JITP4-1 Cyber Terror Cavelty

Cyber-Terror–Looming Threat or Phantom Menace?

The Framing of the US Cyber-Threat Debate

Myriam Dunn Cavelty

ABSTRACT. For some years, experts and government officials have warned of cyber-terrorismas a looming threat to national security. However, if we define cyber-terror as an attack or series ofattacks that is carried out by terrorists, that instills fear by effects that are destructive or disruptive,and that has a political, religious, or ideological motivation, then none of the disruptive cyber-inci-dents of the last years qualify as examples of cyber-terrorism. So why has this fear been so persis-tent? Instead of trying to answer how long cyber-terror is likely to remain a fictional scenario, thispaper analyzes the US cyber-terror discourse from a constructivist security studies angle: It looksat how cyber-threats in general, and cyber-terror in particular are framed, and speculates oncharacteristics that are responsible for the rapid and considerable political impact of the widespreadconceptualization of aspects of information technology as a security problem in the 1990s.doi:10.1300/J516v04n01_03 [Article copies available for a fee from The Haworth Document Delivery Service:1-800-HAWORTH. E-mail address: <[email protected]> Website: <http://www.HaworthPress.com> © 2007 by The Haworth Press. All rights reserved.]

KEYWORDS. Cyber-terrorism, security studies, threat framing, information infrastructure

INTRODUCTION1

The link between terrorism and computertechnology has been a theme in the US nationalsecurity literature for more than a decade. Asearly as 1991, a report on computer security de-clared: “We are at risk. Increasingly, Americadepends on computers. . . . Tomorrow’s terror-

ist may be able to do more damage with a key-board thanwith a bomb”(NationalAcademyofSciences, 1991, p. 7). Subsequent years saw thegradual refinement of the threat image and anincreasing amount of grim warnings, with the1995 Oklahoma City bombing and the politicalactivity in its aftermath marking the beginningof the firm establishment of a cyber-terror con-

Myriam Dunn Cavelty, PhD, is Head of the New Risks Research Unit, Center for Security Studies (CSS), ETHZurich, Switzerland; Coordinator of the Crisis and Risk Network (CRN), a Swiss-Swedish Internet and workshopinitiative for international dialog on national-level security risks and vulnerabilities; and Lecturer at the Universityof Zurich and the Swiss Federal Institute of Technology. Dr. Dunn Cavelty holds a degree in political science, mod-ern history, and international law from the University of Zurich.

Address correspondence to: Myriam Dunn Cavelty, Center for Security Studies (CSS), ETH Zurich, WEC,Weinbergstrasse 11, CH-8092 Zurich, Switzerland (E-mail: [email protected]).

This paper has won the “Millennium Award 2006 for an Outstanding Research Paper by a Younger Scholar”from the Comparative Interdisciplinary Studies Section of the International Studies Association. The author wouldlike to thank seven anonymous reviewers for their insightful comments and suggestions for improvements.

Journal of Information Technology & Politics, Vol. 4(1) 2007Available online at http://jitp.haworthpress.com

© 2007 by The Haworth Press. All rights reserved.doi:10.1300/J516v04n01_03 19

cept that was closely linked to the critical infra-structure protection (CIP) debate on thenational security agenda.

While governments and the media repeat-edly distribute information about cyber-threats, real cyber-attacks resulting in deathsand injuries remain largely the stuff of Holly-wood movies or conspiracy theory. In fact,menacing scenarios of major disruptive occur-rences in the cyber-domain, triggered by mali-cious actors, have remained just that–scenarios. Nonetheless, for the US government(and to a lesser degree other governmentsaround the world), the decision has been farmore straightforward: it considers the threat tonational security to be real, has extensivelystudied various aspects of cyber-threats, andspends considerable sums on a variety of coun-termeasures (Abele-Wigert & Dunn, 2006).This observation raises interesting questionsfrom a security studies perspective: Why andhow is a threat that has little or no relation toreal-world occurrences included on the secu-rity political agenda? Are there specificcharacteristics thatmakeitparticularly likely tobe there?

Due to its vague nature, cyber-terrorism is aplayfieldforverydifferentanddiversecommu-nities, concerned with topics such as freedomof speech and Internet censorship (Gladman,1998; Weimann, 2004a); cyber crime in con-nection with terrorism (Sofaer & Goodman,2000); or information warfare and sub-stategroups (Devost, Houghton, & Pollard, 1997;Rathmell, Overill, Valeri, & Gearson, 1997).This article will focus on cyber-threats andcyber-terror broadly framed as a national secu-rity issue. Previous research on the topic hasgenerally been highly specific and policy-ori-ented (Alberts & Papp, 1997; Arquilla &Ronfeldt, 1996) and has often uncriticallyadopted arguments on the nature and scale ofcyber-terrorism from official statements orpieces of media coverage.2 This is epitomizedin the tendency of many authors to hype the is-sue with rhetorical dramatization and alarmistwarnings (cf. Arquilla, 1998; Schwartau,1994).Ontheotherhand, theconsiderablehypehas brought forth a counter-movement of morecautious voices that are deliberately more spe-cific in their estimates of the threat (cf. Lewis,2002; Wilson, 2003). The key question on

which these two groups differ is whether or towhat degree there is a credible or likely connec-tion between terrorism and cyber-terrorism be-yond the suspected vulnerability of criticalinfrastructures (cf. Nicander & Ranstorp, 2004,p. 15) and consequently, at what point in futuretime such an attack might occur. While it isundisputed in both communities that cyber-at-tacks and cyber-incidents cause major incon-veniences and have cost billions of US dollarsin lost intellectual property, maintenance andrepair, lost revenue, and increased security inthe last couple of years (Cashell, Jackson,Jickling, & Webel, 2004), these two groups dif-fer considerably in their assessment of the fu-ture point in time at which such an attack mightoccur, and some even doubt whether there trulyisanationalsecurity threat linkedto theInternetand the information infrastructure.

The main reason for this controversy is thatcyber-threats have not materialized as a na-tional security threat, even granted that therehave been some few incidents with at leastsome potential for grave consequences. Inter-estingly enough, both hypers and de-hyperstend to agree on this point. But while the firstgroup assumes that vicious attacks that wreakhavoc and paralyze whole nations are immi-nent, more cautious researchers often point tothe practical difficulties of a serious cyber-attack (Ingles-le Nobel, 1999), question the as-sumption of critical infrastructure vulnerabilities(Lewis, 2002; Smith, 1998, 2000), or point tounclear benefits of cyber-attacks for terroristgroups (Barak, 2004). Despite this caution,however, even the second group contends thatone “cannot afford to shrug off the threat”(Denning, 2001a) due to unclear and rapid fu-ture technological development as well as dy-namic change of the capabilities of terrorismgroups themselves (TechnicalAnalysis Group,2003). To summarize the debate in a nutshell:due to too many uncertainties concerning thescope of the threat, experts are unable to con-clude whether cyber-terror is fact or fiction, or,since they are unwilling to dismiss the threatcompletely, how long it is likely to remain fic-tion.

So far, relatively few attempts have beenmade toapply IRtheory inanalyzing thisdevel-opment, with a few exceptions (Eriksson &Giacomello, 2006; Giacomello & Eriksson,

20 JOURNAL OF INFORMATION TECHNOLOGY & POLITICS

2007; partly Latham, 2003). Research that hasfocused particularly on aspects of the construc-tion of information-age security threats is alsolittle influenced by theory or is mostly outdated(Bendrath,2001,2003;Eriksson,2001b;newer:Bendrath, Eriksson, & Giacomello, 2007; DunnCavelty, in press). There is an agreement,though, that theelusiveand unsubstantiatedna-ture of cyber-threats means that approachesrooted in the constructivist mindset with a sub-jective ontology are particularly suitable for itsanalysis. Such approaches are typically linkedto the constructivist research agenda and applycritical self-reflection to the inherently contra-dictory and problematic concept of security.These approaches were particularly influencedby the question of how and why new threatswere moved onto the security agendas after theend of the Cold War.

Traditional security policy research viewsthreat images as given and actually out there,and assumes that security policies are re-sponses to an objective increase of threats andrisks (Walt, 1991). With constructivist ap-proaches however, the focus is on how, when,and with what consequences political actorsframe something–anything–as a security issue,with a strong emphasis on speech acts, that is,political language, and the implications thishasfor political agenda-setting and political rela-tions (Adler, 1997; Buzan, Wæver, & Wilde,1998; Reus-Smit, 1996; Wæver, 1995). In or-der to analyze why cyber-threats occupy such aprominent position on the security politicalagenda, this paper introduces a framework forthe analysis of threat frames (Eriksson, 2001b;Eriksson & Noreen, 2002; Eriksson, 2001a),partly based on the Copenhagen school’s secu-ritization approach (Buzan, Wæver, & Wilde,1998). Threat framing refers to the processwhereby particular agents develop specific in-terpretive schemas about what should be con-sidered a threat or risk, how to respond to thisthreat, and who is responsible for it.

The paper focuses on the characteristics thatmight be responsible for the swiftness and con-siderable political impact of the widespreadconceptualization of IT as a security problem.In doing so, it aims to shed light on how the is-sue of cyber-terrorism is perceived and repre-sented by the US government, and what theconsequences of this perception are. Thus, by

considering the salience of this threat ratherthan simply arguing over its significance, itpushes the debate in a new direction and pro-vides much-needed grounding and referencefor the public debate on cyber-security.

