washington, DC, 24 June. Moore, C.H. (1997) ‘Promoting Democracy: USAID, at Sea or off to Cyberspace?’, Middle East Policy, 5(1): 178–89. Moore, G.E. (1965) ‘Cramming More Components onto Integrated Circuits’, Electronics, 38(8): 114–17. Moravcsik, A., (ed.) (1998) Centralization or Fragmentation? Europe Facing the Challenges of Deepening, Diversity, and Democracy, New York: Council on Foreign Relations. —— (ed.) (1999) The Choice for Europe: Social Purpose and State Power from Messina to Maastricht, London: UCL Press. Morgenthau, H.J. (1993) Politics Among Nations: The Struggle for Power and Peace, brief edn, revised by K. W. Thompson, New York: McGraw Hill. Mörth, U. (2000) ‘Competing Frames in the European Commission: The Case of the Defence Industry and Equipment Issue’, Journal of European Public Policy, 7: 173–89. Moteff, J.D. (2003) Critical Infrastructures: Background, Policy, and Implementation, Congressional Research Report for Congress, RL30153, 10 February, Washington, DC: Congressional Research Service. Moteff, J.D., Copeland, C. and Fischer, J. (2002) Critical Infrastructures: What Makes an Infrastructure Critical? Congressional Research Report for Congress, RL31556, 29 January, Washington, DC: Congressional Research Service.
Bibliography
207
Mowlana, H. (1997) Global Information and World Communication: New Frontiers in International Relations, London: Sage. Mueller, R.S. III (2002) A New FBI Focus. Statement for the Record of the Director, Federal Bureau of Investigation before the Senate Committee on the Judiciary, Washington, DC, 6 June. Müller, H. (2002) ‘Security Cooperation’, in W. Carlsnaes, T. Risse and B.A. Simmons (eds) Handbook of International Relations, London: Sage, 367–91. Musharbash, Y. (2005a) ‘What al-Qaida Really Wants’, Der Spiegel online, 12 August, available on <http://service.spiegel.de/cache/ international/0,1518,369448,00.html> (accessed 9 June 2006). —— (2005b) ‘Terror Television: Al Qaida Launches a Weekly News Show’, Der Spiegel online, 7 October, available on <http://service. spiegel.de/cache/international/0,1518,378633,00.html> (accessed 9 June 2006). Nadelmann, E. (1993) Cops Across Borders: The Internationalization of US Criminal Law Enforcement, University Park, PA: Pennsylvania State University Press. Nagle, L.E. (2000) ‘United States Mutual Assistance to Colombia: Vague Promises and Diminishing Returns’, Fordham International Law Journal, 23 (LJ 1235). National Academy of Sciences (1991) Computers at Risk: Safe Computing in the Information Age, Computer Science and Tele-communications Board, Washington, DC: National Academy Press. Neuman, W.R., McKnight, L. and Solomon, R.J. (1997) The Gordian Knot: Political Gridlock on the Information Highway, Cambridge, MA: The MIT Press. Newsweek (2002) ‘Islamic Cyberterror: Not a Matter of If But of When’, 20 May. Nichiporuk, B. and Builder, C.H. (1997) ‘Societal Implications’, in J. Arquilla, and D. Ronfeldt (eds) In Athena’s Camp: Preparing for Conflict in the Information Age, Santa Monica, CA: RAND, 295–314. NIPC (2001a) Daily Report, 9 September, National Infrastructure Protection Center. —— (2001b) ADVISORY 01-020 ‘Increased Cyber Awareness’, 14 September, National Infrastructure Protection Center. —— (2002a) Advisory 02-001 ‘Internet Content Advisory: Considering The Unintended Audience’, 17 January, National Infrastructure Protection Center. —— (2002b) ‘Terrorist Interest in Water Supply and SCADA Systems’, Information Bulletin 02-001, 30 January, National Infrastructure Protection Center. Non-state Dissident Actors in the Middle East’, First Monday, available on <http://www.firstmonday.org/issue8_11/mclaughlin/> (12 June, 2006). Nooteboom, B. (1999) Inter-Firm Alliances, London: Routledge.
208
Bibliography
Norris, P. (2001) Digital Divide: Civic Engagement, Information Poverty, and the Internet Worldwide, Cambridge: Cambridge University Press. Nye, J.S, Jr. (1990) ‘Soft Power’, Foreign Policy, 80: 153–71. —— (1998) ‘U.S. Security Policy: Challenges for the 21st Century’, USIA Electronic Journal, 3(3). —— (2002) The Paradox of American Power: Why the World’s Only Superpower Can’t Go It Alone, Oxford: Oxford University Press. —— (2003) Understanding International Conflicts: An Introduction to Theory and History, 4th edn, New York: Pearson and Addison Wesley. —— (2004a) Soft Power: The Means to Success in World Politics. New York: Public Affairs. —— (2004b) Power in the Global Information Age: From Realism to Globalization, London: Routledge. Nye, J.S., Jr. and Owens, W. (1996) ‘America’s Information Edge’, Foreign Affairs, 75(2): 20–36. O’Brien, K.A., Ligtvoet, A., Rathmell, A. and MacKenzie, D. (2003) Using Scenarios to Support Critical Infrastructure Analysis and Assessment Work, ACIP, Package 3, Deliverable D3.4. OCIPEP (2003) Threat Analysis, TBA03-001, 12 March, Office of Critical Infrastructure Protection and Emergency Preparedness, Government of Canada, available on 19 October 2006 at <http://ww3.psepcsppcc.gc.ca/opsprods/other/TA03-001_e.pdf>. O’Day, A. (ed.) (2004) Cyberterrorism, Aldershot: Ashgate. Office of the Undersecretary of Defense for Aquisition, Technology and Logistics (2001) Protecting the Homeland, Report of the Defense Science Board Task Force on Defensive Information Operations, 2000 Summer Study, vol. II, Washington, D.C. Onuf, N.G. (1989) World of Our Making: Rules and Rule in Social Theory and International Relations, Columbia, SC: University of South Carolina Press. Papp, D.S. and Alberts, D.S. (1997) ‘The Impacts of the Information Age on International Actors and the International System’, in D.S. Alberts and D.S. Papp (eds) The Information Age: An Anthology of Its Impacts and Consequences, Washington, DC: National Defense University. Papp, D.S., Alberts, D.S. and Tuyahov, A. (1997) ‘Historical Impacts of Information Technologies: An Overview’, in D.S. Alberts and D.S. Papp (eds) The Information Age: An Anthology of Its Impacts and Consequences, Washington, DC: National Defense University. Parker, C. and Stern, E.K. (2005) ‘Bolt From the Blue or Strategic Failure? Revisiting September 11 and the Origins of Strategic Surprise’, Foreign Policy Analysis, 1(3): 301–32. Parker, D.B. (1983), Fighting Computer Crime, New York: Charles Scribner’s Sons. Pasternak, B. and Visco, A. (1998) The Centerless Corporation, New York: Simon and Schuster.
