Quality of Governance and Cybersecurity

(1)

Quality of Governance and Cybersecurity

A quantitative study into Securitization-theory and Cyberspace

Tobias Calås

Political Science C (Bachelor Thesis) Department of Government

Uppsala University, Spring 2019 Supervisor: PhD Lina M. Eriksson Words: 13947

Pages: 64

(2)

Abstract

Does the Quality of Governance correlate with the outcome of a state´s Cyber- securitization? This study shows that it apparently does.

Cybersecurity is of great concern for many countries in the world. This study however finds that government level of commitment towards Cybersecurity necessarily don’t equal outcomes of actual security. With this insight, this study instead interprets observed security commitments through the theory of Securitization from the Copenhagen School of International Relations.

Quantitative methods and linear regression analysis are used to show that Qual- ity of Governance, in the form of bureaucratic efficiency, is important for a positive outcome of a Securitization process conducted in the form of Cybersecurity governance.

In the process, this study also responds to previous researches call for methodological diversity and empirical data regarding both Securitization theory as well as Cybersecurity research.

In sum, the contribution of this thesis is the importance of Quality of Govern- ance for state Cybersecurity. This is complemented by empirical findings on that outcomes, in the form of political commitments to Cybersecurity, don’t necessarily correlate with actual conditions of security in Cyberspace.

(3)

(4)

Lists of tables and figures

Table 1. Distinct concepts of Security within International Relations………….19

Table 2. Top five countries, number of Botnet infections………34

Table 3. Top five countries, percentage of Botnet infections………...35

Table 4. The dependencies of the number of Botnet infections………36

Table 5. The dependencies of Securitization Outcome……….45

Table 6. Statistical variables used in this study and their characteristics………..61

Figure 1. Balzacq´s structure of Securitization……….26

Figure 2. Proposed model of causal mechanism………...27

Figure 3. The hypothetic relationships of variables………..29

Figure 4. Scatterplot between QoG and Securitization outcome………..43

Figure 5. Marginal Effects of Quality of Governance………..46

Figure 6. Country plot………...64

(7)

1. Introduction

The term Cyberspace was first coined in a 1982´s short story by science-fiction writer William Gibson. It was then defined as:

“A consensual hallucination experienced daily by billions of legitimate operators, in every nation […] a graphic presentation of data abstracted from every computer in the human system”¹

The term soon went from fiction to fact and the US Department of Defence even- tually came up with its own somewhat more strict definition:

“The global domain within the information environment consisting of the interde- pendent network of information technology infrastructures, including the internet, telecommunications networks, computer systems, and embedded processors and controllers”²

Regardless of description, the cyberspace of today is broadly defined as the space which includes the infrastructure accessible via the Internet. Hence, it’s not just about the Internet, although it is regarded to constitute the most prominent part of it.³

Information technology like the Internet has become a driver for globalization and development. Time and space have shrunk due to the evolution of our new ways to communicate. This has led to a rapid increase in global human interactions, financial transactions, and international cooperation that all have become possible and easy to undertake.⁴ The Cyberspace of today is therefore described as central to us as individuals, both privately and professional. The same goes for the states we

1 Singer, Friedman, Cybersecurity and Cyberwar, 2014 p. 2

2 Ibid p. 3

3 Lewis, James A., Securing Cyberspace, A New Domain for National Security, 2012, p. 225

4E.G. Carayannis et al. (eds.), Cyber-Development, Cyber-Democracy and Cyber-Defense: Challenges, Op- portunities and Implications for Theory, Policy and Practice, 2014 p. 320

(8)

live in. They are too becoming more and more dependent on this no longer novel technology.⁵

The dependency is new however, and for states it has specifically created new potential threats and weaknesses. Each state within the international system has had to find a way to cope, identifying and mitigating threats and vulnerabilities to the best of their abilities.⁶ This is done through cybersecurity governance that strive to attain an adequate level of national cybersecurity. Some states not only seek protection and the abilities to defend their societies and its essential digital infrastructure, but also ways of prosecuting national- and international policies through information-technological means.⁷

There also exists a dichotomy in the view of the Internet and Cyberspace. Some argue that it’s a place without borders where governments neither matter nor be- long. In contrast, others view it as if every component that makes up the Internet, every router every switch and every node, in fact is located within the sovereign territory of nation states. This study’s position is firmly placed in the latter of these views as will soon be evident.

Concern has also been raised that some proposed security measures of states offer dual-uses that also can be used to promote authoritarian control and human rights abuse.⁸ The sovereignty of states has regardless expanded onto the Internet, in a new type of governance that is described as both shaping global security as well as the international system.⁹

A lot of political focus on cybersecurity has during the last years however mostly been aimed at social media as well as computer aided interference in dem- ocratic elections. Beyond these perpetrated information operations and new facets of political campaigning, there exists a more materialistic reality. A reality where the effects of our dependency on cyberspace during the last years can be argued to have been well and truly tested.

5E.G. Carayannis et al. (eds.), Cyber-Development, Cyber-Democracy and Cyber-Defense: Challenges, Op- portunities and Implications for Theory, Policy and Practice, 2014 p. 260

6Ibid p. 259

7Stevens, Tim, “Global Cybersecurity: New Directions in Theory and Methods”, Politics and Governance, 2018 p. 1

8 Singer, Friedman, Cybersecurity and Cyberwar, 2014 pp. 183-185

(9)

One such event was the massive ransomware campaign called WannaCry, which impacted computer systems globally on May 12^th, 2017.

In a matter of hours over 300.000 computer-systems in over 150 countries had their content encrypted. This was done by a then unknown culprit who demanded 300 USD in bitcoin ransoms for each computer belonging to its victim if they ever wanted their information accessible again.¹⁰

WannaCry was facilitated by the public disclosure of what is stated to be intrusion tools stolen from the US National Security Agency (NSA), by an anonymous actor calling itself the Shadowbrokers.¹¹ These tools made all unpatched Windows systems open for a type of network intrusion which the WannaCry attack exploited, spreading like a virus from one infected system to another without the need of human interaction.

