Web Warfare. NATO, Cyber-attacks and Territoriality. André Liivakant UPPSALA UNIVERSITY. Bachelor thesis Political Science Fall Semester 2017

Transcription

1 Web Warfare NATO, Cyber-attacks and Territoriality André Liivakant Bachelor thesis Political Science Fall Semester 2017 UPPSALA UNIVERSITY Department of Government Supervisor: Kristin Ljungkvist Word Count: 12213

2 Table of content 1. Introduction Aim and Research question Background Cyberspace and Cyber Security The fragmentation of policies and definitions NATO Theory The widened security agenda Securitization theory Territoriality in the modern era Methodology Analytical framework Material Analysis What is the nature of a cyber-threat and how is it connected to territoriality? What is the referent object and how is it connected to territoriality? Does NATO express any concerns, regardning territoriality, in relation to the triggering of an Article 5 response to a cyber-attack? Concluding remarks Conclusion References

3 We have decided that a cyber attack can trigger Article 5, meaning that a cyber attack can trigger collective defence 1 Jens Stoltenberg, NATO Secretary general, 14 June Introduction NATO s concern regarding cyber-threats has grown over the past years. During the Wales summit in 2014 the member states agreed that cyber defence is part of NATO s core tasks of collective defence. This was also the first time when a link between Article 5 of collective selfdefence and cyber-attacks was established officially in NATO s outward communication 2. At the Warsaw summit, two years later, NATO decided to recognise cyberspace as a domain of operations in which it must defend itself as effectively as it does in the air, on land, and at sea 3. The Article 5 response to cyber-attacks has also been reaffirmed on several occasions and the wording has shifted from a more speculative tone, could, to a more affirmative one, can (see footnote) 4. The notion of cyber-threats has become well-established not only within NATO but among scholars and a range of other actors as well. Ever since the first war of cyber that took place in Estonia in , cyber capabilities have received much attention worldwide. Significant resources have been invested in developing national capacities to respond to threats and vulnerabilities. Military doctrines for both defensive and offensive purposes have been drafted. Within the field of security, cyber related issues are considered to be most pressing national security issues. States and governments generally find that the internet and information and communications technologies (hereafter ICT s) are essential for economic and social developments 6. At the same time, there are no universal definitions of what really constitute breaches of security. 1 Press Conference 14 Jun Tosbotn (2016), p NATO (9 Jul 2016) 4 the risk of a large-scale attack on NATO s command and control systems or energy grids could readily warrant consultations under Article 4 and could possibly lead to collective defence measures under Article 5 NATO (17 May 2010) And I would like to start by telling you that NATO has made it clear that we did that last fall that a cyberattack can trigger Article 5 or our collective defence NATO (31 Mar 2015) 5 Hansen & Nissenbaum (2009), p Kasper (2014), p

4 Current research focuses mostly on the complexities that arise from the interconnectedness, that characterizes cyberspace, and the evaluation of cyber-attacks. Questions regarding key principles of proportion, distinction, attribution are highly debated and occupy a great deal of the academic discussion. What distinguishes the cyber domain from other domains are the risks it poses for different sectors (such as military, political, economic and societal) and referent objects (the state, non-state actors, companies and individuals). Even though existing research makes many valid points, it tends to approach cyber related issues from a philosophical angle, emphasizing potential worst-case scenarios, and less often examine or describe real cases. Three incidents during the past decade (Estonia, Georgia and Stuxnet) seem to have been major eye-openers, calling for immediate strategies in order to combat insecurity. However, as the chapter on previous research will show, fragmentation is manifest in the national cybersecurity strategies 7. Despite the existing discrepancy and the lack of consensus an actor such as NATO has declared that cyber-attacks can trigger its collective defence. A question yet to be answered, is how they render the usage of article 5 intelligible in relation to cyber-attacks. Because, as the background section will show territoriality is central for a legitimate invocation of Article 5. However, given the character of cyberspace, its interconnectedness and transboundary nature, it is not easy to apply the territory within this particular domain. Where do borders begin or end? How does NATO exactly extend territory to cyberspace, if they do? 1.1. Aim and Research question The aim of qualitative research is to understand an actor s own perspectives. Each phenomenon must be viewed from its own unique conditions, without generalizing ambitions 8. A case study, aims to describe a unit of analysis in detail 9. This thesis adopts an explorative approach and it takes off from NATO s statement that cyber-attacks can invoke its Article 5 of collective selfdefence, an article which is based on territory. The aim is to investigate how NATO renders the usage of Article 5 intelligible in relation to cyber-attacks, given the nature of cyberspace. The research question which will guide this paper to reach the aim is; How does NATO extend the concept of territoriality to cyberspace (which has no clear borders)? 7 Kasper (2014), p Teorell & Svensson (2016) p