This paper has three parts. First, the theoreti-cal framework is introduced. Second, the paperreconstructs how cyber-threats in general andcyber-terror in particular have been framed andtreated over the years. Third, specific traits ofcyber-threat frames are analyzed.

THE FRAMINGOF SECURITY THREATS

As the end of the Cold War by and large coin-cided with the beginnings of the informationrevolution, this technological development–which is about a special set of technologies, of-ten subsumed under the heading of informationand communication technologies (ICT) (Al-berts, Papp, & Kemp, 1997)–had a consider-able impact on the perception and shaping ofnew threats. Next to the vast opportunities of anICT-dominated age in terms of economic de-velopmentand democratization(Dutton, 1999;Loader, 1997; Thornton, 2001) worries aboutthe security or rather the insecurity of digitalnetworks were of major concern from the be-ginning. While extensively discussed on thetechnical level under the heading of IT-secu-rity, the information revolution was early onperceived to have a number of negative impli-cations for national security (Abele- Wigert &Dunn, 2006; Dunn & Wigert, 2004; Hundley &Anderson, 1997).

It has become common in the informationagetocoinnewtermsbysimplyplacingthepre-fixes cyber, computer, or information beforeanotherword. Thus, an entirearsenalof expres-sions–among them cyber-crime, informationwarfare,andcyber-terrorism–hasbeencreated.Due to the newness of the topic and the sensa-tionalistnature of the discourse on it, there havebeen few semantic walls erected around the rel-evant concepts in the information security tax-onomy, with the result that these terms have somany meanings and nuances that the wordsquickly become confusing or lose their mean-ingaltogether(Dunn,2007;Fisher,2001).3 Theterm cyber-threats, for example, denotes a rather

Myriam Dunn Cavelty 21

vague notionsignifying themalicioususe of in-formation and communication technologies ei-ther as a target or as a weapon. Cyber-terrorismis one clear case of a cyber-threat. As the issueofcyber-terrorismhasgrowninpopularityoverthe years, it has also acquired a range of mean-ings, depending on the context in which it isused.

The term cyber-terrorism was allegedlycoined in the 1980s by Barry Collin, a senior re-search fellow at the Institute for Security andIntelligence in California, as a hybrid term thatencompasses the concepts of cybernetics andterrorism (Collin, 1997; Conway, 2002). Insubsequent years, the term cybernetics was re-placed by the term cyberspace, so that the con-cept is now composed of two elements: cyber-space and terrorism. As both concepts are noto-riously difficult to define, cyber-terror itselfwas and still is a very elusive and poorly-de-fined concept. Academics agree in general thatto be labeled cyber-terrorism, cyber-incidentsmust be mounted by sub-national terroristgroups,4 be aimedatparts of the information in-frastructure, instill terrorbyeffects thataresuf-ficiently destructive or disruptive to generatefear, and must have a political, religious, orideologicalmotivation (Denning, 2000, 2001a,2001b; Devost, Houghton, & Pollard, 1997;Nelson, Choi, Iacobucci, Mitchell, & Gagnon,1999; Pollitt, 1997).

According to this definition, none of thelarger and smaller disruptive cyber-incidentsthat we have experienced in the last couple ofyears has been an example of cyber-terrorism.Even though most terrorist groups have seizedon the opportunity accorded by the informationrevolution through an established multipleWeb presence, access to uncensored propa-ganda, and by using the Web as an auxiliary re-cruitment and fundraising tool (Thomas, 2003;Weimann, 2004a; Weimann, 2004b), cyber-space has so far mainly served as a force-multi-plier in intelligencegathering and target-acqui-sition for terrorist groups and not as anoffensiveweapon. Despite this, the termis usedfrequently in the political domain, detachedfrom any academic definition of the issue, as aspecter depicting a terrorist and a keyboard,wreaking havoc that can disrupt an entire soci-ety. Somewhat exemplary, Congressman CurtWeldon (R-Pennsylvania) placed cyber-terror-

ism at the top of his list of modern threats to theAmerican way of life in 1999, when he said that“in my opinion, neither missile proliferation norweaponsofmassdestructionareasseriousas thethreat [of cyberterrorism]” (Poulsen, 1999). InSeptember 2002, Richard Clarke, former Spe-cial White House Adviser for Cyberspace Secu-rity, told ABC News: “[Cyber- terrorism is]much easier to do than building a weapon ofmass destruction. Cyber-attacks are a weapon ofmass disruption, and they’re a lot cheaper andeasier” (Wallace, 2002).

What is the meaning of such statements, onemight ask? At all times, the cyber-threats de-bate was (and is) highly political. It is not onlyabout predicting the future, but also about howtoprepare for it in thepresent.As a resultof this,turf battles on different levels of governmentare the rule and ongoing. As there have been nomajor destructive attacks on the cyber-level,different scenarios, which are stories aboutpossible futures, are providing the grounds onwhich decisions have to be made. The differentactors involved–ranging from governmentagencies to the technologycommunity to insur-ance companies–with their divergent interestsare therefore competing with each other bymeans of constructed versions of the future(Bendrath, 2001, 2003). Ultimately, it is aboutresources and about who is in charge to counterthe threat.

The so-called Copenhagen School of Secu-rity, in particular, developed an approach thatfocuseson theprocessofbringingan issue froma politicized or even non-politicized stage intothe security domain. This process is called se-curitization (Buzan, Wæver, & Wilde, 1998).The process is seen as a socially constructed,contextual speech act (Austin, 1962; Searle,1969), meaning that by uttering the word secu-rity or another term expressing the need for ex-ceptional measures, a professional of security,most often a state representative, claims a spe-cial right to use any means necessary to countera certain threat (Wæver, 1995). Ultimately, thismeans that issues become security issues notnecessarily because a real existential threat ex-ists, but because the issue is successfully pre-sented and established by key actors in thepolitical arena as such a threat. Securitizationstudies aim to gain an understanding of whosecuritizes (the actor) which issues (the threat


subject), for whom or what (the referent ob-ject), why (the intentions and purposes), withwhat results (the outcome), and under whatconditions (the structure) (Buzan, Wæver, &Wilde, 1998, p. 32).

To explain why certain issues seem moresusceptible to securitization than others, andthis is also the focus of this article, some schol-ars have established a stronger link to (cogni-tive) framingresearch that looksatspecial traitsof the threat frames employed by key actors(Eriksson, 2001a;Eriksson, 2001b; Eriksson &Noreen, 2002). Frame theory is rooted in lin-guistic studies of interaction and points to theway shared assumptions and meanings shapethe interpretation of any particular event (Oli-ver & Johnston, 2000). We understand fram-ing to refer to the subtle selection of certainaspects of an issue in order to cue a specific re-sponse; the way an issue is framed explainswho is responsible and suggests potential solu-tions conveyed by images, stereotypes, mes-sengers, and metaphors (Ryan, 1991, p. 59;Snow & Benford, 1992; Snow, Rocheford,Worden, & Benford, 1986). In threat framing,government officials and experts use certainphrases and also certain types of stories to addurgency to their case. Specific uses of languagedramatize the actual threat: the use of specificphrases and words make its construction as anational security threat possible in the firstplace. Since there is no real-world reference forthe threat, constant persuasion is required tosustain the sense that it is a real danger. And be-cause the national security dimension is notcompletely obvious, it is necessary to use spe-cific analogies (Cohn, 1987).

Frame analysis can be seen as a strand of dis-course analysis that mainly focuses on relevantcontent and argumentation (Gamson, 1992).Framing is an empirically observable activity:frames are rooted in and constituted bygroup-based social interaction, which is avail-able for first-hand observation, examination,and analysis of texts (Snow & Benford, 1992).The high relevance of frames as social patternsis an outcome of the fact that frames definemeaning and determine actions. Specifically,socially accepted frames influence the actionsof actors and define meaning in the public mind(Gamson, 1992, p. 110; Snow, Rocheford,Worden, & Benford, 1986, p. 464). Social con-

tests for the legitimate definition of reality areheld by ways of different categories as ex-pressed in frames. In the case of threat framing,the process of categorizing something as a par-ticular threat has practical consequences whenkey actors begin seeing the world according tothese categories.

Framing theory addresses three main ques-tions, the second of which will be our mainfocus: (a) how frames influence social action;(b) which frames are particularly successful forwhat reasons; and (c)how frames canbechanged(Snow & Benford, 1988). There are three typesof framing (ibid. 199-202):

a. diagnostic framing, which is aboutclearly defining a problem and assigningblame for the problem to an agent oragencies. In other words, this is aboutdesignating that which appears to bethreatening (the subject of the threat im-age or threat subject) and what is per-ceived as threatened (the object of thethreat image or referent object);

b. prognostic framing, which is about of-fering solutions, and proposing specificstrategies, tactics, and objectives bywhich these solutions may be achieved;

c. motivational framing, to rally the troopsbehind the cause or a call for action.

To this list, they add a fourth key element, frameresonance, meaning that the frame contentmust appeal to the existing values and beliefs ofthe target audience to become effective.

In thefollowing,wewillconductamini-casestudy on the framing of the US cyber-terrordiscourse. Even though such an approach doesnot help to determine whether cyber-terror isfact or fiction or how long itwill remainfiction,we can identify those traits that have madecyber-threats such prominent features on thenational security policy agendas. Data for thecase study was collected from official policypapers, hearings, and other statements of keyactors. Top-level documents reflect actualpresidential intentions, as opposed to publicstatements of purpose, which frequently leaveout sensitive details and, on occasion, directlyconflict with the stated goals of the administra-tion.