Bibliography
209
Paul, D. (1999) ‘Sovereignty, Survival and the Westphalian Blind Alley in International Relations’, Review of International Studies, 25(2). Paz, R. (2005a) ‘The Impact of the War in Iraq on the Global Jihad’, in H. Fradkin, H. Haqqani and E. Brown (eds) Current Trends in Islamist Ideology, vol. 1, Washington, DC: Hudson Institute, 39–50. —— (2005b) ‘Rakan ben Williams: The Next Generation of Jihadists in Europe’, PRISM Occasional Papers, 3(8). PBS Online (2002) ‘Frontline Hackers’, available on <http://www.pbs.org /wgbh/pages/frontline/shows/hackers/whoare/notable.html> (accessed 25 July 2002). PCCIP (1997) Critical Foundations: Protecting America´s Infrastructures, Washington, DC: President’s Commission on Critical Infrastructure Protection. —— (2000) ‘Fact Sheet’, President’s Commission on Critical Infrastructure Protection, available on <http://www.info-sec.com/pccip/web/ backgrd.html> (accessed 20 June 2002). —— (2002) The National Strategy to Secure Cyberspace – For Comment, Draft, Washington, DC: The White House, The President’s Critical Infrastructure Protection Board, 18 September. Peirce, C.S. (1963) Collected Papers of Charles Sanders Peirce, vol. 5: Pragmatism and Pragmaticism, and vol. 6, Scientific Metaphysics, C. Hartshorne and P. Weiss (eds), Cambridge, MA, and London: The Belknap Press of Harvard University Press. Peled, A. (2000) ‘Debunking the Internet Myth: Technological Prophecies and Middle East Politics’, Middle East Quarterly, September, available on <www.meforum.org/pf.php?id=71> (accessed 12 June 2006). Perritt, H.H., Jr. (1998) ‘Symposium on the Internet and Legal Theory: The Internet is Changing International Law’, Chicago-Kent Law Review, 73(4). Perrow, C. (1984) Normal Accidents: Living with High-Risk Technologies, New York: Basic Books. Pfaltzgraff, R.L., Jr. and Shultz, R.H., Jr. (1997) ‘Future Actors in a Changing Security Environment’, in R.L. Pfaltzgraff Jr. and R.H. Shultz Jr. (eds) War in the Information Age: New Challenges for US Security Policy, Washington, DC, and London: Brassey’s. Philpott, D. (2001) ‘Usurping the Sovereignty of Sovereignty’, World Politics, 53: 297–324. Pisani, F. (2002) ‘How to fight the terror networks’, Le Monde diplomatique, June, available on < http://mondediplo.com/ 2002/06/02networks> (accessed 9 June 2006). Polikanov, D. (ed.) (2001) Information Challenges to National and International Security, Moscow: PIR Center. Pollitt, M.M. (1997) ‘Cyberterrorism: Fact or Fancy?’, Proceedings of the 20th National Information Systems Security Conference, 285–89. Porter, M. (1990) The Competitive Advantage of Nations, New York: Free Press.
210
Bibliography
Poulsen, K. (2001a) ‘Hack Attacks Called the New Cold War’, The Register, 23 March, available on <http://www.theregister.co.uk/ content/8/17820.html> (accessed 6 June 2006). —— (2001b) ‘Justice Department proposal classifies most computer crimes as acts of terrorism’, SecurityFocus, 23 September, available on <http://www.securityfocus.com/news/257> (accessed 9 June 2006). Prigogine, I. (1981) From Being to Becoming: Time and Complexity in the Physical Sciences, San Francisco, CA: W.H. Freeman & Co. ‘Pro-Qa’ida Website Publishes Book On “Ways For Serving Jihad” ’ (2003), Al-Sharq Al-Awsat, 14 August. Provos, N. and Honeyman, P. (2002) ‘Detecting Steganographic Content on the Internet’, paper presented at the Internet Society NDSS’02, San Diego, CA, available on <http://niels.xtdnet.nl/papers/ detecting.pdf> (accessed 18 March 2004). Puchala, D. and Hopkins R. (1983) ‘International Regimes: Lessons from Inductive Analysis’, in S. Krasner (ed.) International Regimes, Ithaca, NY: Cornell University Press, 61–91. Rathmell, D. (2001) Creating a Dependable Information Infrastructure in Europe, RAND report P-806. Raufer, X. (2003) ‘Al Qaeda: A Different Diagnosis’, Studies in Conflict & Terrorism, 26: 391–98. Rein, M. and Schön, D. (1993) ‘Reframing Policy Discourse’, in F. Fischer and J. Forester (eds) The Argumentative Turn in Policy Analysis and Planning, Oxford: Oxford University Press. Ridge, T. (2002) Remarks by Homeland Security Director Tom Ridge to the Electronics Industry Alliance, Grand Hyatt Hotel, 23 April, Washington, DC: White House, Office of the Press Secretary. Rinaldi, S., Peerenboom, J. and Kelly, T. (2001) ‘Identifying and Understanding Critical Infrastructure Interdependencies’, IEEE Control Systems Magazine, 11–25. Riptech (2002) Riptech Internet Security Threat Report Volume II, Alexandria: Symantec, July. Risse-Kappen, T. (1994) ‘Ideas Do Not Float Freely: Transnational Coalitions, Domestic Structures, and the End of the Cold War’, International Organization, 48: 185–214. —— (ed.) (1995) Bringing Transnational Relations Back In: Non-State Actors, Domestic Structures, and International Institutions, Cambridge: Cambridge University Press. Rochefort, D.A. and Cobb, R.W. (1994) ‘Problem Definition: An Emerging Perspective’, in D.A. Rochefort and R.W. Cobb (eds) The Politics of Problem Definition: Shaping the Policy Agenda, Lawrence, KS: University Press of Kansas. Rogan, H. (2006) JIHADISM ONLINE – A Study of How Al-Qaida and Radical Islamist Groups Use the Internet for Terrorist Purposes, FFI/Rapport-2006/00915, Kjeller: Norwegian Defence Research Establishment.
Bibliography
211
Rogers, E.M. (1962) Diffusion of Innovation, New York: The Free Press. Rohozinski, R. (2004) ‘ “Secret Agents” and “Undercover Brothers: The Hidden Information Revolution in the Arab World’, Papers presented at the Fifth Mediterranean Social and Political Research Meeting, Florence and Montecani Terme, Italy, 24–28 March. Ronfeldt, D. (2003) ‘Foreword: Netwar Observations’, in R.J. Bunker (ed.) Non-State Threats and Future Wars, London: Frank Cass. —— (2005) ‘Al Qaeda and Its Affiliates: A Global Tribe Waging Segmented Warfare?’, First Monday, 10(3). Rosecrance, R.N. (1999) The Rise of the Virtual State: Wealth and Power in the Coming Century, New York: Basic Books. Rosenau, J.N. (1990) Turbulence in World Politics: A Theory of Change and Continuity, Princeton, NJ: Princeton University Press. —— (1992) ‘Governance, Order and Change in World Politics’, in J.N. Rosenau and E.O. Czempiel (eds) Governance Without Government: Order and Change in World Politics, Cambridge, Cambridge University Press, 1–29. —— (1997) Along the Domestic-Foreign-Frontier: Exploring Governance in a Turbulent World, Cambridge: Cambridge University Press. —— (1998) ‘Global Affairs in an Epochal Transformation’, in R. Henry and C.E. Peartrice (eds) The Information Revolution and International Security, Washington, DC: Center for Strategic and International Studies, 31–57. Rosenau, J.N. and Singh, J.P. (eds) (2002) Information Technology and Global Politics: The Changing Scope of Power and Governance, Albany, NY: State University of New York Press. Rostamani, N. (2006) ‘The Arab World, Parasites and the E-Revolution’, Gulf News, 9 January, available on <http:// archive.gulfnews.com/ articles/05/12/06/10002838html> (accessed 12 June, 2006). Rotenberg, M. (2003) ‘Privacy and Secrecy After September 11’, in R. Latham (ed.) Bombs and Bandwith: The Emerging Relationship Between IT and Security, New York: The Free Press. Rothkopf, D. (1997) ‘In Praise of Cultural Imperialism’, Foreign Policy, Spring: 38–53. Rötzer, F. (2001) ‘Banges Warten auf den Cyberwar’, Telepolis, 1 May, available on <http://www.telepolis.de/deutsch/special/info/7513/ 1.html> (accessed 6 June 2006). Rowe, P. S. (2001) ‘Four Guys and a Fax Machine? Diasporas, New Information Technologies, and the Internationalization of Religion in Egypt’, Journal of Church and State, 43(1): 81–92. Roy, O. (1994) The Failure of Political Islam, London: I.B. Tauris. Ruggie, J.G. (1998) Constructing the World Polity: Essays on International Institutionalism, London: Routledge. —— (1993) ‘Territoriality and Beyond: Problematizing Modernity in International Relations’, International Organization, 47: 139–174.