5 1.2. Background In order to get a better understanding of NATO, and familiarize the reader with the subject of the case study. This opening section of the paper will present a brief overview of NATO, the only invocation of the collective defence and the primary governing articles of the collective defence; Articles 4, 5 and 6. NATO is a political and military alliance with the purpose to guarantee the freedom and security of its members through political and military means. Security is understood in terms of territorial integrity and political independence 10. Strategic Concepts lay down the Alliance s core tasks and principles, its values, the evolving security environment and the Alliance s strategic objectives for the next decade. The 2010 Strategic Concept defines NATO s core tasks as: collective defence, crisis-management and cooperative security. The Alliance has always innovated and adapted itself to ensure its policies, capabilities and structures meet current and future threats, including the collective defence of its members 11. When NATO was founded in 1949, the primary aim of the founding treaty was to create a pact of mutual assistance to counter the risk that the Soviet Union would seek to extend its control of Eastern Europe to other parts of the continent. The key component of the alliance thus became Article 5 of the treaty, which calls for collective defence. The article stipulates that, if a NATO ally is the victim of an armed attack, each and every other member of the Alliance will consider this act of violence as an armed attack against all members and will take the actions it deems necessary to assist the ally attacked 12 : The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an armed attack against them all and consequently they agree that, if such attack occurs, each of them, in exercise of the right of individual or collective selfdefense recognized by Article 51 of the Charter of the United Nations, will assist the Party or Parties attacked [ ] 10 NATO (1949), Article 4 11 NATO, What is NATO?: Pick A Topic & Discover NATO 12 NATO (1949), Article 5 5

6 In order to specify the referent objects of Article 5, it is complemented by Article 6, which stipulates 13 : For the purpose of Article 5, an armed attack on one or more of the Parties is deemed to include an armed attack: on the territory of any of the Parties in Europe or North America, on the Algerian Departments of France, on the territory of or on the Islands under the jurisdiction of any of the Parties in the North Atlantic area north of the Tropic of Cancer; on the forces, vessels, or aircraft of any of the Parties, when in or over these territories or any other area in Europe in which occupation forces of any of the Parties were stationed on the date when the Treaty entered into force or the Mediterranean Sea or the North Atlantic area north of the Tropic of Cancer Insofar, Article 5 has been invoked only once, as a response to the 9/11 terrorist attacks against the Twin Towers and the Pentagon in the United States in Within 24 hours after the attacks, the North Atlantic Council (NATO s governing body) responded with its full support and proclaimed the need for an Article 5 response. But it was not a response free from controversy. First it was questioned, even by NATO officials, whether the attack had been an armed one. As already described, Article 5 contemplate an armed attack, but was an aircraft a weapon? Secondly, the attacks were attributed to international terrorism 14. A lively debate discussed how these attacks distinguished themselves from normal terrorism, as practiced by the IRA, ETA or the PKK, and which is handled by the internal law-enforcement. The 9/11 attacks distinguished themselves from normal terrorism on two criteria, the scale and external direction 15. It was also argued that territorial boundaries did not apply because the threat did not have a clear (national) sender s address 16. In the end, enough justification for a military response was provided by the considerable loss of life and the fact that the attacks occurred on American soil. Terrorist organisations were targeted despite the lack of territorial boundaries Previous research Cyberspace and Cyber Security Cyberspace is the domain to which cyber security is applicable. The term was coined in 1984 in William Gibson's novel Neuromancer and it refers to the virtual computer world 18. More 13 NATO (1949), Article 6 14 NATO Review, Invoking Article 5: five years on NATO Review magazine, New Threats: the cyber-dimension 17 Fedyszyn, T (2010). p Tech Terms 6

7 specifically, cyberspace can be defined as a global domain within the information environment whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies 19. Cyber security, on the other hand, arrived as a concept on the post-cold War agenda in response to a mixture of technological innovations and changing geopolitical conditions 20. The terminology was first used by computer scientists in the early 1990s to underline a series of insecurities related to networked computers 21. Since then it has become a matter of global interest and importance. An increasing number of states have officially published some form of strategy document outlining their official stance on cyberspace, cybercrime, and/or cyber security 22. But as will be demonstrated further down these official strategies are very diverse and based on different understandings. Consequently, what constitute cyber security differs among actors. Yet, the International Telecommunications Union (ITU) provide an allencompassing definition which can serve to illustrate the diversity of factors that can be included in the concept. According to ITU, cyber security is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment 23. The U.S Department of Homeland Security further defines cyber security as the activity or process, ability or capability or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification or exploitation 24. RAND institute has also shown that cyber security discourse moves across distinctions normally deemed crucial to Security Studies. Between individual and collective security, between public authorities and private institutions, and between economic and political-military security 25. Much of the discussion in international relations when it comes to cyber, centre around cyber warfare and cyber-attacks. Several scholars have stressed a virtual policy vacuum, referring to 19 Vitel (2014), p Hansen & Nissenbaum (2009) p.1155) Van Niekerk & Von Solms (2013), p ITU, Definition of cyber security 24 CCDCOE, Cyber Definitions: Cyber Security 25 Hansen & Nissenbaum (2009), p