DEVELOPMENT AND PARAMETERSOF THE US CYBER-TERROR

DISCOURSE

The beginnings of the cyber-threats debatego back to the Reagan administration, whichwas concerned with preventing what it viewedas damaging disclosures of classified informa-tion as well as the acquisition of sensitive butunclassified information (DCI Center forSecurity Evaluation Standards Group, 1995).Subsequently, we find policy efforts in twodomains: the firstone linked to theprotectionoffederal agencies’ computer data from espio-nage, which was interlinked with the debate onencryption technology and led to the ComputerSecurityActof1987,5 and thesecondone linkedto the growing problem of computer crime,which led to the Computer Abuse Act of1984/866 that laid the groundwork for the pros-ecution of computer crimes in the US.

The first official threat frame can be found inNational Security Decision Directive Number145 on National Policy on Telecommunica-tions and Automated Information Systems Se-curity issued on September 17, 1984 (TheWhite House, 1984):

The technology to exploit these elec-tronic systems is widespread and is usedextensively by foreign nations and can beemployed, as well, by terrorist groupsand criminal elements. Government sys-tems as well as those which process theprivate or proprietary information of USpersons and businesses can become tar-gets for foreign exploitation.

As we will see below, this threat frame al-ready contains most of the ingredients of thecurrent threat frame, even though in a slightvariation. The threat subject ranges from for-eign nations to terrorists to criminals. There isan emphasis on foreign exploitation, whichseems to rule out that the problem could stemfrom US citizens. The referent object at thisstage is limited to government systems andbusiness systems that carry relevant informa-tion.

Further, we can see that it is a fairly narrowthreat frame that is concerned mainly aboutclassified material and not about the soci-

ety-threatening aspects of cyber-threats yet.This can be attributed to the technological sub-structure, which was still lacking the quality ofa mass phenomenon that it acquired when com-puter networks turned into a pivotal element ofmodern society (Ellison et al., 1997) and net-works ina moreabstractedsense becamea met-aphor formanyaspectsofmodern life (Arquilla& Ronfeldt, 1996; Arquilla & Ronfeldt, 2001;Castells, 1996). Even though terrorist groupsare listed as potential perpetrators in this 1984document, the cyber-terror specter as such hasnot yet been born, for the same reason.

Apart from a change in the technological en-vironment, the broadening of the vulnerabilityaspect can be attributed to changing threat per-ceptions and other developments in the US mil-itary: We can observe a close link of the earlycyber-threats debate to the US Revolution inMilitary Affairs–which refers to the strategic,operational, and tactical consequences of themarriage of systems that collect, process, andcommunicateinformationwith those thatapplymilitary force (Tilford, 1995)–and the subse-quent development of an information war-fare-information operations doctrine (Dunn,2002). While technology was seen mainly as aforce enabler for a considerable number ofyears until after the end of the Cold War, the USdeveloped the fear that their huge conventionalmilitarydominancewould forceanykindofad-versary–states or sub-state groups–to resort toasymmetric means, such as weapons of massdestruction, information operations, or terror-ism in the future (Kolet, 2001). The 1991 GulfWar played a large role in demonstrating thebenefits of the information differential pro-vided by the information systems employed(Campen, 1992; Eriksson, 1999), but it wasalso the Gulf War that birthed fear of the down-side of this development mainly through expe-riences with the threat of data intrusion asperpetrated by hacker attacks against 34Department of Defense computer sites duringthe conflict (Devost, 1995).

In theaftermathof theOklahomaCitybomb-ing in April 1995, the issue of cyber-threatswasdefinitely established as one the military estab-lishment could and should not deal with alone,and it was closely connected to the concept ofcritical infrastructure protection. The advan-tages inuseanddisseminationof ICTwereseen


to connote an over-proportional vulnerability,which caused experts to fear that enemies whowere likely to fail against the US war machinemight instead plan to bring the US to its kneesby striking vital points at home (Berkowitz,1997)–these points being fundamental to thenational security and the essential functioningof industrialized societies as a whole, and notnecessarily to the military in specific. Due tothe nature of cyber-attacks, it became clear thatis was often impossible to determine at the out-set whether an intrusion is an act of vandalism,computercrime, terrorism, foreign intelligenceactivity, or some form of strategic attack. Theonly way to determine the source, nature, andscope of the incident is to investigate. And theauthority to investigate such matters and to ob-tain the necessary court orders or subpoenasclearly resides with law enforcement (Vatis,1998). US domestic law also gave the armedforces’ lawyers headaches, because an attackon US infrastructures could originate in Iraq aswell as in the US. A military counter-strikethrough cyberspace might therefore unwit-tingly constitute an operation of US armedforces on domestic territory, which is prohib-ited by the Posse Comitatus Act of 1878.7

One direct outcome of the Oklahoma Citybombing was Presidential Decision Directive39, which directed Attorney-General JanetReno to leadagovernment-wideeffort to re-ex-amine the adequacy of the available infrastruc-ture protection. As a result, Reno convened aworking group to investigate the issue and re-port back to the cabinet with policy options(Freeh, 1997). The review, which was com-pleted in early February 1996, particularlyhighlighted the lack of attention that had beengiven to protecting the cyber-infrastructure ofcritical information systems and computer net-works. Thus, the topic of cyber-threats waslinked to the topics of critical infrastructureprotection and terrorism. Subsequently, Presi-dent Bill Clinton started to develop a nationalprotection strategy with his Presidential Com-mission on Critical Infrastructure Protection(PCCIP) in 1996, and the issue remained a veryhigh priority during his presidency and had astrong position in all the National SecurityStrategies between 1995 and 1999.

Theyears1997/1998inparticularwereawa-tershed in terms of the views on cyber-threats.

Whencomparingopenhearingsconcerningna-tional security or the annual defense reportsover the years, we see how the issue takes aquantum leap in 1998: there is a great quantita-tive increase in the time and space given to thetopic in public hearings. In addition, cyber-threats came to be depicted as one of the primedangers among the new threats. CIA directorJohn Deutch, for example, had regularlywarned of threats to national security fromcyber-attacks since the mid-1990s. Asked in aSenate hearing to compare the danger with nu-clear, biological, or chemical weapons, he an-swered, “it is very, very close to the top”(Deutch, 1996).

The PCCIP presented its report in the fall of1997 (PCCIP, 1997). The international impactof this document was such that it led to the firmestablishment of the topic of cyber-threats andcritical infrastructure protection on the securityagenda of various countries (Abele-Wigert &Dunn, 2006; Dunn & Wigert, 2004). Clintonfollowed the recommendationsof the PCCIP inMay1998withhisPresidentialDecisionDirec-tives (PDD) 62 and 63 (White House, 1998a,1998b). Clinton’s master plan adopted a two-foldresponse tocyber-threats:Ontheonehand,the intelligence community and the law en-forcementagencies togetherbuiltup furtherca-pacities for investigations of cyber-crimes, likecomputer forensics tools or close surveillanceof the hacker community; On the other hand,because of the amorphous nature of thesenon-state actors and unknown enemies, a lot ofeffort was put into hardening the critical infra-structures (Bendrath, 2001).

The distinct image of the cyber-terrorist alsoappears during these years. First mentioned in apublic hearing in 1998, cyber-terror quicklybecame one of the catchphrases of the debate.Poor definitions and careless use of terminol-ogy by many government officials is a majorobstacle for meaningful discussion of thecyber-terror issue. A statement of PresidentBill Clinton, who was very influential in shap-ing the perception of the issue, can serve as anexample of this semantic ambiguity. In his for-eign policy farewell lecture at the University ofNebraska at Kearney in December 2000, heidentified the need to pay attention to newsecurity challenges like cyber-terrorism, andsaid:


One of the biggest threats to the future isgoing to be cyberterrorism–people fool-ing with your computer networks, tryingto shut down your phones, erase bank re-cords, mess up airline schedules, dothings to interrupt the fabric of life.(Bowman, 2000, para. 7)

Both the PDD 62 and 63 and the NationalPlan follow the PCCIP’s reasoning and cementthe winning and dominant threat frame. Afterthatdate, all the threat frames thatareemployedin public hearings and other documents resem-ble the PCCIP’s threat frame. In the report, it isstressed that dependence on the informationand communications infrastructure have cre-ated new cyber-vulnerabilities (PCCIP, 1997,p. 5) and that potential adversaries include avery broad range of actors–“from recreationalhackers to terrorists to national teams of infor-mation warfare specialists” (ibid., p. 15). Thisvery broad and indeterminate framing of thethreat subject is one of the hallmarks of thecyber-threat frame. On the referent objectside, it was clearly established that “the nationis so dependent on our infrastructures that wemust view them through a national securitylens. They are essential to the nation’s security,economic health, and social well being” (ibid,p. vii). The dependence of society on theinformation and communication infrastructureon the one hand, and the ever-more complex in-terdependencies between infrastructures on theother, were identified as creating new dimen-sions of vulnerability, “which, when combinedwith an emerging constellation of threats, posesunprecedented national risk” (ibid., p. ix).

In the PCCIP report, cyber-threats are de-scribed as being even more dangerous thanothernewthreats, especiallybecause theneces-sary weapons are so easy to acquire (PCCIP,1997,p.14).On thewhole, there is littleempha-sis on the foreign intelligence threat, though itstill remainsaconcern.Amongthefarmorevir-ulent topics are scenarios of states using infor-mationwarfaremeans,or sub-stateactorsusingthe information infrastructures for their attack.This development was accompanied by an ex-pansion of the vocabulary to incorporate newterminology such as cyber-war, cyber-terror-ism, or electronic Pearl Harbor (Bendrath,

2001), terms that are frequently used inhearings, interviews, and press articles.