The rapid spread of WannaCry was thankfully soon interrupted by a then 22- year-old British citizen. On his own initiative he registered a web domain that ena- bled a kill-switch for WannaCry, initially stopping the spread giving victims time to patch their systems.¹² He was later that year arrested on unrelated charges by US authorities and has in 2019 also plead guilty of developing malware used to acquire access to online banking apps.¹³ For the WannaCry attack however, the US department of Justice has indicted a North Korean citizen working for the North Korean regime. The indictment also included charges for a successful online heist of 81 million USD from the Central bank of Bangladesh in 2016, along with intrusions and thefts of data from large American and Japanese companies as well as defence contractors. ¹⁴

In the “Oxford Handbook of International Relations” Robert Keohane lists six big questions that need to be studied more by the academic world. One of these questions is the implications that the Internet has on world politics.¹⁵

10 United States District Court for the Central District of California, AO 91 (Rev. 11/11) Criminal Complaint, 2019

11 Shane, Perlroth, Sanger “Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core”, New York Times, 2017

12 Arghire, Ionut, “Patched WannaCry Ransomware Has No Kill-Switch” Security Week, 2017

13 Arghire, Ionut, “"WannaCry 'Hero' Marcus Hutchins Pleads Guilty to Creating Malware” Security Week, 2019

14 Tung, Liam, ”Sony 2014 breach linked to $81m Bangladesh Bank cyber heist”, ZDNet, 2016

15 Reus-Smit, Christian; Snidal, Duncan, The Oxford handbook of International relations, 2010 p. 712

(10)

With WannaCry as an example, one apparent implication is that secret weapons of a superpower can be available for free online. This can enable a fragile nation- state to try and ransom all the worlds computer owners for money, an action which in turn can be interrupted by a private individual that turns out to be a cybercriminal.

It reads like a plot from a cheesy Hollywood script, but it is the apparent reality that affects both domestic- as well as international relations.

As for the alleged stolen NSA tools, they sadly had an even greater impact roughly two months later, in what is considered to be the most destructive and costly cyber-attack so far.¹⁶ This attack was named NotPetya and has been regarded as the work of the Russian military services by among others, the US and UK governments.¹⁷

Leveraging a small breach into a Ukrainian software company, an attack was orchestrated on 27^th of June 2017. The attack resulted in costs estimated to several billions of USD globally. Shipping giants, pharmaceutical companies and a diverse mix of businesses worldwide saw their operations grind to a halt when vital computer systems suddenly stopped working.¹⁸ In Ukraine, NotPetya made 10% of the country’s computers useless in a matter of hours. Hospitals, six power companies, two airports, more than 22 Ukrainian banks and card payment systems as well as practically every federal agency got their computer systems wiped and unusable.

The Ukrainian minister of infrastructure, Volodymyr Omelyan, has summarized the situation as that the Ukrainian government effectively: “went dead”.¹⁹ It’s worth to keep in mind that all of this destruction happened in a time of relative peace, i.e.

outside of open conflict.

The insurance company Lloyds has calculated a cost estimate on hypothetical scenarios: such as if attacks like WannaCry, or NotPetya would manage to take down a cloud- or manged service provider. They estimate that the immediate economic losses could exceed 53 billion USD for businesses worldwide.²⁰

16 US White House, Statement from the Press Secretary, 2018

17 UK Foreign Office, Foreign Office Minister condemns Russia for NotPetya attacks, 2018

18 Palmer, Danny ”NotPetya malware attack: Chaos but not cyber warfare” ZDnet, 2018

19 Greenberg, Andy “The Untold Story of NotPetya, the Most Devestating Cyberattack in History” Wired Magazine, 2018

20 Lloyds, Extreme cyber-attack could cost as much as Superstorm Sandy, 2017

(11)

It’s however not only attacks that are costly. Security and protection against these kinds of threats is even bigger business. The research and advisory firm Gart- ner for example asses that just the private spending on cybersecurity alone this year (2019) will exceed 124 billion USD globally.²¹ In light of such enormous costs, I argue that it, on one hand is of utmost relevance to study what governs the outcomes of such huge investments into state cybersecurity. On the other hand, I argue that its equally important to understand nation states endeavours to create security in this digital infrastructure we all have become so reliant on.

Inspired by Robert Keohane’s call for social science to engage in the examina- tion of what the implications of Internet on world politics may be, and given the resources that are spent on Cybersecurity alone, this thesis poses the following re- search question: Does the Quality of Governance correlate with the outcome of a state´s Cyber-securitization?

21 Gartner, Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019, 2018

(12)

2. Previous research

Theories regarding cybersecurity and international relations are in existing academic literature described as sparse. This is in part attributed to that Cybersecurity is a new field of study.

Joseph Nye for example draws parallels to the existing Cybersecurity research from the time when Nuclear weapons entered into the field of international politics, partly turning many previous theories upside down. The lessons learned then, was according to Nye, that an ongoing technological change will complicate early efforts at strategy- and theory development. Another lesson learned was that any theories based on the impact of a new technology initially will lack adequate empirical content.²²

One could disagree somewhat with this analogy. Firstly, the world only has nine nuclear armed powers, while the power of the Internet in turn is available to all nations of the globe. Secondly the Internet and its security are from a technical viewpoint literarily made of empirical data, which all is readily available for research. This does however not downplay the problem of the current lack of scien- tific theories on the subject matter.