8 the lack of universal definitions 26. Cyber capabilities represent a leap in the field of technology that has changed warfare from only being kinetic to also include non-kinetic capabilities. That is to create tailored effects from distance, through the virtual environment 27. Questions that still remain unanswered are; what exactly constitute breaches in cyberspace, agreement on what the damaging nature of cyber-attacks are, what adequate thresholds for invoking the right to self-defence, as stated in the UN Charter, should be etc. Briefly, the general consensus among scholars is that cyber-attacks are attempts to 28 ; 1) gain access to information systems, 2) Simply gaining access 3) stealing information stored as data, 4) altering (i.e. damaging) or destroying that data causing temporary or permanent losses of function without damaging or destroying system components and, 5) causing such losses of function via component damage or destruction. One of the difficulties when evaluating cyber-attacks is that they may have direct and/or indirect effects. The direct effects include damage and destruction of certain computer hardware, software or data 29. While indirect effects are damage and destruction to property, injury and/or death to persons. Indirect effects are able to occur is due to the link between computers, or network components, and the external world. Regarding the five types of cyber-attacks mentioned, number 3-5 could result in some form and degree of physical harm to both human beings and property The fragmentation of policies and definitions So far, no major attack has been launched but a key element of the security discourse is to argue that if action is not undertaken to deal with cyber-threats, then serious incidents will materialize in the near future, Lene Hansen and Helen Nissenbaum proclaim in their article Digital 26 Dipert (2010), p Barret 2015, p Barrett (2015), p ibid, p ibid. 8

9 Disaster, Cyber Security & the Copenhagen School 31. Scholars agree that threats arise not only from intentional agents, but also from systemic threats such as software or hardware failures 32. Both academic and policy discourses articulate a wide array of threats to government, businesses, individuals and society 33. Within Security Studies it is agreed that military threats can affect all components of the states, political threats weaken the state as a political entity, economic threats are seen as destabilizing for the economic sector amongst others, and societal threats relate to identity and culture 34. In cyberspace, however, the referent objects of the network and the individual are linked to national and regime/state security 35. Therefore, the key to understanding the potential magnitude of cyber threats is the networked character of computer systems. Networks control physical objects including everything from technical components and infrastructure to military domains 36. Networked consequences are widely acknowledged to affect referent objects beyond the networks themselves 37. In The Fragmented Securitization of Cyber Threats Agnes Kasper accounts for a diversity of interests and objectives among actors when it comes to cyber security. Her research demonstrates the development of several unique, and according to her, sometimes exotic approaches to cyber security 38. Cyber policies and strategies in the USA, Russia and number of other actors illustrate a very fragmented cyber security environment, not only among the traditionally strongest powers, but among states in general, and on regional levels 39. Russian views focus on the political nature of cyber threats, and call for protection of its national interests in the information sphere 40. Dutch cyber strategies focus on infrastructure and aim to prevent damage caused by disruptions to, breakdowns in, or misuse of ICTs 41. The EU on the other hand emphasize the potential of cyber threats to endanger the physical survival of people Hansen & Nissenbaum (2009), p Ibid, p Ibid, p Kasper (2014), p Hansen & Nissenbaum (2009), p Ibid, p Kasper (2014), p Kasper (2014), p Ibid, p. 175, p Ibid, p Ibid, p

10 There is no layered coordination or framework that reflects and reconciles the different interests and objectives of actors 43. Cyber security policies currently lack a shared understanding and a common terminology. Neither are there much empirical studies which clarify how different actors and societies construct or securitize threats in cyberspace. Scholars and actors dispute whether threats emanate from military, political, economic or societal fields 44. Forrest Hare, like Kasper, Hansen & Nissenbaum advocate that different actors will securitize issues according to their perceptions and agendas 45. While one nation may assert that an existential threat is posed by the distributed denial of service attack (DDoS) against their banking infrastructures, another may highlight fundamentally different issues 46. For instance, NATO s securitization of cyber domain will fall in line with NATO s agenda and purpose NATO There are strategic challenges in enhancing cyber security which at the moment seem unresolvable. In NATO s cyber defence: strategic challenges and institutional adaptation Burton states that the alliance has tried to come to terms with some of these but like all actors they still, for instance, cannot reliably attribute cyber-attacks to specific perpetrator 47. It is shown that NATO emphasize attribution as one of the main issues associated with responding to cyber-attacks. Burton s research also concludes that NATO appears to have accepted these difficulties and adopted a pragmatic cyber security posture which aims to handle attacks on a case by case basis 48. Another issue which has been addressed briefly in research on NATO is the criteria of scales and effects. In NATO after the Wales Summit: Readying the Alliance for the future it is stated that the actual threshold for invoking Article 5 insofar stays undefined which means that member states cannot be fully confident that collective defence would be invoked should they need it 49. NATO views on cyber-threats have been addressed in research but the field is far from overstudied. In NATO and Cyber security Roger André Tosbotn investigates the prominence of cyber security in NATO s official documents, and examines the way in which NATO s outwards understanding of the cyber domain has changed over time. The thesis adopts content analysis to measure word frequency (prominence) and discourse analysis to examine change of 43 Ibid, p Ibid, p Hare (2009), p Burton (2015), p ibid. 49 Kufc a k, J. (2014) 10