The events of 11 September 2001 served tofurther increase the awareness of vulnerabili-ties and the sense of urgency in protecting criti-cal infrastructures (Bush, 2001a, 2001b). Firstand foremost, the attacks of 9/11 provided areason to restructure the overall organizationalframework of critical infrastructure protection(CIP) in the US. In the immediate aftermath of9/11, President George W. Bush signed twoExecutive Orders (EO) affecting CIP. With EO13,228, entitled Establishing the Office ofHomeland Security and the Homeland SecurityCouncil of 8 October 2001, Bush set up an Of-fice of Cyberdefense at the White House, aspart of the new Homeland Security Office,which in turn was part of the National SecurityCouncil (Executive Order No. 13,228, 2001).The mission of this office was to “develop andcoordinate the implementation of a compre-hensive national strategy to secure the US fromterrorist threats and attacks.” The second Exec-utive Order, EO 13,231 Critical InfrastructureProtection in the Information Age, establishedthe President’s Critical Infrastructure Protec-tion Board, whose responsibility was to “rec-ommend policies and coordinate programs forprotecting information systems for criticalinfrastructure” (Executive Order No. 13,231,2001).

The Bush administration’s policy regardingcritical infrastructure protection represented acontinuation of PDD-63 in many respects: Thefundamental policy statements are essentiallythe same, as are the infrastructures identifiedas critical, although they were expanded andemphasis was placed on targets that would re-sult in large numbers of casualties (Moteff,2007, p. 12). Therewas one primarydifference,however. First, the Office of Homeland Secu-rity was given overall authority for coordinat-ing critical infrastructure protection againstterrorist threats and attacks. Those responsibil-ities associated with information systems ofcritical infrastructures were delegated to thePresident’s Critical Infrastructure ProtectionBoard. Furthermore, the board’s responsibili-ties for protecting the physical assets of the na-tion’s information systems were to be definedby the assistant to the president for national se-curity and the assistant to the president for


homeland security. While Clinton’s PDD-63focused primarily on cyber-security, it gave thenational coordinator responsibility to coordi-nate the physical and virtual security for allcritical infrastructures. The above-mentionedExecutive Orders not only segregated respon-sibility for protecting the nation’s informationinfrastructure, but also considerably strength-ened the physical aspect vis-à-vis the aspect ofcyber- attacks.

As a result of this, many critical voices wereheard disapproving of the extent of the atten-tion given to the cyber-dimension.Thefact thatthe government’s first cyber-security chiefabruptly resigned after one year with the USDepartment of Homeland Security raised seri-ous questions in the press about the Bush ad-ministration’s ability to quickly improve thenation’s cyber-security (cf. Gross, 2004; Mark,2004; Verton, 2004). Negative press was partof thereasonwhythesecondsecretaryofhome-land security, Michael Chertoff, proposed torestructure the IAIP Directorate responsiblefor CIP and rename it the Directorate of Pre-paredness as one of his Second Stage Reviewrecommendations in 2005 (Chertoff, 2005).Later, the Information Analysis function wasmerged into a new Office of Intelligence andAnalysis. The Infrastructure Protection func-tion, with the same missions as outlined in theHomeland Security Act, remained, but wasjoined by other existing and new entities. Inaddition, the restructuring established the po-sition of an assistant secretary for cyber secu-rity and telecommunications, which had longbeen advocated by many within the cyber-security community, and of an assistant secretaryforinfrastructureprotection(Moteff,2007,p.15).

Generally speaking, the Bush administra-tion became bogged down in the details of im-plementing its own strategy. Shortly before thebeginning of Operation Iraqi Freedom in 2003,the DHS identified a list of 160 assets or sitesthat it considered critical to the nation, based ontheir vulnerability to attack and potential con-sequences. Over time,according to theDHS in-spector general, this initial priority list evolvedintowhat isnowcalledtheNationalAssetData-base,which, asof January2006,containedover77,000 entries (Moteff, 2006; Moteff, 2007,p. 25). While the DHS has reportedly madeprogress on improving the reliability of the in-

formation contained in the database, it contin-ues to draw criticismfor including thousands ofassets that many believe have more local im-portance than national importance. A DHS re-port summarizing the results of Cyber Storm, afour-day exercise designed to test how industryand the government would respond to a con-certed cyber-attack on key information sys-tems, was seen as another indicator forinsufficient progress made (DHS, 2006).Cyber Storm suggested that government andprivate-sector participants had trouble recog-nizing the coordinated attacks, determiningwhom to contact, and organizing a response.

Despite this, it can be argued that the attacksof 11 September 2001 did not bring manychanges for the overall strategy–and, regard-less of what might be commonly expected, didnot bring any changes in the threat frames.What we do see, however, is that at least ini-tially, one main focus in public hearings was onthe possibility of terrorists using cyber-meansfor attacks. In addition, a number of studieswere conducted in the aftermath of 9/11 that fo-cused on Muslim terrorists and their cyber-ca-pabilities (National Infrastructure ProtectionCenter, 2002; TAG, 2001; Vatis, 2001). At thistime, officials’ attention shifted from hackersdepicted as terrorists towards terrorist hackers,and specifically Muslim ones. The few exam-ples cited below again show how volatile andunfounded the cyber-threat assessments stillwere. In his Senate testimony on The TerroristThreat Confronting the United States in Febru-ary 2002, Dale L. Watson, the FBI’s executiveassistant director on counter-terrorism andcounterintelligence, talked about an emergingthreat:

Beyond criminal threats, cyber space alsofaces a variety of significant national se-curity threats, including increasing threatsfrom terrorists . . . . Cyberterrorism–meaning the use of cyber tools to shutdown critical national infrastructures(such as energy, transportation, or gov-ernment operations) for the purpose ofcoercing or intimidating a government orcivilian population–is clearly an emerg-ing threat. (Watson, 2002, Cyber/Na-tional Infrastructure section, para. 2, 3)


In March of 2002, the intelligence commu-nity’s new global threat estimate was presentedto Congress. CIA director George J. Tenet,when discussing possible cyber-attacks, talkedmostlyabout terrorists, afterhavingfocusedhisattention on the whole range of actors in previ-ous years (Tenet, 1997, 1998, 1999):

We are also alert to the possibility ofcyber warfare attack by terrorists . . . . At-tacks of this nature will become an in-creasingly viable option for terrorists asthey and other foreign adversaries be-come more familiar with these targets,and the technologies required to attackthem. (Tenet, 2002, terrorism section,para. 9)

In the CIA Answers to Questions for the Re-cord, dated April 8, 2002, it is further specifiedthat

Various terrorist groups includingal-Qa’ida and Hizballah are becomingmore adept at using the Internet and com-puter technologies, and the FBI is moni-toring an increasing number of cyberthreats . . . . These groups have both theintentions and the desire to develop someof the cyberskills necessary to forge aneffective cyber attack modus operandi.(CIA, 2002, the threat of cyber-terrorismsection)

Others, too, feared that al-Qaida had theseabilities: For example, Vice Admiral Lowell E.Jacoby, Director of the Defense IntelligenceAgency, stated that members of al-Qaida hadspokenopenlyof targetingtheUSeconomyasawayofunderminingUSglobalpower.Asprooffor this claim, he stated that al-Qaida was usingpublicly available Internet Web sites to recon-noiter US infrastructure, utilities, and criticalfacilities (Jacoby, 2003). Again others, such asRobert S. Mueller, Director of the Federal Bu-reau of Investigation, feared that though cur-rent attacks were mere nuisances such asdenial-of-service attacks, their options mightincrease (Mueller, 2003).

Detached from all of this, the cyber-threatframe as developed under Clinton remained inplace. The reason for this is twofold: on the one

hand, the prevalent threat frame was widely ac-cepted and therefore highly stable. Not onlywas the diagnosis–a very wide range of poten-tial perpetrators–accepted, but so was the prog-nosis: Whether cyber-terror or cyber-warfare,the countermeasures as laid out in the NationalPlan and Bush’s National Strategy to SecureCyberspace seemed to satisfy decision-mak-ers. In addition, all the turf battlesbetweenvari-ous agencies had been fought in the 1990s, sothat this specific threat occurred in a more set-tled phase: The lead of the law enforcementcommunity and the crucial importance of pub-lic-private partnerships were widely acceptedby all actors involved. The establishment of theDHS, propagated as a step towards pullingdown the artificial walls between institutionsthat deal with internal threats and others thatdeal with external ones, did not fundamentallychange this perception: it merely changed partsof the organizational setting.

CHARACTERISTICSOF THE US CYBER-THREATS/

CYBER-TERROR THREAT FRAME

Conceptions of cyber-threats are very broadand also very vague, both in terms of what orwho is seen as the threat and what or who isseen as being threatened. In theory, cyber-at-tacks can be carried out in innumerable waysby anyone with a computer connected to theInternet, and for purposes ranging from juve-nile hacking, to organized crime, to politicalactivism, to strategic warfare. Hacking-toolsare easily downloaded from the Internet, andhave become both more sophisticated anduser-friendly. Motivational framing became afeature of threat frames in the 1990s, when thethreat is frequently called new in order to indi-cate the inability of established structures andinstruments to deal with it. Cyber-terror ismore narrowly constructed as a subset ofcyber-threats, as it focuses on non-state actorson the threat subject side, but the two threat im-ages are so closely interlinked that the image ofthe cyber-terrorist and that of the larger set ofcyber-perpetrators are never truly separated inofficial statements.