Tim Stevens has of late produced a paper that sums up fairly recent and relevant research in the intersection between cybersecurity and international relations. Cy- bersecurity research is in his paper described to have emerged from obscure technical origins into something that now is of major political concern for states, mul- tilateral organizations, businesses and civil society alike. Stevens does just like Nye point out the lack of theories but does also stress an absence of diversity in methods used to comprehend the subject. One cause for the current research situation is described as a direct consequence of an ongoing struggle to regulate and govern the complex landscape of global cybersecurity.²³

Cybersecurity studies have from the start been oriented on solving policy problems at the expense of theory-building and methodological innovations. The rapid

22 Joseph S. Nye, Securing Cyberspace - A New Domain for National Security, 2012 pp. 25-30.

23Stevens, Tim, “Global Cybersecurity: New Directions in Theory and Methods”, Politics and Governance,

(13)

rise as a concept within International Relations have also hindered the creation of consensus on definitions, which in turn have led to problems of researchers agreeing on even basic premises of what cybersecurity actually means and what it entails to be efficient. One positive outcome of the current state of research however is that such an unsettled field offers a lot of opportunity’s and productive engagement for academics.²⁴

Since studies of Cybersecurity in political science and international relations are scarce. Its thus not surprising that previous research has not yet examined if the Quality of Governance (QoG) for example interacts with the outcome of Cyberse- curity in a state. However, there exists related research that focuses on QoG regarding other outcomes concerning both infrastructure development as well as climate protection. Studies have for example shown that outcomes of physical-infrastructure development are more dependent on the QoG in the state conducting the development than on the rate of investment and economic growth. Findings have also suggested that the returns of infrastructure-investment are strengthened by the presence of adequate government institutions, both for developed and developing countries. In other words, the quality of infrastructures seems to be promoted by the QoG.²⁵²⁶ Can the same principle of QoG be applied to a state´s development of its own national digital-infrastructure and in particular the security effort for it?

In other words: Does the Quality of Governance correlate with the outcome of a state´s Cyber-securitization?

To the best of my knowledge, this is an open question yet to be answered by research. This question also constitutes the main research question of this study.

Outcomes of security in this context will be operationalized by the ITU Global Cy- bersecurity Index (ITU GCI). This index is developed and compiled by the Interna- tional Telecom Union (ITU). The index is meant to measure and describe the outcome of each of its 194-member states²⁷ commitment to Cybersecurity. What the

24 Ibid pp. 2-3

25 Crescenzi, Cataldo, Rodriguez-Pose, “Government Quality and the Economic returns of transport infra- structure investment in European regions”, Journal of Regional Science, 2016 pp. 555-582

26 OECD, Towards a Framework for the Governance of Infrastructure, 2015

27 ITU, List of ITU Member States, https://www.itu.int/en/ITU R/terrestrial/fmd/Pages/administrations_mem- bers.aspx, 2019

(14)

term Securitization entails, is covered in the next section, which provides the theo- retical framework for this study.

(15)

3. Theoretical Framework

3.1 Realism theory and Cyber threats

This study will be partly rooted in the realist theory of International Relations. The main tenants from this theory that will be used, is the understanding of the international system as an anarchy, in which the principal actors are the nation-states.

These actors are seen as primarily driven by self-interest and their own fight for survival.²⁸ Even though there exist many diverse theoretical schools within realism theory, the common signature argument for all realist schools are that the ever-present anarchy renders security problematic and a potential underlying cause for conflict and hardship between states.²⁹ The impact this has on Cybersecurity can be described by a quote form Hans Brechbül:

“In a networked world, there are no real safe harbours—if you are on the network, you are available to everyone else on the network. A key consequence is that secu- rity is not the concern of someone else”³⁰

Cyber-threats should according to realist theory be treated as classical security threats. An attack with so called cyber-weapons has the same possibility to weaken a state and diminish its relative power against other states like with any more classical choice of weapon.³¹ One main difference that Cyber-weapons however have is that they can take control of parts of the attacked state, its digital-infrastructure consisting of its connected computer systems and servers. By doing so not just causing disruption and destruction, but also challenge the sovereign control of the attacked state.³²

The object for this study will hence cover how states that in their best self- interest strive for security in the realm of Cyberspace. This study does not in any

28 Reus-Smit, Christian; Snidal, Duncan, The Oxford handbook of International relations, 2010, p. 133

29 Ibid p.135

30Brechbühl, Bruce, Dynes, Johnson, “Protecting critical information infrastructure: Developing cybersecu- rity policy”, Information Technology for Development, 2010, pp. 83–9

31Hanna Samir Kassab, Cyberspace and International Relations – Theory, Prospects and Challenges, 2014 p. 63

32 Ibid p. 64

(16)

way however assume that nation-states are the best actor to cope with cybersecurity.

They are nonetheless the political unit chosen as the object for this study.

3.2 Security Studies and Securitization

The exception to the rule of the previously described lack of theoretical framework, is the evidence of an established literature regarding Securitization theory and Cy- bersecurity. The following section will therefore briefly explain Securitization before examining existing research that employs this theory on cybersecurity.

The study of security in international relations is covered by the sub-discipline called security studies. This discipline covers the study of the international security system and the theories that has spawned form the nature of that system.³³Security in the field of international relations was initially purely a matter for state actors and did only concern the employment of military power. Kenneth Waltz for example saw the state as the sole and primary unit of analysis on the subject. This narrow view of security began to be challenged and widened during the late 1980s. Richard Ullman defined national security as anything that interferes with the autonomy of the state and the degradation of human life. His point being that it was what the state was supposed to protect that had to define what security was, not the state itself.³⁴

Referent objects is a central theme in security studies and implies the things that are seen to be existentially threatened and that have a legitimate claim to survival. How wide and loose the concept of security can be before it loses its distinc- tion is though debated. What security actual necessitates is also questioned. Within this debate Securitization theory was brought forth.