11 the conceptualization of the cyber domain over time. The documentation analysed span from 2002, when cyber was first mentioned in official NATO documents, until the beginning of 2016 when the thesis was written. Tosbotn s results illustrate two main points; firstly, they indicate a relative prominence of cyber vis-à-vis other aspects NATO deem as important. Secondly, it elucidates several aspects of NATO s strategic culture. Russia and terrorism remain the main concerns of the alliance, but mentions of cyber has come to rank third in overall mentions. In addition, critical junctures in the period of (cyber-attacks in Estonia and Georgia) and 2014 (The Stuxnet virus) yielded a considerably higher frequency in mentions of cyber. The qualitative findings demonstrate a conceptualization that has grown to embody a rich variety of associations. Once a juncture has been reached the milieu and operation of NATO has transformed and forced them to reformulate cyber as a conspicuous security dimension. The purpose of this section has been to reinforce the aim of the paper and to show that a case study of NATO is of interest. Cyber-threats are undoubtedly one of the Alliances main concerns and the understanding of them is constantly changing. Different cyber security strategies and agendas, elements of uncertainty, the absence of universal definitions, and the lack of consensus over how cyber-attacks should be evaluated render cyber security a delicate matter. Any counter measure has the potential of being controversial. In the worst of cases minor disagreements could escalate into full-scale conflict. Consequently, NATO declaring that cyber-attacks can trigger its Article 5 stress for a clarification of their structure of thought. 2. Theory This section will present the theoretical framework which will serve to guide this paper in the process of answering the research question, which is to examine how NATO touch upon the idea of territoriality. In order to illuminate how they render the usage of Article 5 intelligible in relation to cyber, given the nature of cyberspace. The framework is founded on a constructivist school of thought and derives form non-traditional security studies. In order to understand and motivate the following approach a discussion accounting for the differences between traditional and non-traditional approaches to security will forgo the presentation of the theory. 11

12 2.1. The widened security agenda The nature of security defies pursuit of an agreed general definition Barry Buzan argue in his work 50. In the field of security studies there is an ongoing debate between traditional and nontraditional views of security. These approaches understand security within the language of insecurity 51. But what constitute insecurity differs depending on the adopted point of view. The security discussion is, in general, about the pursuit of freedom from threat. In the context of the international system, security is about the ability of states and societies to maintain their independent identity and their functional integrity. The bottom line is about survival for a designated referent object 52. Historically States have been the principal referent objects of security because they are both the framework of order and the highest source of governing authority 53. Security threats have traditionally been viewed through the prism of state survival. Security studies have therefore traditionally been about the phenomenon of war, with the State as a referent object. Scholars such as Stephen Walt define it as the study of the threat, use and control of military force 54. Other traditionalists such as John Chipman state that non-military aspects of security may occupy more of the strategist s time but the need for peoples, nations, states or alliances to procure, deploy, engage or withdraw military forces must remain a primary purpose of the strategic analysts inquires 55. In recent decades, however, non-traditional security challenges have increasingly occupied scholars and security analysts around the world, a trend reinforced by 9/11 and other high-profile terrorist attacks 56. Critics of traditional security studies, argue against the view that the core of security studies is war and force, and that other issues are relevant only if they relate to war and the use of force 57. They keep an open mind about the balance among the sectors, cross-linkages between them, and the types of threat, actor, and referent object that might be dominant in any given historical time 58. For wideners a group of non-traditionalist scholars who attempt to broaden or widen the concept of security a security problem can, for instance, be something that shows itself as a security problem through the discursive politics of security. (In)security is not an objective condition, a state 50 Buzan (2009), p Tripp, E. (2013) 52 Buzan, p Buzan, Waever & De Jaap (1998), p Hameiri & Jones (2013), p Buzan, Waever & De Jaap (1998), p