On the whole, the cyber-terror frame as asub-theme of the general cyber-threats frame


combines two of the great fears of the late 20thcentury:The fear of random and violentvictim-ization and the distrust or outright fear of com-puter technology,whichboth feedon the fearofthe unknown (Pollitt, 1997). Terrorism isfeared, and is meant to be feared, because it isperceived as being random, incomprehensible,and uncontrollable. Technology, including in-formation technology, is feared because it isseen as complex, abstract, and arcane in its im-pact on individuals. Because computers dothings that used to be done by humans, there isa notion of technology being out of control, arecurring theme in political and philosophi-cal thought (Winner, 1977) that is evenstrengthened by the increase in connectivitythat the informationrevolutionbrings.Theyareultimately seen as a threat to society’s core val-ues, especiallynational security, and to the eco-nomic and social well-being of a nation.Therefore, they are inevitably presented as anational security issue.

That officials in various agencies struggle toidentify the most dangerous actors or to decidewhether states or non-state actors are morelikely tobecomea threat is aconsequenceof thevery wide prognostic threat frame, especiallyon the threat subject side. At the end of the1990s the general consensus emerged thatstates were the ones to worry about, becausethey had greater capabilities–but that it wasmore likely that terrorists or criminalswould at-tack. As DIA Director Thomas Wilson said in2000:

Foreign states have the greatest potentialcapability to attack our infrastructure be-cause they possess the intelligence assetsto assess and analyze infrastructure vul-nerabilities, and the range of weap-ons–conventional munitions, WMD, andinformation operations tools–to take ad-vantage of vulnerabilities. (Wilson,2000, the growing asymmetric threatsection, para. 5)

The renewed focus on cyber-terrorists after9/11 proved a fairly temporary thing, too.About a year after 9/11, Richard Clarke, thenheadof theWhiteHouseOfficeforCyberSecu-rity, told the press that the government had be-gun to regard nation-states rather than terrorist

groups as the most dangerous threat. He said,“There are terrorist groups that are interested[in conducting cyber attacks]. We now knowthat al Qaeda was interested. But the real majorthreat is from the information-warfare brigadeor squadron of five or six countries” (Cha &Krim, 2002, p. A02).

Given this uncertainty, it is not surprisingthat the prognostic part of the frame remainedfar more contested than the diagnostic part dur-ing the entire debate. Issues of how to counterthe threat, mainly questions concerning re-sponsibilities, were discussed until approxi-mately 1997, when the PCCIP threat frameoffered a solution that appealed to everyone.Notions of cyber-threats have originatedamong military as well as civilian actors. In thelaw enforcement community, cyber-crime hasbecome a particularly salient threat image.Within the military bureaucracy, the perceivedthreats have been framed as information war-fare, information operations, and cyber-war.Both communities refer to cyber-terror, athreat image that has remained very fuzzy.Among computer scientists, technicians, andnetwork operators, the threat images are usu-ally much narrower, with an emphasis on at-tacks, exploits, and disruptions perpetratedagainst computer networks, software conflicts,and other bugs which can lead to systemscrashes. From the very beginning, the law en-forcement community played a strong role inthe process due to existing resources, norms,and institutions. Members of the military tookthe place of a framing, but not of an executingactor: they gave cyber-threats a new face, butthen had to cede responsibility and admit thatthey could not provide the answer to them (De-fense Science Board, 1994, 1996; Joint Secu-rity Commission, 1994). The perceived natureof the threat as well as restraints stemmingfrom norms and institutions made a bigger roleof the military establishment unfeasible. As aresult, they became more or less marginalizedin thebroaderdebateafter acertainpoint.Onlyin the domain of information warfare, framedasa traditionalmilitary task,did theyretainpri-mary responsibility and strive to advance de-velopments in the domain.

Nonetheless, even though the issue ofcyber-threat is clearly linked to national secu-rity on a rhetorical level, there are, in general,


no exceptional measures envisaged that wouldtraditionally fall under the purview of nationalsecurity apparatus. Therefore, the cyber-threats debate is an example of a failed securiti-zation (cf. Bendrath, 2001). If we turn onceagain to securitization theory, the criteriongiven by securitization theory is that issues be-come securitized when they are taken out of the“normal bounds of political procedure,” whichin turn amounts to a call for exceptional mea-sures (Buzan, Wæver & Wilde, 1998, p. 24). Inaddition, securitization moves are only suc-cessful if an audience accepts the security argu-ment (ibid., p. 25). A study of cyber-threatframes offer a possible interpretation of this:Even though the diagnostic part of currentcyber-threat frames establishes a forceful linkto national security, the prognostic part doesnot. And apparently, the prognostic part,which is about offering solutions, and propos-ing specific strategies, tactics, and objectivesby which these solutions may be achieved, ismore important, as it is, ultimately, about realconsequences.

CONCLUDING REMARKS

In this paper, it was shown that terroristshave not used cyberspace as a weapon or targetso far, though they routinely make use of com-puters, the Internet, or cryptography for organi-zational purposes. However, there is a lot ofuncertainty as to the future development of thisthreat. To answer the question of “howlikely–how soon” we would need concrete in-telligencedataofwhichnon-stateactor is likelyto employ cyber-tools as an offensive weaponat what point in time (Nicander & Ranstorp,2004, pp. 12-13)–data which is not available. Adifferent approach has therefore been chosen inthis paper: It looked at the cyber-threat dis-course from a constructivist security studiesperspective and identified key aspects of thecyber-threat frame (and cyber-terror frame) inorder to determine what aspects might be re-sponsible for its strong position on the nationalsecurity agenda.

We find that on the rhetorical level, the dan-ger is said to be caused by new and poorly un-derstood vulnerabilities due to dependence ofsociety on the information and communication

infrastructure on the one hand, and ever-morecomplex interdependencies between infra-structures on the other. The information infra-structure, including its physical and cyber-components, isoftennamedasaconcrete targetof cyber-terror and, more generally, of cyber-threats. In the agent dimension, a danger hasbeen constructed that emanates from an enemywho is located outside of the US, both in geo-graphical and in moral terms. This picture of adangerous other reinforces the idea of the na-tion as a collective self. The use of phrases likeour computers or our infrastructures amplifiesthis effect. The reference object of security isthe entire US society. The logical and politicalimplication of this is that defense againstcyber-attacks comes under the purview ofnational security policy.

However, it was argued that the prognosticframe is more important than the diagnosticthreat frame. In fact, it is likely that the PCCIPthreat frame has prevailed due to its prognosticpart rather than to its diagnostic one. Despitethe fact that there is national security rhetoric inabundance, the actual countermeasures inplace rely on risk analysis and risk manage-ment. This business rationale is forced upongovernments due to the fact that the private in-dustry owns and operates about 85% to 95% ofthe US critical infrastructures and key assets,depending on the source. Therefore, much ofthe expertise and many of the resources re-quired for planning and taking better protectivemeasures lie outside the federal government(Baird, 2002; Bosch, 2002; Goodman et al.,2002). As a result, it is necessary to delegate alargepartof theresponsibilityfor theprotectionof critical infrastructure to the private ownersand operators. Whereas the traditional logic ofnational security suggests unilateral govern-ment action and policy, CIP policies are inevi-tably blurred by domestic considerations andotherpolicy imperatives. Incontrast to the logicof security, the logic of risk is not binary, butprobabilistic. It is a constant process towards adesired outcome. Thus, managing risk is essen-tially about accepting that one is insecure, butconstantlypatching this insecurity,working to-wards a future goal of more security (Kristen-sen, in press).

Ultimately, all of this has a desecuritizing ef-fect. Desecuritization as the unmaking of secu-


rity has been considered a technique fordefining down threats, in other words, a nor-malization of threats that were previously con-structedas extraordinary.This normalization isa process by which security issues lose their se-curity aspect, making it possible to interpretthem in multiple ways, and therefore, allowsmore freedom both at the level of interpretationand in actual politics or social interaction(Aradau, 2001). Despite the fact that the securi-tization of cyber-threats has failed, as shown inthis article, the national security logic is upheldon the rhetorical level. This, on the one hand,makes it easier in theory to start new securitiza-tion moves and to challenge the current prog-nostic frame. On the other hand, it means thatthe fuzzy notions of cyber-threats and cyber-terrorwillmostcertainlyremainon thenationalsecurity agenda. Therefore, decision-makersshouldbecarefulnot tofomentcyber-angst toanunnecessary degree, even if the threat cannot becompletely shrugged off. In seeking a prudentpolicy, the difficulty for decision-makers is tonavigate the rocky shoals between hystericaldoomsday scenarios and uninformed compla-cency. It is clear that the focus should continueto be on a broad range of potentially dangerousoccurrences involving cyber- means and tar-gets, including failure due to human error ortechnical problems apart from malicious at-tacks.Thisnotonlydoes justice to thecomplex-ity of the problem but also prevents us fromcarelessly invoking the specter of terrorism.