212
Bibliography
Rumsfeld, D.H. (2001) Statement by the US Secretary of Defense at the NATO North Atlantic Council (NAC-D) NATO HQ, Brussels, 18 December. Russett, B. and Antholis, W. (1993) Grasping the Democratic Peace: Principles for a Post-Cold War World, Princeton, NJ: Princeton University Press. Saco, D. (1999) ‘Colonizing Cyberspace: National Security and the Internet’, in J. Weldes et al. (eds) Cultures of Insecurity: States, Communities, and the Production of Danger, Minneapolis, MN: University of Minnesota Press. Sageman, M. (2004) Understanding Terror Networks, Philadelphia, PA: University of Pennsylvania Press. —— (2005) ‘Understanding Jihadi Networks’, Strategic Insights, 4(4). Schmidt, B.C. (2002) ‘On the History and Historiography of International Relations’, in W. Carlsnæs, T. Risse and B.A. Simmons (eds) Handbook of International Relations, London: Sage, 3–22. Schneier, B. (2003) Beyond Fear: Thinking Sensibly About Security in an Uncertain World, New York: Copernicus Book. Schwartau, W. (1991) Terminal Compromise, Tampa, FL: Inter-Pact Press. —— (1994) Information Warfare. Cyberterrorism: Protecting Your Personal Security in the Electronic Age, 2nd edn, New York: Thundermouth Press. —— (1996) Information Warfare, New York: Thunder’s Mouth Press. —— (1997) ‘An Introduction to Information Warfare’, in R.L. Pfaltzgraff, Jr. and R.H. Shultz, Jr. (eds) War in the Information Age: New Challenges for US Security Policy, Washington, DC, and London: Brassey’s. —— (2002) Pearl Harbor Dot Com, Tampa, FL: Inter-Pact Press. Schwartz, J. (2001a) ‘Computer Network System At Risk For Terrorism’, USA Today, 13 September. —— (2001b) ‘Cyberspace Seen as Potential Battleground’, The New York Times, 23 November. —— (2002) ‘Year After 9/11: Cyperspace Door Is Still Ajar’, New York Times, 9 September. Sears, D.O. (1993) ‘Symbolic Politics: A Socio-Psychological Theory’, in S. Iyengar and W.J. McGuire (eds) Explorations in Political Psychology, Durham, NC: Duke University Press. Seffers, G.I. (2001) ‘Spacecom on alert for cyberattacks’, Federal Computer Week, 11 September, available on <http://www.fcw.com/ fcw/articles/2001/0910/web-cyber-09-11-01.asp> (accessed 9 June 2006). Slaughter, A-M. (1997) ‘The Real New World Order’, Foreign Affairs, 76 (September–October). —— (2000) ‘Building Global Democracy’, Chicago Journal of International Law, 1(233).
Bibliography
213
Slaughter, A-M., Tulumello, A.S. and Wood, S. (1998) ‘International Law And International Relations Theory: A New Generation Of Interdisciplinary Scholarship’, The American Journal of International Law, 92(367). Sloan, E.C. (2002) Revolution in Military Affairs, Montreal: McGillQueen’s University Press. Smith, G. (1998) ‘An Electronic Pearl Harbor? Not Likely’, Issues in Science and Technology, 15, available on <http://205.130.85.236/ issues/15.1/smith.htm> (accessed 12 June 2006). —— (2001) ‘Electronic Pearl Harbor’, Crypt Newsletters´s Guide to Tech Terminology, available on <http://sun.soci.niu.edu/~crypt/other/ harbor.htm> (accessed 18 March 2006). Snow, D.A. and Benford, R.D. (1992) ‘Master Frames and Cycles of Protest’, in A.D. Morris and C. McClurg Mueller (eds) Frontiers in Social Movement Theory, New Haven, CN, and London: Yale University Press, 133–55. Snyder, J. (1991) Myths of Empire, Ithaca, NY: Cornell University Press. Sofear, A.D. and Goodman, S.E. (2001) The Transnational Dimension of Cyber Crime and Terrorism, Stanford, CA: Hoover Institution Press. Spiegel, P. (2001) ‘FBI Warns on Web Terrorists’, Financial Times, 20 March. Stern, E. (1999) ‘The Case for Comprehensive Security’, in D. Deudney and R. Matthew (eds) Contested Grounds: Security and Conflict in the New Environmental Politics, Albany, NY: State University of New York Press. Stone, A. (2001) ‘Cyberspace is the Next Battlefield’, USA Today, 19 June. ‘Substitution for the Testimony of Khalid Sheikh Mohammed’ (2006) Defendant’s Exhibit 941 US v. Moussaoui Cr. No. 01-455-A. Sun, J-M. and Pelkmans, J. (1998) ‘Regulatory Competition in the Single Market’, in R. Baldwin, C. Scott and C. Hood (eds) A Reader on Regulation, Oxford: Oxford University Press. Sun Tzu (1963) The Art of War, translated by S.B. Griffith, Oxford: Oxford University Press. Sundelius, B. (1983) ‘Coping with Structural Security Threats’, in O. Höll (ed.) Small States in Europe and Dependence, Wien: Braumüller. ‘Swiss SIM Cards Slammed’, Intelligence Online, 21 March, available on <http://www.intelligenceonline.com/archives/p_som_archives.asp?num =449&year=2003&rub=archives> (accessed 10 June 2006). Tadros, M. (2005) ‘Arab Women, the Internet, and the Public Sphere’, paper presented at the Fifth Mediterranean Social and Political Research Meeting, Florence and Montecani Terme, Italy, 24–28 March. Tenet, G.J. (1997) ‘Remarks to The University of Oklahoma’, 12 September. —— (2002) Worldwide Threat – Converging Dangers in a Post 9/11 World. Testimony of the Director of Central Intelligence, before the Senate Armed Services Committee, Washington, DC, 19 March.
214
Bibliography
Tengelin, V. (1981) ‘The Vulnerability of the Computerised Society’, in H. Gassmann (ed.) Information, Computer and Communication Policies for the ‘80s, Amsterdam: North Holland Publishing Company. Thatcher, M. (2002) ‘Analyzing Regulatory Reform in Europe’, Journal of European Public Policy, 9(6): 859–72. Tiboni, F. (2001) ‘Virtually Vulnerable. Civilian Board Warns Pentagon of Gaps in Computer Security’, Defense News, 25 June. Trabelsi, H. (2002) ‘Al-Qaeda Wages Cyber War Against US’, Middle East Times, 27 June. —— (2005) ‘Al-Qaeda Takes Jihad to Media Four Years After 9/11’, Middle East online, 9 September, available on <http:// www.middleeast-online.com/english/?id=14500> (accessed 9 June 2006). TRC TWW Report (2006) 2nd edn, vol. 20, 19 May, Washington, DC: Terrorism Research Center. Trendle, G. (2002) ‘Digital Backlash to War?’, IT-Director, 12 September, available on <http://www.it-director.com/article.php?id=3191> (accessed 18 March 2006). Tritak, J.S. (1999) Statement before the Senate Judiciary Committee Subcommittee on Technology, Terrorism and Government Information, Director, Critical Infrastructure Assurance Office, Washington, DC, 6 October. Tuchman, G. (1978) Making News: A Study in the Construction of Reality, London: The Free Press. Tucker, J.B. (1991) ‘Partners and Rivals: A Model of International Collaboration in Advanced Technology’, International Organisation, 45(1): 83–120. Tuerkheimer, F. (2002) ‘Globalization of US Law Enforcement: Does the Constitution Come Along?’, Houston Law Review, 39: 307–73. Turner, B.A. and Pidgeon, N.F. (1997) Man-Made Disasters, Oxford: Butterworth-Heinemann. Turner, F. (1997) ‘Foreword’, in R.A. Eve, S. Horsfall and M.E. Lee (eds) Chaos, Complexity, and Sociology: Myths, Models, and Theories, Thousand Oaks, CA: Sage Publications, xi–xxvii. Tversky, A. and Kahneman, D. (1981) ‘The Framing of Decision and the Psychology of Choice’, Science 211: 453–58. Ulph, S. (2004) ‘Al-Qaeda’s Ideological Hemorrhage’, Terrorism Focus, 1(2). United Nations (2005) Global E-Government Readiness Report 2005. From E-Government to E-Inclusion, New York: United Nations. US Congress (2001a) Concurrent Resolution, Expressing the Sense of Congress Regarding Internet Security, and Cyberterrorism, H. CON. RES. 22, introduced in the House of Representatives; Sponsors: Jim Saxton and Saxby Chambliss, Washington, DC, 6 February.