The Securitization theory was developed at the end of the cold war by Barry Buzan, Ole Weaver and Jaap de Wilde as a part of the so-called Copenhagen School of international relations.The theory does not deal with security directly or try to define it, instead the focus lies on a process which they termed Securitization. The

33 Reus-Smit, Christian; Snidal, Duncan, The Oxford handbook of International relations, 2010 p. 572

34Hanna Samir Kassab, Cyberspace and International Relations – Theory, Prospects and Challenges, 2014 p.65

(17)

Securitization process is used by an authority, also known as a Securitizing actor, to frame an issue as a threat in order to justify enacting security measures to protect against it.³⁵

Securitization theory sees security in international relations as something that is socially constructed inside a state by actors that makes what is termed as a Secu- ritizing move. This move is done mainly through what´s called a Speech-act in which an issue gets presented before an audience in such a way that it poses an existential threat to a particular referent object^.36

What constitutes a threat can in other words be constructed by the Securitizing actor with the acceptance of an audience. Speech in Speech-act doesn't have to be vocal and is instead handled and executed according to accepted conventional procedures of communication.³⁷

An issue that isn’t securitized at all according to Securitization theory starts as nonpoliticized. A nonpoliticized issues is neither a part of the public debate nor affected by political decisions. Internet as we know it began nonpoliticized in 1989 with the creation of the World Wide Web, a service developed to meet the demand for automated information-sharing between scientists in universities and institutes around the world.³⁸

If the need arises to control a previously nonpoliticized issue it will through political discourse get moved to the politized area. A politized issue is something that the state deals with and requires government decisions as well as specific re- source allocation. In Sweden, the Internet probably got politized in 1994. This was the year when two heads of state, Bill Clinton and Carl Bildt for the first time sent an e-mail to each other. The same year the Swedish government also started to al- locate billions in funding to national internet development.³⁹

A politized issue becomes securitized when it is presented as under existential threat and requires security measures that are justified outside the bounds of normal political procedures.

35Richards, Julian, A Guide to National Security: Threats, Responses and Strategies, 2012 p.10

36Buzan, Weaver, de Wilde, Security: A New Framework for Analysis, 1998 pp. 24-25

37Ibid pp. 46-47

38 Pew Research Center, World Wide Web Timeline, 2014

39 Lafrance, Adrienne “The Truth About Bill Clinton´s email” The Atlantic, 2015

(18)

For Sweden one of the latest such securitization moves of the Internet comes from the EU, where securitization now is described to be happening on the supra- national level. In the wake of GDPR the member states in the EU have accepted a Securitization move in the form of the NIS-directive (Directive on Security of Net- work and Information Systems). The speech-act of Securitization conducted by the EU regarding the need for more security of the internet, contains both existential threats and a high degree of urgency:⁴⁰

“A failure to protect the devices which will control our power grids, cars and transport networks, factories, finances, hospitals and homes could have devastating consequences and cause huge damage to consumer trust in emerging technologies.

The risk of politically-motivated attacks on civilian targets, and of shortcomings in military cyber defence, deepens the risk still further”.⁴¹

When Buzan first described the theory of Securitization, he mentioned that Secu- ritization possibly one day could occur within the computer field.⁴² A lot of evidence points to that this now surely must have happened. ⁴³

Treating something as a security issue is in Securitization theory always a matter of political choice. The reason to make this choice and conduct a securitization move is done by an actor to shape policy, gather support and create justifications for actions that otherwise shouldn’t have been neither preferred nor accepted. Such actions can include limiting personal freedoms or redistributing resources like funding allocated elsewhere.⁴⁴ The stated need to act on an issue in the name of security will in other words bring policy beyond political discourse into the realm of national security with what that entitles.

With the use of a constructivist framework, the Copenhagen School effectively thus avoids the need to provide any objective interpretations of classical security

40Christou, George, “The collective securitisation of cyberspace in the European Union”, West European Politic, 2019 pp. 279-280

41 European Comission, Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, 2017

42 Buzan, Weaver, de Wilde, Security: A New Framework for Analysis, London, 1998 p.25

43Christou, George, “The collective securitisation of cyberspace in the European Union”, West European Politic, 2019 pp. 278-301

44 Buzan, Weaver, de Wilde, Security: A New Framework for Analysis, 1998 p.23

(19)

related subjects like threats, vulnerabilities, and different modes of defence and attacks. The theory of Securitization generalizes all these elements that constitutes traditional approaches to national security. This generalization opens the possibility to utilize the theory for other types of threats besides classic military ones, since just about anything can be framed as a threat that needs security to counter it.⁴⁵ In the words of Buzan and Weaver:

“Security is the move that takes politics beyond the established rules of the game and frames the issue either as a special kind of politics or as above politics”⁴⁶

For better clarity of what this entails, Table 1 below shows the main three episte- mological distinctions of Security in the forms of Objective-, Subjective and Dis- cursive concepts.

Table 1. Distinct concepts of Security within International Relations⁴⁷

Objective conceptions Subjective conceptions Discursive conceptions The absence/presence of

concrete threats

Usually defines security in relative material terms

The feeling of being threatened or not

Emphasises social context, history and the psycholo- gies of fear and (mis)per- ceptions

Maintains an objective reference

Security cannot be defined in objective terms

Security is a speech-act

Focuses on intersubjective process through which

“threats” manifest them- selves as security problems om the political agenda

This study will later on return to the difference of Objective- and Discursive concepts of security when it comes to interpreting the International Telecom Union´s (ITU) Global Cyber Security Index (GCI). The ITU claims that the GCI represents the Cybersecurity commitment taken by its member states. For its use in this study this measured level of commitment will be tested to see if it correlates with one characteristic of objective security. The chosen aspect will be the absence of

45Nissbaum, Helen, “Where computer security meets national security”, Ethics and Information Technology, 2005, p 66

47 Buzan, Hansen, The evolution of International Security Studies, 2016 p.34

(20)

objective Cyber threats in each state, operationalized by the presence of so-called Botnet infections, explained further on.

If the observed commitment to Cybersecurity don’t correlate with objective security in this test, it will be viewed through the theoretical lens of Securitization.

Security commitments will be viewed as the observable outcome of a Securitizing move. Doing so will tie this study to an established theory and open up for generalization of its results, without the need to objectively define what constitutes security.

3.3 Securitization and Cybersecurity

One frequently referenced article regarding Securitization and Cybersecurity is

“Digital Disaster, Cyber Security, and the Copenhagen School” by Lene Hansen and Helen Nissbaum. In it they adopt the framework of Securitization theory on the subject of Cybersecurity. Hansen and Nissbaum perceive Cybersecurity as a distinct sector of security due to its particular constellation of threats and referent objects.

They also differentiate Cybersecurity in two parts that are termed as Network Secu- rity and Individual Security.