It has in fact been argued that one solution tothe problem of cyber-security is to focus oneconomicand market aspects of the issue ratherthan on suitable technical protection mecha-nisms (Andersson, 2001). If we apply thisviewpoint, we quickly realize that the insecu-rity of the Internet can be compared to environ-mental pollution and that cyber-security in factshows strong traits of a public good that will beunderprovided or fail to be provided at all in theprivatemarket.Publicgoods provideavery im-portant example of market failure, in which in-dividual behavior seeking to gain profit fromthe market does not produce efficient results(Dunn & Mauer, 2007; Suter, 2007). Clearly,looking at cyber-security as an economic prob-lem means to desecuritize the issue even fur-ther. At the same time, to focus on marketaspects of the issue can help create a market for

cyber-security,whichcouldreducemuchof theinsecurity of the information infrastructure,and thus also diminish the vulnerability ofsociety.

NOTES

1. Data availability and possibility for replication:This study tries to incorporate the notion that the mannerin which people and institutions interpret and representphenomena and structures makes a difference for theoutcomes. This ontology reflects an epistemology thatis based on intersubjectivity, which sees subject andobject in the historical world as a reciprocally interre-lated whole (Adler and Haas, 1992, p. 370; Cox, 1992,p. 135). Data is analyzed using a hermeneutical interpre-tive method of text analysis, which is the most suitableapproach for questions raised by post-positivist theoriesand speech act theory in particular (Adler, 1997). Thereis no claim that hypotheses need to be falsified in Pop-per’s sense; instead, the entire research community actsas “ultimate tribunal of truth” (Howarth, 2000, p. 142)so that the analysis is ultimately legitimate when it ispersuasive, consistent, and coherent.

2. The media routinely features sensationalist head-lines that cannot serve as a measure of the problem’sscope. Examples of such articles include the following:Christensen, J. (1999, April 6). Bracing for guerrillawarfare in cyberspace. CNN Interactive; Kelley, J.(2001, February 6). Terror groups hide behind Web en-cryption. USA Today; McWilliams, B. (2001, December17). Suspect claims Al Qaeda hacked Microsoft–Expert.Newsbytes; FBI: Al Qaeda may have probed govern-ment sites. (2002, January 17). CNN.; and Islamiccyberterror: Not a matter of if but of when. (2002, May20). Newsweek.

3. As Geoffrey French put it, referring to the diver-sity of terminology in a variety of information warfarearticles (French, 2000), “Before too long, the articlesseem to have been written by Lewis Carroll, with direwarnings of the Jabberwock, the Jubjub bird, and thefrumious Bandersnatch.”

4. This definition’s main weakness is that it does notapply a critical approach to the concept of terrorism. Bydeliberately not addressing the problem at the heart ofall definitions of terrorism (“one person’s terrorist is an-other person’s freedom fighter”), we avoid investigatingthe difficulty and subjectivity of labelling a person orgroup terrorist.

5. Computer Security Act of 1987, Public Law100-235, H.R. 145, (1988), (100th Congress).

6. The Counterfeit Access Device and ComputerFraud Abuse Act, 18 U.S.C. § 1030 (1984).; ComputerFraud and Abuse Act (U.S.) 18 U.S.C. § 1030(a) (1986).

7. 18 U.S.C. § 1385 (1878).


REFERENCES

Abele-Wigert, I. & Dunn, M. (2006). The internationalCIIP handbook 2006: An inventory of protection pol-icies in 20 countries and 6 international organiza-tions (Vol I). Zurich, Switzerland: Center forSecurity Studies.

Adler, E. (1997). Seizing the middle ground: Construc-tivism in world politics. European Journal of Inter-national Relations, 3, 319-363.

Adler, E., & Haas, P. M. (1992). Conclusion: Epistemiccommunities, world order, and the creation of a re-flective research program. International Organiza-tion, 46, 367-390.

Alberts, D. S., & Papp, D. S. (Eds.). (1997). The informa-tion age: An anthology of its impacts and conse-quences (Vol. 1). Washington, DC: National DefenseUniversity.

Alberts, D. S., Papp, D. S., & Kemp, W. T., III. (1997).The technologies of the information revolution. In D.S. Alberts & D. S. Papp (Eds.), The information age:An anthology of its impacts and consequences (pp.83-116). Washington DC: National Defense Univer-sity.

Andersson, R. (2001). Why Information Security is Hard:An Economic Perspective. In IEEE Computer Society(Ed.), Proceedings of the 17th Annual Computer Se-curity Applications Conference (pp. 358-365). Wash-ington, DC: IEEE Computer Society.

Aradau, C. (2001, December). Beyond good and evil:Ethics and securitization/desecuritization tech-niques. Rubikon, Retrieved May 1, 2007 from http://venus.ci.uw.edu.pl/~rubikon/forum/claudia2.htm

Arquilla, J. (1998, February 6). The great cyberwar of2002: A WIRED Scenario. WIRED, 122-127,160-170.

Arquilla, J., & Ronfeldt, D. (Eds.). (2001). Networksand netwars: The future of terror, crime, and mili-tancy. Santa Monica, CA: RAND.

Arquilla, J., & Ronfeldt, D. F. (1996). The advent ofnetwar. Santa Monica, CA: RAND.

Austin, J. L. (1962). How to do things with words. Lon-don: Oxford University Press.

Barak, S. (2004). Between violence and ‘e-jihad’: Mid-dle Eastern terror organizations in the informationage. In L. Nicander & M. Ranstorp (Eds.), Terrorismin the information age–new frontiers? (pp. 83-96).Stockholm: Swedish National Defence College.

Bendrath, R. (2001). The cyberwar debate: Perceptionand politics in US critical infrastructure protection.Information & Security: An International Journal, 7,80-103.

Bendrath, R. (2003). The American cyber-angst and thereal world–any link? In R. Latham (Ed.), Bombs andbandwidth: The emerging relationship between ITand security (pp. 49-73). New York: The New Press.

Bendrath, R., Eriksson J., & Giacomello G. (2006).Cyberterrorism to cyberwar, back and forth: How theUnited States securitized cyberspace. In J. Eriksson

& G. Giacomello (Eds.), International relations andsecurity in the digital age (pp. 57-82). London:Routledge.

Berkowitz, B. D. (1997). Warfare in the informationage. In J. Arquilla & D. Ronfeldt (Eds.), In Athena’scamp: Preparing for conflict in the information age(pp. 175-189). Santa Monica, CA: RAND.

Bowman, L. M. (2000, December 10). Cybercrime fight-ers: The feds want you! ZDNet News. Retrieved May2, 2007 from http://news.zdnet.com/2100-9595_22-526271.html?legacy=zdnn

Buzan, B., Wæver, O., & de Wilde, J. (1998). Security:A new framework for analysis. Boulder, CO:Rienner.

Campen, A. (1992). The first information warfare.Fairfax, VA: AFCEA International Press.

Cashell, B., Jackson, W. D., Jickling, M., & Webel, B.(2004). The economic impact of cyber-attacks (Con-gressional Research Service Documents, CRSRL32331). Washington, DC: Congressional Re-search Service.

Castells, M. (1996). The rise of the network society. Ox-ford, England: Blackwell.

Cha, A. E., & Krim, J. (2002, August 22). White Houseofficials debating rules for cyberwarfare. The Wash-ington Post, p. A02.

Chertoff, M. (2005, July 14). Statement of Secretary Mi-chael Chertoff, U.S. Department of Homeland Secu-rity, before the United States Senate Committee onHomeland Security and Government Affairs, Wash-ington, DC. Retrieved May 2, 2007 from http://www.homelandsecurity.ms.gov/docs/ChertoffTestimony_Senate_07142005.pdf

CIA. (2002, April 8). The Questions for the Record fromthe Worldwide Threat Hearing on 6 February 2002.Retrieved May 3, 2007 from http://www.fas.org/irp/congress/2002_hr/020602cia.html

Cohn, C. (1987). Sex and death in the rational world ofdefense intellectuals. Signs: Journal of Women inCulture and Society, 12, 687-718.

Collin, B. C. (1997). The future of cyberterrorism:Where physical and virtual worlds converge. Crime& Justice International, 13, 15-18.

Conway, M. (2002, November 4). Reality bytes:Cyberterrorism and terrorist ‘use’ of the Internet.Firstmonday, 7. Retrieved May 2, 2007 from http://firstmonday.org/issues/issue7_11/Conway

Cox, R. W. (1992). Towards a post-hegemonic concep-tualization of world order: Reflections on the rele-vancy of Ibn Khaldun. In J. N. Rosenau & E.Czempiel (Eds.), Governance without government:Order and change in world politics, CambridgeStudies in International Relations Nr. 20 (pp.132-158). Cambridge, England: Cambridge Univer-sity Press.

DCI Center for Security Evaluation Standards Group.(1995, September 15). An inventory of standards af-fecting security, 7th annual edition. Retrieved May 2,


2007 from http://www.fas.org/sgp/othergov/inventory.html

Defense Science Board (DSB). (1994). Report of theDefense Science Board Summer Study Task Force oninformation architecture for the battlefield. Wash-ington, DC: Department of Defense.

Defense Science Board (DSB). (1996). Report of theDefense Science Board Task Force on InformationWarfare–Defense (IW-D). Washington, DC: Depart-ment of Defense.

Denning, D. (2000, May 23). Cyberterrorism: Testi-mony before the Special Oversight Panel on Terror-ism. Committee on Armed Services, U.S. House ofRepresentatives. Retrieved May 2, 2007 from http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html

Denning, D. (2001a). Is Cyber-terror next? Essay for theSocial Science Research Council. Retrieved May 2,2007 from http://www.ssrc.org/sept11/essays/denning.htm

Denning, D. E. (2001b). Activism, hacktivism, andcyberterrorism: The Internet as a tool for influencingforeign policy. In J. Arquilla & D. Ronfeldt (Eds.),Networks and netwars: The future of terror, crime,and militancy (pp. 239-288). Santa Monica, CA:RAND.