Bibliography
215
—— (2001b) Uniting and Strengthening America By Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act) Public Law 107–56, Section 814, Washington, DC, 10 October. US Department of Defense (2001) Quadrennial Defense Review Report, Washington, DC: The Pentagon, 30 September. US Government (2001) Comments of the United States Government on the European Commission Communication on Combating Computer Crime, Brussels, December. US Senate, Select Committee on Intelligence (2001) ‘The Worldwide Threat in 2001’, Hearing, Washington, DC, 7 February. Valeri, L. (2000) ‘Securing Internet Society: Toward an International Regime for Information Assurance’, Studies in Conflict and Terrorism, 23(2): 129–46. Van Creveld, M. (1991) The Transformation of War, New York: Free Press. Van Walsum-Stachowicz, J. (1999) ‘Corporate Diplomacy and European Community Information Technology Policies: The Influence of Multinational and Interests Groups’, unpublished PhD dissertation, London School of Economics and Political Science. Verton, D. (2001) ‘FBI Issues Cyberthreat Advisory’, Computer World, 12 September. —— (2002a) ‘White House Cybersecurity Chief Defines Cyberthreat’, Computer World, 9 June. —— (2002b) ‘Feds Plan Cybersecurity Center’, Computer World, 2 September. Vesely, M. (2004) ‘www.irantopsites.com’, The Middle East, 25 November. Violent Jihad in the Netherlands: Current Trends in Islamist Terrorist Threats (2005) Netherlands Ministry of the Interior, The Hague, November. Visvesvaraya Prasad, R. (2000) ‘Hack the Hackers’, Hindustan Times, 19 December. —— (2001) ‘Generation Gap’, Hindustan Times, 24 December. Vlahos, M. (2002) Terror’s Mask: Insurgency Within Islam, Baltimore, MD: Johns Hopkins University, Applied Physics Laboratory. Vogler, J. (2000) The Global Commons: Environmental and Technological Governance, 2nd edn, Chichester: John Wiley and Sons. Volti, R. (1995) Society and Technological Change, 3rd edn, London: St. Martin’s Press. Wæver, O. (1995) ‘Securitization and Desecuritization’, in R.D. Lipshutz (ed.) On Security, New York: Columbia University Press. Wæver, O. et al. (1993) Identity, Migration and the New Security Agenda in Europe, New York: St. Martin’s Press. Waldrop, M.M. (1992) Complexity: The Emerging Science at the Edge of Order and Chaos, New York: Simon and Schuster.
216
Bibliography
—— (1998) ‘Is There an Information Revolution?’, in C.R. Henry, and E.C. Peartree, (eds) Information Revolution and International Security, Washington, DC: Center for Strategic and International Studies Press, 1–9. Walker, R.B.J. (1993) Inside/Outside: International Relations as Political Theory, Cambridge: Cambridge University Press. Walt, S. (1994) ‘The Renaissance of Security Studies’, International Studies Quarterly, 35(2): 211–39. Waltz, K. (1979) Theory of International Politics, New York: McGraw Hill. —— (2000) ‘Structural Realism After the Cold War’, International Security, 25(1): 5–41. Watson, D.L. (2002) ‘The Terrorist Threat Confronting the United States’, Statement for the Record of the Executive Assistant Director on Counterterrorism and Counterintelligence, Federal Bureau of Investigation, before the Senate Select Committee on Intelligence, Washington, DC, 6 February. WEF (2004) Network Readiness Index, The World Economic Forum, available on <http://www.weforum.org/pdf/Global_Competitiveness_ Reports/Reports/GITR_2004_2005/Networked_Readiness_Index_Rankin gs.pdf> (accessed 9 June 2006). Weimann, G. (2004) ‘Cyberterrorism: How Real is the Threat?’, Special Report 119 (December) Washington, DC: United States Government. —— (2006) Terror on the Internet: The New Arena, the New Challenge, Washington, DC: United States Institute of Peace. Wendt, A. (1992) ‘Anarchy Is What States Make of It: The Social Construction of Power Politics’, International Organization, 46(2): 391–425. —— (1999) Social Theory of International Politics, Cambridge: Cambridge University Press. ‘What Are Al Qaeda’s Capabilities?’ (2003) PBS, 24 April, available on <http://pbs.org/wgbh/pages/frontline/shows/cyberwar/vulnerable/alqa eda.html> (accessed 10 June 2006). White House, The (1998) Presidential Decision Directive/NSC-63, Critical Infrastructure Protection, Washington, DC, 22 May. —— (2001a) Review of Critical Infrastructure Protection and Cyber Security, Statement by the Press Secretary, Washington, DC, 9 May. —— (2001b) Fact Sheet on New Counter-Terrorism and CyberSpace Positions, Washington, DC: Office of the Press Secretary, 9 October. —— (2003) The National Strategy to Secure Cyberspace, Washington, DC. Wight, C. (2002) ‘Philosophy of Social Science and International Relations’, in W. Carlsnæs, T. Risse and B.A. Simmons (eds) Handbook of International Relations, London: Sage, 23–51.
Bibliography
217
Wight, M. (1994) International Theory: The Three Traditions, London: Leicester University Press for the Royal Institute of International Affairs. Wiktorowicz, Q. (2004a) Islamic Activism: A Social Movement Theory Approach, Bloomington, IN: Indiana University Press. —— (2004b) ‘Framing Jihad: Intramovement Framing Contests and alQaeda’s Struggle for Sacred Authority’, International Review of Social History, 49: 159–77. —— (2005) Radical Islam Rising: Muslim Extremism in the West, Oxford: Rowman & Littlefield. —— (2006) ‘Anatomy of the Salafi Movement’, Studies in Conflict & Terrorism, 29: 207–39. Williams, M.C. (2003) ‘Words, Images, Enemies: Securitization and International Politics’, International Studies Quarterly, 47(4): 511–31. Wilson, T.R. (2002) Global Threats and Challenges, Statement for the Record of the Director, Defense Intelligence Agency, before the Senate Armed Services Committee, Washington, DC, 19 March. Wiser, L.G., Jr. (2001) Cyber Security, Statement for the Record of the Chief, Training, Outreach, and Strategy Section, National Infrastructure Protection Center, Federal Bureau of Investigation, before the House Committee on Government Affairs, San Jose, CA, Field Hearing, 29 August. Wolfers, A. (1962) Discord and Collaboration: Essays on International Politics, Baltimore, MD: Johns Hopkins University Press. World Bank, The (2003) ‘The World Bank Development Report’, Washington, DC. Worth, R.F. (2005) ‘Insurgents Adopting Defence Tone’, New York Times, 13 March. Wright, L. (2001) Memorandum for the Chairman, Defense Science Board, Subject: Report of the Defense Science Board Task Force on Defensive Information Operations, Washington, DC, 3 January. Wright, S. (2000) ‘Political Control and the Internet’, in S. Hick, E. Halpin and E. Hoskins (eds) Human Rights and the Internet, New York: St. Martin’s Press, 200–10. Wright, V. (1994) ‘The New Role of the State in Telecommunications: An International Comparison’, West European Politics, 17(3). Wyn Jones, R. (1999) Security, Strategy, and Critical Theory, London: Lynne Rienner. Young, O. (1985) International Co-operation: Building Regimes for Natural Resources and The Environment, Ithaca, NY: Cornell University Press. Yourdon, E. (2002) Byte Wars – The Impact of September 11 on Information Technology, Upper Saddle River, NJ: Prentice Hall PTR.