Network Security relates to the technical aspects of the Internet. This includes the everyday practise of security done by private organizations, businesses, government agencies and individuals.⁴⁸ Network Security can be understood as technical measures taken to ensure confidentiality, integrity and availability in internet and computer usage.

Individual Security in turn relates to human security, the freedom and protec- tion of us as individuals, and how threats towards our usage of the Internet in turn can affect us. These both aspects are seen as connected to the larger referent objects of national security when it concerns the state, its society and economy. Cyberse- curity is thus regarded as linked to state or regime security.⁴⁹

Hansen and Nissbaum also points out that it takes an interdisciplinary discussion with among other Computer Science in order to follow and assess

48 Hansen, Nissbaum, “Digital Disaster, Cyber Security and the Copenhagen School”, International Studies Quarterly, 2009 p.1165

(21)

Securitization and how it relates to cybersecurity. They state that the technical un- derpinnings of what constitutes cybersecurity requires that scholars in international relations acquire knowledge and familiarity with its methods and the dilemmas or possibilities these include. ⁵⁰

Securitization studies of cybersecurity are seen as primarily aimed at the discursive construction of cyber-threats and security. It also focuses on the tension between the political claims and the objective conditions that security refers to.⁵¹ The theory of Securitization is thus seen as a framework for analysis, an empirical theory and a theory on security that enables researches to challenge the notion of the objectivity of security threats.⁵²

Building on Hansen and Nissbaum’s work, this study will focus on the Network security of cybersecurity. It will also implement certain aspects and data from com- puter science where applicable. This study will also briefly cover the difference between political claims and the objective conditions of cybersecurity.

3.3.1 How to measure Securitization

The prescribed analytical method for the study of Securitization theory is discourse- analysis. The researcher reads texts central to a potential securitization actor and try to locate a specific rhetorical structure in the discourse that would indicate a securitization move. This can be framing of threats and calls for security measures to be taken. Implementing such an approach on a global scale would be cumbersome. It would require the analysis of 194 different national security strategies pertaining cybersecurity or threats to information or communications technology. The col- lected data would also be difficult to analyse beyond a nominal scale level, only concluding that an actor is speaking security i.e. if it is conducting a securitization move or not.

51 Stevens, Tim, “Global Cybersecurity: New Directions in Theory and Methods”, Politics and Governance, 2018 p. 2.

52 Guzzini, Stefano, Securitization as a causal mechanism, Security Dialogue, 2011 p. 332

(22)

A study by Stéphane Baele and Olivier Sterck on the Securitization of immigration within the EU, have however used quantitative methods to measure the level of Securitization by counting the presence of different words in legislative texts.⁵³ This might be a valid method when analysing one actor. When studying many different state actors from the same discursive lens, it would likely bring a serious validity problem, since discourse regarding security likely has different shape and forms in different parts of the world. When the government of Myanmar conducts its speech-act of security it will differ from when Estonia does the same, based on culture, history and general context.⁵⁴

To come around these problems, the operationalization of the of Securitization is in this study borrowed from research on environmental security by Yan Bo. He instead focuses solely on outcomes and operationalized the level of Securitization regarding environmental security as:

“Do the securitizing moves of climate change advance international and national efforts to address climate change?”⁵⁵

In his research Bo argues that outcomes are the most meaningful variable to measure in regard to Securitization. He particularly points out that a discursive analytical framework that focusses on language and audience risk to be too Eurocentric and miss how different states work socially. This kind of operationalization also has support in the research by Stefano Guzzini that has proposed to use Securitization as a casual mechanism for security. Guzzini states that all matters of security must have included a Securitization process. With that logic it's possible to use securitization in empirical explanations for security and vice versa.⁵⁶

53 Baele, Sterck “Diagnosing the Securitisation of Immigration at the EU Level: A New Method for Stronger Empirical Claims.” Political Studies, 2015 pp. 1120–39

55 Yan, Bo, “Securitization and Chinese Climate Change Policy”, Chinese Political Science Review, 2016 p.99

(23)

3.4 Cybersecurity governance

The explanation of Cybersecurity governance is in this study is borrowed from Michel van Eten. He defines Cybersecurity governance as policy-driven control over Internet resources, systems and services. Control in Cybersecurity is described as closely tied to the ownership of the resources which constitutes the systems and services that makes up the Cyberspace. This is for governments in turn problematic since most of these resources are both privately owned and operated by businesses or individuals. Governments can however control the policies and mechanism which governs the controlling owners, creating constraints and incentives for the owners to shape their security or apply Cybersecurity measures.⁵⁷

As an example, the government can’t force you to update the software you are using nor prevent you from reusing your same old password for all your online accounts. It can however make you aware of threats and promote Cybersecurity awareness that will make you conscious of such dangers.

Van Eten also points out that much of the Cybersecurity governance that is being studied, because of this relationship in fact are security discourses rather than actual security measures. The observables of the Cybersecurity governance are in part because of this described as Securitization.⁵⁸ If the government lacks control over the referent object, its only choice is to conduct securitization in order to shape policy, gather support and create justifications for actions that otherwise shouldn’t have been possible and out of its reach.

On the subject of Cybersecurity governance, Stephanie Simon and Marieke de Goede have done a study of what they term Bureaucratic vitalism and how it in turn affects cybersecurity. Bureaucratic vitalism is a phrase that is seen as a desire for vitality and flexibility that they perceive as important for effective Cybersecurity governance. They distinguish Cybersecurity practice as having inherent complexity as well as a lively nature and that bureaucratic principles must be able to handle these challenges effectively. Based on studies they also mention that bureaucrats

57 van Eeten, Michel, "Patching security governance: an empirical view of emergent governance mechanisms for cybersecurity", Digital Policy, Regulation and Governance (2017), 2017 p. 443

58 Ibid p. 446

(24)

handling Cybersecurity may not actually be doing what they say or believe that they are doing due to the inherent complexity.⁵⁹

It is to summarize apparent that bureaucracy is central and important when it comes to nation-state Cybersecurity governance. Previous research also makes it clear that governance of Cybersecurity in large parts only exists in the shape of security discourse. Since Securitization theory is based on a discursive concept of security it makes it an applicable theoretical framework for the subject.