Department of Homeland Security (DHS). (2006, Sep-tember 12). Cyber storm: Exercise report. Washing-ton, DC. Retrieved May 3, 2007 from http://www.dhs.gov/xlibrary/assets/prep_cyberstormreport_sep06.pdf

Deutch, J. (1996, June 25). Testimony of the Director ofU.S. Central Intelligence before the Senate Govern-mental Affairs Committee, Permanent Subcommitteeon Investigations.

Devost, M. G. (1995). National security in the informa-tion age. Unpublished master’s thesis, University ofVermont, Burlington. Retrieved May 7, 2007 fromhttp://www.devost.net/papers/national_security_in_the_information_age.html

Devost, M. G., Houghton, B. K., & Pollard, N. A.(1997). Information terrorism: Political violence inthe information age. Terrorism and Political Vio-lence, 9, 72-83.

Dunn Cavelty, M. (in press). Cyber-security and threatpolitics: US efforts to secure the information age.London: Routledge.

Dunn Cavelty, M. & Mauer, V. (in press). Concludingremarks: The role of the state in securing the infor-mation age–challenges and prospects. In M. DunnCavelty, V. Mauer, & S. Krishna-Hensel (Eds.).Power and security in the information age: Investi-gating the role of the state in cyberspace. Aldershot,England: Ashgate.

Dunn, M. & Wigert, I. (2004). The international CIIPhandbook 2004: An inventory of protection policiesin fourteen countries. Zurich, Switzerland: Centerfor Security Studies.

Dunn, M. (2002). Information age conflicts: A study onthe information revolution and a changing operatingenvironment (Zürcher Beiträge zur Sicherheit-spolitik und Konfliktforschung, No. 64). Zurich,Switzerland: Center for Security Studies.

Dutton, W. H. (Ed.). (1999). Society on the line: Infor-mation politics in the digital age. Oxford, England:Oxford University Press.

Ellison, R. J., Fisher, D. A., Linger, R. C., Lipson, H. F.,Longstaff T., & Mead, N. R. (1997, November). Sur-vivable network systems: An emerging discipline.(Technical Report. CMU/SEI-97-TR-013. ESC-TR-97-013). Pittsburgh, PA: Carnegie Mellon Univer-sity, Software Engineering Institute. Retrieved May2, 2007 from http://www.cert.org/research/97tr013.pdf

Eriksson, A. E. (1999). Information warfare: Hype orreality? The Non-Proliferation Review, 6, 57-64.

Eriksson, J. (Ed.). (2001a) Threat politics: New per-spectives on security, risk and crisis management.Aldershot, England: Ashgate.

Eriksson, J. (2001b). Cyberplagues, IT, and security:Threat politics in the information age. Journal ofContingencies and Crisis Management, 9, 211-222.

Eriksson, J. & Giacomello, G. (2006). The informationrevolution, security, and international relations:(IR)relevant theory? International Political ScienceReview, 27, 221-244.

Eriksson, J., & Noreen, E. (2002). Setting the agenda ofthreats: An explanatory model (Uppsala Peace Re-search Papers, 6). Uppsala, Sweden: UppsalaUniversitet. Retrieved May 2, 2007 from http://www.pcr.uu.se/publications/UPRP_pdf/uprp_no_6.pdf

Exec. Order No. 13,228, 3 C.F.R. 796 (2001).Exec. Order No. 13,231, 66 Fed. Reg. 53,063 (2001).Fisher, U. (2001, November). Information age state se-

curity: New threats to old boundaries. Journal forHomeland Security. Retrieved May 2, 2007 fromhttp://www.homelandsecurity.org/journal/articles/fisher.htm

Freeh, L. J. (1997, May 13). Statement of Louis J. Freeh,Director, Federal Bureau of Investigation, Depart-ment of Justice. In U.S. Senate Committee on Appro-priations, Counterterrorism: Hearing before theCommittee on Appropriations, United States Senate,One Hundred Fifth Congress, first session: SpecialHearing. Retrieved May 2, 2007 from http://www.fas.org/irp/congress/1997_hr/sh105-383.htm

French, G. S. (2000). Shunning the frumious band-ersnatch: Current literature on information warfareand deterrence. The Terrorism Research Center, Inc.Retrieved May 2, 2007 from http://www.terrorism.com

Gamson, W. A. (1992). Talking politics. Cambridge,England: Cambridge University Press.

Giacomello, G. & Eriksson J. (Eds.). (2007). Interna-tional relations and security in the digital age. Lon-don: Routledge.


Gladman, B. (1998, September). Wassenaar controls,cyber-crime and information terrorism. Leeds, UK:Cyber-Rights & Cyber-Liberties (UK). RetrievedMay 2, 2007 from http://www.cyber-rights.org/crypto/wassenaar.htm

Gross, G. (2004, October 1). U.S. cybersecurity chief re-signs: Amit Yoran, said to be frustrated with prog-ress, gives one-day notice. IDG News Service.Retrieved May 2, 2007 from http://www.infoworld.com/article/04/10/01/HNchiefresigns_1.html?DISASTER%20RECOVERY

Howarth, D. (2000). Discourse. Buckingham, England:Open University Press.

Hundley, R. O. & Anderson, R. H. (1997). Emergingchallenge: Security and safety in cyberspace. In J.Arquilla & D. Ronfeldt (Eds.), In Athena’s camp:Preparing for conflict in the information age (pp. 231-252). Santa Monica, CA: RAND.

Ingles-le Nobel, J. J. (1999, October 21). Cyberterrorismhype. Jane’s Intelligence Review. Retrieved May 3,2007 from http://212.111.49.124/cyberterror/resources/janes/jir0525.htm

Jacoby, L. (2003, February 11). Statement for the recordof Vice Admiral Lowell E. Jacoby, USN, Director,Defense Intelligence Agency before the Senate Se-lect Committee on Intelligence. In Current and pro-jected national security threats to the United States:Hearing before the Select Committee on Intelligenceof the United States Senate, One Hundred EighthCongress, First Session (pp. 48-67). Washington, DC:Government Printing Office. Retrieved May 3, 2007from http://purl.access.gpo.gov/GPO/LPS42906

Joint Security Commission (JSC). (1994, February 28).Redefining security: A report to the Secretary of De-fense and the Director of Central Intelligence. Wash-ington, DC: US Government Printing Office.

Kolet, K. S. (2001). Asymmetric threats to the UnitedStates. Comparative Strategy, 20, 277-292.

Kristensen, K. S. (in press). ‘The absolute protection ofour citizens’: Critical infrastructure protection andthe practice of Security. In M. Dunn Cavelty & K. S.Kristensen (Eds.), The politics of securing the home-land: Critical infrastructure, risk and securitisation.London: Routledge.

Lacey, M. (2000, December 9). Clinton gives a final for-eign policy speech. The New York Times.

Latham, R. (Ed.). (2003). Bombs and bandwidth: Theemerging relationship between IT and security. NewYork: The New Press.

Lewis, J. A. (2002, December). Assessing the risks ofcyber-terrorism, cyber war and other cyber threats.Washington, DC: Center for Strategic and Interna-tional Studies. Retrieved May 3, 2007 from http://www.csis.org/media/csis/pubs/021101_risks_of_cyberterror.pdf

Loader, B. D. (1997). The governance of cyberspace:Politics, technology, and global restructuring. In B.D. Loader (Ed.), The governance of cyberspace(pp. 1-19). London and New York: Routledge.

Mark, R. (2004, October 1). U.S. cybersecurity chief re-signs. eSecurity Planet. Retrieved May 3, 2007 fromhttp://www.esecurityplanet.com/trends/article.php/3416161

Molander, R. C., Riddle, A. S, & Wilson, P. A. (1996).Strategic information warfare: A new face of war.Santa Monica, CA: RAND.

Moteff, J. (2006, September 14). Critical infrastruc-ture: The national asset database. (CRS Report forCongress, RL33648). Washington, DC: Congressio-nal Research Service.

Moteff, J. (2007, March 13). Critical infrastructures:Background, policy, and implementation (Congres-sional Research Report for Congress, RL30153).Washington, DC: Congressional Research Service.

Mueller, R. S. (2003, February 11). Testimony of Rob-ert S. Mueller, III, Director, Federal Bureau of Inves-tigation before the Select Committee on Intelligenceof the United States Senate Washington. In Currentand projected national security threats to the UnitedStates: Hearing before the Select Committee on In-telligence of the United States Senate, One HundredEighth Congress, First Session (pp. 31-47). Wash-ington, DC: Government Printing Office. RetrievedMay 3, 2007 from http://purl.access.gpo.gov/GPO/LPS42906

National Academy of Sciences (NAS), Computer Sci-ence and Telecommunications Board (1991). Com-puters at risk: Safe computing in the information age.Washington, DC: National Academy Press.

National Infrastructure Protection Center (NIPC).(2002, 30 January). Terrorist interest in water supplyand SCADA systems. Information Bulletin 02-001.

Nelson, B., Choi, R., Iacobucci, M., Mitchell, M., &Gagnon, G. (1999). Cyberterror: Prospects and im-plications. White Paper prepared for the Defense In-telligence Agency Office for CounterterrorismAnalysis. Monterey, CA: Center for the Study ofTerrorism and Irregular Warfare (CSTIW).

Nicander, L. & Ranstorp, M. (Eds.). (2004). Terrorismin the information age–New frontiers? Stockholm:Swedish National Defense College.