218
Bibliography
Zacher, M.W. (1992) ‘The Decaying Pillars of the Westphalian Temple: Implications for International Order and Governance’, in J.N. Rosenau and E-O. Czempiel (eds) Governance Without Government: Order and Change in World Politics, Cambridge: Cambridge University Press, 58–101. Zagaris, B. (1998) ‘International Criminal Law’, The Wayne Law Review, 44: 1401. Zakaria, N., Stanton, J.M. and Sarkar-Barney, S.T.M. (2003) ‘Designing and Implementing Culturally-Sensitive IT Applications: The Interactions of Culture Values and Privacy Issues in the Middle East’, Information Technology & People, 16(1): 49–75. Zingerg, D. (2000) ‘Will the Internet Become a Crucial Tool in the Middle East Peace Struggle?’, 3rd edn. Boston Globe, 1 July.
Index
Note: Arabic names with the prefix al- have been indexed under the second element; e.g. al-Qaeda can be found under ‘Q’ Abd al-Nur 124–5 Abu Bakr Naji 43–4 Abu-Ghayth, Sulayman 42 Abu Musab al-Suri 37; International Islamic Resistance Call 42 Abu Zubayda 53 activism 8, 112, 121–2 actors: antagonistic 64; and complexity 101, 102, 103, 104; framing 62, 80; and international regimes 135, 136, 147; networks as 9; nonstate 2, 17, 64, 124–5, 141–2; securitizing 62; sovereignty-free 64; states as 123–4, 141, 152 Adamson, Fiona B. 55 Adler, E. 18 ADSL see Asymmetric Digital Subscriber Line Afghanistan 36, 39, 41, 42; counter-surveillance techniques 50, 51, 53 agenda-setting theory 62 Algeria 108, 111–12, 113, 130 All4Syria.com 125 Alterman, Jon 116 Alvarez, J.E. 169, 170 anarchy 11, 143–4, 145, 146 Anderson, Jon 115–16, 122
Ansar al-Mujahideen fi Bilad alHaramain (publication) 44 Anti-Terrorism Act (draft, USA 2001) 73 Arabian Peninsula 40, 42, 44 Armed Forces, US 67 Arquilla, John 17, 57 As-Sahab Foundation for Islamic Media Publication 44 Asharq Al-Awsat (newspaper) 116 Assili, Bassam 43 Asymmetric Digital Subscriber Line (ADSL) 138 asymmetry 9, 93 At-Tiby‰n Publications 41 Atran, Scott 46–7 Atta, Muhammad 38 Attrition.org 69 authoritarianism 126 avalanches (events) 99 al-Ayiri, Sheikh Yusuf Bin-Salih 42 Azzam, Abdallah 36–7 Bak, P. 99 Balkan conflict 36 banks, online 52, 155 Beck, Ulrich 27, 32 behaviour, non-linear 102 bifurcation point 99 bin al-Shib, Ramzi 38
220
Index
Bin Laden, Osama 35, 63, 70; methods of communication 38, 42, 44, 49, 65, 81; US focus on 73–4 blogs 13, 48–9, 120, 121 blueprinting 158, 162, 171 Boijinka, Operation 50 boundaries (of systems) 101, 102 Brachman, Jarret 32 Braithwaite, J. 161, 167 bread riots 130–1 Bretton Woods agreements 134 British Standard (BS) 7799 150–1 Brown, Tina 31 Burkhart, Grey E. 116–17 Bush, George W. (and administration): attitude before 9/11 65, 67–71, 78; and data protection 168; Iowa speech (2001) 70; post-9/11 change in focus 71–6, 78–9, 80, 176; post-2002 reversion 76–8, 79, 80 businesses: and confidentiality 156; cooperation among (strategic alliances) 148–51, 154–6; focus on integrity and availability 155–6; influence of multinational corporations 90, 141; interests in information assurance 154–7; relationships with states 141–2, 144, 146, 152; role in ICT development 178; and standards 150–1; see also industry Canada 165, 166 Carroll, Allan B. 63 CAS see Complex Adaptive Systems case studies, need for 182 Castells, Manuel 4 censorship 113, 125, 127, 128, 161 Central Intelligence Agency (CIA) 75 Centre for Islamic Studies and Research 41, 43 Cerf, Vint 175 Cerny, Philip G. 56
Cetina, Knorr 48 Chambliss, Saxby 65 change, nature of 91–2, 105 chaos theory 97–8, 100–1 chat rooms 13, 49, 51 China 21, 68, 69, 74, 123, 180 CI see critical infrastructures CIA see Central Intelligence Agency CII see critical information infrastructure CIP see critical infrastructure protection civil liberties 165 civil society: and forum shopping 170; growth of 162 CIWG see Critical Infrastructure Working Group Clark,Wesley 75 Clarke, Richard A. 73, 76–7, 78 Clausewitz, Karl Marie von 26–7 Clinton, Bill (and administration) 4, 63–7, 71, 73, 79, 80; farewell lecture 66 CNN 65, 74 CNO see Computer Networks Operations codes see cryptography; encryption Cold War: compared to ‘war on terrorism’ 79; distribution of power in Europe 145; end of 3, 6, 17, 63, 76, 94; policy of deterrence 69 communication: in the Arab world 117–18; Habermas’ view of 117; see also information and communications technologies; telecommunications Communication Service Providers 159 Complex Adaptive Systems (CAS) 100 complex interdependence 2–3, 14–15, 95–6, 100, 144, 181 complex systems 95–7, 98–100; self-organization and fluctuations 98–9 complexity studies 87, 97–105, 180–1, 182
Index computer games 20–1 Computer Networks Operations (CNO) 26 computers: distancing effect of 20–1; effects of development of 5–6; as ‘evil’ 5; Middle East access to 108; modelling 100; see also information and communications technologies computing, quantum 175 confidentiality 153–4, 156; see also privacy Conner, Bill 75 constructivism 14, 17–21, 22, 54, 55, 180, 181; and complexity 87, 102; and IT in the Middle East 108, 123–4, 125, 126; of al-Qaeda 32 Contemporary Security Studies (journal) 25 contraception 121 Convention on Cybercrime 164–5, 171, 179 Cook, David 47 cooperation: of businesses 148–51, 154–6; distinction from harmony and discord 143; of states 142–4, 145–8, 150, 163 Copenhagen School 19, 60, 62; see also securitization theory Copts 121–2 copyright see intellectual property corporations see businesses; industry; multinational corporations corruption 111–12 Council of Europe 158, 164–5, 168, 171, 179 counter-surveillance techniques 49–54 couriers 50 courts 161, 162 credit cards 52 crime: creation of safe havens for 161, 163; high-tech (international regulation of) 162, 163–4, 165; organized 4; see also cybercrime; law enforcement
221
critical information infrastructure (CII) 94, 177 critical infrastructure protection (CIP) 94, 95, 96, 99–100, 103, 177 Critical Infrastructure Working Group (CIWG) 64 critical infrastructures (CI) 93–4; and complexity 95–6, 99–100 criticality, self-organized 99 Crypt Newsletter 58 cryptography 161, 167, 172; see also encryption Cuba 67–8, 75, 77 cultural modes 116 ‘Cyber Awareness’ warning 72 cyberattacks 66, 175, 183; see also cyberwar; hacking; information warfare cybercrime: implications of term 20, 59; opportunities provided by Internet 6, 132; regulatory difficulties 158–62; regulatory strategies 162–71; see also crime cyberinvestigations 66 cybermobilisation 32 cyberspace: expansion of 175; origins of term 4; see also Internet cyberterrorism: Clinton administration’s focus on 63–7; deprioritized by US after 2002 76–8; post-9/11 focus on 71–6, 78–9; US legislation against 73; see also al-Qaeda cyberthreats: compared to weapons of mass destruction 58, 66; conception of 6–9, 16–17; current decreasing concern with 176–7; differences in assessment of 58–9; difficulties of recognising 61–2; difficulty of predicting 62; increasing concern with in 1990s 57–8; as intelligence problem 173–4; linked with dependence on ICTs 93; requirements for direct physical effects 174–6; states as 7,