The next section will therefore cover what governs Securitization in a state and also explore how this process relates to bureaucratic efficiency measured as a form of Quality of Governance.

3.5 How could Quality of Governance affect Securitization

Quality of Governance (QoG) is a concept within political science that uses quantitative means to study qualitative aspects of government and how these in turn affect other factors. QoG studies are based on several acclaimed and often used in- dexes that measure different aspects of QoG. This study will focus on the effective- ness of bureaucratic institutions as a measure of QoG.

Buzan states that one criterion for a successful securitization is that the actor executing the speech-act holds a position of authority. This is in turn defined by that the actor demonstrates a high level of social capital among its audience.⁶⁰ Stud- ies conducted on QoG have found that governments with high social capital in them show higher levels of QoG and that it exists a relation between the two variables.^61,62 Accordingly, one can based on this argue that a state with good QoG would be able to promote successful securitization as well as Cybersecurity governance. This leads to the first hypothesis of this thesis:

59 Simon, de Goede, “Cybersecurity, Bureaucratic Vitalism and European Emergency”, Special Issue: Govern- ing Emergencies, Theory, Culture & Society, 2015 pp.79-106

61 Knack, Stephen, “Social Capital and the Quality of Government: Evidence from the states”, American Jour- nal of Political Science, 2002 pp.772-785

62 Rothstein, Bo “Social Capital, Economic Growth and Quality of Government: The Causal Mechanism”, New

(25)

H1: The Securitization Outcome of a state is dependent on the Quality of Govern- ance of a state.

Thierry Balzacq has developed a model that can be applied to advance this hypothesis further. Balzacq proposes a structure containing certain components aiming to make Securitization easier to understand and study. This structure is divided into (1) Political Agency, (2) Audience and (3) Context, which all are described to be needed in order to make securitization possible.⁶³

(1) Political agency is the capacity of the securitizing actor to frame its message correctly and being clear and convincing in reference to the current context.

(2) Audience relates to the audience´s frame of reference and its readiness to be convinced which in turn depends on if it perceives the securitization actor as trustworthy.

(3) Context describes the impact of the immediate situation and how it effects on how the securitizing move is interpreted by the audience.

Balzacq states that the emphasis or importance of each of these components can differ, but that they do all interact and the collective weight of them is required for a successful Securitization outcome. If the political agency is lacking in that the actor has limited ability to convince its audience, then the context for the audience of an immediate threat would have to be very clear and present in order for a successful Securitization to take place. The frame of reference and the Securitizing actor’s capacity can in other words be substituted for external forces in the form of threats.

63 Balzacq, Thierry, “The Three Faces of Securitization: Political Agency, Audience and Context”, European Journal of International Relations, 2005 p. 192

(26)

Figure 1. Balzacq´s structure of Securitization

Notes: This figure illustrates Balzacq´s structure of what governs Securitization.

3.6 Theoretical Argument

This section summarizes the theoretical arguments that will make up the framework of this study.

Firstly, van Eten´s description of nation-state Cybersecurity governance is seen as essential for this study. Since governments lack control of the majority of components and nodes that make up Cyberspace, their only option in order to enact security is to influence the respective owners of these components to take action.

This is explained as conducted through discourse that either encourages constraints or incentives regarding Cybersecurity. This discourse is understood as Securitiza- tion, wherein the cybersecurity governance represents the securitizing move.

Secondly, this study adapts Balzacq´s proposed components of how such a securitization move interacts with an audience. Balzacq´s variables are here interpreted as the mechanism for Securitization. This mechanism implies how the capacity of the Securitizing actor as well as the audience acceptance produces an outcome, which in turn is interpreted as the effect of the Securitization done within a state.

The input into this mechanism are the independent variable Quality of Govern- ance (QoG) that the outcome is dependent on. This variable is also is central for the research question of this study.

(27)

Figure 2. Proposed model of causal mechanism

Notes: This figure illustrates a proposed model of how the Independent variable Quality of Govern- ance, through a mechanism of Securitization, results in Securitization Outcome.

The model and mechanism above (Figure 2) provide hypothetical links between the independent variable and the dependent variable as suggested ways of causality on how Quality of Governance (QoG) through a Securitization process interact to produce Securitization outcome.

(1) Political Agency within the mechanism is the capacity for a government to frame its message in its security discourse. This is partly dependent on its bureaucratic capacity, as presented in previous research. A QoG variable that measures bureaucratic capacity is therefore in this study assumed to govern the capacity of Political Agency within a government and its political system. However, this is not being measured independently as it is incorporated into the measurement of QoG.

(2) Audience acceptance is based primarily on how trustworthy the Securitizing actor is perceived. Previous research shows that states with high QoG displays a high level of social capital and high trust in authorities and government functions.

(28)

This trust is in turn seen as created by efficient bureaucratic institutions. A QoG variable that measures bureaucratic capacity or efficiency would then in this model also be able to govern another component of Securitization in the form of Audience acceptance. However, as in the case above, this is also not being measured inde- pendently as it is incorporated into the measurement of QoG.

The (3) Context for the securitizing move is dependent on the current situation and how the Securitizing move is interpreted by the receiving audience. If the audience see importance in the referent object, which is stated as under threat, then they would show more acceptance towards the need for securing it. In the case of cybersecurity this study assumes that the Internet dependency in a society possibly could serve as a variable representing the audience context relative to the referent object. Therefore, this aspect of the mechanism is measured and operationalized as an independent variable. This results in the second hypothesis to be tested in this thesis:

H2: Quality of Governance interacts with Internet dependency in its effect on Securitization Outcome.

Balzacq´s three components are in other words the mechanism that the input variable in the form of QoG interacts via, to create the Securitization outcome. The mechanism is in this study also measured by the variable Internet dependency. To- gether the QoG variable and the variable Internet dependency, through the theorized interaction with the process of Securitization, produce an outcome in the shape of the final dependent variable seen as Securitization outcome.