13 of affairs that predates discourse 59. This discourse leads up to one of the main fault lines in contemporary security studies, that between those who see (in)security as an objective condition and those who emphasize its social construction 60. A focus on the subjective character of threats does of course not exclude the fact that there are objective threats. Balzacq emphasize that a distinction between institutional and brute threats should be made. Where the former refers to threats as mere products of communicative relations between agents and the latter to threats as more objective, not depending on language but as objective hazards for human life 61. There are many potential angles and frames that can be used by actors which a simply objective approach to threats, such as the traditional one, would miss. A security analysis which adopts a non-traditionalist approach, such as the Copenhagen School, allows one to understand how a specific actor reason and portrays threats to its security and existence Securitization theory The concept of securitization originates from the Copenhagen school of security studies, which is considered to be founded by Ole Waever, Barry Buzan. When securitization theory was first introduced it provided a new perspective on the debate between scholars who claimed that threats are objective, and those who maintained that what constitutes security is subjective. Security according to the Copenhagen School should be seen as a speech act, where the central issue is not if threats are real or not, but in the ways in which a certain issue is socially constructed as a threat 62. The invocation of security has been important for both legitimizing the use of force, but also for opening the way for the State to mobilize, and/or to invoke special powers to handle existential threats 63. Securitization studies aim to gain an increasingly precise understanding of who securitizes, on what issues (threats), for whom (referent objects), why, with what results, and under what conditions 64. The role of speech in framing the threats is examined in order to explain why issues become securitized and how these issues are ought to be handled. Defining why something is an existential threat to the actor is essential. In short, the Copenhagen Schools understanding is that securitization has to be understood as an essentially intersubjective process in which different States, nations and actors have different thresholds for defining a 59 Balzacq (2005), p Hameiri & Jones (2013), p Ibid, p Oxford Bibiliographies, Securitization. 63 Buzan, Waever & De Jaap (1998), p Hansen & Nissenbaum (2009) 13

14 threat 65. The interplay of securities within the international system is generated by the different perceptions among actors regarding what constitutes a real threat 66. Public issues can be located on a spectrum ranging from; (1) non-politicized through (2) politicized to (3) securitized. Non-politicized issues are not dealt with since they have not been made issues of public debate 67. The politicization of an issue, however, makes the issue a public- and government concern, which require attention and resource allocation 68. A securitizing move on the other hand, is, as explained in the previous paragraphs, a discourse which presents something as an existential threat to a referent object 69. The purpose of the securitizing move is to frame the issue as a special kind of politics or above politics which calls for action beyond the established rules of the game 70. According to Buzan, Waever & De Jaap the securitization of an issue can be considered as an extreme version of politicization 71. The process of securitization is completed by the speech act. By saying a word something is done 72. But a security speech act is not only defined by uttering the word security. What is essential is the designation of an existential threat requiring emergency action or special measures 73. As mentioned the Copenhagen Schools framework of analysis deals with the social construction of security 74. Why something is a threat and what it threatens differs from actor to actor. Therefore, in order to analyse the speech act, a distinction among two different units is required 75 ; 1) Referent objects: things that are seen to be existentially threatened and have a legitimate claim to survival. In general, these are objects to which one can point and say, it has to survive therefore it is necessary to [ ] 2) Securitizing actors: corresponds to actors who securitize issues by declaring a referent object threatened. 65 Ibid, p Ibid, p Hansen & Nissenbaum (2009) 70 Hansen & Nissenbaum (2009) 71 Buzan, Waever & De Jaap (1998), p Ibid, p Ibid, p Ibid, p Ibid, p

15 To conclude, the Copenhagen School strives to promote discourse analysis as a new technique of devising reproducible findings in security research 76. By studying a security discourse, one can learn what referent objects are appealed to and thus be able understand how an issue is perceived to be a threat for a certain actor, or in other words; what the connection is between an issue and a referent object or. Applying this framework in a case study on NATO is expected to generate their understanding of why cyber-attacks is a threat, and how different aspects of cyber-threats are used to motivate the special measure of invoking Article Territoriality in the modern era The bipolarity of the Cold War era upheld a distinction between the realms of internal security (concerned with crime, civil protection, law and order inside the state) and external security (which focused on defence and deterrence between states) 77. As the cold war ended the nuclear threat diminished and the threat of crime, terrorism, breakdowns or natural disasters increased 78. Transboundary security issues now emerged on the security agenda. The challenges of today are also considered to differ from those of yesterday in two ways. First in the issues themselves, and secondly the way in which modern societies are organized 79. The effects of today s security issues are difficult to predict or even prepare for, considering we do not always know for instance which systems will be compromised 80. The interconnectedness is considered to have dissolved the traditional boundary protecting the territorial nation state 81. The way societies are organized today, furthermore, exacerbates the dynamics of transboundary security issues 82. In the early centuries of the Westphalian order, territory was the main factor that determined the security of states. Therefore, the protection of it was one of the prime motivations of foreign policy 83. Territoriality can be understood as political authority is exercised over a defined geographic space 84. Territorial violations thus involve situations in which authority structures are not coterminous with geographic borders 85. Today, conduct continues to occur in territory, individuals reside in territory, and effects are felt in territory 86. Moreover, in the classical 76 Balzacq (2005), p Eriksson & Rhinard (2009), p Ibid, p Eriksson & Rhinard (2009), p ibid. 81 Hansen & Nissenbaum, p Eriksson & Rhinard, p Zacher (2003), p Krasner (2001), p Trachtman (1998), p