222
Index
67–71, 76–8; and US security policy 57–82; see also cyberterrorism; cyberwar cybertraining 53–4 cyberumma 36 cyberwar 21, 57; between China and US 69; Bush administration’s focus on 67–71, 76–8, 79; triggered by focusing event 69; see also information warfare dams, threats to 54 data protection 167–8 data retention 167–9, 171–2 dead drops 51 deculturalization 46 Deek, Khalil 50 Defense Intelligence Agency 75 Defense Science Board: 2001 report 68 Deibert, R. J. 55 denial-of-service attacks 183 Denning, Dorothy E. 8, 74, 78 Department of Homeland Security, US 16, 52 Der Derian, J. 20 deterrence, policy of 69 Deudney, D. 146 Deutch, John 58 Dhurwat al-Sanam (online magazine) 44 Dick, Ronald 66 diffusion: of IT 118–19, 120; policy 158 ‘Digital Pearl Harbor’ (exercise) 76 discord 143 Drahos, P. 161, 167 Drezner, D.W. 169–70 Dubai 128 Dunning, J. 152 dynamical systems theory 98 eBay.com 52, 53 Eberhardt, General 69 e-books 43 economics 14, 89–90, 113, 119 Edelman, Murray 21 education 113–14, 121, 129–30 e-government 111–12
Egypt 113, 120, 121–2, 128, 130 electricity supplies 54 ‘electronic Pearl Harbor’ (scenario) 8, 21, 58, 67, 72, 79, 80, 173, 183 electronic populism 112 e-mail 50, 51, 52, 53, 125 emergence, concept of 100 encryption 49–52, 53, 65–6, 79, 81–2; see also cryptography Encyclopedia of Jihad 50, 52 Entrust Inc. 75 epistemic communities 161, 162 Eriksson, J. 20 Essoulami, Said 117–18 European Union 179; and data retention 168, 169, 171–2; and forum shopping 169–70, 171; see also Council of Europe Everard, J. 20 explosive devices: coded instructions 50, 52 fatwas 40, 41 faxes 50 FBI see Federal Bureau of Investigation FCW see Federal Computer Week fear 61 fear-mongering 58, 74, 183 Federal Bureau of Investigation (FBI) 52, 54, 64, 66, 75; see also National Infrastructure Protection Center Federal Computer Week (FCW) 72 Federation of American Scientists 82 financial institutions, online 52, 155 al-Firdaws (website) 43, 52 forensics tools 66 Forrester, J.W. 96 forum shopping 158, 162, 169–71 ‘fragmegration’ 91 frame resonance 48 framing 20, 59–63, 74, 80, 176, 181; contextual conditions 62–3, 80; frame characteristics 61–2, 80; framing actors 62, 80
Index freedom of information policies 161 Friedman, Thomas 32 Gansler, Jacques 63 Gartner Group 8, 76 gas supplies 54 GDP see gross domestic product G8 see Group of Eight Gershwin, Lawrence K. 70 Gibson, William 4 Global Information Grid 68 globalization 162; of criminal law 170; and empowerment of terrorists 32, 38, 56; and IT in the Middle East 113, 123, 126; of jihad 54; and liberalism 16–17, 22; and Muslim networking 36 ‘glocalization’ 91 Goldeneye (film) 57 Goldstein, J. 166, 167 Gompert, David 59 Google 180 gross domestic product (GDP) 119 Gross Stein, J. 55 Group of Eight (G8) 158, 163–4, 165, 168, 171 Haas, E.B. and Haas, P. 182 Habermas, Jürgen 117 hacking: and confidentiality 153–4; difficulty of detecting 61; difficulty of regulating 159, 160, 164; as faceless threat 94; ‘hacktivists’ 8, 112; increasing ease of 77; influence on development of IT 112; by juveniles 63, 69; penalties for 73; al-Qaeda and 53–4; seen as non-lethal 79; states and 21, 69; ‘Solar Sunrise’ incident 26; surveillance of 66 Haggard, S. 133 hajj 36 Hall, E.T. 116 Hammond, T.H. 62 Hamre, John 8 hardware companies 155 harmonization 171
223
harmony 143 Haufler, V. 141 Haverford College 121 Al-Hayat (newspaper) 116 Hegghammer, Thomas 40 al-Hesbah (website) 49 Hoffman, Bruce 53 Holsti, K.J. 91 Honeywell 136 Hopkins, R. 133 human rights 113, 124–5, 159, 161 human security 10 Huntington, Samuel 119 Hussein, Fouad 34, 36 Ibis Reproductive Health 121 ICAO see International Civil Aviation Organization ICTs see information and communications technologies Idarat al-Tawahhush (Abu Bakr Naji) 43–4 idealism 14, 15 identity warfare 20 idiot-codes 50 IGOs see intergovernmental organizations Ikenberry, G. J. 146, 166 India 21, 74, 154 individual 90, 116 Indonesia 54 industrialization 115–16 industry 161, 162, 165, 167; see also businesses information age: use of term 88 information assurance see international regime for information assurance information and communications technologies (ICTs) 1, 88; dependence on 93, 96, 175, 178; as power source 89, 90; from quantitative change to qualitative consequences 91–2; see also computers; information revolution; Internet information infrastructure 86, 94, 95–6 Information Operations (IO) 25–6
224
Index
information revolution 2, 4–5, 87–9, 90, 92–3, 94, 95, 105; impact on security 173–9 information society: origins of term 4; past research into 4–6 information warfare (IW) 12, 20, 21, 22, 178; implications of term 59; renamed by US and NATO 25–6; and rogue states 68; see also cyberwar infowar.com 57 InfraGuard program 72 infrastructure 64–5; see also critical information infrastructure; critical infrastructure protection; critical infrastructures; information infrastructure institutions: international 166, 167; limitations 62; Young’s theory of 135–6; see also international organizations; neo-liberal institutionalism intellectual property 164, 167 intelligence 39, 173–4 intercultural communication model 116 interdependence, complex 2–3, 14–15, 95–6, 100, 144, 181 intergovernmental organizations (IGOs) 90, 161, 162, 166, 169, 171 International Accounting Standards 150 International Civil Aviation Organization (ICAO) 169 international organizations 133, 134, 163–5, 167; see also intergovernmental organizations; nongovernmental organizations international regime for information assurance 132, 133–7, 140, 141–2; and anarchy of the international system 143–4, 145, 146; business interests in 154–7; consensus definition (comprising principles, norms, rules, decision making
processes) 133, 134–5, 136–7, 140–1, 148, 153; dead letter regimes 134; distinguished from international organizations 133, 134; inter-state cooperation 142–4, 145–8, 150, 163; main players 141–2; neo-liberal institutionalist approach 147–8, 151; neo-realist approach 145–6; states’ interests in 141–2, 152–4; tacit regimes 134; see also regulation, international international relations theory (IR) 2–3, 4, 11–23; application to digital-age security 86–7, 105, 179–82; and complexity 96–7; and critical infrastructure protection 85–105; fitting alQaeda into 54–6; and nature of change 91–2; and policy diffusion approach 158; pragmatic approach to 22–3; problem of dualism in 22, 23; relevance to IT in the Middle East 108, 122–7; security studies as branch of 9–11; and universalism 92; see also constructivism; liberalism; realism Internet: and academic cooperation 121; anarchical nature 144, 146; as arena for symbolic politics 21; and breaking of taboos 120–1; and concept of an international regime for information assurance (including OCI model) 137–42, 151; dynamism of 136, 146, 151; effect of inter-state cooperation 148; enables challenges to US and corporate dominance 136; and encryption 49–52; and fundraising 52; future development 175; growth 1; and interbusiness cooperation 154–5; jihadi websites and publications 39–45; languages 41; malicious activities and systems outages