Oliver, P. E. & Johnston, H. (2000). What a good idea:Frames and ideologies in social movements research.Mobilization, 5, 37-54.

Pollitt, M. M. (1997). Cyberterrorism–Fact or fancy?Proceedings of the 20th National Information Sys-tems Security Conference, 1997, 285-289. RetrievedMay 3, 2007 from http://csrc.nist.gov/nissc/1997/proceedings/nissc97.zip

Poulsen, K. (1999, September 8). Info war or electronicsabre rattling? ZDNet. Retrieved May 3, 2007 fromhttp://news.zdnet.com/2100-9595_22-515631.html?legacy=zdnn

President’s Commission on Critical Infrastructure Pro-tection (PCCIP). (1997). Critical foundations: Pro-tecting America’s infrastructures. Washington, DC:Government Printing Office.


Rathmell, A., Overill, R., Valeri, L., & Gearson, J.(1997, June). The IW threat from sub-state groups:An interdisciplinary approach. Paper presented at theThird International Symposium on Command andControl Research and Technology, Institute for Na-tional Strategic Studies–National Defense Univer-sity, Washington, DC. Retrieved May 8, 2007 fromhttp://www.kcl.ac.uk/orgs/icsa/Old/terrori.html

Reus-Smit, C. (1996). The constructivist turn: Criticaltheory after the Cold War. (Working Paper No.1996/4). Canberra: Australian National University.

Ryan, C. (1991). Prime time activism: Media strategiesfor grass roots organizing. Boston: South End Press.

Schwartau, W. (1994). Information warfare. Cyber-terrorism: Protecting your personal security in theelectronic age (2nd ed.). New York: ThundermouthPress.

Searle, J. R. (1969). Speech acts: An essay in the philos-ophy of language. Cambridge, England: CambridgeUniversity Press.

Smith, G. (1998, Fall). An electronic Pearl Harbor? Notlikely. Issues in Science and Technology, 15. Re-trieved May 3, 2007 from http://www.issues.org/15.1/smith.htm

Smith, G. (2000). How vulnerable is our interlinked in-frastructure? In D. S. Alberts & D. S. Papp (Eds.),The information age: An anthology of its impacts andconsequences (Vol. II, pp. 507-523). WashingtonDC: National Defense University Press.

Snow, D. A. & Benford, R. D. (1992). Master Framesand Cycles of Protest. In Morris, A. D. & Mueller, C.M. (Eds.), Frontiers in social movement theory (pp.133-155). New Haven, CT: Yale University Press.

Snow, D. A., Rocheford, E. B., Jr., Worden, S. K., &Benford, R. D. (1986). Frame alignment processes,micromobilization and movement participation.American Sociological Review, 51, 464-481.

Sofaer, A. D. & Goodman, S. D. (2000). A proposal foran international convention on cyber-crime and ter-rorism. Stanford, CA: Center for International Secu-rity and Cooperation, Stanford University.

Suter, M. (in press). Improving information security incompanies: How to meet the need for threat informa-tion. In M. Dunn Cavelty, V. Mauer, & S.Krishna-Hensel (Eds.), Power and security in the in-formation age: Investigating the role of the state incyberspace. Aldershot, England: Ashgate.

Technical Analysis Group (TAG), Institute for SecurityTechnology Studies, Dartmouth College (2003, No-vember). Examining the cyber capabilities of Islamicterrorist groups. Hanover, NH: Dartmouth College.Retrieved May 3, 2007 from https://www.ists.dartmouth.edu/TAG/ITB/ITB_032004.pdf

Tenet, G. J. (1997, February 5). Statement by Acting Di-rector of Central Intelligence George J. Tenet beforethe Senate Select Committee on Intelligence Hearingon Current and Projected National Security Threatsto the United States. Retrieved May 3, 2007 fromhttp://www.fas.org/irp/congress/1997_hr/s970205t.htm

Tenet, George J. (1998, June 24). Testimony by Directorof Central Intelligence George J. Tenet before theSenate Committee on Government Affairs. RetrievedMay 3, 2007 from http://www.fas.org/irp/congress/1998_hr/980624-dci_testimony.htm

Tenet, George J. (1999, February 2). Statement of theDirector of Central Intelligence George J. Tenet AsPrepared for Delivery Before the Senate Armed Ser-vices Committee Hearing on Current and ProjectedNational Security Threats.. Retrieved May 3, 2007from https://www.cia.gov/cia/public_affairs/speeches/1999/ps020299.html

Tenet, George J. (2000, February 2). The WorldwideThreat in 2000: Global Realities of Our National Se-curity. Statement by Director of Central IntelligenceGeorge J. Tenet Before the Senate Select Committeeon Intelligence. Retrieved May 3, 2007 from https://bcia.gov/cia/public_affairs/sh_ 032100.html

Tenet, George J. (2002, March 19). Worldwide Threat–Converging Dangers in a Post 9/11 World. Testi-mony of the Director of Central Intelligence beforethe Senate Select Committee on Intelligence. Re-trieved May 3, 2007 from http://www.fas.org/irp/congress/2002_hr/020602tenet.html

The White House (1984, September 17). National Pol-icy on Telecommunications and Automated Informa-tion Systems Security. National Security DecisionDirective Number 145. Washington, DC: Presidentof the United States. Retrieved May 3, 2007 fromhttp://www.fas.org/irp/offdocs/nsdd145.htm

The White House, Office of the Press Secretary (1998a,May 22). Fact Sheet. Combating Terrorism: Presi-dential Decision Directive 62. Washington, DC: Pres-ident of the United States. Retrieved May 3, 2007from http://www.fas.org/irp/offdocs/pdd-62.htm

The White House. (1998b, May 22). Protecting Amer-ica’s critical infrastructures: Presidential decisiondirective 63. Washington, DC: President of theUnited States.

The White House. (2000). Defending America’scyberspace: National plan for information systemsprotection: An invitation to a dialogue (Version 1.0).Washington, DC: President of the United States.

Thomas, T. L. (2003, Spring). Al Qaeda and theInternet: The danger of cyberplanning. Parameters(Spring), 112-123.

Thornton, A. (2001). Does the Internet create democ-racy? Ecquid Novi, 22, 126-147.

Tilford, E. H., Jr. (1995). The revolution in military af-fairs: Prospects and cautions. Carlisle Barracks, PA:Strategic Studies Institute.

Vatis, M. A. (1998, February 10) Statement by MichaelVatis, deputy assistant director and chief of the Fed-eral Bureau of Investigation’s National Infrastruc-ture Protection Center (NIPC) before the SenateJudiciary Subcommittee on Terrorism, Technologyand Government Information. Retrieved May 3,2007 from http://www.fas.org/irp/congress/ 1998_hr/98061101_ppo.html


Vatis, M. A. (2001). Cyber attacks during the war on ter-rorism: A predictive analysis. (Working Paper).Hanover: Institute for Security Technology Studies atDartmouth College. Retrieved May 3, 2007 fromhttp://www.ists.dartmouth.edu/analysis/cyber_a1.pdf

Verton, D. (2004, October 1). Nation’s cybersecuritychief abruptly quits DHS post: ‘I’m not a long-termgovernment kind of guy,’ says Amit Yoran.Computerworld. Retrieved May 3, 2007 fromhttp://www.computerworld.com/managementtopics/management/story/0,10801,96369,00.html

Wæver, O. (1995). Securitization and desecuritization.In R. Lipschutz (Ed.), On security (pp. 46-86). NewYork: Columbia University Press.

Wallace, C. (2002, September 16). Will next terror at-tack be electronic? Experts fear terrorists may attackthrough cyberspace. ABC News.com. Retrieved May3, 2007 from http://abcnews.go.com/WNT/story?id=130108&page=1

Walt, S. (1991). The renaissance of security studies. In-ternational Studies Quarterly, 35, 211-239.

Watson, D. L. (2002, February 6). The Terrorist ThreatConfronting the United States, Statement for the Re-cord of the Executive Assistant Director on Counter-terrorism and Counterintelligence, Federal Bureauof Investigation, before the Senate Select Committeeon Intelligence, Washington, DC. Retrieved May 3,2007 from http://www.fbi.gov/congress/congress02/watson020602.htm

Weimann, G. (2004a, March). www.terror.net. Howmodern terrorism uses the Internet. (United StatesInstitute of Peace, Special Report 116).Washington,DC: United States Institute of Peace.

Weimann, G. (2004b). Cyberterrorism–How real is thethreat? (United States Institute of Peace, Special Re-port 119). Washington, DC: United States Instituteof Peace.

Wilson, C. (2003, October 17). Computer Attack andCyber-terrorism: Vulnerabilities and Policy Issuesfor Congress (CRS Report for Congress, RL32114).Washington, DC: Congressional Research Service.

Wilson, T. R. (2000, February 2). Military threats andsecurity challenges through 2015. Statement beforethe Senate Select Committee on Intelligence given byVice Admiral Thomas R. Wilson Director, DefenseIntelligence Agency. Retrieved May 3, 2007 fromhttp://www.fas.org/irp/congress/2000_hr/000202-wilson.htm

Winner, L. (1977). Autonomous technology: Technics-out-of-control as a theme in political thought. Cam-bridge MA: MIT Press.

Received: 01/05/2007Revised: 04/30/2007

Accepted: 05/06/2007

doi:10.1300/J516v04n01_03


JITP4-1 Cyber Terror Cavelty

Documents

Transcript of JITP4-1 Cyber Terror Cavelty