(29)

Figure 3. The hypothetic relationships of variables

Notes: A state with higher political bureaucratic capacity also possess a higher institutional trust, which in turn would lead to a higher level of Securitization Outcome.

To sum up, two primary hypotheses have thus far been developed based on these theoretical arguments and are as follows:

H1: The Securitization Outcome in a state is dependent on the Quality of Governance of a state.

H2: Quality of Governance interacts with Internet dependency in its effect on Securitization Outcome.

Testing these hypotheses will be necessary to reach an answer to the main question of this study and conclude if the Quality of Governance correlates with the outcome of a State’s cyber-securitization

(30)

4. Research Design, Method, Operationalization and Data

This section covers the general design of the study. Initially the choice of method will be presented followed by selected data sources. Thereafter a short analysis is made to justify the operationalization of the ITU GCI as Securitization. In the pro- cesses this will highlight the difference between political claims and the objective conditions of Cybersecurity.

This is followed by a discussion and explanation of the other variables used.

Finally, any problems and limitations with the research design and its data will be presented.

4.1 Choice of Method

There is as previously stated a lack of methodological diversity concerning research of both securitization as well as cybersecurity in international relations. This study aims to do its small part in rectifying the situation.

Firstly, this study employs an established and well used theory in political science in the form of Quality of Governance. This theory is however applied on a new subject in the form of cybersecurity. Secondly, Securitization theory which traditionally is done through qualitative methods like discourse analysis, will instead be handled by statistical quantitative research with linear regression analysis.

Finally, the study will incorporate empirical computer science data. This is done to make the study of the subject-matter more relevant, and in the process answer previous researchers call for both lack of empiric data and an interdisciplinary discussion.

This study is intended to be a total survey where the sample size (n) will be as close to the whole population (N) of nation-states as possible. The reason for this is to be able generalize and increase the validity in the results⁶⁴. Cyberspace is also

(31)

inherently global in regard to network security. The plethora of possible threats are the same regardless from where you connect to it.

One of the assumptions when conducting linear regression is normality and that the error term is normally distributed. When normality isn’t present the data is said to present heteroscedasticity. This can in regression analysis be countered by em- ploying robust regression downweighing outliers and produce a better fit model than normal OLS.⁶⁵ Robust regression and robust standard errors was applied in the entirety of this study since it’s the recommended and more modern method of regression analysis.⁶⁶

All calculations have been made with R version 3.5.2 and the function lmrobfit in the robustbase library for robust regression analysis. Graphics and plots are done with ggplot and interplot.

4.2 Data Selection

This study utilizes the Gothenburg University Quality of Governance (QoG) dataset for independent and control variables. The International Telecom Union (ITU) Global Cyber Security Index (GCI) is where the dependent variable is derived from.

Data from the Computer Science field comes from the Spamhaus Project Compo- site Blocking List (CBL) and the Shodan Computer Search Engine. All included data-sources are described in detail in appendix 2.

4.3 Operationalization of Securitization

The study of Securitization has as mentioned traditionally been done through qualitative methods using discourse analysis as the primary research tool. This method is also prescribed by Buzan as a way to locate a specific rhetorical structure in the discourse that would indicate a securitization move. The aim of such discourse analysis is for the researcher to look for arguments that take a logical form to promote

65 Lewis-Beck, Lewis-Beck, Applied Regression: An introduction, 2016 p.28

66 Angrist, Pischke, Mastering Metrics – The path from cause to effect, 2014 p.97

(32)

security, namely the actors Speech-act.⁶⁷ If an issue is sufficiently important to merit the effort of Securitization, then the document prescribing it should be central to the actor's policies and strategies regarding security.⁶⁸

Previous research has as mentioned raised a need to diversify the methodological toolbox of Securitization theory beyond the classic discourse analysis. The primary reason for this is to be able to find determinants that either lead to success or failures of securitization attempts of certain issues

Based on previous research, a Securitization move is implied if a state shows commitment to security. The effort of such commitment regarding Cybersecurity is exactly what the ITU Global Cyber Security Index (ITU GCI) is meant to measure.

ITU is a United Nations specialised agency and an international regime that is re- sponsible for global issues concerning information and communications technologies.

The ITU created a “Cyber Security Agenda” in 2007 that focused on five pillars of Cybersecurity commitments among its 194-member states. The five pillars are;

(1) Legal, (2) Technical, (3) Organizational, (4) Capacity building and (5) Coop- eration. The ITU compiles results from the Cybersecurity efforts they observe in these pillars into a GCI score for each of its member state.

The (1) Legal pillar is described to be evaluated on the number of legal institu- tions and frameworks dealing with Cybersecurity and cybercrime.

ITU: s assessment of the (2) Technical pillar is based on the observed number of practical mechanisms that deals with Cybersecurity. This can be in the form of national bodies dealing with cyber incidents or government entities that can provide warning and recommendations.

The (3) Organizational pillar is according to the ITU evaluated based on the existence of institutions and strategies involving Cybersecurity development on a national level.

In regard to (4) Capacity building the evaluation is based on the observed num- ber of research and development, education and training programs dealing with

(33)

Cybersecurity. This pillar also evaluates the number of certified cybersecurity pro- fessionals as well as the number of public sector agencies present within a country.

The evaluation of (5) Cooperation is based on the number of partnerships, co- operative frameworks and information sharing network each country has access to that deals with Cybersecurity.

Each pillar is analysed by ITU experts based on member state questionnaires and primary- as well as secondary data collection. The results are compiled into a total GCI score that ranges from 0 to 1.

The ITU describe the commitment measured by the GCI in objective terms.

Based on the theoretical arguments about tensions between the political claims and the objective conditions that make up security its worth to examine what the GCI actually represents. To do so the ITU GCI will be tested to see if it correlates with an Objective concept of Security i.e. the absence of material threats. If it does, then this study could potentially take a more materialistic approach regarding its findings. Otherwise this study will handle the observed commitment to Cybersecurity in the ITU GCI as the outcome of a discursive concept of Cybersecurity governance.