Index 132, 140, 153–4, 155; in Middle East 117, 119–22, 124–5, 126–8, 130; and need to overcome state-centrism 141–2; new communications techniques 52-3; nomadic approach to 42; openness 6; and operations planning 53; alQaeda’s use of 31–2, 40–54; and radicalization 45–8; and recruitment 48–9; role of state 152, 153; semi-anonymity of 46–7; website defacing 8, 21, 73, 82 Internet cafés 51, 53, 121 Internet Security Policy Forum 69 internet service providers (ISPs) 127, 139 IO see Information Operations IR see international relations theory Iran 42, 77, 121, 125, 126 Iraq: as focus for jihad 34, 44; IT in 109; propaganda videos 39, 48, 53 Islam: websites promoting 126 Islamist movements 126, 127, 130 ISPs see internet service providers Israel 21, 35, 109, 111 Issues in Science and Technology 58 IW see information warfare al-Jazeera 44 jihad, Salafist: and the Internet 31–2, 39–45, 54, 127; networks 33; radicalization and recruitment 45–9; women and 41; see also al-Qaeda Joint Task Force-Computer Network Defense (JTF-CND) 72 Jordan 35, 43, 50, 120, 130 Jordan, Tim 112 July 7th bombings (2005) 44 Kahn, Robert 175 Keohane, Robert O. 2–3, 14–15, 55, 90, 134–5, 141, 144
225
Khalid Sheikh Mohammad 35, 37, 38, 51 Khan, Mohammed Naeem Noor 50 Khan, Muhammad Siddique 44 al-Khansa (online publication) 41 khutbas 40 King Abdul Aziz City of Science and Technology 127 Krasner, Stephen 133, 134, 135–6 ‘laundry lists’ 50 law enforcement 159–62, 164, 165, 167, 168, 170 Leheney, David 56 Lia, Brynjar 37, 42, 45 liberalism 12–17, 19, 22, 108, 123, 180; see also neo-liberal institutionalism libraries, public 53 lobbying 159, 161 London bombings (2005) 44 LophtCrack 53 Lynch, Marc 32, 55 Lyon Group on Transnational Organised Crime 165 McLaughlin, S.W. 119, 120 ‘malware’ technologies 78 Managing Savagery see Idarat alTawahhush Mandaville, Peter 47 manuals 52 Massachusetts Institute of Technology (MIT) 137 Mauritania 113, 129 Mawsu’at al-jihad see Encyclopedia of Jihad Mearsheimer, J. 11, 145 media: fear-mongering by 74; as framing agents 63, 65, 80; mass 57; in Middle East 116, 117–18; resistance to data retention 167; see also press Metcalfe’s Law 95 Microsoft 74, 136 Middle East (IT and security in) 106–131, 180; applicability of IT 115–18, 129; diffusion as measure of change 118–19;
226
Index
economics 113; empirical research and theory 114–22; impact as measure of change 119–22; importance of multidisciplinary studies 129; IR theories and 122–7; need to focus on end-users 129–30; penetration of IT 109–14; political elites 113; production as measure of change 122; slow evolution of IT theory 106–8; universities 113–14; see also jihad, Salafist; al-Qaeda Milan 52 military sphere: confidentiality problem 153; and information warfare 20, 178; power 89; relationship with civil sphere 15, 16; strategy 10, 12 Millennium (journal) 25 Milner, H. 143–4 MIT see Massachusetts Institute of Technology mi2g Digital Solutions Engineering 82 MNCs see multinational corporations mobile phones 51, 52, 108, 139 modelling 100 modernization 14, 118–19 Moore’s Law 95 Morocco 41, 113, 121 Morpheus 52 Movement for Islamic Reform 120 Mowlana, Hamid 4 Muaskar al-Battar (website) 41–2, 44 Mujahideen 41, 44, 45, 46, 49, 53 multilateralism 163 multinational corporations (MNCs) 90, 141; see also businesses; industry Muslim Brotherhood 120 NASA Jet Propulsion Laboratory 175 National Academy of Sciences 57, 58
National Infrastructure Protection Center (NIPC) 63, 64, 66, 69, 71, 72 National Infrastructure Simulation and Analysis Center (NISAC) 99 National Intelligence Council 57 National Plan for Information Systems Protection (2000) 64 National Research Council 7 National Security Council (NSC) 67, 73 National Strategy to Secure Cyberspace 16, 78 NATO see North Atlantic Treaty Organization Naval War College, US 8, 76 al-Neda (website) 41, 42 neo-liberal institutionalism 142–3, 144–5, 146, 147–8, 150, 151, 152, 156–7 neo-realism 2, 3, 11, 22, 142, 144–6, 147, 152 Netforce (Clancy & Pieczenik) 57 Netherlands 37–8, 45, 46; Hofstad network 47 networks 9, 33, 36; externalities 139–41; social 52 Newsbytes 74 Newsweek 74 NGOs see nongovernmental organizations Nimda virus 78, 80–1 9/11 see September 11th attacks NIPC see National Infrastructure Protection Center NISAC see National Infrastructure Simulation and Analysis Center nongovernmental organizations (NGOs) 17, 79, 90, 103, 167, 179 North Atlantic Treaty Organization (NATO) 70, 75, 145, 161 NSC see National Security Council nuclear safety 54, 62–3 Nye, Joseph 2–3, 14–15, 55, 90, 141, 144
Index
227
OCI see Open Communication Infrastructure OECD see Organization for Economic Cooperation and Development Office for Cyber Security 76 Office of Cyberdefense 73 Office of Population Research 121 offline-online interaction 180 oil: as target 43 Oklahoma City bombing (1995) 63, 64 Older, Susan 116–17 Open Communication Infrastructure (OCI) model 137–41, 142, 151 order, nature of 98–9 organization, nature of 98–9 Organization for Economic Cooperation and Development (OECD) 167, 172 Organization for Security and Cooperation in Europe 14 Orkut 52
power: changing nature of 89–90; and the Internet 146; redistribution of 90–2; soft/hard 15, 16, 55 pragmatism 22–3 Presidential Decision Directive NSC-63 64 President’s Commission on Critical Infrastructure Protection (PCCIP) 64, 78 press: Arab 116, 117–18, 120; see also media; USA Today Princeton University 121 privacy 165, 179; see also confidentiality; data retention process tracing 181 producers 122 P2P networking 52 psychological warfare 12 public–private partnership 15, 16, 132–57; see also international regime for information assurance Puchala, D. 133
Pakistan 21, 42, 43, 53, 54 PalTalk 52 pandemics 61 Paul, D. 152 PCCIP see President’s Commission on Critical Infrastructure Protection Peled, Alon 117 photocopies 116 Pisani, Francis 32 policy entrepreneurs 62 policy laundering 158, 162, 166–9, 171 policy making 62, 103, 176–7 policy studies 158, 162 politics: bureaucratic 62, 178; panic 67; of protection 176, 177–8; symbolic 21; of threats 176 pornography: coded information in 52, 65, 81; difficulty of regulating 159, 160, 164 positive network externalities 139–41 postmodernism 14, 18, 104