16 geopolitical view of security relations, geographical proximity renders the security of some states more independent than that of others. 87 Geographical proximity has also been an important factor in shaping policy, but transboundary threats make classical security policymaking difficult 88. Supra-territorial phenomena, like cyberspace, are today a challenge to the concept of territory because they fracture both conduct and effects 89. Today, the way risks travel is fluid and unpredictable due to societies being tightly linked, economically, politically, and socially 90. Moreover, as technical interconnections have become a vital part of our societies by increasing the speed of production amongst other things. These interconnections have simultaneously created highly efficient pathways along which potential disturbances can travel across geographical and functional boundaries 91. It has therefore been stated that cyber-attacks do not fit neatly into the traditional attacker/attacked State framework 92. The reason being that, as ICTs can cut across territorial borders the legitimacy and feasibility of laws based on geographic boundaries are undermined 93. Moreover, because modern security issues travel along intertwined systems that stretch across functional and geographical boundaries. It has become difficult to predict the impact of a security issue upon different societal systems such as transport, financial systems, energy networks 94. Transboundary security issues are considered to have bridged some of the internal-external divide as the line between cybercrime and cyber act of war is rather blurry 95. Transboundary security issues have furthermore several traits which render the responses to them difficult. First of all, they originate from opaque locations, but more importantly, because of their ability to cross political and functional boundaries with ease they affect a wide variety of referent objects 96. This is why transboundary security issues nowadays are argued to hold the potential to violate security in terms of absence of threat to acquired values, such as human lives or critical infrastructure Eriksson & Rhinard (2009), p ibid. 89 Trachtman (1998), p Eriksson & Rhinard (2009), p Ophardt (2010), p Johnson (1997) p Eriksson & Rhinard (2009), p Ibid, p Ibid, p

17 The interconnectedness of cyberspace renders cyber security challenging. There is no unified cyberspace, but the internet is considered to be the most pervasive one. However, not all networks are connected to it, in fact, most critical networks are isolated from the internet. But cyber threats to these types of networks are increasing due to hostile actors finding new ways of gaining access to them 98. Cyberspace consists of two dimensions 99 ; 1) the social space that emerges through the interaction between users and that is enabled through code; and 2) the physical infrastructure that makes digital activity possible. The worldwide penetration of the Internet is furthermore considered to have generated two related phenomena 100. First of all, it is now possible for both actors and issues to join up in different corners of the world, and secondly, we now rely heavily on the social and physical infrastructure of globally interconnected computer networks 101. The relevance and applicability of territory and borders is therefore challenged. China s efforts to control the internet are, however, one example which witness that the idea of national borders in cyberspace have not disappeared 102. Moreover, servers, networks and other types of hardware are clearly located in physical space and is therefore subject to territorial jurisdiction by states 103. At the same time, it has been argued that the integration of physical components of cyberspace cannot be interpreted as a waiver of the exercise of territorial sovereignty 104. DDoS attacks target servers and infrastructure in order to disrupt websites 105. At the height of the cyber-attacks in Georgia (the country), a large number of the besieged websites were temporarily moved to better protected servers located in the United States. But as the location of the servers changed, different territory came to be affected. The territory in cyberspace being interfered with was that of Georgia while actual territory was that of the United States 106. DDoS attacks are thus a good example of the multisided nature of transboundary threats. The origins, 98 Vitel (2014) p.1 99 Lambach (2016), p Eriksson & Rhinard (2009), p ibid. 102 ibid. 103 Lambach (2016), p Ophardt, J. (2010), p