4.3.2 Does the ITU Global Cybersecurity Index correlate with objec- tive security?

To reiterate, the ITU GCI measures the stated commitment of ITU members toward Cybersecurity. Do this commitment however bring with it any correlation with objective security measured as the absence of threats? To test this, the number of Bot- net infections within each state will be used to expose any correlation with the observed commitment in the ITU GCI.

4.3.3 What are botnets and how do they relate to Security?

Botnets are made up from individual computers infected with malicious software that make them controllable as a single network. These networks enable much of the internet’s cybercrime by allowing whoever controls them to harness their com- bined computational power. This power can be used to everything from sending

(34)

spam-mail to guessing passwords and breaking encryptions. Their most malicious use is however described to be distributed denial of service (DDoS) attacks wherein these nets of computers can overload a legitimate network with traffic at a rate which makes it go down. Estimates hold that as much as 30% of all internet traffic at any given time might be attributed to Botnets. Notable DDoS attacks include the attack that Estonia suffered in 2007 and then later Georgia in 2008, both activities are according to many sources regarded as Russian military operations. Between 2011 and 2013 Iran is described to have impacted the US financial sector with ongoing DDoS attacks as response to American sanctions. These have been estimated to have costed individual banks up 20 million USD a month to remedy. It does because of all this exists a lot of ongoing efforts to eradicate Botnets where government authorities cooperate with private initiatives and companies to make this hap- pen.⁶⁹ In 2017 Europol for example led an operation that took down a Botnet named Andromeda. At the moment of takedown Andromeda consisted of 2 million infected devices spread all over the globe.⁷⁰

This study uses actual numbers of botnet infections rather than for example the percentage of Botnets per capita or IP-allocations for a country. As shown in table 2 and 3 there are a large difference between the two measurements.

Table 2. Top five countries, number of Botnet infections

Country Number of Botnet infections in country

1. India 2541575 (4,82%) 2. China 1991960 (0,31%) 3. Vietnam 1065201 (3,21%)

4. Egypt 941154 (1,96%)

5. Iran 723102 (3,15%)

69 Council on Foreign Relations, Council Special report No.83 Zero Botnets – Building a Global Effort to Clean up the Internet, 2018

(35)

Table 3. Top five countries, percentage of Botnet infections Country Percentage of country IP-numbers infected

1. Syria 11,41% (129727)

2. Iraq 8,05% (69258)

3. Mongolia 5,54% (19273) 4. Cambodia 5,52% (21527) 5. Albania 4,86% (22248)

Notes: The percentage of infected computer is compiled by Spamhaus and derived from the total number of ICANN assigned IP addresses to each country. Actual botnet infection respectively per- centage numbers shown in parenthesis.

Botnets are to summarize a recognized threat which also can be objectively measured. It’s hard to argue against that it doesn’t constitute a threat if one’s computer is controlled by someone else for nefarious purposes. A high level of objective Cy- bersecurity in a state would thus theoretically have to lead to a low level of botnet infections.

A regression analysis was conducted in order to find out if the ITU GCI pre- sents any correlation with Botnet infections. The control variables used in the analysis is described in detail further on.

(36)

4.3.4 Regression Analysis

Table 4. The dependencies of the number of Botnet infections

Dependent varia- ble: Number of Botnet infections

(1) (2)

Securitization Out- come (ITU GCI)

1.29e+04**

(2.88)

2.51e+04*

(2.18)

Quality of Govern- ance

-7.22e+03*

(-1.93)

GDP per capita 2.73e-02

(0.18)

Military Spending 1.21e+03

(0.70)

Size of internet bor- der

3.44e-03***

(8.35)

(Constant) 3045*

(2.44)

1.46e+04** (2.74)

RobustStd.error 10600 14890

R² 0.118 0.511

Adjusted R² 0.112 0.494

N 174 174

Notes: Ordinary least square regressions. Figures are coefficients with t-value in parentheses. Sig- nificance: *** p < 0,01; ** p < 0,05; * p < 0,10.

4.3.5 Discussion of findings

In the first model (1) the relation between Botnet infections from the ITU GCI i.e.

the Securitisation Outcome is tested. The adjusted R² of 0.112shows us that the explanatory factor of the model is very low which should be considered. The Secu- ritization Outcome variable does however show a 95% statistically significant pos- itive relationship to the number of Botnets in a state.

Positive is however here the wrong outcome of a variable that represents the commitment Cybersecurity, i.e. actions taken to preferably lower the presence of Botnets, not increase it. The ITU GCI Index that ranks countries on their security

(37)

commitment does in this static model apparently not correlate with a lower number of botnets. In fact, it’s statistically significant that countries with higher scores in ITU GCI are plagued by higher numbers of botnet infections. The ITU GCI does in other words not a measure Objective security, at least not concerning the presence of Botnet infections.

When (2) these findings are controlled and isolated against other variables its statistical significance remains but is lowered to 90%.

The first thing to notice is that the model fit here jumps up to R²0.494 which indicates a better explanatory power. Also, worth noting is that Quality of Govern- ance (QoG) apparently correlates with the presence of infections at 90% statistically significance. The coefficient shows a negative substantive impact, which means the presence of fewer infections. High QoG seemingly correlate with better cybersecurity.

The size of a state’s Internet border shows the most significance at 99%. it’s however perhaps not surprising that the number of exposed devices correlates so strongly with the size of infection.

To summarize, there exists no observable positive correlation between the ITU GCI and security defined as the lack of objective threats (at least not concerning botnets). The ITU GCI variable and the commitments it represents will hereafter in this study be used to symbolize a discursive concept of security, as the outcome of a Cyber-securitization process. The significance of QoG is also worth noting.

4.4 Dependent and Independent Variables

4.4.1 ITU GCI – Securitization Outcome

The previous analysis of the ITU Global Cybersecurity Index (GCI) relating to botnets concluded that the GCI does not represent an objective measure of Security outcome. There evidently is a disconnect between political claims and the objective conditions of cybersecurity. This strengthens this study’s adaptation of the Securit- ization theory and the discursive view of security. Building on previous research on observables of Securitization has led to that the chosen operationalization for

Quality of Governance and Cybersecurity