al-Qaeda 31–56, 114; countersurveillance techniques and use of encryption 49–52, 53, 65–6; doctrinal and military instructions 41–5; fund-raising 52; grand strategy 34–7; hacking abilities 53–4; and the Internet 31–2, 40–54; operating system 37–40; radicalization and recruitment 45–9; relevance of IR to 54–6; remote operations planning 53–4; surveillance and reconnaissance by 53–4; uncertainty over the nature of 32–4; US fear of after 9/11 74; use of new communication methods 52–3; youth training 41–2 al-Qa’ida fi Jazirat al-‘Arabiyya 40–1 Al-Qaidah University for jihad sciences 52 Quadrennial Defense Review (2006) 54 quantitative/qualitative link 91–2
228
Index
Al-Quds Al-Arabi 116 al-Qurashi, Ubeid 37 radicalization 45–9 radio 5, 25 rationalism 17 realism 11–12, 13–14, 17, 19, 22; and IT in the Middle East 108, 123, 125, 126–7, 128, 130, 180; in political science 89; see also neo-realism reality 103; material/social 18–19 recruitment 48–9 regulation, international 158–72, 179; competition 163; difficulties of 158–62; strategies 162–71; see also blueprinting; forum shopping; international regime for information assurance; policy laundering Reno, Janet 64 research, past 3–11; information society literature 4–6; literature on digital-age security 6–9; security studies 9–11 Revolution in Military Affairs (RMA) 6 Rhodes, Keith 70–1 ribat 36 Rice, Condoleezza 69, 79 Ridge, Tom 7, 16 Riptech Internet Security Threat Report (2002) 77 rituals 181 Riyadh attacks (2003) 42 RMA see Revolution in Military Affairs Rohozinski, Rafal 121 Ronfeldt, David 17, 33, 38 Rosenau, James N. 13, 64 Roszak, Theorode 112 Rove, Andrew 50 Rowe, Paul S. 121–2 Roy, Oliver 47 Rumsfeld, Donald 70, 75, 79 Russia 177–8, 179 Sageman, Marc 33 satellite phones 49, 51
satellite technology 116, 138, 139, 175 Saudi Arabia: IT and Internet in 110, 120, 126, 127; press 116; and al-Qaeda 41, 42, 43, 44, 53, 54; Riyadh attacks (2003) 42 Sawt al-Jihad (website) 40–1, 43, 44 Sawt al-Khilafah (web-cast) 45 Saxton, Jim 65 scenario building 183 Schneck, Phyllis 72 Schwartau, Winn 57 search engine companies 155 ‘securing’: distinguished from ‘security’ 87 securitization theory 19–20, 60, 61, 62, 179; applicability to US policy 66–7, 68–71, 72, 75–6, 79–80 security, definitions of 85–7 security studies 9–11; future requirements 182–3; traditionalists 9–10; wideners 10 self-organization 98–9 Senate Select Committee on Intelligence 67–8 ‘sensitive classified’ information 75 September 11th attacks (2001): and coded communications 38; commission report 53; effect on international system 55; effect on UK policy 168; effect on US policy 71–6, 80; as ghazwah (sacred raid) 34; initial purpose of 35; subsequent proliferation of jihadi websites 39, 54, 127; testimonies of hijackers 44 Shannon, Claude Elwood 97 shell game techniques 51 SIM cards 51 Simmons, B.A. 133 skill revolution 90 Skype 52 Smith, George 58 social movement theory (SMT) 47–8, 56
Index social sciences 100, 126, 129, 180–1, 182 software: companies 154, 155; social 52 Solar Sunrise 26 South Africa 124 sovereignty: limitations as a concept 152; states’ loss of 4, 9, 13, 64, 103–4 Space Command, US 69, 72 speech acts 19 standards 150–1, 161 state-centrism 141–2, 144 states: cooperation among 142–4, 145–8, 150, 163; as cyberthreat 7, 67–71, 76–8; effect of information revolution 4–5; egoism of 144; identity threatened 20; interests in information assurance 152–4; and international regulatory strategies 162–71; and law enforcement 158–62; loss of power 90–1; loss of sovereignty 4, 9, 13, 103–4; Middle East 123–4, 125, 126–8; problems of definition 152; rationality of 144; relationships with businesses 141–2, 144, 146; rogue 63, 67, 70, 77, 81; security role threatened 1–2; see also cyberwar steganography 65–6 strategic alliances 148–51, 155 Sudan 77 Sun Tzu 12 surveillance: policies 161; by alQaeda 53–4; by USA 66; see also counter-surveillance Sweden 20, 177, 183 symbols 21, 181 Syria 35, 109, 124–5, 129 system administrators 182–3 tax collection, online 154 Taylor, Paul 112 technology: advances in 138–9, 174–5; emphasis on (for solutions) 177
229
telecommunications: and international cooperation 146, 149, 153; and Internet access 138–9; military use 16; mobile phones 51, 52, 108, 139; alQaeda and 49, 50, 51, 52–3, 54 television 5, 25; cable 138; satellite 116, 138 Tenet, George J. 58, 75 Tengelin Report 5 terrorism see cyberterrorism; alQaeda theory of everything, search for 184 threat see cyberthreats; framing tourism 43 trade 16, 161, 162 transnationalization 13, 16, 64, 123–4, 158–60, 181 treaties, international 161, 162–3, 169 Trompenaar, Fons 116 Tunisia 127, 130–1 United Arab Emirates 109, 111, 128, 129 United Kingdom: and policy laundering and data retention 167–9 United Nations 10, 14, 169; Development Program Report 114; Global E-Government Readiness Report 111; Security Council 161, 170 United States of America 57–82, 178; and asymmetrical vulnerability 93; and data protection 168, 169; dominance challenged 136; and forum shopping 169–71; and hacker attacks 21; influence of Silicon Valley model 131; and information assurance 177, 179; and international treaties 161; as observer at Council of Europe 165; and policy laundering 166, 167; and public–private partnership 16; strategic alliances of businesses
230
Index
in 149; and telecommuications 146; universities 114; ‘war on terrorism’ 16, 72, 73, 75, 79, 178; see also Bush, George W.; Clinton, Bill; September 11th attacks universalism 92 universities: Middle East 113–14, 129; USA 114 Unix Security Guards 82 USA Patriot Act (2001) 73 USA Today 65, 70, 72, 116 Vesely, M. 120–1 videos 44–5, 116; games 53; news programmes 45; training 50 Violent Jihad in the Netherlands 37–8, 45, 46 virtual cells 53 viruses, computer 77, 78, 79, 80–1, 82 Visvesvaraya Prasad, Ravi 74 Vogler, J. 135, 141 vulnerabilities 78, 92, 94, 178, 179; asymmetrical 93 Wadih El Hage 50 al-wala’ wa’l-bara (doctrine) 48 Waltz, Kenneth 2, 11, 97 ‘war on terrorism’ 16, 72, 73, 75, 79, 178 Washington Times 75 water supplies 54 ‘weapons of mass disruption’ 58 Weaver, Warren 97 web-casts 45
weblogs see blogs websites: attacks on 183; defacing 8, 21, 73, 82; jihadi 39–45; see also Internet West Virginia Information Assurance and Computer Security Alliance 73 Wi-Fi 139 Wight, M. 143 Wiktorowicz, Quintan 47–8, 56 Wilson, Thomas R. 67–8, 75 Windows XP 74 Wiser, Leslie G. 71 Wolfers, Arnold 2 women: constructivist focus on 126; and the Internet 120–1; and jihad 41, 47 Women’s Media Bureau 41 World Bank 119–20, 129, 164 World Trade Center: 1993 attack 64; see also September 11th attacks Wright, V. 153 Yahoo 180 Year 2000 (‘Y2K’) bug 7, 19 Yemen 41, 43, 109, 113 Young, O. 135–6 Yousef, Ramzi 49–50 YOUSSENTIIT.com 52 youth: radicalization 41–2, 43, 45–6, 47 Zagaris, B. 164 Zakaria, Norhayati 116 al-Zawahiri, Ayman 44, 50, 54