18 targets and consequences of such attacks and other types of cyber-attacks will not be contained neatly within the borders drawn on a map 107. Therefore, acknowledging territory as either virtual, actual, or both will matter when determining if a crime aggression has occurred in cyberspace 108. Since cyber infrastructure is shared by states a broad range of territorial links emerge through the routing activities that constitute a cyber-attack 109. A challenge will therefore be when it can be said that the conduct occurred on a specific State s territory 110. Furthermore, if conduct can only be said to have occurred on the territory where the effects of a network attack are felt, it then has to be specified whether cyber-attacks, on equipment located in one State but generate actual effects in another, can be said to have occurred in the territory of the former, the latter, or both Methodology This paper is not interested in the process of securitization per se, since the aim is not to conclude whether NATO has successfully securitized cyber-threats or not. However, as mentioned the securitization theory framework allows one to gain an increasingly precise understanding of who securitizes, on what issues (threats), for whom, why, with what results and under what conditions 112. The research question in this paper focus on NATO s portrayal of cyber-threats, and how they, in their discourse, link territory to cyberspace. By examining how NATO touch upon the idea of territoriality, through the securitization theory framework, this paper aims to illuminate how NATO render the usage of Article 5 intelligible in relation to cyber-threats, given the nature of cyberspace. The research method deployed in this paper will be textual analysis, more specifically framing analysis. Textual analysis is a systematizing method of investigation which aims to clarify structures of thought among specific actors 113. Briefly, framing refers to the organisation of information and ideas within specific contexts and it is considered to be an extremely broad concept. The core of framing is to promote proposed 107 Ophardt (2010), p McDougall (2013), p Hansen & Nissenbaum (2009) 113 Essaiasson et al. (2012), p

19 interpretations and understandings 114. Creating a frame is to select some aspects of a perceived reality and emphasize these in a communicating text, in such a way which promotes a particular problem definition, causal interpretation, and/or treatment recommendation 115. Moreover, as frames stress certain aspects of reality and neglect others they decide what will be discussed, how much it will be discussed, and above all, how it will not be discussed 116. In conclusion framing is based on selectivity and therefore it can be considered to both produce and limit meaning. Because a frame never constitutes a neutral description of events or issues it inherently offers an interpretation of something which is based on a specific perception of reality 117. In summary, frames can be understood as mental structures or as a kind of reference tool which will enable individuals or actors to organise external impressions in order to construct meaning 118. As a method and analytical framework, frame analysis is not associated with any particular discipline 119. It has been described as an approach, a theory, an analytical technique and a research paradigm 120. Because of its multisided nature and the lack of a unified theory of the framing process, it is not given what frame analysis is supposed to entail and what it should focus on 121. Previous research has used framing analysis in different ways and contexts. As the essential elements of meaning construction, i.e. framing, are ideas scholars in the frame analysis tradition argue that frame analysis provides an analytical framework which cast light on possible links between ideas, events and action 122. One of the most important presumptions of frame analysis, and the one which brings the actor to the fore of the analysis, is the assumed presence of strategy and intent by an actor. The actor is considered to have a conscious and intentional part in the frame construction process 123. Furthermore, the definition of an issue is more than just a description of it, using a specific language will generate a specific meaning which in turn brings with it a causal interpretation as well as an implicit solution Doudaki (2016), p Björnehed (2012), p Ibid, p Doudaki (2016), p Björnehed (2012), p Ibid, p Björnehed (2012), p

20 As opposed to the traditional perspective of security studies which, as explained, holds that a security issue can be objectively observed and defined, the Copenhagen Schools Securitization theory embrace the notion of security being as a construction of meaning based on ideas 125. Frame analysis emphasizes that the definition of an issue is more than just a description of it, the choice of words will bring both a specific causal interpretation and an implicit solution 126. Securitization theory could be said to deal with a specific type of framing process, that of constructing security (see Björnehed). Buzan, Waever and De Jaap underline in A New Framework of Analysis that their theory offers a constructivist operational method for distinguishing the process of securitization. Securitization theory will therefore be used as a base for constructing the analytical framework which will help to illuminate how NATO renders the use of Article 5 possible in relation to cyber-threats Analytical framework The analytical tools for conducting the textual analysis take the form of precise questions that are asked to the object of analysis 127. In this case study NATO constitutes the object of analysis. In order to properly investigate how they frame cyber threats as territorial threats, securitization theory will be used to operationalize the aim into specific questions that will guide this paper in answering the research question. The Copenhagen School underlines that why something is a threat and what it threatens differs from actor to actor. The following questions will therefore be used in the textual analysis; According to NATO; 1) What is the nature of a cyber-threat and how is it connected to territoriality? 2) What is the referent object and how is it connected to territoriality? Given that Article 5 is a last resort measure which requires an armed-attack against NATO territory in order to be invoked legitimately. One could expect the announcing of its applicability on the cyber domain, as a measure to respond to cyber-attacks, to include some motivation of why that is the case. Furthermore, pointing out the referent objects is important because they can shred light to possible links between territoriality and Article Ibid, p Ibid, p Essaiasson et al. (2012), p

21 Questions 1 and 2 aim to create an overview, based on specific cyber related announcements from a variety of occasions. The aim is to reveal the underlying narrative making up NATO s understanding of cyber-threats. And thus, illuminate implicit links between territoriality, the nature of cyber-threats and the referent objects which are ought to be protected. Identifying what referent objects of security are according to NATO, will simultaneously illuminate their understanding of how far territory extends in cyberspace. A third question will be included in the toolkit for textual analysis; 3) Does NATO express any concerns, regarding territoriality, in relation to the triggering of an Article 5 response to a cyber-attack? While the first two questions focus on revealing the underlying narrative this third question, on the contrary, is supposed to be a complement. Exposing any deliberation or statements made around the relationship between territoriality, cyberspace and cyber-attacks, throughout NATO s outspoken communication. Territoriality is an important aspect of an Article 5, and as explained territoriality in relation to cyberspace is not that straight forward because of the cyber domain having no clear overlap with geographical territory. Are any concerns raised by NATO regarding this? What do they say? In conclusion, by answering these questions when analysing the material this paper hopes to give a comprehensive overview of NATO s structure of thought regarding territoriality in relation to cyber-attacks Material For the scope of this thesis it is not possible to analyse all existing NATO documentation. Applying textual analysis to political communication therefore requires both justification and limitation of the choice of sources. The aim of this paper is to examine and investigate NATO s official stance by applying a framework of analysis deriving from securitization theory, which focus on speech acts. A speech act can constitute a discourse in which an actor is assumed to express its stance 128. Due to the aim and the focus on speech acts, the material must constitute of relevant documentation which is expected to contain NATO s official opinions. Because of 128 Buzan, Waever & De Wilde (1998) 21

22 the military character of the alliance secrecy is stressed in many aspects. This will limit the range of potential documents to only include non-classified ones. Which should not be a problem. There is of course a chance that classified documents express a different view or opinion, but such view is hereby assumed to be unofficial. Consequently, NATO s outward communication is assumed to represent the Alliance s official stance. Moreover, in order to minimize clouded facts or statements, only primary sources will be used. That is, documentation such as summit reports, statements, policies, interviews and press-releases etc. which have been produced and published by NATO and its primary organs like NATO s Communications and Information Agency (NCIA). Cooperative and external organs such as NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) will be excluded since their views does not necessarily represent the official position or policy of NATO 129. Furthermore, Tosbotn s content analysis, identified the first mentioning of cyber to have occurred in The range of documentation for analysis will thus stretch from 2002 until December 15 th, NATO s official website, their primary storage of information, served as the point of departure for locating documentation. The search word used to filter official texts was cyber. It generated 41 documents. Official NATO spokespeople are furthermore assumed to express the official opinions of the alliance. A first review of the official texts indicated a sparsely commented material in general. Journalists might, however, ask more demanding questions requiring more elaboration from NATO officials. I therefore decided to include archived material from press conferences, hoping to get a more nuanced data. Due the large number of such texts, only speeches and transcripts from 2014 and onward were reviewed. A cyber-attack was for the first time announced to possibly trigger article 5 in Because of this thesis interest to map the relationship between cyber and Article 5, 2014 therefore serves as a good limitation. Cyber and Article 5 were key words used to filter the speeches and transcripts found on NATO s website. The timeline was set to 2014 and onward. A final search using territory and cyberspace on speeches and transcripts was also conducted. In order to locate documentation which might relate to territory and cyberspace, this search generated 21 results. In addition to documentation found in NATO s E-library and Newsroom, cyber related texts on the NCIA webpage were reviewed. 129 CCDCOE, EU Cybersecurity Package: New Potential for EU to Cooperate with NATO 22

23 A total of 120 documents were generated from three different searches using the above-named keywords. All of the documents were reviewed but only such with the most relevant content will be presented in the reference list. Worth noting with reference to material is that there are no general answers to what the best material is when it comes to textual analysis 130. To analyse all the relevant material is the ideal but rarely the optimal. Practical limitations make selectivity permissible 131. However, excluding potentially relevant documentation increase the risk of drawing doubtful conclusions or missing something of essence 132. The case study is limited to analysing NATO s outward understanding. Official documents and Secretary General speeches can be considered as typical material. Even though NATO might have diverging internal opinion, official texts whether they are statements, speeches or reports, should express their main conclusions and ideas. 4. Analysis The operationalized questions constituting the framework of analysis provide the disposition of this analysis. The first part will focus on NATO s framing of the threats in the cyber domain. The second, on the referent objects of security and the third, on concerns related to cyberattacks What is the nature of a cyber-threat and how is it connected to territoriality? Textual analysis, of the 120 documents used as material, indicate that NATO has a wide conception of threats in the cyber domain. Frequent wording such as improving our defences 133, enhancing capabilities 134 and stepping up efforts 135 are some of the most illustrative examples which portray an inadequate defence, when addressing cyber-threats. Referring to inadequacy renders an implicit understanding of cyber-attacks being a challenge to the Alliance. Other passages raising concerns around cyber security, such as cyber threats and attacks will continue to become more common and sophisticated 136 support an 130 Esaiasson et al. (2012), p NATO (17 May 2010) 134 NATO (15 Jun 2016) 135 NATO (13 Dec 2016) 136 NATO (5 Sept 2014) 23